- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] usb: gadget: f_ncm: Refactor bind path to use __free()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101659-exciting-salad-fa55@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai <khtsai(a)google.com> Date: Tue, 16 Sep 2025 16:21:34 +0800 Subject: [PATCH] usb: gadget: f_ncm: Refactor bind path to use __free() After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace: usb_ep_free_request+0x2c/0xec ncm_bind+0x39c/0x3dc usb_add_function+0xcc/0x1f0 configfs_composite_bind+0x468/0x588 gadget_bind_driver+0x104/0x270 really_probe+0x190/0x374 __driver_probe_device+0xa0/0x12c driver_probe_device+0x3c/0x218 __device_attach_driver+0x14c/0x188 bus_for_each_drv+0x10c/0x168 __device_attach+0xfc/0x198 device_initial_probe+0x14/0x24 bus_probe_device+0x94/0x11c device_add+0x268/0x48c usb_add_gadget+0x198/0x28c dwc3_gadget_init+0x700/0x858 __dwc3_set_mode+0x3cc/0x664 process_scheduled_works+0x1d8/0x488 worker_thread+0x244/0x334 kthread+0x114/0x1bc ret_from_fork+0x10/0x20 Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") Cc: stable(a)kernel.org Signed-off-by: Kuen-Han Tsai <khtsai(a)google.com> Link: https://lore.kernel.org/r/20250916-ready-v1-3-4997bf277548@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Link: https://lore.kernel.org/r/20250916-ready-v1-3-4997bf277548@google.com diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c index 58b0dd575af3..0148d60926dc 100644 --- a/drivers/usb/gadget/function/f_ncm.c +++ b/drivers/usb/gadget/function/f_ncm.c @@ -11,6 +11,7 @@ * Copyright (C) 2008 Nokia Corporation */ +#include <linux/cleanup.h> #include <linux/kernel.h> #include <linux/interrupt.h> #include <linux/module.h> @@ -20,6 +21,7 @@ #include <linux/string_choices.h> #include <linux/usb/cdc.h> +#include <linux/usb/gadget.h> #include "u_ether.h" #include "u_ether_configfs.h" @@ -1436,18 +1438,18 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) struct usb_ep *ep; struct f_ncm_opts *ncm_opts; + struct usb_os_desc_table *os_desc_table __free(kfree) = NULL; + struct usb_request *request __free(free_usb_request) = NULL; + if (!can_support_ecm(cdev->gadget)) return -EINVAL; ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst); if (cdev->use_os_string) { - f->os_desc_table = kzalloc(sizeof(*f->os_desc_table), - GFP_KERNEL); - if (!f->os_desc_table) + os_desc_table = kzalloc(sizeof(*os_desc_table), GFP_KERNEL); + if (!os_desc_table) return -ENOMEM; - f->os_desc_n = 1; - f->os_desc_table[0].os_desc = &ncm_opts->ncm_os_desc; } mutex_lock(&ncm_opts->lock); @@ -1459,16 +1461,15 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) mutex_unlock(&ncm_opts->lock); if (status) - goto fail; + return status; ncm_opts->bound = true; us = usb_gstrings_attach(cdev, ncm_strings, ARRAY_SIZE(ncm_string_defs)); - if (IS_ERR(us)) { - status = PTR_ERR(us); - goto fail; - } + if (IS_ERR(us)) + return PTR_ERR(us); + ncm_control_intf.iInterface = us[STRING_CTRL_IDX].id; ncm_data_nop_intf.iInterface = us[STRING_DATA_IDX].id; ncm_data_intf.iInterface = us[STRING_DATA_IDX].id; @@ -1478,20 +1479,16 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) /* allocate instance-specific interface IDs */ status = usb_interface_id(c, f); if (status < 0) - goto fail; + return status; ncm->ctrl_id = status; ncm_iad_desc.bFirstInterface = status; ncm_control_intf.bInterfaceNumber = status; ncm_union_desc.bMasterInterface0 = status; - if (cdev->use_os_string) - f->os_desc_table[0].if_id = - ncm_iad_desc.bFirstInterface; - status = usb_interface_id(c, f); if (status < 0) - goto fail; + return status; ncm->data_id = status; ncm_data_nop_intf.bInterfaceNumber = status; @@ -1500,35 +1497,31 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) ecm_desc.wMaxSegmentSize = cpu_to_le16(ncm_opts->max_segment_size); - status = -ENODEV; - /* allocate instance-specific endpoints */ ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_in_desc); if (!ep) - goto fail; + return -ENODEV; ncm->port.in_ep = ep; ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_out_desc); if (!ep) - goto fail; + return -ENODEV; ncm->port.out_ep = ep; ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_notify_desc); if (!ep) - goto fail; + return -ENODEV; ncm->notify = ep; - status = -ENOMEM; - /* allocate notification request and buffer */ - ncm->notify_req = usb_ep_alloc_request(ep, GFP_KERNEL); - if (!ncm->notify_req) - goto fail; - ncm->notify_req->buf = kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL); - if (!ncm->notify_req->buf) - goto fail; - ncm->notify_req->context = ncm; - ncm->notify_req->complete = ncm_notify_complete; + request = usb_ep_alloc_request(ep, GFP_KERNEL); + if (!request) + return -ENOMEM; + request->buf = kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL); + if (!request->buf) + return -ENOMEM; + request->context = ncm; + request->complete = ncm_notify_complete; /* * support all relevant hardware speeds... we expect that when @@ -1548,7 +1541,7 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) status = usb_assign_descriptors(f, ncm_fs_function, ncm_hs_function, ncm_ss_function, ncm_ss_function); if (status) - goto fail; + return status; /* * NOTE: all that is done without knowing or caring about @@ -1561,23 +1554,18 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) hrtimer_setup(&ncm->task_timer, ncm_tx_timeout, CLOCK_MONOTONIC, HRTIMER_MODE_REL_SOFT); + if (cdev->use_os_string) { + os_desc_table[0].os_desc = &ncm_opts->ncm_os_desc; + os_desc_table[0].if_id = ncm_iad_desc.bFirstInterface; + f->os_desc_table = no_free_ptr(os_desc_table); + f->os_desc_n = 1; + } + ncm->notify_req = no_free_ptr(request); + DBG(cdev, "CDC Network: IN/%s OUT/%s NOTIFY/%s\n", ncm->port.in_ep->name, ncm->port.out_ep->name, ncm->notify->name); return 0; - -fail: - kfree(f->os_desc_table); - f->os_desc_n = 0; - - if (ncm->notify_req) { - kfree(ncm->notify_req->buf); - usb_ep_free_request(ncm->notify, ncm->notify_req); - } - - ERROR(cdev, "%s: can't bind, err %d\n", f->name, status); - - return status; } static inline struct f_ncm_opts *to_f_ncm_opts(struct config_item *item)

2 weeks, 6 days

1
0
0 0

[PATCH 6.1.y] cpuidle: governors: menu: Avoid using invalid recent intervals data

by Sergey Senozhatsky

From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> [ Upstream commit fa3fa55de0d6177fdcaf6fc254f13cc8f33c3eed ] Marc has reported that commit 85975daeaa4d ("cpuidle: menu: Avoid discarding useful information") caused the number of wakeup interrupts to increase on an idle system [1], which was not expected to happen after merely allowing shallower idle states to be selected by the governor in some cases. However, on the system in question, all of the idle states deeper than WFI are rejected by the driver due to a firmware issue [2]. This causes the governor to only consider the recent interval duriation data corresponding to attempts to enter WFI that are successful and the recent invervals table is filled with values lower than the scheduler tick period. Consequently, the governor predicts an idle duration below the scheduler tick period length and avoids stopping the tick more often which leads to the observed symptom. Address it by modifying the governor to update the recent intervals table also when entering the previously selected idle state fails, so it knows that the short idle intervals might have been the minority had the selected idle states been actually entered every time. Fixes: 85975daeaa4d ("cpuidle: menu: Avoid discarding useful information") Link: https://lore.kernel.org/linux-pm/86o6sv6n94.wl-maz@kernel.org/ [1] Link: https://lore.kernel.org/linux-pm/7ffcb716-9a1b-48c2-aaa4-469d0df7c792@arm.c… [2] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Tested-by: Christian Loehle <christian.loehle(a)arm.com> Tested-by: Marc Zyngier <maz(a)kernel.org> Reviewed-by: Christian Loehle <christian.loehle(a)arm.com> Link: https://patch.msgid.link/2793874.mvXUDI8C0e@rafael.j.wysocki Signed-off-by: Sasha Levin <sashal(a)kernel.org> (cherry picked from commit 7337a6356dffc93194af24ee31023b3578661a5b) --- drivers/cpuidle/governors/menu.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/drivers/cpuidle/governors/menu.c b/drivers/cpuidle/governors/menu.c index 4edac724983a..0b3c917d505d 100644 --- a/drivers/cpuidle/governors/menu.c +++ b/drivers/cpuidle/governors/menu.c @@ -158,6 +158,14 @@ static inline int performance_multiplier(unsigned int nr_iowaiters) static DEFINE_PER_CPU(struct menu_device, menu_devices); +static void menu_update_intervals(struct menu_device *data, unsigned int interval_us) +{ + /* Update the repeating-pattern data. */ + data->intervals[data->interval_ptr++] = interval_us; + if (data->interval_ptr >= INTERVALS) + data->interval_ptr = 0; +} + static void menu_update(struct cpuidle_driver *drv, struct cpuidle_device *dev); /* @@ -288,6 +296,14 @@ static int menu_select(struct cpuidle_driver *drv, struct cpuidle_device *dev, if (data->needs_update) { menu_update(drv, dev); data->needs_update = 0; + } else if (!dev->last_residency_ns) { + /* + * This happens when the driver rejects the previously selected + * idle state and returns an error, so update the recent + * intervals table to prevent invalid information from being + * used going forward. + */ + menu_update_intervals(data, UINT_MAX); } /* determine the expected residency time, round up */ @@ -542,10 +558,7 @@ static void menu_update(struct cpuidle_driver *drv, struct cpuidle_device *dev) data->correction_factor[data->bucket] = new_factor; - /* update the repeating-pattern data */ - data->intervals[data->interval_ptr++] = ktime_to_us(measured_ns); - if (data->interval_ptr >= INTERVALS) - data->interval_ptr = 0; + menu_update_intervals(data, ktime_to_us(measured_ns)); } /** -- 2.51.0.760.g7b8bcc2412-goog

2 weeks, 6 days

3
7
0 0

FAILED: patch "[PATCH] xen/events: Return -EEXIST for bound VIRQs" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 07ce121d93a5e5fb2440a24da3dbf408fcee978e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101625-rebalance-humbling-87a2@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 07ce121d93a5e5fb2440a24da3dbf408fcee978e Mon Sep 17 00:00:00 2001 From: Jason Andryuk <jason.andryuk(a)amd.com> Date: Wed, 27 Aug 2025 20:36:02 -0400 Subject: [PATCH] xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propogate the error upwards. Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially when the current CPU is tracked. This now returns -EEXIST instead of BUG_ON(). A second call to bind a per-domain or global VIRQ is not expected, but make it non-fatal to avoid trying to look up the irq, since we don't know which per_cpu(virq_to_irq) it will be in. Cc: stable(a)vger.kernel.org Signed-off-by: Jason Andryuk <jason.andryuk(a)amd.com> Reviewed-by: Juergen Gross <jgross(a)suse.com> Signed-off-by: Juergen Gross <jgross(a)suse.com> Message-ID: <20250828003604.8949-3-jason.andryuk(a)amd.com> diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index 374231d84e4f..b060b5a95f45 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -1314,10 +1314,12 @@ int bind_interdomain_evtchn_to_irq_lateeoi(struct xenbus_device *dev, } EXPORT_SYMBOL_GPL(bind_interdomain_evtchn_to_irq_lateeoi); -static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn) +static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn, + bool percpu) { struct evtchn_status status; evtchn_port_t port; + bool exists = false; memset(&status, 0, sizeof(status)); for (port = 0; port < xen_evtchn_max_channels(); port++) { @@ -1330,12 +1332,16 @@ static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn) continue; if (status.status != EVTCHNSTAT_virq) continue; - if (status.u.virq == virq && status.vcpu == xen_vcpu_nr(cpu)) { + if (status.u.virq != virq) + continue; + if (status.vcpu == xen_vcpu_nr(cpu)) { *evtchn = port; return 0; + } else if (!percpu) { + exists = true; } } - return -ENOENT; + return exists ? -EEXIST : -ENOENT; } /** @@ -1382,8 +1388,11 @@ int bind_virq_to_irq(unsigned int virq, unsigned int cpu, bool percpu) evtchn = bind_virq.port; else { if (ret == -EEXIST) - ret = find_virq(virq, cpu, &evtchn); - BUG_ON(ret < 0); + ret = find_virq(virq, cpu, &evtchn, percpu); + if (ret) { + __unbind_from_irq(info, info->irq); + goto out; + } } ret = xen_irq_info_virq_setup(info, cpu, evtchn, virq);

2 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] xen/events: Return -EEXIST for bound VIRQs" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 07ce121d93a5e5fb2440a24da3dbf408fcee978e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101625-gully-disaster-8717@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 07ce121d93a5e5fb2440a24da3dbf408fcee978e Mon Sep 17 00:00:00 2001 From: Jason Andryuk <jason.andryuk(a)amd.com> Date: Wed, 27 Aug 2025 20:36:02 -0400 Subject: [PATCH] xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propogate the error upwards. Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially when the current CPU is tracked. This now returns -EEXIST instead of BUG_ON(). A second call to bind a per-domain or global VIRQ is not expected, but make it non-fatal to avoid trying to look up the irq, since we don't know which per_cpu(virq_to_irq) it will be in. Cc: stable(a)vger.kernel.org Signed-off-by: Jason Andryuk <jason.andryuk(a)amd.com> Reviewed-by: Juergen Gross <jgross(a)suse.com> Signed-off-by: Juergen Gross <jgross(a)suse.com> Message-ID: <20250828003604.8949-3-jason.andryuk(a)amd.com> diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index 374231d84e4f..b060b5a95f45 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -1314,10 +1314,12 @@ int bind_interdomain_evtchn_to_irq_lateeoi(struct xenbus_device *dev, } EXPORT_SYMBOL_GPL(bind_interdomain_evtchn_to_irq_lateeoi); -static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn) +static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn, + bool percpu) { struct evtchn_status status; evtchn_port_t port; + bool exists = false; memset(&status, 0, sizeof(status)); for (port = 0; port < xen_evtchn_max_channels(); port++) { @@ -1330,12 +1332,16 @@ static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn) continue; if (status.status != EVTCHNSTAT_virq) continue; - if (status.u.virq == virq && status.vcpu == xen_vcpu_nr(cpu)) { + if (status.u.virq != virq) + continue; + if (status.vcpu == xen_vcpu_nr(cpu)) { *evtchn = port; return 0; + } else if (!percpu) { + exists = true; } } - return -ENOENT; + return exists ? -EEXIST : -ENOENT; } /** @@ -1382,8 +1388,11 @@ int bind_virq_to_irq(unsigned int virq, unsigned int cpu, bool percpu) evtchn = bind_virq.port; else { if (ret == -EEXIST) - ret = find_virq(virq, cpu, &evtchn); - BUG_ON(ret < 0); + ret = find_virq(virq, cpu, &evtchn, percpu); + if (ret) { + __unbind_from_irq(info, info->irq); + goto out; + } } ret = xen_irq_info_virq_setup(info, cpu, evtchn, virq);

2 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] xen/events: Return -EEXIST for bound VIRQs" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 07ce121d93a5e5fb2440a24da3dbf408fcee978e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101624-yield-grime-5287@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 07ce121d93a5e5fb2440a24da3dbf408fcee978e Mon Sep 17 00:00:00 2001 From: Jason Andryuk <jason.andryuk(a)amd.com> Date: Wed, 27 Aug 2025 20:36:02 -0400 Subject: [PATCH] xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propogate the error upwards. Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially when the current CPU is tracked. This now returns -EEXIST instead of BUG_ON(). A second call to bind a per-domain or global VIRQ is not expected, but make it non-fatal to avoid trying to look up the irq, since we don't know which per_cpu(virq_to_irq) it will be in. Cc: stable(a)vger.kernel.org Signed-off-by: Jason Andryuk <jason.andryuk(a)amd.com> Reviewed-by: Juergen Gross <jgross(a)suse.com> Signed-off-by: Juergen Gross <jgross(a)suse.com> Message-ID: <20250828003604.8949-3-jason.andryuk(a)amd.com> diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index 374231d84e4f..b060b5a95f45 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -1314,10 +1314,12 @@ int bind_interdomain_evtchn_to_irq_lateeoi(struct xenbus_device *dev, } EXPORT_SYMBOL_GPL(bind_interdomain_evtchn_to_irq_lateeoi); -static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn) +static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn, + bool percpu) { struct evtchn_status status; evtchn_port_t port; + bool exists = false; memset(&status, 0, sizeof(status)); for (port = 0; port < xen_evtchn_max_channels(); port++) { @@ -1330,12 +1332,16 @@ static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn) continue; if (status.status != EVTCHNSTAT_virq) continue; - if (status.u.virq == virq && status.vcpu == xen_vcpu_nr(cpu)) { + if (status.u.virq != virq) + continue; + if (status.vcpu == xen_vcpu_nr(cpu)) { *evtchn = port; return 0; + } else if (!percpu) { + exists = true; } } - return -ENOENT; + return exists ? -EEXIST : -ENOENT; } /** @@ -1382,8 +1388,11 @@ int bind_virq_to_irq(unsigned int virq, unsigned int cpu, bool percpu) evtchn = bind_virq.port; else { if (ret == -EEXIST) - ret = find_virq(virq, cpu, &evtchn); - BUG_ON(ret < 0); + ret = find_virq(virq, cpu, &evtchn, percpu); + if (ret) { + __unbind_from_irq(info, info->irq); + goto out; + } } ret = xen_irq_info_virq_setup(info, cpu, evtchn, virq);

2 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 29da8c823abffdacb71c7c07ec48fcf9eb38757c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101656-durable-outmost-5a6e@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 29da8c823abffdacb71c7c07ec48fcf9eb38757c Mon Sep 17 00:00:00 2001 From: Hou Wenlong <houwenlong.hwl(a)antgroup.com> Date: Tue, 23 Sep 2025 08:37:38 -0700 Subject: [PATCH] KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest Prior to running an SEV-ES guest, set TSC_AUX in the host save area to the current value in hardware, as tracked by the user return infrastructure, instead of always loading the host's desired value for the CPU. If the pCPU is also running a non-SEV-ES vCPU, loading the host's value on #VMEXIT could clobber the other vCPU's value, e.g. if the SEV-ES vCPU preempted the non-SEV-ES vCPU, in which case KVM expects the other vCPU's TSC_AUX value to be resident in hardware. Note, unlike TDX, which blindly _zeroes_ TSC_AUX on TD-Exit, SEV-ES CPUs can load an arbitrary value. Stuff the current value in the host save area instead of refreshing the user return cache so that KVM doesn't need to track whether or not the vCPU actually enterred the guest and thus loaded TSC_AUX from the host save area. Opportunistically tag tsc_aux_uret_slot as read-only after init to guard against unexpected modifications, and to make it obvious that using the variable in sev_es_prepare_switch_to_guest() is safe. Fixes: 916e3e5f26ab ("KVM: SVM: Do not use user return MSR support for virtualized TSC_AUX") Cc: stable(a)vger.kernel.org Suggested-by: Lai Jiangshan <jiangshan.ljs(a)antgroup.com> Signed-off-by: Hou Wenlong <houwenlong.hwl(a)antgroup.com> [sean: handle the SEV-ES case in sev_es_prepare_switch_to_guest()] Reviewed-by: Xiaoyao Li <xiaoyao.li(a)intel.com> Link: https://lore.kernel.org/r/20250923153738.1875174-3-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 019d920fe442..5529e4c3362b 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -4666,6 +4666,16 @@ void sev_es_prepare_switch_to_guest(struct vcpu_svm *svm, struct sev_es_save_are hostsa->dr2_addr_mask = amd_get_dr_addr_mask(2); hostsa->dr3_addr_mask = amd_get_dr_addr_mask(3); } + + /* + * TSC_AUX is always virtualized for SEV-ES guests when the feature is + * available, i.e. TSC_AUX is loaded on #VMEXIT from the host save area. + * Set the save area to the current hardware value, i.e. the current + * user return value, so that the correct value is restored on #VMEXIT. + */ + if (cpu_feature_enabled(X86_FEATURE_V_TSC_AUX) && + !WARN_ON_ONCE(tsc_aux_uret_slot < 0)) + hostsa->tsc_aux = kvm_get_user_return_msr(tsc_aux_uret_slot); } void sev_vcpu_deliver_sipi_vector(struct kvm_vcpu *vcpu, u8 vector) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index b237b4081c91..6f486fb82144 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -195,7 +195,7 @@ static DEFINE_MUTEX(vmcb_dump_mutex); * RDTSCP and RDPID are not used in the kernel, specifically to allow KVM to * defer the restoration of TSC_AUX until the CPU returns to userspace. */ -static int tsc_aux_uret_slot __read_mostly = -1; +int tsc_aux_uret_slot __ro_after_init = -1; static int get_npt_level(void) { @@ -577,18 +577,6 @@ static int svm_enable_virtualization_cpu(void) amd_pmu_enable_virt(); - /* - * If TSC_AUX virtualization is supported, TSC_AUX becomes a swap type - * "B" field (see sev_es_prepare_switch_to_guest()) for SEV-ES guests. - * Since Linux does not change the value of TSC_AUX once set, prime the - * TSC_AUX field now to avoid a RDMSR on every vCPU run. - */ - if (boot_cpu_has(X86_FEATURE_V_TSC_AUX)) { - u32 __maybe_unused msr_hi; - - rdmsr(MSR_TSC_AUX, sev_es_host_save_area(sd)->tsc_aux, msr_hi); - } - return 0; } @@ -1406,10 +1394,10 @@ static void svm_prepare_switch_to_guest(struct kvm_vcpu *vcpu) __svm_write_tsc_multiplier(vcpu->arch.tsc_scaling_ratio); /* - * TSC_AUX is always virtualized for SEV-ES guests when the feature is - * available. The user return MSR support is not required in this case - * because TSC_AUX is restored on #VMEXIT from the host save area - * (which has been initialized in svm_enable_virtualization_cpu()). + * TSC_AUX is always virtualized (context switched by hardware) for + * SEV-ES guests when the feature is available. For non-SEV-ES guests, + * context switch TSC_AUX via the user_return MSR infrastructure (not + * all CPUs support TSC_AUX virtualization). */ if (likely(tsc_aux_uret_slot >= 0) && (!boot_cpu_has(X86_FEATURE_V_TSC_AUX) || !sev_es_guest(vcpu->kvm))) @@ -3004,8 +2992,7 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) * TSC_AUX is always virtualized for SEV-ES guests when the * feature is available. The user return MSR support is not * required in this case because TSC_AUX is restored on #VMEXIT - * from the host save area (which has been initialized in - * svm_enable_virtualization_cpu()). + * from the host save area. */ if (boot_cpu_has(X86_FEATURE_V_TSC_AUX) && sev_es_guest(vcpu->kvm)) break; diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 10d5cbc259e1..ec3fb318ca83 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -52,6 +52,8 @@ extern bool x2avic_enabled; extern bool vnmi; extern int lbrv; +extern int tsc_aux_uret_slot __ro_after_init; + /* * Clean bits in VMCB. * VMCB_ALL_CLEAN_MASK might also need to

2 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] xen/events: Return -EEXIST for bound VIRQs" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 07ce121d93a5e5fb2440a24da3dbf408fcee978e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101657-dragonish-scarcity-3be3@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 07ce121d93a5e5fb2440a24da3dbf408fcee978e Mon Sep 17 00:00:00 2001 From: Jason Andryuk <jason.andryuk(a)amd.com> Date: Wed, 27 Aug 2025 20:36:02 -0400 Subject: [PATCH] xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propogate the error upwards. Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially when the current CPU is tracked. This now returns -EEXIST instead of BUG_ON(). A second call to bind a per-domain or global VIRQ is not expected, but make it non-fatal to avoid trying to look up the irq, since we don't know which per_cpu(virq_to_irq) it will be in. Cc: stable(a)vger.kernel.org Signed-off-by: Jason Andryuk <jason.andryuk(a)amd.com> Reviewed-by: Juergen Gross <jgross(a)suse.com> Signed-off-by: Juergen Gross <jgross(a)suse.com> Message-ID: <20250828003604.8949-3-jason.andryuk(a)amd.com> diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index 374231d84e4f..b060b5a95f45 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -1314,10 +1314,12 @@ int bind_interdomain_evtchn_to_irq_lateeoi(struct xenbus_device *dev, } EXPORT_SYMBOL_GPL(bind_interdomain_evtchn_to_irq_lateeoi); -static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn) +static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn, + bool percpu) { struct evtchn_status status; evtchn_port_t port; + bool exists = false; memset(&status, 0, sizeof(status)); for (port = 0; port < xen_evtchn_max_channels(); port++) { @@ -1330,12 +1332,16 @@ static int find_virq(unsigned int virq, unsigned int cpu, evtchn_port_t *evtchn) continue; if (status.status != EVTCHNSTAT_virq) continue; - if (status.u.virq == virq && status.vcpu == xen_vcpu_nr(cpu)) { + if (status.u.virq != virq) + continue; + if (status.vcpu == xen_vcpu_nr(cpu)) { *evtchn = port; return 0; + } else if (!percpu) { + exists = true; } } - return -ENOENT; + return exists ? -EEXIST : -ENOENT; } /** @@ -1382,8 +1388,11 @@ int bind_virq_to_irq(unsigned int virq, unsigned int cpu, bool percpu) evtchn = bind_virq.port; else { if (ret == -EEXIST) - ret = find_virq(virq, cpu, &evtchn); - BUG_ON(ret < 0); + ret = find_virq(virq, cpu, &evtchn, percpu); + if (ret) { + __unbind_from_irq(info, info->irq); + goto out; + } } ret = xen_irq_info_virq_setup(info, cpu, evtchn, virq);

2 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 29da8c823abffdacb71c7c07ec48fcf9eb38757c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101638-lively-electable-a835@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 29da8c823abffdacb71c7c07ec48fcf9eb38757c Mon Sep 17 00:00:00 2001 From: Hou Wenlong <houwenlong.hwl(a)antgroup.com> Date: Tue, 23 Sep 2025 08:37:38 -0700 Subject: [PATCH] KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES guest Prior to running an SEV-ES guest, set TSC_AUX in the host save area to the current value in hardware, as tracked by the user return infrastructure, instead of always loading the host's desired value for the CPU. If the pCPU is also running a non-SEV-ES vCPU, loading the host's value on #VMEXIT could clobber the other vCPU's value, e.g. if the SEV-ES vCPU preempted the non-SEV-ES vCPU, in which case KVM expects the other vCPU's TSC_AUX value to be resident in hardware. Note, unlike TDX, which blindly _zeroes_ TSC_AUX on TD-Exit, SEV-ES CPUs can load an arbitrary value. Stuff the current value in the host save area instead of refreshing the user return cache so that KVM doesn't need to track whether or not the vCPU actually enterred the guest and thus loaded TSC_AUX from the host save area. Opportunistically tag tsc_aux_uret_slot as read-only after init to guard against unexpected modifications, and to make it obvious that using the variable in sev_es_prepare_switch_to_guest() is safe. Fixes: 916e3e5f26ab ("KVM: SVM: Do not use user return MSR support for virtualized TSC_AUX") Cc: stable(a)vger.kernel.org Suggested-by: Lai Jiangshan <jiangshan.ljs(a)antgroup.com> Signed-off-by: Hou Wenlong <houwenlong.hwl(a)antgroup.com> [sean: handle the SEV-ES case in sev_es_prepare_switch_to_guest()] Reviewed-by: Xiaoyao Li <xiaoyao.li(a)intel.com> Link: https://lore.kernel.org/r/20250923153738.1875174-3-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c index 019d920fe442..5529e4c3362b 100644 --- a/arch/x86/kvm/svm/sev.c +++ b/arch/x86/kvm/svm/sev.c @@ -4666,6 +4666,16 @@ void sev_es_prepare_switch_to_guest(struct vcpu_svm *svm, struct sev_es_save_are hostsa->dr2_addr_mask = amd_get_dr_addr_mask(2); hostsa->dr3_addr_mask = amd_get_dr_addr_mask(3); } + + /* + * TSC_AUX is always virtualized for SEV-ES guests when the feature is + * available, i.e. TSC_AUX is loaded on #VMEXIT from the host save area. + * Set the save area to the current hardware value, i.e. the current + * user return value, so that the correct value is restored on #VMEXIT. + */ + if (cpu_feature_enabled(X86_FEATURE_V_TSC_AUX) && + !WARN_ON_ONCE(tsc_aux_uret_slot < 0)) + hostsa->tsc_aux = kvm_get_user_return_msr(tsc_aux_uret_slot); } void sev_vcpu_deliver_sipi_vector(struct kvm_vcpu *vcpu, u8 vector) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index b237b4081c91..6f486fb82144 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -195,7 +195,7 @@ static DEFINE_MUTEX(vmcb_dump_mutex); * RDTSCP and RDPID are not used in the kernel, specifically to allow KVM to * defer the restoration of TSC_AUX until the CPU returns to userspace. */ -static int tsc_aux_uret_slot __read_mostly = -1; +int tsc_aux_uret_slot __ro_after_init = -1; static int get_npt_level(void) { @@ -577,18 +577,6 @@ static int svm_enable_virtualization_cpu(void) amd_pmu_enable_virt(); - /* - * If TSC_AUX virtualization is supported, TSC_AUX becomes a swap type - * "B" field (see sev_es_prepare_switch_to_guest()) for SEV-ES guests. - * Since Linux does not change the value of TSC_AUX once set, prime the - * TSC_AUX field now to avoid a RDMSR on every vCPU run. - */ - if (boot_cpu_has(X86_FEATURE_V_TSC_AUX)) { - u32 __maybe_unused msr_hi; - - rdmsr(MSR_TSC_AUX, sev_es_host_save_area(sd)->tsc_aux, msr_hi); - } - return 0; } @@ -1406,10 +1394,10 @@ static void svm_prepare_switch_to_guest(struct kvm_vcpu *vcpu) __svm_write_tsc_multiplier(vcpu->arch.tsc_scaling_ratio); /* - * TSC_AUX is always virtualized for SEV-ES guests when the feature is - * available. The user return MSR support is not required in this case - * because TSC_AUX is restored on #VMEXIT from the host save area - * (which has been initialized in svm_enable_virtualization_cpu()). + * TSC_AUX is always virtualized (context switched by hardware) for + * SEV-ES guests when the feature is available. For non-SEV-ES guests, + * context switch TSC_AUX via the user_return MSR infrastructure (not + * all CPUs support TSC_AUX virtualization). */ if (likely(tsc_aux_uret_slot >= 0) && (!boot_cpu_has(X86_FEATURE_V_TSC_AUX) || !sev_es_guest(vcpu->kvm))) @@ -3004,8 +2992,7 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr) * TSC_AUX is always virtualized for SEV-ES guests when the * feature is available. The user return MSR support is not * required in this case because TSC_AUX is restored on #VMEXIT - * from the host save area (which has been initialized in - * svm_enable_virtualization_cpu()). + * from the host save area. */ if (boot_cpu_has(X86_FEATURE_V_TSC_AUX) && sev_es_guest(vcpu->kvm)) break; diff --git a/arch/x86/kvm/svm/svm.h b/arch/x86/kvm/svm/svm.h index 10d5cbc259e1..ec3fb318ca83 100644 --- a/arch/x86/kvm/svm/svm.h +++ b/arch/x86/kvm/svm/svm.h @@ -52,6 +52,8 @@ extern bool x2avic_enabled; extern bool vnmi; extern int lbrv; +extern int tsc_aux_uret_slot __ro_after_init; + /* * Clean bits in VMCB. * VMCB_ALL_CLEAN_MASK might also need to

2 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] arm64: kprobes: call set_memory_rox() for kprobe page" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 195a1b7d8388c0ec2969a39324feb8bebf9bb907 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101631-croon-serving-8366@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 195a1b7d8388c0ec2969a39324feb8bebf9bb907 Mon Sep 17 00:00:00 2001 From: Yang Shi <yang(a)os.amperecomputing.com> Date: Thu, 18 Sep 2025 09:23:49 -0700 Subject: [PATCH] arm64: kprobes: call set_memory_rox() for kprobe page The kprobe page is allocated by execmem allocator with ROX permission. It needs to call set_memory_rox() to set proper permission for the direct map too. It was missed. Fixes: 10d5e97c1bf8 ("arm64: use PAGE_KERNEL_ROX directly in alloc_insn_page") Cc: <stable(a)vger.kernel.org> Signed-off-by: Yang Shi <yang(a)os.amperecomputing.com> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/probes/kprobes.c b/arch/arm64/kernel/probes/kprobes.c index 0c5d408afd95..8ab6104a4883 100644 --- a/arch/arm64/kernel/probes/kprobes.c +++ b/arch/arm64/kernel/probes/kprobes.c @@ -10,6 +10,7 @@ #define pr_fmt(fmt) "kprobes: " fmt +#include <linux/execmem.h> #include <linux/extable.h> #include <linux/kasan.h> #include <linux/kernel.h> @@ -41,6 +42,17 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); static void __kprobes post_kprobe_handler(struct kprobe *, struct kprobe_ctlblk *, struct pt_regs *); +void *alloc_insn_page(void) +{ + void *addr; + + addr = execmem_alloc(EXECMEM_KPROBES, PAGE_SIZE); + if (!addr) + return NULL; + set_memory_rox((unsigned long)addr, 1); + return addr; +} + static void __kprobes arch_prepare_ss_slot(struct kprobe *p) { kprobe_opcode_t *addr = p->ainsn.xol_insn;

2 weeks, 6 days

1
0
0 0

[PATCH 6.12.y] KVM: x86: Advertise SRSO_USER_KERNEL_NO to userspace

by Harshit Mogalapalli

From: "Borislav Petkov (AMD)" <bp(a)alien8.de> [ Upstream commit 716f86b523d8ec3c17015ee0b03135c7aa6f2f08 ] SRSO_USER_KERNEL_NO denotes whether the CPU is affected by SRSO across user/kernel boundaries. Advertise it to guest userspace. Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Nikolay Borisov <nik.borisov(a)suse.com> Link: https://lore.kernel.org/r/20241202120416.6054-3-bp@kernel.org Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> --- Boris Ostrovsky suggested that we backport this commit to 6.12.y as we have commit: 6f0f23ef76be ("KVM: x86: Add IBPB_BRTYPE support") in 6.12.y Hi borislav: Can you please ACK before stable maintainers pick this ? --- arch/x86/kvm/cpuid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 8f587c5bb6bc..a7a1486ce270 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -816,7 +816,7 @@ void kvm_set_cpu_caps(void) F(NO_NESTED_DATA_BP) | F(LFENCE_RDTSC) | 0 /* SmmPgCfgLock */ | F(VERW_CLEAR) | F(NULL_SEL_CLR_BASE) | F(AUTOIBRS) | 0 /* PrefetchCtlMsr */ | - F(WRMSR_XX_BASE_NS) + F(WRMSR_XX_BASE_NS) | F(SRSO_USER_KERNEL_NO) ); kvm_cpu_cap_check_and_set(X86_FEATURE_SBPB); -- 2.50.1

2 weeks, 6 days

1
0
0 0

New October Order. 41380 Thursday, October 16, 2025 at 05:19:56 AM

by Purchase - PathnSitu 686

Hi Stable, Please provide a quote for your products: Include: 1.Pricing (per unit) 2.Delivery cost & timeline 3.Quote expiry date Deadline: October Thanks! Danny Peddinti PathnSitu Trading

2 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] rseq: Protect event mask against membarrier IPI" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 6eb350a2233100a283f882c023e5ad426d0ed63b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101555-glimpse-gauntlet-5c2a@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6eb350a2233100a283f882c023e5ad426d0ed63b Mon Sep 17 00:00:00 2001 From: Thomas Gleixner <tglx(a)linutronix.de> Date: Wed, 13 Aug 2025 17:02:30 +0200 Subject: [PATCH] rseq: Protect event mask against membarrier IPI rseq_need_restart() reads and clears task::rseq_event_mask with preemption disabled to guard against the scheduler. But membarrier() uses an IPI and sets the PREEMPT bit in the event mask from the IPI, which leaves that RMW operation unprotected. Use guard(irq) if CONFIG_MEMBARRIER is enabled to fix that. Fixes: 2a36ab717e8f ("rseq/membarrier: Add MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ") Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Boqun Feng <boqun.feng(a)gmail.com> Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: stable(a)vger.kernel.org diff --git a/include/linux/rseq.h b/include/linux/rseq.h index bc8af3eb5598..1fbeb61babeb 100644 --- a/include/linux/rseq.h +++ b/include/linux/rseq.h @@ -7,6 +7,12 @@ #include <linux/preempt.h> #include <linux/sched.h> +#ifdef CONFIG_MEMBARRIER +# define RSEQ_EVENT_GUARD irq +#else +# define RSEQ_EVENT_GUARD preempt +#endif + /* * Map the event mask on the user-space ABI enum rseq_cs_flags * for direct mask checks. @@ -41,9 +47,8 @@ static inline void rseq_handle_notify_resume(struct ksignal *ksig, static inline void rseq_signal_deliver(struct ksignal *ksig, struct pt_regs *regs) { - preempt_disable(); - __set_bit(RSEQ_EVENT_SIGNAL_BIT, &current->rseq_event_mask); - preempt_enable(); + scoped_guard(RSEQ_EVENT_GUARD) + __set_bit(RSEQ_EVENT_SIGNAL_BIT, &current->rseq_event_mask); rseq_handle_notify_resume(ksig, regs); } diff --git a/kernel/rseq.c b/kernel/rseq.c index b7a1ec327e81..2452b7366b00 100644 --- a/kernel/rseq.c +++ b/kernel/rseq.c @@ -342,12 +342,12 @@ static int rseq_need_restart(struct task_struct *t, u32 cs_flags) /* * Load and clear event mask atomically with respect to - * scheduler preemption. + * scheduler preemption and membarrier IPIs. */ - preempt_disable(); - event_mask = t->rseq_event_mask; - t->rseq_event_mask = 0; - preempt_enable(); + scoped_guard(RSEQ_EVENT_GUARD) { + event_mask = t->rseq_event_mask; + t->rseq_event_mask = 0; + } return !!event_mask; }

2 weeks, 6 days

2
1
0 0

[PATCH net 01/10] can: gs_usb: increase max interface to U8_MAX

by Marc Kleine-Budde

From: Celeste Liu <uwu(a)coelacanthus.name> This issue was found by Runcheng Lu when develop HSCanT USB to CAN FD converter[1]. The original developers may have only 3 interfaces device to test so they write 3 here and wait for future change. During the HSCanT development, we actually used 4 interfaces, so the limitation of 3 is not enough now. But just increase one is not future-proofed. Since the channel index type in gs_host_frame is u8, just make canch[] become a flexible array with a u8 index, so it naturally constraint by U8_MAX and avoid statically allocate 256 pointer for every gs_usb device. [1]: https://github.com/cherry-embedded/HSCanT-hardware Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Reported-by: Runcheng Lu <runcheng.lu(a)hpmicro.com> Cc: stable(a)vger.kernel.org Reviewed-by: Vincent Mailhol <mailhol(a)kernel.org> Signed-off-by: Celeste Liu <uwu(a)coelacanthus.name> Link: https://patch.msgid.link/20250930-gs-usb-max-if-v5-1-863330bf6666@coelacant… Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/usb/gs_usb.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index c9482d6e947b..9fb4cbbd6d6d 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -289,11 +289,6 @@ struct gs_host_frame { #define GS_MAX_RX_URBS 30 #define GS_NAPI_WEIGHT 32 -/* Maximum number of interfaces the driver supports per device. - * Current hardware only supports 3 interfaces. The future may vary. - */ -#define GS_MAX_INTF 3 - struct gs_tx_context { struct gs_can *dev; unsigned int echo_id; @@ -324,7 +319,6 @@ struct gs_can { /* usb interface struct */ struct gs_usb { - struct gs_can *canch[GS_MAX_INTF]; struct usb_anchor rx_submitted; struct usb_device *udev; @@ -336,9 +330,11 @@ struct gs_usb { unsigned int hf_size_rx; u8 active_channels; + u8 channel_cnt; unsigned int pipe_in; unsigned int pipe_out; + struct gs_can *canch[] __counted_by(channel_cnt); }; /* 'allocate' a tx context. @@ -599,7 +595,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) } /* device reports out of range channel id */ - if (hf->channel >= GS_MAX_INTF) + if (hf->channel >= parent->channel_cnt) goto device_detach; dev = parent->canch[hf->channel]; @@ -699,7 +695,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) /* USB failure take down all interfaces */ if (rc == -ENODEV) { device_detach: - for (rc = 0; rc < GS_MAX_INTF; rc++) { + for (rc = 0; rc < parent->channel_cnt; rc++) { if (parent->canch[rc]) netif_device_detach(parent->canch[rc]->netdev); } @@ -1460,17 +1456,19 @@ static int gs_usb_probe(struct usb_interface *intf, icount = dconf.icount + 1; dev_info(&intf->dev, "Configuring for %u interfaces\n", icount); - if (icount > GS_MAX_INTF) { + if (icount > type_max(parent->channel_cnt)) { dev_err(&intf->dev, "Driver cannot handle more that %u CAN interfaces\n", - GS_MAX_INTF); + type_max(parent->channel_cnt)); return -EINVAL; } - parent = kzalloc(sizeof(*parent), GFP_KERNEL); + parent = kzalloc(struct_size(parent, canch, icount), GFP_KERNEL); if (!parent) return -ENOMEM; + parent->channel_cnt = icount; + init_usb_anchor(&parent->rx_submitted); usb_set_intfdata(intf, parent); @@ -1531,7 +1529,7 @@ static void gs_usb_disconnect(struct usb_interface *intf) return; } - for (i = 0; i < GS_MAX_INTF; i++) + for (i = 0; i < parent->channel_cnt; i++) if (parent->canch[i]) gs_destroy_candev(parent->canch[i]); base-commit: 2c95a756e0cfc19af6d0b32b0c6cf3bada334998 -- 2.51.0

2 weeks, 6 days

2
1
0 0

[PATCH net v3] r8152: add error handling in rtl8152_driver_init

by yicongsrfy＠163.com

From: Yi Cong <yicong(a)kylinos.cn> rtl8152_driver_init missing error handling. If cannot register rtl8152_driver, rtl8152_cfgselector_driver should be deregistered. Fixes: ec51fbd1b8a2 ("r8152: add USB device driver for config selection") Cc: stable(a)vger.kernel.org Signed-off-by: Yi Cong <yicong(a)kylinos.cn> Reviewed-by: Simon Horman <horms(a)kernel.org> --- v2: replacing return 0 with return ret and adding Cc stable v3: delete the redundant return ret --- drivers/net/usb/r8152.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c index 44cba7acfe7d..a22d4bb2cf3b 100644 --- a/drivers/net/usb/r8152.c +++ b/drivers/net/usb/r8152.c @@ -10122,7 +10122,12 @@ static int __init rtl8152_driver_init(void) ret = usb_register_device_driver(&rtl8152_cfgselector_driver, THIS_MODULE); if (ret) return ret; - return usb_register(&rtl8152_driver); + + ret = usb_register(&rtl8152_driver); + if (ret) + usb_deregister_device_driver(&rtl8152_cfgselector_driver); + + return ret; } static void __exit rtl8152_driver_exit(void) -- 2.25.1

2 weeks, 6 days

2
1
0 0

[PATCH 6.1 000/196] 6.1.156-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.156 release. There are 196 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 15 Oct 2025 14:42:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.156-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.156-rc1 K Prateek Nayak <kprateek.nayak(a)amd.com> drivers: base: cacheinfo: Update cpu_map_populated during CPU Hotplug Yicong Yang <yangyicong(a)hisilicon.com> cacheinfo: Fix LLC is not exported through sysfs Pierre Gondois <pierre.gondois(a)arm.com> cacheinfo: Initialize variables in fetch_cache_info() Miaoqian Lin <linmq006(a)gmail.com> usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call Sven Peter <sven(a)kernel.org> usb: typec: tipd: Clear interrupts first Oleksij Rempel <linux(a)rempel-privat.de> net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Salah Triki <salah.triki(a)gmail.com> bus: fsl-mc: Check return value of platform_get_resource() Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: check the return value of pinmux_ops::get_function_name() Zhen Ni <zhen.ni(a)easystack.cn> Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Marek Vasut <marek.vasut(a)mailbox.org> Input: atmel_mxt_ts - allow reset GPIO to sleep Ling Xu <quic_lxu5(a)quicinc.com> misc: fastrpc: Skip reference for DMA handles Ling Xu <quic_lxu5(a)quicinc.com> misc: fastrpc: fix possible map leak in fastrpc_put_args Ling Xu <quic_lxu5(a)quicinc.com> misc: fastrpc: Fix fastrpc_map_lookup operation Guangshuo Li <lgs201920130244(a)gmail.com> nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() Yang Shi <yang(a)os.amperecomputing.com> mm: hugetlb: avoid soft lockup when mprotect to large memory area Jan Kara <jack(a)suse.cz> ext4: fix checks for orphan inodes Matvey Kovalev <matvey.kovalev(a)ispras.ru> ksmbd: fix error code overwriting in smb2_get_info_filesystem() Zheng Qixing <zhengqixing(a)huawei.com> dm: fix NULL pointer dereference in __dm_suspend() Zheng Qixing <zhengqixing(a)huawei.com> dm: fix queue start/stop imbalance under suspend/load/resume races Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() Deepak Sharma <deepak.sharma.472935(a)gmail.com> net: nfc: nci: Add parameter validation for packet data Larshin Sergey <Sergey.Larshin(a)kaspersky.com> fs: udf: fix OOB read in lengthAllocDescs handling Naman Jain <namjain(a)linux.microsoft.com> uio_hv_generic: Let userspace take care of interrupt mask Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: fix uninit-value in squashfs_get_parent zhang jiao <zhangjiao2(a)cmss.chinamobile.com> vhost: vringh: Modify the return value check Jakub Kicinski <kuba(a)kernel.org> Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: fw reset, add reset timeout work Shay Drory <shayd(a)nvidia.com> net/mlx5: pagealloc: Fix reclaim race during command interface teardown Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: Stop polling for command response if interface goes down Yeounsu Moon <yyyynoom(a)gmail.com> net: dlink: handle copy_thresh allocation failure Kohei Enju <enjuk(a)amazon.com> net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable Kohei Enju <enjuk(a)amazon.com> nfp: fix RSS hash key size when RSS is not supported Erick Karanja <karanja99erick(a)gmail.com> mtd: rawnand: atmel: Fix error handling path in atmel_nand_controller_add_nands Donet Tom <donettom(a)linux.ibm.com> drivers/base/node: fix double free in register_one_node() Dan Carpenter <dan.carpenter(a)linaro.org> ocfs2: fix double free in user_cluster_connect() Nishanth Menon <nm(a)ti.com> hwrng: ks-sa - fix division by zero in ks_sa_rng_init Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements Pauli Virtanen <pav(a)iki.fi> Bluetooth: ISO: don't leak skb in ISO_CONT RX Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix possible UAF on iso_conn_free Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO Michael S. Tsirkin <mst(a)redhat.com> vhost: vringh: Fix copy_to_iter return value check I Viswanath <viswanathiyyappan(a)gmail.com> net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast Bernard Metzler <bernard.metzler(a)linux.dev> RDMA/siw: Always report immediate post SQ errors Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> usb: vhci-hcd: Prevent suspending virtually attached devices Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Slavin Liu <slavin452(a)gmail.com> ipvs: Defer ip_vs_ftp unregister during netns cleanup Anthony Iliopoulos <ailiop(a)suse.com> NFSv4.1: fix backchannel max_resp_sz verification check Leo Yan <leo.yan(a)arm.com> coresight: trbe: Return NULL pointer for allocation failures Yuanfang Zhang <yuanfang.zhang(a)oss.qualcomm.com> coresight-etm4x: Conditionally access register TRCEXTINSELR Stephan Gerhold <stephan.gerhold(a)linaro.org> remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice Nagarjuna Kristam <nkristam(a)nvidia.com> PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() Fedor Pchelkin <pchelkin(a)ispras.ru> wifi: rtw89: avoid circular locking dependency in ser_state_run() Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_to_user for Niagara 4 Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC Aditya Kumar Singh <aditya.kumar.singh(a)oss.qualcomm.com> wifi: mac80211: fix Rx packet handling when pubsta information is not available Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> wifi: ath10k: avoid unnecessary wait for service ready message Bagas Sanjaya <bagasdotme(a)gmail.com> Documentation: trace: historgram-design: Separate sched_waking histogram section heading and the following diagram Vlad Dumitrescu <vdumitrescu(a)nvidia.com> IB/sa: Fix sa_local_svc_timeout_ms read race Parav Pandit <parav(a)nvidia.com> RDMA/core: Resolve MAC of next-hop device without ARP support Michal Pecio <michal.pecio(a)gmail.com> Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" wangzijie <wangzijie1(a)honor.com> f2fs: fix zero-sized extent for precache extents Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: qla2xxx: edif: Fix incorrect sign of error code Colin Ian King <colin.i.king(a)gmail.com> ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: mt76: fix potential memory leak in mt76_wmac_probe() Håkon Bugge <haakon.bugge(a)oracle.com> RDMA/cm: Rate limit destroy CM ID timeout error message Donet Tom <donettom(a)linux.ibm.com> drivers/base/node: handle error properly in register_one_node() Christophe Leroy <christophe.leroy(a)csgroup.eu> watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Zhen Ni <zhen.ni(a)easystack.cn> netfilter: ipset: Remove unused htable_bits in macro ahash_region Hans de Goede <hansg(a)kernel.org> iio: consumers: Fix offset handling in iio_convert_raw_to_processed() Vitaly Grigoryev <Vitaly.Grigoryev(a)kaspersky.com> fs: ntfs3: Fix integer overflow in run_unpack() Qianfeng Rong <rongqianfeng(a)vivo.com> drm/msm/dpu: fix incorrect type for ret Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping Wang Liang <wangliang74(a)huawei.com> pps: fix warning in pps_register_cdev when register device fail Colin Ian King <colin.i.king(a)gmail.com> misc: genwqe: Fix incorrect cmd field being reported in error William Wu <william.wu(a)rock-chips.com> usb: gadget: configfs: Correctly set use_os_string at bind Xichao Zhao <zhao.xichao(a)vivo.com> usb: phy: twl6030: Fix incorrect type for ret Qianfeng Rong <rongqianfeng(a)vivo.com> drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() Eric Dumazet <edumazet(a)google.com> tcp: fix __tcp_close() to only send RST when required Alok Tiwari <alok.a.tiwari(a)oracle.com> PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation Stefan Kerkmann <s.kerkmann(a)pengutronix.de> wifi: mwifiex: send world regulatory domain to driver Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Adjust si_upload_smc_data register programming (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Fix si_upload_smc_data (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable ULV even if unsupported (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amdgpu: Power up UVD 3 for FW validation (v2) Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon - re-enable address prefetch after device resuming Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/zip - remove unnecessary validation for high-performance mode configurations Arnd Bergmann <arnd(a)arndb.de> media: st-delta: avoid excessive stack usage Qianfeng Rong <rongqianfeng(a)vivo.com> ALSA: lx_core: use int type to store negative error codes Zhang Shurong <zhang_shurong(a)foxmail.com> media: rj54n1cb0c: Fix memleak in rj54n1_probe() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: myrs: Fix dma_alloc_coherent() error check Niklas Cassel <cassel(a)kernel.org> scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Arnd Bergmann <arnd(a)arndb.de> hwrng: nomadik - add ARM_AMBA dependency Liao Yuanhong <liaoyuanhong(a)vivo.com> drm/amd/display: Remove redundant semicolons Dan Carpenter <dan.carpenter(a)linaro.org> serial: max310x: Add error checking in probe() Dan Carpenter <dan.carpenter(a)linaro.org> usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup Brahmajit Das <listout(a)listout.xyz> drm/radeon/r600_cs: clean up of dead code in r600_cs Brigham Campbell <me(a)brighamcampbell.com> drm/panel: novatek-nt35560: Fix invalid return value Daniel Borkmann <daniel(a)iogearbox.net> bpf: Enforce expected_attach_type for tailcall compatibility Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> i2c: designware: Add disabling clocks when probe fails Leilk.Liu <leilk.liu(a)mediatek.com> i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> thermal/drivers/qcom/lmh: Add missing IRQ includes Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> thermal/drivers/qcom: Make LMH select QCOM_SCM Vadim Pasternak <vadimp(a)nvidia.com> hwmon: (mlxreg-fan) Separate methods of fan setting coming from different subsystems Zhouyi Zhou <zhouzhouyi(a)gmail.com> tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host headers Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> smp: Fix up and expand the smp_call_function_many() kerneldoc Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Explicitly check accesses to bpf_sock_addr Akhilesh Patil <akhilesh(a)ee.iitb.ac.in> selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported Stanley Chu <stanley.chuys(a)gmail.com> i3c: master: svc: Recycle unused IBI slot Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Use manual response for IBI events Daniel Wagner <wagi(a)kernel.org> nvmet-fc: move lsop put work to nvmet_fc_ls_req_op Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: tiehrpwm: Fix corner case in clock divisor calculation AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible Johan Hovold <johan(a)kernel.org> cpuidle: qcom-spm: fix device and OF node leaks at probe Johan Hovold <johan(a)kernel.org> firmware: firmware: meson-sm: fix compile-test default Eric Dumazet <edumazet(a)google.com> nbd: restrict sockets to TCP and UDP Genjian Zhang <zhanggenjian(a)kylinos.cn> null_blk: Fix the description of the cache_size module argument Qianfeng Rong <rongqianfeng(a)vivo.com> pinctrl: renesas: Use int type to store negative error codes Andy Yan <andyshrk(a)163.com> power: supply: cw2015: Fix a alignment coding style issue Dan Carpenter <dan.carpenter(a)linaro.org> PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: core: Clear power.must_resume in noirq suspend error path Qianfeng Rong <rongqianfeng(a)vivo.com> block: use int to store blk_stack_limits() return value Qianfeng Rong <rongqianfeng(a)vivo.com> regulator: scmi: Use int type to store negative error codes Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: at91: pm: fix MCKx restore routine Li Nan <linan122(a)huawei.com> blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Da Xue <da(a)libre.computer> pinctrl: meson-gxl: add missing i2c_d pinmux Sneh Mankad <sneh.mankad(a)oss.qualcomm.com> soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Huisong Li <lihuisong(a)huawei.com> ACPI: processor: idle: Fix memory leak when register cpuidle device failed Florian Fainelli <florian.fainelli(a)broadcom.com> cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus() Yureka Lilian <yuka(a)yuka.dev> libbpf: Fix reuse of DEVMAP Tao Chen <chen.dylane(a)linux.dev> bpf: Remove migrate_disable in kprobe_multi_link_prog_run Matt Bobrowski <mattbobrowski(a)google.com> bpf/selftests: Fix test_tcpnotify_user Geert Uytterhoeven <geert+renesas(a)glider.be> regmap: Remove superfluous check for !config in __regmap_init() Biju Das <biju.das.jz(a)bp.renesas.com> arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0 Uros Bizjak <ubizjak(a)gmail.com> x86/vdso: Fix output operand size of RDPID Stefan Metzmacher <metze(a)samba.org> smb: server: fix IRD/ORD negotiation with the client Leo Yan <leo.yan(a)arm.com> perf: arm_spe: Prevent overflow in PERF_IDX2OFF() Leo Yan <leo.yan(a)arm.com> coresight: trbe: Prevent overflow in PERF_IDX2OFF() Bala-Vignesh-Reddy <reddybalavignesh9979(a)gmail.com> selftests: arm64: Check fread return value in exec_target Johannes Nixdorf <johannes(a)nixdorf.dev> seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast Geert Uytterhoeven <geert+renesas(a)glider.be> init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD Jeff Layton <jlayton(a)kernel.org> filelock: add FL_RECLAIM to show_fl_flags() macro Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> net/9p: fix double req put in p9_fd_cancelled Herbert Xu <herbert(a)gondor.apana.org.au> crypto: rng - Ensure set_ent is always present Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> driver core/PM: Set power.no_callbacks along with power.no_pm Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: flush RX FIFO on read errors Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: fix TX handling on copy_from_user() failure Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> staging: axis-fifo: fix maximum TX packet length check Raphael Gallais-Pou <raphael.gallais-pou(a)foss.st.com> serial: stm32: allow selecting console when the driver is module Arnaud Lecomte <contact(a)arnaud-lcm.com> hid: fix I2C read buffer overflow in raw_event() for mcp2221 Duy Nguyen <duy.nguyen.rh(a)renesas.com> can: rcar_canfd: Fix controller mode setting Chen Yufeng <chenyufeng(a)iie.ac.cn> can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled David Sterba <dsterba(a)suse.com> btrfs: ref-verify: handle damaged extent root tree Jack Yu <jack.yu(a)realtek.com> ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue hupu <hupu.gm(a)gmail.com> perf subcmd: avoid crash in exclude_cmds when excludes is empty Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: limit MAX_TAG_SIZE to 255 Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 Xiaowei Li <xiaowei.li(a)simcom.com> USB: serial: option: add SIMCom 8230C compositions David Laight <David.Laight(a)ACULAB.COM> minmax.h: remove some #defines that are only expanded once David Laight <David.Laight(a)ACULAB.COM> minmax.h: simplify the variants of clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: move all the clamp() definitions after the min/max() ones David Laight <David.Laight(a)ACULAB.COM> minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: reduce the #define expansion of min(), max() and clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: update some comments David Laight <David.Laight(a)ACULAB.COM> minmax.h: add whitespace around operators and after commas Linus Torvalds <torvalds(a)linux-foundation.org> minmax: fix up min3() and max3() too Linus Torvalds <torvalds(a)linux-foundation.org> minmax: improve macro expansion and type checking Linus Torvalds <torvalds(a)linux-foundation.org> minmax: simplify min()/max()/clamp() implementation Linus Torvalds <torvalds(a)linux-foundation.org> minmax: don't use max() in situations that want a C constant expression Duoming Zhou <duoming(a)zju.edu.cn> media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe Duoming Zhou <duoming(a)zju.edu.cn> media: tuner: xc5000: Fix use-after-free in xc5000_release Ricardo Ribalda <ribalda(a)chromium.org> media: tunner: xc5000: Refactor firmware load Will Deacon <will(a)kernel.org> KVM: arm64: Fix softirq masking in FPSIMD register saving sequence Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> ASoC: qcom: audioreach: fix potential null pointer dereference Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Larshin Sergey <Sergey.Larshin(a)kaspersky.com> media: rc: fix races with imon_disconnect() Duoming Zhou <duoming(a)zju.edu.cn> media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove Wang Haoran <haoranwangsec(a)gmail.com> scsi: target: target_core_configfs: Add length check to avoid buffer overflow Kees Cook <kees(a)kernel.org> gcc-plugins: Remove TODO_verify_il for GCC >= 16 Pierre Gondois <pierre.gondois(a)arm.com> arch_topology: Build cacheinfo from primary CPU Pierre Gondois <pierre.gondois(a)arm.com> ACPI: PPTT: Update acpi_find_last_cache_level() to acpi_get_cache_info() Pierre Gondois <pierre.gondois(a)arm.com> ACPI: PPTT: Remove acpi_find_cache_levels() Pierre Gondois <pierre.gondois(a)arm.com> cacheinfo: Check 'cache-unified' property to count cache leaves Pierre Gondois <pierre.gondois(a)arm.com> cacheinfo: Return error code in init_of_cache_level() Pierre Gondois <pierre.gondois(a)arm.com> cacheinfo: Use RISC-V's init_cache_level() as generic OF implementation Kenta Akagi <k(a)mgml.me> selftests: mptcp: connect: fix build regression caused by backport Breno Leitao <leitao(a)debian.org> crypto: sha256 - fix crash at kexec ------------- Diffstat: Documentation/trace/histogram-design.rst | 4 +- Makefile | 4 +- arch/arm/mach-at91/pm_suspend.S | 4 +- arch/arm64/boot/dts/mediatek/mt8516-pumpkin.dts | 2 +- arch/arm64/boot/dts/renesas/rzg2lc-smarc.dtsi | 5 +- arch/arm64/kernel/cacheinfo.c | 11 +- arch/arm64/kernel/fpsimd.c | 8 +- arch/riscv/kernel/cacheinfo.c | 42 ---- arch/sparc/lib/M7memcpy.S | 20 +- arch/sparc/lib/Memcpy_utils.S | 9 + arch/sparc/lib/NG4memcpy.S | 2 +- arch/sparc/lib/NGmemcpy.S | 29 ++- arch/sparc/lib/U1memcpy.S | 19 +- arch/sparc/lib/U3memcpy.S | 2 +- arch/x86/include/asm/segment.h | 8 +- block/blk-mq-sysfs.c | 6 +- block/blk-settings.c | 3 +- crypto/rng.c | 8 + drivers/acpi/nfit/core.c | 2 +- drivers/acpi/pptt.c | 93 ++++---- drivers/acpi/processor_idle.c | 3 + drivers/base/arch_topology.c | 12 +- drivers/base/cacheinfo.c | 168 ++++++++++++--- drivers/base/node.c | 4 + drivers/base/power/main.c | 14 +- drivers/base/regmap/regmap.c | 2 +- drivers/block/nbd.c | 8 + drivers/block/null_blk/main.c | 2 +- drivers/bus/fsl-mc/fsl-mc-bus.c | 3 + drivers/char/hw_random/Kconfig | 1 + drivers/char/hw_random/ks-sa-rng.c | 4 + drivers/cpufreq/scmi-cpufreq.c | 10 + drivers/cpuidle/cpuidle-qcom-spm.c | 7 +- drivers/crypto/hisilicon/debugfs.c | 1 + drivers/crypto/hisilicon/hpre/hpre_main.c | 3 +- drivers/crypto/hisilicon/qm.c | 3 - drivers/crypto/hisilicon/sec2/sec_main.c | 80 +++---- drivers/crypto/hisilicon/zip/zip_main.c | 17 +- drivers/devfreq/mtk-cci-devfreq.c | 3 +- drivers/firmware/meson/Kconfig | 2 +- drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 29 ++- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 +- .../display/dc/dml/dcn32/display_rq_dlg_calc_32.c | 1 - drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 7 + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 92 +++++--- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 2 +- drivers/gpu/drm/panel/panel-novatek-nt35560.c | 2 +- drivers/gpu/drm/radeon/r600_cs.c | 4 +- drivers/hid/hid-mcp2221.c | 4 + drivers/hwmon/mlxreg-fan.c | 24 ++- drivers/hwtracing/coresight/coresight-etm4x-core.c | 11 +- drivers/hwtracing/coresight/coresight-etm4x.h | 2 + drivers/hwtracing/coresight/coresight-trbe.c | 9 +- drivers/i2c/busses/i2c-designware-platdrv.c | 1 + drivers/i2c/busses/i2c-mt65xx.c | 17 +- drivers/i3c/master/svc-i3c-master.c | 31 ++- drivers/iio/inkern.c | 2 +- drivers/infiniband/core/addr.c | 10 +- drivers/infiniband/core/cm.c | 4 +- drivers/infiniband/core/sa_query.c | 6 +- drivers/infiniband/sw/siw/siw_verbs.c | 25 ++- drivers/input/misc/uinput.c | 1 + drivers/input/touchscreen/atmel_mxt_ts.c | 2 +- drivers/input/touchscreen/cyttsp4_core.c | 2 +- drivers/irqchip/irq-sun6i-r.c | 2 +- drivers/md/dm-core.h | 1 + drivers/md/dm-integrity.c | 4 +- drivers/md/dm.c | 13 +- drivers/media/i2c/rj54n1cb0c.c | 9 +- drivers/media/i2c/tc358743.c | 4 +- drivers/media/pci/b2c2/flexcop-pci.c | 2 +- .../media/platform/st/sti/delta/delta-mjpeg-dec.c | 20 +- drivers/media/rc/imon.c | 27 ++- drivers/media/tuners/xc5000.c | 41 ++-- drivers/media/usb/uvc/uvc_driver.c | 73 ++++--- drivers/media/usb/uvc/uvcvideo.h | 2 + drivers/mfd/vexpress-sysreg.c | 6 +- drivers/misc/fastrpc.c | 62 ++++-- drivers/misc/genwqe/card_ddcb.c | 2 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 4 +- drivers/net/can/rcar/rcar_canfd.c | 7 +- drivers/net/can/spi/hi311x.c | 33 +-- drivers/net/ethernet/amazon/ena/ena_ethtool.c | 5 +- drivers/net/ethernet/dlink/dl2k.c | 7 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 +- .../ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 -- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 17 +- drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 24 +++ .../net/ethernet/mellanox/mlx5/core/pagealloc.c | 7 +- .../net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 +- drivers/net/usb/asix_devices.c | 29 +++ drivers/net/usb/rtl8150.c | 2 - drivers/net/wireless/ath/ath10k/wmi.c | 39 ++-- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 7 +- drivers/net/wireless/mediatek/mt76/mt7603/soc.c | 2 +- .../net/wireless/realtek/rtlwifi/rtl8192cu/sw.c | 1 - drivers/net/wireless/realtek/rtw89/ser.c | 3 +- drivers/nvme/target/fc.c | 19 +- drivers/pci/controller/dwc/pcie-tegra194.c | 4 +- drivers/pci/controller/pci-tegra.c | 2 +- drivers/perf/arm_spe_pmu.c | 3 +- drivers/pinctrl/meson/pinctrl-meson-gxl.c | 10 + drivers/pinctrl/pinmux.c | 2 +- drivers/pinctrl/renesas/pinctrl.c | 3 +- drivers/power/supply/cw2015_battery.c | 3 +- drivers/pps/kapi.c | 5 +- drivers/pps/pps.c | 5 +- drivers/pwm/pwm-tiehrpwm.c | 4 +- drivers/regulator/scmi-regulator.c | 3 +- drivers/remoteproc/qcom_q6v5.c | 3 - drivers/scsi/mpt3sas/mpt3sas_transport.c | 8 +- drivers/scsi/myrs.c | 8 +- drivers/scsi/pm8001/pm8001_sas.c | 9 +- drivers/scsi/qla2xxx/qla_edif.c | 4 +- drivers/scsi/qla2xxx/qla_init.c | 4 +- drivers/soc/qcom/rpmh-rsc.c | 7 +- drivers/staging/axis-fifo/axis-fifo.c | 68 +++--- drivers/target/target_core_configfs.c | 2 +- drivers/thermal/qcom/Kconfig | 3 +- drivers/thermal/qcom/lmh.c | 2 + drivers/tty/serial/Kconfig | 2 +- drivers/tty/serial/max310x.c | 2 + drivers/uio/uio_hv_generic.c | 7 +- drivers/usb/cdns3/cdnsp-pci.c | 5 +- drivers/usb/gadget/configfs.c | 2 + drivers/usb/host/max3421-hcd.c | 2 +- drivers/usb/host/xhci-ring.c | 11 +- drivers/usb/phy/phy-twl6030-usb.c | 3 +- drivers/usb/serial/option.c | 6 + drivers/usb/typec/tipd/core.c | 24 +-- drivers/usb/usbip/vhci_hcd.c | 22 ++ drivers/vhost/vringh.c | 14 +- drivers/watchdog/mpc8xxx_wdt.c | 2 + fs/btrfs/ref-verify.c | 9 +- fs/btrfs/tree-checker.c | 2 +- fs/ext4/ext4.h | 10 + fs/ext4/file.c | 2 +- fs/ext4/inode.c | 2 +- fs/ext4/orphan.c | 6 +- fs/ext4/super.c | 4 +- fs/f2fs/data.c | 7 +- fs/nfs/nfs4proc.c | 2 +- fs/ntfs3/run.c | 12 +- fs/ocfs2/stack_user.c | 1 + fs/smb/server/smb2pdu.c | 3 +- fs/smb/server/transport_rdma.c | 97 +++++++-- fs/squashfs/inode.c | 7 + fs/squashfs/squashfs_fs_i.h | 2 +- fs/udf/inode.c | 3 + include/crypto/sha256_base.h | 2 +- include/linux/bpf.h | 1 + include/linux/cacheinfo.h | 11 +- include/linux/compiler.h | 9 + include/linux/device.h | 3 + include/linux/minmax.h | 236 ++++++++++++--------- include/trace/events/filelock.h | 3 +- init/Kconfig | 1 + kernel/bpf/core.c | 5 + kernel/seccomp.c | 12 +- kernel/smp.c | 11 +- kernel/trace/bpf_trace.c | 9 +- lib/vsprintf.c | 2 +- mm/hugetlb.c | 2 + net/9p/trans_fd.c | 8 +- net/bluetooth/hci_sync.c | 10 +- net/bluetooth/iso.c | 9 +- net/bluetooth/mgmt.c | 10 +- net/core/filter.c | 16 +- net/ipv4/tcp.c | 9 +- net/mac80211/rx.c | 28 ++- net/netfilter/ipset/ip_set_hash_gen.h | 8 +- net/netfilter/ipvs/ip_vs_ftp.c | 4 +- net/nfc/nci/ntf.c | 135 ++++++++---- scripts/gcc-plugins/gcc-common.h | 7 + sound/pci/lx6464es/lx_core.c | 4 +- sound/soc/codecs/rt5682s.c | 17 +- sound/soc/intel/boards/bytcht_es8316.c | 20 +- sound/soc/intel/boards/bytcr_rt5640.c | 7 +- sound/soc/intel/boards/bytcr_rt5651.c | 26 ++- sound/soc/qcom/qdsp6/topology.c | 4 +- tools/include/nolibc/std.h | 2 +- tools/lib/bpf/libbpf.c | 10 + tools/lib/subcmd/help.c | 3 + tools/testing/nvdimm/test/ndtest.c | 13 +- tools/testing/selftests/arm64/pauth/exec_target.c | 7 +- .../selftests/bpf/progs/test_tcpnotify_kern.c | 1 - tools/testing/selftests/bpf/test_tcpnotify_user.c | 20 +- tools/testing/selftests/net/mptcp/mptcp_connect.c | 2 +- tools/testing/selftests/watchdog/watchdog-test.c | 6 + 190 files changed, 1637 insertions(+), 903 deletions(-)

2 weeks, 6 days

12
212
0 0

Looking for a Principal

by Martin Lazon

2 weeks, 6 days

1
0
0 0

FAILED: patch "[PATCH] nfsd: unregister with rpcbind when deleting a transport" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 898374fdd7f06fa4c4a66e8be3135efeae6128d5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101547-demeanor-rectify-27be@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 898374fdd7f06fa4c4a66e8be3135efeae6128d5 Mon Sep 17 00:00:00 2001 From: Olga Kornievskaia <okorniev(a)redhat.com> Date: Tue, 19 Aug 2025 14:04:02 -0400 Subject: [PATCH] nfsd: unregister with rpcbind when deleting a transport When a listener is added, a part of creation of transport also registers program/port with rpcbind. However, when the listener is removed, while transport goes away, rpcbind still has the entry for that port/type. When deleting the transport, unregister with rpcbind when appropriate. ---v2 created a new xpt_flag XPT_RPCB_UNREG to mark TCP and UDP transport and at xprt destroy send rpcbind unregister if flag set. Suggested-by: Chuck Lever <chuck.lever(a)oracle.com> Fixes: d093c9089260 ("nfsd: fix management of listener transports") Cc: stable(a)vger.kernel.org Signed-off-by: Olga Kornievskaia <okorniev(a)redhat.com> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> diff --git a/include/linux/sunrpc/svc_xprt.h b/include/linux/sunrpc/svc_xprt.h index 369a89aea186..2b886f7eb295 100644 --- a/include/linux/sunrpc/svc_xprt.h +++ b/include/linux/sunrpc/svc_xprt.h @@ -104,6 +104,9 @@ enum { * it has access to. It is NOT counted * in ->sv_tmpcnt. */ + XPT_RPCB_UNREG, /* transport that needs unregistering + * with rpcbind (TCP, UDP) on destroy + */ }; /* diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c index 8b1837228799..b800d704d807 100644 --- a/net/sunrpc/svc_xprt.c +++ b/net/sunrpc/svc_xprt.c @@ -1014,6 +1014,19 @@ static void svc_delete_xprt(struct svc_xprt *xprt) struct svc_serv *serv = xprt->xpt_server; struct svc_deferred_req *dr; + /* unregister with rpcbind for when transport type is TCP or UDP. + */ + if (test_bit(XPT_RPCB_UNREG, &xprt->xpt_flags)) { + struct svc_sock *svsk = container_of(xprt, struct svc_sock, + sk_xprt); + struct socket *sock = svsk->sk_sock; + + if (svc_register(serv, xprt->xpt_net, sock->sk->sk_family, + sock->sk->sk_protocol, 0) < 0) + pr_warn("failed to unregister %s with rpcbind\n", + xprt->xpt_class->xcl_name); + } + if (test_and_set_bit(XPT_DEAD, &xprt->xpt_flags)) return; diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index c0d5a27ba674..7b90abc5cf0e 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -836,6 +836,7 @@ static void svc_udp_init(struct svc_sock *svsk, struct svc_serv *serv) /* data might have come in before data_ready set up */ set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); set_bit(XPT_CHNGBUF, &svsk->sk_xprt.xpt_flags); + set_bit(XPT_RPCB_UNREG, &svsk->sk_xprt.xpt_flags); /* make sure we get destination address info */ switch (svsk->sk_sk->sk_family) { @@ -1350,6 +1351,7 @@ static void svc_tcp_init(struct svc_sock *svsk, struct svc_serv *serv) if (sk->sk_state == TCP_LISTEN) { strcpy(svsk->sk_xprt.xpt_remotebuf, "listener"); set_bit(XPT_LISTENER, &svsk->sk_xprt.xpt_flags); + set_bit(XPT_RPCB_UNREG, &svsk->sk_xprt.xpt_flags); sk->sk_data_ready = svc_tcp_listen_data_ready; set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags); } else {

2 weeks, 6 days

2
5
0 0

[PATCH v4 resend 1/7] efi: Add missing static initializer for efi_mm::cpus_allowed_lock

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> Initialize the cpus_allowed_lock struct member of efi_mm. Cc: <stable(a)vger.kernel.org> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/efi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 1ce428e2ac8a..fc407d891348 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -74,6 +74,9 @@ struct mm_struct efi_mm = { .page_table_lock = __SPIN_LOCK_UNLOCKED(efi_mm.page_table_lock), .mmlist = LIST_HEAD_INIT(efi_mm.mmlist), .cpu_bitmap = { [BITS_TO_LONGS(NR_CPUS)] = 0}, +#ifdef CONFIG_SCHED_MM_CID + .cpus_allowed_lock = __RAW_SPIN_LOCK_UNLOCKED(efi_mm.cpus_allowed_lock), +#endif }; struct workqueue_struct *efi_rts_wq; -- 2.51.0.869.ge66316f041-goog

3 weeks

1
0
0 0

El feedback efectivo empieza con datos claros

by Daniel Rodríguez

Fortalece la evaluación del desempeño Fortalece la evaluación del desempeño con Vorecol 360 Feedback. Hola, , La retroalimentación es una de las herramientas más poderosas para el desarrollo de las personas, pero muchas veces se limita a la opinión de un solo líder. Con una visión más amplia, las decisiones se vuelven más justas y efectivas. Vorecol 360 Feedback te permite evaluar el desempeño desde múltiples perspectivas, obteniendo una imagen completa y objetiva. Con Vorecol 360 Feedback puedes: • Recibir evaluaciones desde diferentes fuentes: líderes, pares, colaboradores y autoevaluación. • Personalizar competencias y criterios según el rol y las metas de la organización. • Generar reportes claros y accionables, con áreas de mejora y fortalezas destacadas. Esto ayuda a crear una cultura de retroalimentación continua y mejora constante en todos los niveles. Si estás buscando fortalecer la evaluación del desempeño, esta puede ser una muy buena opción. Si quieres conocer más puedes responder este correo o simplemente contactarme, mis datos están abajo o da clic aquí Saludos, -------------- Atte.: Daniel Rodríguez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewispouseup">click aquí</a>

3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-prevent-poison-consumption-when-splitting-thp.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: prevent poison consumption when splitting THP has been removed from the -mm tree. Its filename was mm-prevent-poison-consumption-when-splitting-thp.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> Subject: mm: prevent poison consumption when splitting THP Date: Sat, 11 Oct 2025 15:55:19 +0800 When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace. The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC. mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134 mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0} mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP. The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages. However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic. See the kernel panic call trace on the two #MCs. First Machine Check occurs // [1] memory_failure() // [2] try_to_split_thp_page() split_huge_page() split_huge_page_to_list_to_order() __folio_split() // [3] remap_page() remove_migration_ptes() remove_migration_pte() try_to_map_unused_to_zeropage() // [4] memchr_inv() // [5] Second Machine Check occurs // [6] Kernel panic [1] Triggered by accessing a hardware-poisoned THP in userspace, which is typically recoverable by terminating the affected process. [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page(). [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page(). [4] Try to map the unused THP to zeropage. [5] Re-access pages in the hw-poisoned THP in the kernel. [6] Triggered in-kernel, leading to a panic kernel. In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page(). As suggested by David Hildenbrand, fix this panic by not accessing to the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping. This prevents a second in-kernel #MC that would cause kernel panic in Step[4]. Thanks to Andrew Zaborowski for his initial work on fixing this issue. Link: https://lkml.kernel.org/r/20251015064926.1887643-1-qiuxu.zhuo@intel.com Link: https://lkml.kernel.org/r/20251011075520.320862-1-qiuxu.zhuo@intel.com Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> Reported-by: Farrah Chen <farrah.chen(a)intel.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Tested-by: Farrah Chen <farrah.chen(a)intel.com> Tested-by: Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> Acked-by: Lance Yang <lance.yang(a)linux.dev> Reviewed-by: Wei Yang <richard.weiyang(a)gmail.com> Acked-by: Zi Yan <ziy(a)nvidia.com> Reviewed-by: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Jiaqi Yan <jiaqiyan(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: "Luck, Tony" <tony.luck(a)intel.com> Cc: Mariano Pache <npache(a)redhat.com> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 3 +++ mm/migrate.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) --- a/mm/huge_memory.c~mm-prevent-poison-consumption-when-splitting-thp +++ a/mm/huge_memory.c @@ -4109,6 +4109,9 @@ static bool thp_underused(struct folio * if (khugepaged_max_ptes_none == HPAGE_PMD_NR - 1) return false; + if (folio_contain_hwpoisoned_page(folio)) + return false; + for (i = 0; i < folio_nr_pages(folio); i++) { if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) { if (++num_zero_pages > khugepaged_max_ptes_none) --- a/mm/migrate.c~mm-prevent-poison-consumption-when-splitting-thp +++ a/mm/migrate.c @@ -301,8 +301,9 @@ static bool try_to_map_unused_to_zeropag struct page *page = folio_page(folio, idx); pte_t newpte; - if (PageCompound(page)) + if (PageCompound(page) || PageHWPoison(page)) return false; + VM_BUG_ON_PAGE(!PageAnon(page), page); VM_BUG_ON_PAGE(!PageLocked(page), page); VM_BUG_ON_PAGE(pte_present(old_pte), page); _ Patches currently in -mm which might be from qiuxu.zhuo(a)intel.com are

3 weeks

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: clear extent cache after moving/defragmenting extents has been removed from the -mm tree. Its filename was ocfs2-clear-extent-cache-after-moving-defragmenting-extents.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Deepanshu Kartikey <kartikey406(a)gmail.com> Subject: ocfs2: clear extent cache after moving/defragmenting extents Date: Thu, 9 Oct 2025 21:19:03 +0530 The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters(). The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent() which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range(). This ensures subsequent operations read fresh extent data from disk. Link: https://lore.kernel.org/all/20251009142917.517229-1-kartikey406@gmail.com/T/ Link: https://lkml.kernel.org/r/20251009154903.522339-1-kartikey406@gmail.com Fixes: 53069d4e7695 ("Ocfs2/move_extents: move/defrag extents within a certain range.") Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> Reported-by: syzbot+6fdd8fa3380730a4b22c(a)syzkaller.appspotmail.com Tested-by: syzbot+6fdd8fa3380730a4b22c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?id=2959889e1f6e216585ce522f7e8bc002b46ad9… Reviewed-by: Mark Fasheh <mark(a)fasheh.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/move_extents.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/fs/ocfs2/move_extents.c~ocfs2-clear-extent-cache-after-moving-defragmenting-extents +++ a/fs/ocfs2/move_extents.c @@ -867,6 +867,11 @@ static int __ocfs2_move_extents_range(st mlog_errno(ret); goto out; } + /* + * Invalidate extent cache after moving/defragging to prevent + * stale cached data with outdated extent flags. + */ + ocfs2_extent_map_trunc(inode, cpos); context->clusters_moved += alloc_size; next: _ Patches currently in -mm which might be from kartikey406(a)gmail.com are hugetlbfs-move-lock-assertions-after-early-returns-in-huge_pmd_unshare.patch

3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-dont-spin-in-add_stack_record-when-gfp-flags-dont-allow.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: don't spin in add_stack_record when gfp flags don't allow has been removed from the -mm tree. Its filename was mm-dont-spin-in-add_stack_record-when-gfp-flags-dont-allow.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Alexei Starovoitov <ast(a)kernel.org> Subject: mm: don't spin in add_stack_record when gfp flags don't allow Date: Thu, 9 Oct 2025 17:15:13 -0700 syzbot was able to find the following path: add_stack_record_to_list mm/page_owner.c:182 [inline] inc_stack_record_count mm/page_owner.c:214 [inline] __set_page_owner+0x2c3/0x4a0 mm/page_owner.c:333 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 alloc_pages_nolock_noprof+0x94/0x120 mm/page_alloc.c:7554 Don't spin in add_stack_record_to_list() when it is called from *_nolock() context. Link: https://lkml.kernel.org/r/CAADnVQK_8bNYEA7TJYgwTYR57=TTFagsvRxp62pFzS_z129e… Fixes: 97769a53f117 ("mm, bpf: Introduce try_alloc_pages() for opportunistic page allocation") Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Reported-by: syzbot+8259e1d0e3ae8ed0c490(a)syzkaller.appspotmail.com Reported-by: syzbot+665739f456b28f32b23d(a)syzkaller.appspotmail.com Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: Brendan Jackman <jackmanb(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_owner.c | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/page_owner.c~mm-dont-spin-in-add_stack_record-when-gfp-flags-dont-allow +++ a/mm/page_owner.c @@ -168,6 +168,9 @@ static void add_stack_record_to_list(str unsigned long flags; struct stack *stack; + if (!gfpflags_allow_spinning(gfp_mask)) + return; + set_current_in_page_owner(); stack = kmalloc(sizeof(*stack), gfp_nested_mask(gfp_mask)); if (!stack) { _ Patches currently in -mm which might be from ast(a)kernel.org are

3 weeks

1
0
0 0

[merged mm-hotfixes-stable] dma-debug-dont-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: dma-debug: don't report false positives with DMA_BOUNCE_UNALIGNED_KMALLOC has been removed from the -mm tree. Its filename was dma-debug-dont-report-false-positives-with-dma_bounce_unaligned_kmalloc.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Marek Szyprowski <m.szyprowski(a)samsung.com> Subject: dma-debug: don't report false positives with DMA_BOUNCE_UNALIGNED_KMALLOC Date: Thu, 9 Oct 2025 16:15:08 +0200 Commit 370645f41e6e ("dma-mapping: force bouncing if the kmalloc() size is not cache-line-aligned") introduced DMA_BOUNCE_UNALIGNED_KMALLOC feature and permitted architecture specific code configure kmalloc slabs with sizes smaller than the value of dma_get_cache_alignment(). When that feature is enabled, the physical address of some small kmalloc()-ed buffers might be not aligned to the CPU cachelines, thus not really suitable for typical DMA. To properly handle that case a SWIOTLB buffer bouncing is used, so no CPU cache corruption occurs. When that happens, there is no point reporting a false-positive DMA-API warning that the buffer is not properly aligned, as this is not a client driver fault. [m.szyprowski(a)samsung.com: replace is_swiotlb_allocated() with is_swiotlb_active(), per Catalin] Link: https://lkml.kernel.org/r/20251010173009.3916215-1-m.szyprowski@samsung.com Link: https://lkml.kernel.org/r/20251009141508.2342138-1-m.szyprowski@samsung.com Fixes: 370645f41e6e ("dma-mapping: force bouncing if the kmalloc() size is not cache-line-aligned") Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Reviewed-by: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Inki Dae <m.szyprowski(a)samsung.com> Cc: Robin Murohy <robin.murphy(a)arm.com> Cc: "Isaac J. Manjarres" <isaacmanjarres(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/dma/debug.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/kernel/dma/debug.c~dma-debug-dont-report-false-positives-with-dma_bounce_unaligned_kmalloc +++ a/kernel/dma/debug.c @@ -23,6 +23,7 @@ #include <linux/ctype.h> #include <linux/list.h> #include <linux/slab.h> +#include <linux/swiotlb.h> #include <asm/sections.h> #include "debug.h" @@ -594,7 +595,9 @@ static void add_dma_entry(struct dma_deb if (rc == -ENOMEM) { pr_err_once("cacheline tracking ENOMEM, dma-debug disabled\n"); global_disable = true; - } else if (rc == -EEXIST && !(attrs & DMA_ATTR_SKIP_CPU_SYNC)) { + } else if (rc == -EEXIST && !(attrs & DMA_ATTR_SKIP_CPU_SYNC) && + !(IS_ENABLED(CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC) && + is_swiotlb_active(entry->dev))) { err_printk(entry->dev, entry, "cacheline tracking EEXIST, overlapping mappings aren't supported\n"); } _ Patches currently in -mm which might be from m.szyprowski(a)samsung.com are

3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-sysfs-catch-commit-test-ctx-alloc-failure.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/sysfs: catch commit test ctx alloc failure has been removed from the -mm tree. Its filename was mm-damon-sysfs-catch-commit-test-ctx-alloc-failure.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/sysfs: catch commit test ctx alloc failure Date: Fri, 3 Oct 2025 13:14:54 -0700 Patch series "mm/damon/sysfs: fix commit test damon_ctx [de]allocation". DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update is valid. The object is being used without an allocation failure check, and leaked when the test succeeds. Fix the two bugs. This patch (of 2): The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check. This could result in an invalid memory access. Fix it by directly returning an error when the allocation failed. Link: https://lkml.kernel.org/r/20251003201455.41448-1-sj@kernel.org Link: https://lkml.kernel.org/r/20251003201455.41448-2-sj@kernel.org Fixes: 4c9ea539ad59 ("mm/damon/sysfs: validate user inputs from damon_sysfs_commit_input()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/sysfs.c | 2 ++ 1 file changed, 2 insertions(+) --- a/mm/damon/sysfs.c~mm-damon-sysfs-catch-commit-test-ctx-alloc-failure +++ a/mm/damon/sysfs.c @@ -1473,6 +1473,8 @@ static int damon_sysfs_commit_input(void if (IS_ERR(param_ctx)) return PTR_ERR(param_ctx); test_ctx = damon_new_ctx(); + if (!test_ctx) + return -ENOMEM; err = damon_commit_ctx(test_ctx, param_ctx); if (err) { damon_destroy_ctx(test_ctx); _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-fix-list_add_tail-call-on-damon_call.patch mm-damon-core-use-damos_commit_quota_goal-for-new-goal-commit.patch mm-zswap-remove-unnecessary-dlen-writes-for-incompressible-pages.patch mm-zswap-fix-typos-s-zwap-zswap.patch mm-zswap-s-red-black-tree-xarray.patch docs-admin-guide-mm-zswap-s-red-black-tree-xarray.patch

3 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-sysfs-dealloc-commit-test-ctx-always.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/sysfs: dealloc commit test ctx always has been removed from the -mm tree. Its filename was mm-damon-sysfs-dealloc-commit-test-ctx-always.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/sysfs: dealloc commit test ctx always Date: Fri, 3 Oct 2025 13:14:55 -0700 The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails. This means memory is leaked for every successful online DAMON parameters commit. Fix the leak by always deallocating it. Link: https://lkml.kernel.org/r/20251003201455.41448-3-sj@kernel.org Fixes: 4c9ea539ad59 ("mm/damon/sysfs: validate user inputs from damon_sysfs_commit_input()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.15+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/sysfs.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/mm/damon/sysfs.c~mm-damon-sysfs-dealloc-commit-test-ctx-always +++ a/mm/damon/sysfs.c @@ -1476,12 +1476,11 @@ static int damon_sysfs_commit_input(void if (!test_ctx) return -ENOMEM; err = damon_commit_ctx(test_ctx, param_ctx); - if (err) { - damon_destroy_ctx(test_ctx); + if (err) goto out; - } err = damon_commit_ctx(kdamond->damon_ctx, param_ctx); out: + damon_destroy_ctx(test_ctx); damon_destroy_ctx(param_ctx); return err; } _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-fix-list_add_tail-call-on-damon_call.patch mm-damon-core-use-damos_commit_quota_goal-for-new-goal-commit.patch mm-zswap-remove-unnecessary-dlen-writes-for-incompressible-pages.patch mm-zswap-fix-typos-s-zwap-zswap.patch mm-zswap-s-red-black-tree-xarray.patch docs-admin-guide-mm-zswap-s-red-black-tree-xarray.patch

3 weeks

1
0
0 0

[merged mm-hotfixes-stable] hung_task-fix-warnings-caused-by-unaligned-lock-pointers.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: hung_task: fix warnings caused by unaligned lock pointers has been removed from the -mm tree. Its filename was hung_task-fix-warnings-caused-by-unaligned-lock-pointers.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lance Yang <lance.yang(a)linux.dev> Subject: hung_task: fix warnings caused by unaligned lock pointers Date: Tue, 9 Sep 2025 22:52:43 +0800 From: Lance Yang <lance.yang(a)linux.dev> The blocker tracking mechanism assumes that lock pointers are at least 4-byte aligned to use their lower bits for type encoding. However, as reported by Eero Tamminen, some architectures like m68k only guarantee 2-byte alignment of 32-bit values. This breaks the assumption and causes two related WARN_ON_ONCE checks to trigger. To fix this, the runtime checks are adjusted to silently ignore any lock that is not 4-byte aligned, effectively disabling the feature in such cases and avoiding the related warnings. Thanks to Geert Uytterhoeven for bisecting! Link: https://lkml.kernel.org/r/20250909145243.17119-1-lance.yang@linux.dev Fixes: e711faaafbe5 ("hung_task: replace blocker_mutex with encoded blocker") Signed-off-by: Lance Yang <lance.yang(a)linux.dev> Reported-by: Eero Tamminen <oak(a)helsinkinet.fi> Closes: https://lore.kernel.org/lkml/CAMuHMdW7Ab13DdGs2acMQcix5ObJK0O2dG_Fxzr8_g58R… Reviewed-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Cc: John Paul Adrian Glaubitz <glaubitz(a)physik.fu-berlin.de> Cc: Anna Schumaker <anna.schumaker(a)oracle.com> Cc: Boqun Feng <boqun.feng(a)gmail.com> Cc: Finn Thain <fthain(a)linux-m68k.org> Cc: Geert Uytterhoeven <geert(a)linux-m68k.org> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Joel Granados <joel.granados(a)kernel.org> Cc: John Stultz <jstultz(a)google.com> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Lance Yang <lance.yang(a)linux.dev> Cc: Mingzhe Yang <mingzhe.yang(a)ly.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Tomasz Figa <tfiga(a)chromium.org> Cc: Waiman Long <longman(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: Yongliang Gao <leonylgao(a)tencent.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/hung_task.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/include/linux/hung_task.h~hung_task-fix-warnings-caused-by-unaligned-lock-pointers +++ a/include/linux/hung_task.h @@ -20,6 +20,10 @@ * always zero. So we can use these bits to encode the specific blocking * type. * + * Note that on architectures where this is not guaranteed, or for any + * unaligned lock, this tracking mechanism is silently skipped for that + * lock. + * * Type encoding: * 00 - Blocked on mutex (BLOCKER_TYPE_MUTEX) * 01 - Blocked on semaphore (BLOCKER_TYPE_SEM) @@ -45,7 +49,7 @@ static inline void hung_task_set_blocker * If the lock pointer matches the BLOCKER_TYPE_MASK, return * without writing anything. */ - if (WARN_ON_ONCE(lock_ptr & BLOCKER_TYPE_MASK)) + if (lock_ptr & BLOCKER_TYPE_MASK) return; WRITE_ONCE(current->blocker, lock_ptr | type); @@ -53,8 +57,6 @@ static inline void hung_task_set_blocker static inline void hung_task_clear_blocker(void) { - WARN_ON_ONCE(!READ_ONCE(current->blocker)); - WRITE_ONCE(current->blocker, 0UL); } _ Patches currently in -mm which might be from lance.yang(a)linux.dev are

3 weeks

1
0
0 0

FAILED: patch "[PATCH] cpufreq: Make drivers using CPUFREQ_ETERNAL specify" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x f97aef092e199c10a3da96ae79b571edd5362faa # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101528-barcode-doorstop-420a@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f97aef092e199c10a3da96ae79b571edd5362faa Mon Sep 17 00:00:00 2001 From: "Rafael J. Wysocki" <rafael.j.wysocki(a)intel.com> Date: Fri, 26 Sep 2025 12:12:37 +0200 Subject: [PATCH] cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency Commit a755d0e2d41b ("cpufreq: Honour transition_latency over transition_delay_us") caused platforms where cpuinfo.transition_latency is CPUFREQ_ETERNAL to get a very large transition latency whereas previously it had been capped at 10 ms (and later at 2 ms). This led to a user-observable regression between 6.6 and 6.12 as described by Shawn: "The dbs sampling_rate was 10000 us on 6.6 and suddently becomes 6442450 us (4294967295 / 1000 * 1.5) on 6.12 for these platforms because the default transition delay was dropped [...]. It slows down dbs governor's reacting to CPU loading change dramatically. Also, as transition_delay_us is used by schedutil governor as rate_limit_us, it shows a negative impact on device idle power consumption, because the device gets slightly less time in the lowest OPP." Evidently, the expectation of the drivers using CPUFREQ_ETERNAL as cpuinfo.transition_latency was that it would be capped by the core, but they may as well return a default transition latency value instead of CPUFREQ_ETERNAL and the core need not do anything with it. Accordingly, introduce CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS and make all of the drivers in question use it instead of CPUFREQ_ETERNAL. Also update the related Rust binding. Fixes: a755d0e2d41b ("cpufreq: Honour transition_latency over transition_delay_us") Closes: https://lore.kernel.org/linux-pm/20250922125929.453444-1-shawnguo2@yeah.net/ Reported-by: Shawn Guo <shawnguo(a)kernel.org> Reviewed-by: Mario Limonciello (AMD) <superm1(a)kernel.org> Reviewed-by: Jie Zhan <zhanjie9(a)hisilicon.com> Acked-by: Viresh Kumar <viresh.kumar(a)linaro.org> Cc: 6.6+ <stable(a)vger.kernel.org> # 6.6+ Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Link: https://patch.msgid.link/2264949.irdbgypaU6@rafael.j.wysocki [ rjw: Fix typo in new symbol name, drop redundant type cast from Rust binding ] Tested-by: Shawn Guo <shawnguo(a)kernel.org> # with cpufreq-dt driver Reviewed-by: Qais Yousef <qyousef(a)layalina.io> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/cpufreq/cpufreq-dt.c b/drivers/cpufreq/cpufreq-dt.c index 506437489b4d..7d5079fd1688 100644 --- a/drivers/cpufreq/cpufreq-dt.c +++ b/drivers/cpufreq/cpufreq-dt.c @@ -104,7 +104,7 @@ static int cpufreq_init(struct cpufreq_policy *policy) transition_latency = dev_pm_opp_get_max_transition_latency(cpu_dev); if (!transition_latency) - transition_latency = CPUFREQ_ETERNAL; + transition_latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS; cpumask_copy(policy->cpus, priv->cpus); policy->driver_data = priv; diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c index db1c88e9d3f9..e93697d3edfd 100644 --- a/drivers/cpufreq/imx6q-cpufreq.c +++ b/drivers/cpufreq/imx6q-cpufreq.c @@ -442,7 +442,7 @@ static int imx6q_cpufreq_probe(struct platform_device *pdev) } if (of_property_read_u32(np, "clock-latency", &transition_latency)) - transition_latency = CPUFREQ_ETERNAL; + transition_latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS; /* * Calculate the ramp time for max voltage change in the diff --git a/drivers/cpufreq/mediatek-cpufreq-hw.c b/drivers/cpufreq/mediatek-cpufreq-hw.c index fce5aa5ceea0..ae4500ab4891 100644 --- a/drivers/cpufreq/mediatek-cpufreq-hw.c +++ b/drivers/cpufreq/mediatek-cpufreq-hw.c @@ -309,7 +309,7 @@ static int mtk_cpufreq_hw_cpu_init(struct cpufreq_policy *policy) latency = readl_relaxed(data->reg_bases[REG_FREQ_LATENCY]) * 1000; if (!latency) - latency = CPUFREQ_ETERNAL; + latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS; policy->cpuinfo.transition_latency = latency; policy->fast_switch_possible = true; diff --git a/drivers/cpufreq/rcpufreq_dt.rs b/drivers/cpufreq/rcpufreq_dt.rs index 7e1fbf9a091f..3909022e1c74 100644 --- a/drivers/cpufreq/rcpufreq_dt.rs +++ b/drivers/cpufreq/rcpufreq_dt.rs @@ -123,7 +123,7 @@ fn init(policy: &mut cpufreq::Policy) -> Result<Self::PData> { let mut transition_latency = opp_table.max_transition_latency_ns() as u32; if transition_latency == 0 { - transition_latency = cpufreq::ETERNAL_LATENCY_NS; + transition_latency = cpufreq::DEFAULT_TRANSITION_LATENCY_NS; } policy diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c index 38c165d526d1..d2a110079f5f 100644 --- a/drivers/cpufreq/scmi-cpufreq.c +++ b/drivers/cpufreq/scmi-cpufreq.c @@ -294,7 +294,7 @@ static int scmi_cpufreq_init(struct cpufreq_policy *policy) latency = perf_ops->transition_latency_get(ph, domain); if (!latency) - latency = CPUFREQ_ETERNAL; + latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS; policy->cpuinfo.transition_latency = latency; diff --git a/drivers/cpufreq/scpi-cpufreq.c b/drivers/cpufreq/scpi-cpufreq.c index dcbb0ae7dd47..e530345baddf 100644 --- a/drivers/cpufreq/scpi-cpufreq.c +++ b/drivers/cpufreq/scpi-cpufreq.c @@ -157,7 +157,7 @@ static int scpi_cpufreq_init(struct cpufreq_policy *policy) latency = scpi_ops->get_transition_latency(cpu_dev); if (!latency) - latency = CPUFREQ_ETERNAL; + latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS; policy->cpuinfo.transition_latency = latency; diff --git a/drivers/cpufreq/spear-cpufreq.c b/drivers/cpufreq/spear-cpufreq.c index 707c71090cc3..2a1550e1aa21 100644 --- a/drivers/cpufreq/spear-cpufreq.c +++ b/drivers/cpufreq/spear-cpufreq.c @@ -182,7 +182,7 @@ static int spear_cpufreq_probe(struct platform_device *pdev) if (of_property_read_u32(np, "clock-latency", &spear_cpufreq.transition_latency)) - spear_cpufreq.transition_latency = CPUFREQ_ETERNAL; + spear_cpufreq.transition_latency = CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS; cnt = of_property_count_u32_elems(np, "cpufreq_tbl"); if (cnt <= 0) { diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h index 40966512ea18..bc8c083bc16a 100644 --- a/include/linux/cpufreq.h +++ b/include/linux/cpufreq.h @@ -32,6 +32,9 @@ */ #define CPUFREQ_ETERNAL (-1) + +#define CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS NSEC_PER_MSEC + #define CPUFREQ_NAME_LEN 16 /* Print length for names. Extra 1 space for accommodating '\n' in prints */ #define CPUFREQ_NAME_PLEN (CPUFREQ_NAME_LEN + 1) diff --git a/rust/kernel/cpufreq.rs b/rust/kernel/cpufreq.rs index eea57ba95f24..2ea735700ae7 100644 --- a/rust/kernel/cpufreq.rs +++ b/rust/kernel/cpufreq.rs @@ -39,7 +39,8 @@ const CPUFREQ_NAME_LEN: usize = bindings::CPUFREQ_NAME_LEN as usize; /// Default transition latency value in nanoseconds. -pub const ETERNAL_LATENCY_NS: u32 = bindings::CPUFREQ_ETERNAL as u32; +pub const DEFAULT_TRANSITION_LATENCY_NS: u32 = + bindings::CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS; /// CPU frequency driver flags. pub mod flags { @@ -400,13 +401,13 @@ pub fn to_table(mut self) -> Result<TableBox> { /// The following example demonstrates how to create a CPU frequency table. /// /// ``` -/// use kernel::cpufreq::{ETERNAL_LATENCY_NS, Policy}; +/// use kernel::cpufreq::{DEFAULT_TRANSITION_LATENCY_NS, Policy}; /// /// fn update_policy(policy: &mut Policy) { /// policy /// .set_dvfs_possible_from_any_cpu(true) /// .set_fast_switch_possible(true) -/// .set_transition_latency_ns(ETERNAL_LATENCY_NS); +/// .set_transition_latency_ns(DEFAULT_TRANSITION_LATENCY_NS); /// /// pr_info!("The policy details are: {:?}\n", (policy.cpu(), policy.cur())); /// }

3 weeks

2
1
0 0

[PATCH] perf: Fix dangling cgroup pointer in cpuctx

by Chris J Arges

From: Yeoreum Yun <yeoreum.yun(a)arm.com> [ Upstream commit 3b7a34aebbdf2a4b7295205bf0c654294283ec82 ] Commit a3c3c66670ce ("perf/core: Fix child_total_time_enabled accounting bug at task exit") moves the event->state update to before list_del_event(). This makes the event->state test in list_del_event() always false; never calling perf_cgroup_event_disable(). As a result, cpuctx->cgrp won't be cleared properly; causing havoc. Cc: stable(a)vger.kernel.org # 6.6.x, 6.12.x Fixes: a3c3c66670ce ("perf/core: Fix child_total_time_enabled accounting bug at task exit") Signed-off-by: Chris J Arges <carges(a)cloudflare.com> --- kernel/events/core.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index 3cc06ffb60c1..6688660845d2 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -2100,18 +2100,6 @@ list_del_event(struct perf_event *event, struct perf_event_context *ctx) if (event->group_leader == event) del_event_from_groups(event, ctx); - /* - * If event was in error state, then keep it - * that way, otherwise bogus counts will be - * returned on read(). The only way to get out - * of error state is by explicit re-enabling - * of the event - */ - if (event->state > PERF_EVENT_STATE_OFF) { - perf_cgroup_event_disable(event, ctx); - perf_event_set_state(event, PERF_EVENT_STATE_OFF); - } - ctx->generation++; event->pmu_ctx->nr_events--; } @@ -2456,11 +2444,14 @@ __perf_remove_from_context(struct perf_event *event, */ if (flags & DETACH_EXIT) state = PERF_EVENT_STATE_EXIT; - if (flags & DETACH_DEAD) { - event->pending_disable = 1; + if (flags & DETACH_DEAD) state = PERF_EVENT_STATE_DEAD; - } + event_sched_out(event, ctx); + + if (event->state > PERF_EVENT_STATE_OFF) + perf_cgroup_event_disable(event, ctx); + perf_event_set_state(event, min(event->state, state)); if (flags & DETACH_GROUP) perf_group_detach(event); -- 2.43.0

3 weeks

2
1
0 0

FAILED: patch "[PATCH] fscontext: do not consume log entries when returning" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 72d271a7baa7062cb27e774ac37c5459c6d20e22 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101539-racoon-uneasily-cfd4@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 72d271a7baa7062cb27e774ac37c5459c6d20e22 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <cyphar(a)cyphar.com> Date: Thu, 7 Aug 2025 03:55:23 +1000 Subject: [PATCH] fscontext: do not consume log entries when returning -EMSGSIZE Userspace generally expects APIs that return -EMSGSIZE to allow for them to adjust their buffer size and retry the operation. However, the fscontext log would previously clear the message even in the -EMSGSIZE case. Given that it is very cheap for us to check whether the buffer is too small before we remove the message from the ring buffer, let's just do that instead. While we're at it, refactor some fscontext_read() into a separate helper to make the ring buffer logic a bit easier to read. Fixes: 007ec26cdc9f ("vfs: Implement logging through fs_context") Cc: David Howells <dhowells(a)redhat.com> Cc: stable(a)vger.kernel.org # v5.2+ Signed-off-by: Aleksa Sarai <cyphar(a)cyphar.com> Link: https://lore.kernel.org/20250807-fscontext-log-cleanups-v3-1-8d91d6242dc3@c… Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/fsopen.c b/fs/fsopen.c index 1aaf4cb2afb2..f645c99204eb 100644 --- a/fs/fsopen.c +++ b/fs/fsopen.c @@ -18,50 +18,56 @@ #include "internal.h" #include "mount.h" +static inline const char *fetch_message_locked(struct fc_log *log, size_t len, + bool *need_free) +{ + const char *p; + int index; + + if (unlikely(log->head == log->tail)) + return ERR_PTR(-ENODATA); + + index = log->tail & (ARRAY_SIZE(log->buffer) - 1); + p = log->buffer[index]; + if (unlikely(strlen(p) > len)) + return ERR_PTR(-EMSGSIZE); + + log->buffer[index] = NULL; + *need_free = log->need_free & (1 << index); + log->need_free &= ~(1 << index); + log->tail++; + + return p; +} + /* * Allow the user to read back any error, warning or informational messages. + * Only one message is returned for each read(2) call. */ static ssize_t fscontext_read(struct file *file, char __user *_buf, size_t len, loff_t *pos) { struct fs_context *fc = file->private_data; - struct fc_log *log = fc->log.log; - unsigned int logsize = ARRAY_SIZE(log->buffer); - ssize_t ret; - char *p; + ssize_t err; + const char *p __free(kfree) = NULL, *message; bool need_free; - int index, n; + int n; - ret = mutex_lock_interruptible(&fc->uapi_mutex); - if (ret < 0) - return ret; - - if (log->head == log->tail) { - mutex_unlock(&fc->uapi_mutex); - return -ENODATA; - } - - index = log->tail & (logsize - 1); - p = log->buffer[index]; - need_free = log->need_free & (1 << index); - log->buffer[index] = NULL; - log->need_free &= ~(1 << index); - log->tail++; + err = mutex_lock_interruptible(&fc->uapi_mutex); + if (err < 0) + return err; + message = fetch_message_locked(fc->log.log, len, &need_free); mutex_unlock(&fc->uapi_mutex); + if (IS_ERR(message)) + return PTR_ERR(message); - ret = -EMSGSIZE; - n = strlen(p); - if (n > len) - goto err_free; - ret = -EFAULT; - if (copy_to_user(_buf, p, n) != 0) - goto err_free; - ret = n; - -err_free: if (need_free) - kfree(p); - return ret; + p = message; + + n = strlen(message); + if (copy_to_user(_buf, message, n)) + return -EFAULT; + return n; } static int fscontext_release(struct inode *inode, struct file *file)

3 weeks

2
2
0 0

[PATCH 1/3] net: ravb: Make DBAT entry count configurable per-SoC

by Prabhakar

From: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> The number of CDARq (Current Descriptor Address Register) registers is not fixed to 22 across all SoC variants. For example, the GBETH implementation uses only two entries. Hardcoding the value leads to incorrect resource allocation on such platforms. Pass the DBAT entry count through the per-SoC hardware info struct and use it during probe instead of relying on a fixed constant. This ensures correct descriptor table sizing and initialization across different SoCs. Fixes: feab85c7ccea ("ravb: Add support for RZ/G2L SoC") Cc: stable(a)vger.kernel.org Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> --- drivers/net/ethernet/renesas/ravb.h | 2 +- drivers/net/ethernet/renesas/ravb_main.c | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/renesas/ravb.h b/drivers/net/ethernet/renesas/ravb.h index 7b48060c250b..d65cd83ddd16 100644 --- a/drivers/net/ethernet/renesas/ravb.h +++ b/drivers/net/ethernet/renesas/ravb.h @@ -1017,7 +1017,6 @@ enum CSR2_BIT { #define CSR2_CSUM_ENABLE (CSR2_RTCP4 | CSR2_RUDP4 | CSR2_RICMP4 | \ CSR2_RTCP6 | CSR2_RUDP6 | CSR2_RICMP6) -#define DBAT_ENTRY_NUM 22 #define RX_QUEUE_OFFSET 4 #define NUM_RX_QUEUE 2 #define NUM_TX_QUEUE 2 @@ -1062,6 +1061,7 @@ struct ravb_hw_info { u32 rx_max_frame_size; u32 rx_buffer_size; u32 rx_desc_size; + u32 dbat_entry_num; unsigned aligned_tx: 1; unsigned coalesce_irqs:1; /* Needs software IRQ coalescing */ diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c index 9d3bd65b85ff..69d382e8757d 100644 --- a/drivers/net/ethernet/renesas/ravb_main.c +++ b/drivers/net/ethernet/renesas/ravb_main.c @@ -2694,6 +2694,7 @@ static const struct ravb_hw_info ravb_gen2_hw_info = { .rx_buffer_size = SZ_2K + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)), .rx_desc_size = sizeof(struct ravb_ex_rx_desc), + .dbat_entry_num = 22, .aligned_tx = 1, .gptp = 1, .nc_queues = 1, @@ -2717,6 +2718,7 @@ static const struct ravb_hw_info ravb_gen3_hw_info = { .rx_buffer_size = SZ_2K + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)), .rx_desc_size = sizeof(struct ravb_ex_rx_desc), + .dbat_entry_num = 22, .internal_delay = 1, .tx_counters = 1, .multi_irqs = 1, @@ -2743,6 +2745,7 @@ static const struct ravb_hw_info ravb_gen4_hw_info = { .rx_buffer_size = SZ_2K + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)), .rx_desc_size = sizeof(struct ravb_ex_rx_desc), + .dbat_entry_num = 22, .internal_delay = 1, .tx_counters = 1, .multi_irqs = 1, @@ -2769,6 +2772,7 @@ static const struct ravb_hw_info ravb_rzv2m_hw_info = { .rx_buffer_size = SZ_2K + SKB_DATA_ALIGN(sizeof(struct skb_shared_info)), .rx_desc_size = sizeof(struct ravb_ex_rx_desc), + .dbat_entry_num = 22, .multi_irqs = 1, .err_mgmt_irqs = 1, .gptp = 1, @@ -2794,6 +2798,7 @@ static const struct ravb_hw_info gbeth_hw_info = { .rx_max_frame_size = SZ_8K, .rx_buffer_size = SZ_2K, .rx_desc_size = sizeof(struct ravb_rx_desc), + .dbat_entry_num = 2, .aligned_tx = 1, .coalesce_irqs = 1, .tx_counters = 1, @@ -3025,7 +3030,7 @@ static int ravb_probe(struct platform_device *pdev) ravb_parse_delay_mode(np, ndev); /* Allocate descriptor base address table */ - priv->desc_bat_size = sizeof(struct ravb_desc) * DBAT_ENTRY_NUM; + priv->desc_bat_size = sizeof(struct ravb_desc) * info->dbat_entry_num; priv->desc_bat = dma_alloc_coherent(ndev->dev.parent, priv->desc_bat_size, &priv->desc_bat_dma, GFP_KERNEL); if (!priv->desc_bat) { @@ -3035,7 +3040,7 @@ static int ravb_probe(struct platform_device *pdev) error = -ENOMEM; goto out_rpm_put; } - for (q = RAVB_BE; q < DBAT_ENTRY_NUM; q++) + for (q = RAVB_BE; q < info->dbat_entry_num; q++) priv->desc_bat[q].die_dt = DT_EOS; /* Initialise HW timestamp list */ -- 2.43.0

3 weeks

3
3
0 0

[PATCH 6.1 0/6] fix invalid sleeping in detect_cache_attributes()

by Wen Yang

commit 3fcbf1c77d08 ("arch_topology: Fix cache attributes detection in the CPU hotplug path") adds a call to detect_cache_attributes() to populate the cacheinfo before updating the siblings mask. detect_cache_attributes() allocates memory and can take the PPTT mutex (on ACPI platforms). On PREEMPT_RT kernels, on secondary CPUs, this triggers a: 'BUG: sleeping function called from invalid context' as the code is executed with preemption and interrupts disabled: | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 | in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/111 | preempt_count: 1, expected: 0 | RCU nest depth: 1, expected: 1 | 3 locks held by swapper/111/0: | #0: (&pcp->lock){+.+.}-{3:3}, at: get_page_from_freelist+0x218/0x12c8 | #1: (rcu_read_lock){....}-{1:3}, at: rt_spin_trylock+0x48/0xf0 | #2: (&zone->lock){+.+.}-{3:3}, at: rmqueue_bulk+0x64/0xa80 | irq event stamp: 0 | hardirqs last enabled at (0): 0x0 | hardirqs last disabled at (0): copy_process+0x5dc/0x1ab8 | softirqs last enabled at (0): copy_process+0x5dc/0x1ab8 | softirqs last disabled at (0): 0x0 | Preemption disabled at: | migrate_enable+0x30/0x130 | CPU: 111 PID: 0 Comm: swapper/111 Tainted: G W 6.0.0-rc4-rt6-[...] | Call trace: | __kmalloc+0xbc/0x1e8 | detect_cache_attributes+0x2d4/0x5f0 | update_siblings_masks+0x30/0x368 | store_cpu_topology+0x78/0xb8 | secondary_start_kernel+0xd0/0x198 | __secondary_switched+0xb0/0xb4 Pierre fixed this issue in the upstream 6.3 and the original series is follows: https://lore.kernel.org/all/167404285593.885445.6219705651301997538.b4-ty@a… We also encountered the same issue on 6.1 stable branch, and need to backport this series. Pierre Gondois (6): cacheinfo: Use RISC-V's init_cache_level() as generic OF implementation cacheinfo: Return error code in init_of_cache_level() cacheinfo: Check 'cache-unified' property to count cache leaves ACPI: PPTT: Remove acpi_find_cache_levels() ACPI: PPTT: Update acpi_find_last_cache_level() to acpi_get_cache_info() arch_topology: Build cacheinfo from primary CPU arch/arm64/kernel/cacheinfo.c | 11 ++- arch/riscv/kernel/cacheinfo.c | 42 ----------- drivers/acpi/pptt.c | 93 +++++++++++++---------- drivers/base/arch_topology.c | 12 ++- drivers/base/cacheinfo.c | 134 +++++++++++++++++++++++++++++----- include/linux/cacheinfo.h | 11 ++- 6 files changed, 196 insertions(+), 107 deletions(-) -- 2.25.1

3 weeks

2
9
0 0

[PATCH net] gve: Check valid ts bit on RX descriptor before hw timestamping

by Harshitha Ramamurthy

From: Tim Hostetler <thostet(a)google.com> The device returns a valid bit in the LSB of the low timestamp byte in the completion descriptor that the driver should check before setting the SKB's hardware timestamp. If the timestamp is not valid, do not hardware timestamp the SKB. Cc: stable(a)vger.kernel.org Fixes: b2c7aeb49056 ("gve: Implement ndo_hwtstamp_get/set for RX timestamping") Reviewed-by: Joshua Washington <joshwash(a)google.com> Signed-off-by: Tim Hostetler <thostet(a)google.com> Signed-off-by: Harshitha Ramamurthy <hramamurthy(a)google.com> --- drivers/net/ethernet/google/gve/gve.h | 2 ++ drivers/net/ethernet/google/gve/gve_desc_dqo.h | 3 ++- drivers/net/ethernet/google/gve/gve_rx_dqo.c | 18 ++++++++++++------ 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/drivers/net/ethernet/google/gve/gve.h b/drivers/net/ethernet/google/gve/gve.h index bceaf9b05cb4..4cc6dcbfd367 100644 --- a/drivers/net/ethernet/google/gve/gve.h +++ b/drivers/net/ethernet/google/gve/gve.h @@ -100,6 +100,8 @@ */ #define GVE_DQO_QPL_ONDEMAND_ALLOC_THRESHOLD 96 +#define GVE_DQO_RX_HWTSTAMP_VALID 0x1 + /* Each slot in the desc ring has a 1:1 mapping to a slot in the data ring */ struct gve_rx_desc_queue { struct gve_rx_desc *desc_ring; /* the descriptor ring */ diff --git a/drivers/net/ethernet/google/gve/gve_desc_dqo.h b/drivers/net/ethernet/google/gve/gve_desc_dqo.h index d17da841b5a0..f7786b03c744 100644 --- a/drivers/net/ethernet/google/gve/gve_desc_dqo.h +++ b/drivers/net/ethernet/google/gve/gve_desc_dqo.h @@ -236,7 +236,8 @@ struct gve_rx_compl_desc_dqo { u8 status_error1; - __le16 reserved5; + u8 reserved5; + u8 ts_sub_nsecs_low; __le16 buf_id; /* Buffer ID which was sent on the buffer queue. */ union { diff --git a/drivers/net/ethernet/google/gve/gve_rx_dqo.c b/drivers/net/ethernet/google/gve/gve_rx_dqo.c index 7380c2b7a2d8..02e25be8a50d 100644 --- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c +++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c @@ -456,14 +456,20 @@ static void gve_rx_skb_hash(struct sk_buff *skb, * Note that this means if the time delta between packet reception and the last * clock read is greater than ~2 seconds, this will provide invalid results. */ -static void gve_rx_skb_hwtstamp(struct gve_rx_ring *rx, u32 hwts) +static void gve_rx_skb_hwtstamp(struct gve_rx_ring *rx, + const struct gve_rx_compl_desc_dqo *desc) { u64 last_read = READ_ONCE(rx->gve->last_sync_nic_counter); struct sk_buff *skb = rx->ctx.skb_head; - u32 low = (u32)last_read; - s32 diff = hwts - low; - - skb_hwtstamps(skb)->hwtstamp = ns_to_ktime(last_read + diff); + u32 ts, low; + s32 diff; + + if (desc->ts_sub_nsecs_low & GVE_DQO_RX_HWTSTAMP_VALID) { + ts = le32_to_cpu(desc->ts); + low = (u32)last_read; + diff = ts - low; + skb_hwtstamps(skb)->hwtstamp = ns_to_ktime(last_read + diff); + } } static void gve_rx_free_skb(struct napi_struct *napi, struct gve_rx_ring *rx) @@ -919,7 +925,7 @@ static int gve_rx_complete_skb(struct gve_rx_ring *rx, struct napi_struct *napi, gve_rx_skb_csum(rx->ctx.skb_head, desc, ptype); if (rx->gve->ts_config.rx_filter == HWTSTAMP_FILTER_ALL) - gve_rx_skb_hwtstamp(rx, le32_to_cpu(desc->ts)); + gve_rx_skb_hwtstamp(rx, desc); /* RSC packets must set gso_size otherwise the TCP stack will complain * that packets are larger than MTU. -- 2.51.0.740.g6adb054d12-goog

3 weeks

6
7
0 0

[PATCH 2/3] net: ravb: Allocate correct number of queues based on SoC support

by Prabhakar

From: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> On SoCs that only support the best-effort queue and not the network control queue, calling alloc_etherdev_mqs() with fixed values for TX/RX queues is not appropriate. Use the nc_queues flag from the per-SoC match data to determine whether the network control queue is available, and fall back to a single TX/RX queue when it is not. This ensures correct queue allocation across all supported SoCs. Fixes: a92f4f0662bf ("ravb: Add nc_queue to struct ravb_hw_info") Cc: stable(a)vger.kernel.org Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> --- drivers/net/ethernet/renesas/ravb_main.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c index 69d382e8757d..a200e205825a 100644 --- a/drivers/net/ethernet/renesas/ravb_main.c +++ b/drivers/net/ethernet/renesas/ravb_main.c @@ -2926,13 +2926,14 @@ static int ravb_probe(struct platform_device *pdev) return dev_err_probe(&pdev->dev, PTR_ERR(rstc), "failed to get cpg reset\n"); + info = of_device_get_match_data(&pdev->dev); + ndev = alloc_etherdev_mqs(sizeof(struct ravb_private), - NUM_TX_QUEUE, NUM_RX_QUEUE); + info->nc_queues ? NUM_TX_QUEUE : 1, + info->nc_queues ? NUM_RX_QUEUE : 1); if (!ndev) return -ENOMEM; - info = of_device_get_match_data(&pdev->dev); - ndev->features = info->net_features; ndev->hw_features = info->net_hw_features; ndev->vlan_features = info->vlan_features; -- 2.43.0

3 weeks

2
1
0 0

FAILED: patch "[PATCH] btrfs: fix the incorrect max_bytes value for" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 7b26da407420e5054e3f06c5d13271697add9423 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101534-attempt-stubbly-cf5f@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7b26da407420e5054e3f06c5d13271697add9423 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Fri, 19 Sep 2025 14:33:23 +0930 Subject: [PATCH] btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range() [BUG] With my local branch to enable bs > ps support for btrfs, sometimes I hit the following ASSERT() inside submit_one_sector(): ASSERT(block_start != EXTENT_MAP_HOLE); Please note that it's not yet possible to hit this ASSERT() in the wild yet, as it requires btrfs bs > ps support, which is not even in the development branch. But on the other hand, there is also a very low chance to hit above ASSERT() with bs < ps cases, so this is an existing bug affect not only the incoming bs > ps support but also the existing bs < ps support. [CAUSE] Firstly that ASSERT() means we're trying to submit a dirty block but without a real extent map nor ordered extent map backing it. Furthermore with extra debugging, the folio triggering such ASSERT() is always larger than the fs block size in my bs > ps case. (8K block size, 4K page size) After some more debugging, the ASSERT() is trigger by the following sequence: extent_writepage() | We got a 32K folio (4 fs blocks) at file offset 0, and the fs block | size is 8K, page size is 4K. | And there is another 8K folio at file offset 32K, which is also | dirty. | So the filemap layout looks like the following: | | "||" is the filio boundary in the filemap. | "//| is the dirty range. | | 0 8K 16K 24K 32K 40K | |////////| |//////////////////////||////////| | |- writepage_delalloc() | |- find_lock_delalloc_range() for [0, 8K) | | Now range [0, 8K) is properly locked. | | | |- find_lock_delalloc_range() for [16K, 40K) | | |- btrfs_find_delalloc_range() returned range [16K, 40K) | | |- lock_delalloc_folios() locked folio 0 successfully | | | | | | The filemap range [32K, 40K) got dropped from filemap. | | | | | |- lock_delalloc_folios() failed with -EAGAIN on folio 32K | | | As the folio at 32K is dropped. | | | | | |- loops = 1; | | |- max_bytes = PAGE_SIZE; | | |- goto again; | | | This will re-do the lookup for dirty delalloc ranges. | | | | | |- btrfs_find_delalloc_range() called with @max_bytes == 4K | | | This is smaller than block size, so | | | btrfs_find_delalloc_range() is unable to return any range. | | \- return false; | | | \- Now only range [0, 8K) has an OE for it, but for dirty range | [16K, 32K) it's dirty without an OE. | This breaks the assumption that writepage_delalloc() will find | and lock all dirty ranges inside the folio. | |- extent_writepage_io() |- submit_one_sector() for [0, 8K) | Succeeded | |- submit_one_sector() for [16K, 24K) Triggering the ASSERT(), as there is no OE, and the original extent map is a hole. Please note that, this also exposed the same problem for bs < ps support. E.g. with 64K page size and 4K block size. If we failed to lock a folio, and falls back into the "loops = 1;" branch, we will re-do the search using 64K as max_bytes. Which may fail again to lock the next folio, and exit early without handling all dirty blocks inside the folio. [FIX] Instead of using the fixed size PAGE_SIZE as @max_bytes, use @sectorsize, so that we are ensured to find and lock any remaining blocks inside the folio. And since we're here, add an extra ASSERT() to before calling btrfs_find_delalloc_range() to make sure the @max_bytes is at least no smaller than a block to avoid false negative. Cc: stable(a)vger.kernel.org # 5.15+ Signed-off-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 0782533aad51..2b6027ebf265 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -393,6 +393,13 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, /* step one, find a bunch of delalloc bytes starting at start */ delalloc_start = *start; delalloc_end = 0; + + /* + * If @max_bytes is smaller than a block, btrfs_find_delalloc_range() can + * return early without handling any dirty ranges. + */ + ASSERT(max_bytes >= fs_info->sectorsize); + found = btrfs_find_delalloc_range(tree, &delalloc_start, &delalloc_end, max_bytes, &cached_state); if (!found || delalloc_end <= *start || delalloc_start > orig_end) { @@ -423,13 +430,14 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, delalloc_end); ASSERT(!ret || ret == -EAGAIN); if (ret == -EAGAIN) { - /* some of the folios are gone, lets avoid looping by - * shortening the size of the delalloc range we're searching + /* + * Some of the folios are gone, lets avoid looping by + * shortening the size of the delalloc range we're searching. */ btrfs_free_extent_state(cached_state); cached_state = NULL; if (!loops) { - max_bytes = PAGE_SIZE; + max_bytes = fs_info->sectorsize; loops = 1; goto again; } else {

3 weeks

2
1
0 0

[PATCH] PCI: dw-rockchip: Disable L1 substates

by Niklas Cassel

The L1 substates support requires additional steps to work, see e.g. section '11.6.6.4 L1 Substate' in the RK3588 TRM V1.0. These steps are currently missing from the driver. While this has always been a problem when using e.g. CONFIG_PCIEASPM_POWER_SUPERSAVE=y, the problem became more apparent after commit f3ac2ff14834 ("PCI/ASPM: Enable all ClockPM and ASPM states for devicetree platforms"), which enabled ASPM also for CONFIG_PCIEASPM_DEFAULT=y. Disable L1 substates until proper support is added. Cc: stable(a)vger.kernel.org Fixes: 0e898eb8df4e ("PCI: rockchip-dwc: Add Rockchip RK356X host controller driver") Fixes: f3ac2ff14834 ("PCI/ASPM: Enable all ClockPM and ASPM states for devicetree platforms") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-dw-rockchip.c | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/drivers/pci/controller/dwc/pcie-dw-rockchip.c b/drivers/pci/controller/dwc/pcie-dw-rockchip.c index 3e2752c7dd09..28e0fffe2542 100644 --- a/drivers/pci/controller/dwc/pcie-dw-rockchip.c +++ b/drivers/pci/controller/dwc/pcie-dw-rockchip.c @@ -200,6 +200,26 @@ static bool rockchip_pcie_link_up(struct dw_pcie *pci) return FIELD_GET(PCIE_LINKUP_MASK, val) == PCIE_LINKUP; } +/* + * See e.g. section '11.6.6.4 L1 Substate' in the RK3588 TRM V1.0 for the steps + * needed to support L1 substates. Currently, not a single rockchip platform + * performs these steps, so disable L1 substates until there is proper support. + */ +static void rockchip_pcie_disable_l1sub(struct dw_pcie *pci) +{ + u32 cap, l1subcap; + + cap = dw_pcie_find_ext_capability(pci, PCI_EXT_CAP_ID_L1SS); + if (cap) { + l1subcap = dw_pcie_readl_dbi(pci, cap + PCI_L1SS_CAP); + l1subcap &= ~(PCI_L1SS_CAP_L1_PM_SS | PCI_L1SS_CAP_ASPM_L1_1 | + PCI_L1SS_CAP_ASPM_L1_2 | PCI_L1SS_CAP_PCIPM_L1_1 | + PCI_L1SS_CAP_PCIPM_L1_2); + dw_pcie_writel_dbi(pci, cap + PCI_L1SS_CAP, l1subcap); + l1subcap = dw_pcie_readl_dbi(pci, cap + PCI_L1SS_CAP); + } +} + static void rockchip_pcie_enable_l0s(struct dw_pcie *pci) { u32 cap, lnkcap; @@ -264,6 +284,7 @@ static int rockchip_pcie_host_init(struct dw_pcie_rp *pp) irq_set_chained_handler_and_data(irq, rockchip_pcie_intx_handler, rockchip); + rockchip_pcie_disable_l1sub(pci); rockchip_pcie_enable_l0s(pci); return 0; @@ -301,6 +322,7 @@ static void rockchip_pcie_ep_init(struct dw_pcie_ep *ep) struct dw_pcie *pci = to_dw_pcie_from_ep(ep); enum pci_barno bar; + rockchip_pcie_disable_l1sub(pci); rockchip_pcie_enable_l0s(pci); rockchip_pcie_ep_hide_broken_ats_cap_rk3588(ep); -- 2.51.0

3 weeks

2
3
0 0

[PATCH 0/2] HID: multitouch: fix sticky-fingers quirks

by Benjamin Tissoires

According to Peter, we've had for a very long time an issue on some mutltiouch touchpads where the fingers were stuck in a scrolling mode, or 3 fingers gesture mode. I was unable to debug it because it was rather hard to reproduce. Recently, some people raised the issue again on libinput, and this time added a recording of the actual bug. It turns out that the sticky finger quirk that was introduced back in 2017 was only checking the last report, and that those missing releases also happen when moving from 3 to 1 finger (only 1 is released instead of 2). This solution seems to me to be the most sensible, because we could also add the NSMU quirk to win8 multitouch touchpads, but this would involve a lot more computations at each report for rather annoying corner cases. Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/1194 Signed-off-by: Benjamin Tissoires <bentiss(a)kernel.org> --- Benjamin Tissoires (2): HID: multitouch: fix sticky fingers selftests/hid: add tests for missing release on the Dell Synaptics drivers/hid/hid-multitouch.c | 27 ++++++----- .../testing/selftests/hid/tests/test_multitouch.py | 55 ++++++++++++++++++++++ 2 files changed, 69 insertions(+), 13 deletions(-) --- base-commit: 54ba6d9b1393a0061600c0e49c8ebef65d60a8b2 change-id: 20250926-fix-sticky-fingers-8ae88436ae82 Best regards, -- Benjamin Tissoires <bentiss(a)kernel.org>

3 weeks

2
2
0 0

FAILED: patch "[PATCH] btrfs: fix the incorrect max_bytes value for" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 7b26da407420e5054e3f06c5d13271697add9423 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101530-composed-concave-1075@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7b26da407420e5054e3f06c5d13271697add9423 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Fri, 19 Sep 2025 14:33:23 +0930 Subject: [PATCH] btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range() [BUG] With my local branch to enable bs > ps support for btrfs, sometimes I hit the following ASSERT() inside submit_one_sector(): ASSERT(block_start != EXTENT_MAP_HOLE); Please note that it's not yet possible to hit this ASSERT() in the wild yet, as it requires btrfs bs > ps support, which is not even in the development branch. But on the other hand, there is also a very low chance to hit above ASSERT() with bs < ps cases, so this is an existing bug affect not only the incoming bs > ps support but also the existing bs < ps support. [CAUSE] Firstly that ASSERT() means we're trying to submit a dirty block but without a real extent map nor ordered extent map backing it. Furthermore with extra debugging, the folio triggering such ASSERT() is always larger than the fs block size in my bs > ps case. (8K block size, 4K page size) After some more debugging, the ASSERT() is trigger by the following sequence: extent_writepage() | We got a 32K folio (4 fs blocks) at file offset 0, and the fs block | size is 8K, page size is 4K. | And there is another 8K folio at file offset 32K, which is also | dirty. | So the filemap layout looks like the following: | | "||" is the filio boundary in the filemap. | "//| is the dirty range. | | 0 8K 16K 24K 32K 40K | |////////| |//////////////////////||////////| | |- writepage_delalloc() | |- find_lock_delalloc_range() for [0, 8K) | | Now range [0, 8K) is properly locked. | | | |- find_lock_delalloc_range() for [16K, 40K) | | |- btrfs_find_delalloc_range() returned range [16K, 40K) | | |- lock_delalloc_folios() locked folio 0 successfully | | | | | | The filemap range [32K, 40K) got dropped from filemap. | | | | | |- lock_delalloc_folios() failed with -EAGAIN on folio 32K | | | As the folio at 32K is dropped. | | | | | |- loops = 1; | | |- max_bytes = PAGE_SIZE; | | |- goto again; | | | This will re-do the lookup for dirty delalloc ranges. | | | | | |- btrfs_find_delalloc_range() called with @max_bytes == 4K | | | This is smaller than block size, so | | | btrfs_find_delalloc_range() is unable to return any range. | | \- return false; | | | \- Now only range [0, 8K) has an OE for it, but for dirty range | [16K, 32K) it's dirty without an OE. | This breaks the assumption that writepage_delalloc() will find | and lock all dirty ranges inside the folio. | |- extent_writepage_io() |- submit_one_sector() for [0, 8K) | Succeeded | |- submit_one_sector() for [16K, 24K) Triggering the ASSERT(), as there is no OE, and the original extent map is a hole. Please note that, this also exposed the same problem for bs < ps support. E.g. with 64K page size and 4K block size. If we failed to lock a folio, and falls back into the "loops = 1;" branch, we will re-do the search using 64K as max_bytes. Which may fail again to lock the next folio, and exit early without handling all dirty blocks inside the folio. [FIX] Instead of using the fixed size PAGE_SIZE as @max_bytes, use @sectorsize, so that we are ensured to find and lock any remaining blocks inside the folio. And since we're here, add an extra ASSERT() to before calling btrfs_find_delalloc_range() to make sure the @max_bytes is at least no smaller than a block to avoid false negative. Cc: stable(a)vger.kernel.org # 5.15+ Signed-off-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 0782533aad51..2b6027ebf265 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -393,6 +393,13 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, /* step one, find a bunch of delalloc bytes starting at start */ delalloc_start = *start; delalloc_end = 0; + + /* + * If @max_bytes is smaller than a block, btrfs_find_delalloc_range() can + * return early without handling any dirty ranges. + */ + ASSERT(max_bytes >= fs_info->sectorsize); + found = btrfs_find_delalloc_range(tree, &delalloc_start, &delalloc_end, max_bytes, &cached_state); if (!found || delalloc_end <= *start || delalloc_start > orig_end) { @@ -423,13 +430,14 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, delalloc_end); ASSERT(!ret || ret == -EAGAIN); if (ret == -EAGAIN) { - /* some of the folios are gone, lets avoid looping by - * shortening the size of the delalloc range we're searching + /* + * Some of the folios are gone, lets avoid looping by + * shortening the size of the delalloc range we're searching. */ btrfs_free_extent_state(cached_state); cached_state = NULL; if (!loops) { - max_bytes = PAGE_SIZE; + max_bytes = fs_info->sectorsize; loops = 1; goto again; } else {

3 weeks

2
1
0 0

FAILED: patch "[PATCH] fscontext: do not consume log entries when returning" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 72d271a7baa7062cb27e774ac37c5459c6d20e22 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101543-quake-judicial-9e2e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 72d271a7baa7062cb27e774ac37c5459c6d20e22 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <cyphar(a)cyphar.com> Date: Thu, 7 Aug 2025 03:55:23 +1000 Subject: [PATCH] fscontext: do not consume log entries when returning -EMSGSIZE Userspace generally expects APIs that return -EMSGSIZE to allow for them to adjust their buffer size and retry the operation. However, the fscontext log would previously clear the message even in the -EMSGSIZE case. Given that it is very cheap for us to check whether the buffer is too small before we remove the message from the ring buffer, let's just do that instead. While we're at it, refactor some fscontext_read() into a separate helper to make the ring buffer logic a bit easier to read. Fixes: 007ec26cdc9f ("vfs: Implement logging through fs_context") Cc: David Howells <dhowells(a)redhat.com> Cc: stable(a)vger.kernel.org # v5.2+ Signed-off-by: Aleksa Sarai <cyphar(a)cyphar.com> Link: https://lore.kernel.org/20250807-fscontext-log-cleanups-v3-1-8d91d6242dc3@c… Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/fsopen.c b/fs/fsopen.c index 1aaf4cb2afb2..f645c99204eb 100644 --- a/fs/fsopen.c +++ b/fs/fsopen.c @@ -18,50 +18,56 @@ #include "internal.h" #include "mount.h" +static inline const char *fetch_message_locked(struct fc_log *log, size_t len, + bool *need_free) +{ + const char *p; + int index; + + if (unlikely(log->head == log->tail)) + return ERR_PTR(-ENODATA); + + index = log->tail & (ARRAY_SIZE(log->buffer) - 1); + p = log->buffer[index]; + if (unlikely(strlen(p) > len)) + return ERR_PTR(-EMSGSIZE); + + log->buffer[index] = NULL; + *need_free = log->need_free & (1 << index); + log->need_free &= ~(1 << index); + log->tail++; + + return p; +} + /* * Allow the user to read back any error, warning or informational messages. + * Only one message is returned for each read(2) call. */ static ssize_t fscontext_read(struct file *file, char __user *_buf, size_t len, loff_t *pos) { struct fs_context *fc = file->private_data; - struct fc_log *log = fc->log.log; - unsigned int logsize = ARRAY_SIZE(log->buffer); - ssize_t ret; - char *p; + ssize_t err; + const char *p __free(kfree) = NULL, *message; bool need_free; - int index, n; + int n; - ret = mutex_lock_interruptible(&fc->uapi_mutex); - if (ret < 0) - return ret; - - if (log->head == log->tail) { - mutex_unlock(&fc->uapi_mutex); - return -ENODATA; - } - - index = log->tail & (logsize - 1); - p = log->buffer[index]; - need_free = log->need_free & (1 << index); - log->buffer[index] = NULL; - log->need_free &= ~(1 << index); - log->tail++; + err = mutex_lock_interruptible(&fc->uapi_mutex); + if (err < 0) + return err; + message = fetch_message_locked(fc->log.log, len, &need_free); mutex_unlock(&fc->uapi_mutex); + if (IS_ERR(message)) + return PTR_ERR(message); - ret = -EMSGSIZE; - n = strlen(p); - if (n > len) - goto err_free; - ret = -EFAULT; - if (copy_to_user(_buf, p, n) != 0) - goto err_free; - ret = n; - -err_free: if (need_free) - kfree(p); - return ret; + p = message; + + n = strlen(message); + if (copy_to_user(_buf, message, n)) + return -EFAULT; + return n; } static int fscontext_release(struct inode *inode, struct file *file)

3 weeks

2
2
0 0

[PATCH] binder: remove "invalid inc weak" check

by Alice Ryhl

There are no scenarios where a weak increment is invalid on binder_node. The only possible case where it could be invalid is if the kernel delivers BR_DECREFS to the process that owns the node, and then increments the weak refcount again, effectively "reviving" a dead node. However, that is not possible: when the BR_DECREFS command is delivered, the kernel removes and frees the binder_node. The fact that you were able to call binder_inc_node_nilocked() implies that the node is not yet destroyed, which implies that BR_DECREFS has not been delivered to userspace, so incrementing the weak refcount is valid. Note that it's currently possible to trigger this condition if the owner calls BINDER_THREAD_EXIT while node->has_weak_ref is true. This causes BC_INCREFS on binder_ref instances to fail when they should not. Cc: stable(a)vger.kernel.org Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") Reported-by: Yu-Ting Tseng <yutingtseng(a)google.com> Signed-off-by: Alice Ryhl <aliceryhl(a)google.com> --- drivers/android/binder.c | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 8c99ceaa303bad8751571a337770df857e72d981..3915d8d2d896d1e3a861c336d900d7a4657a0104 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -851,17 +851,8 @@ static int binder_inc_node_nilocked(struct binder_node *node, int strong, } else { if (!internal) node->local_weak_refs++; - if (!node->has_weak_ref && list_empty(&node->work.entry)) { - if (target_list == NULL) { - pr_err("invalid inc weak node for %d\n", - node->debug_id); - return -EINVAL; - } - /* - * See comment above - */ + if (!node->has_weak_ref && target_list && list_empty(&node->work.entry)) binder_enqueue_work_ilocked(&node->work, target_list); - } } return 0; } --- base-commit: 3a8660878839faadb4f1a6dd72c3179c1df56787 change-id: 20251015-binder-weak-inc-f294e62d2ec6 Best regards, -- Alice Ryhl <aliceryhl(a)google.com>

3 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix the incorrect max_bytes value for" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 7b26da407420e5054e3f06c5d13271697add9423 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101526-rush-bagel-d750@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7b26da407420e5054e3f06c5d13271697add9423 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Fri, 19 Sep 2025 14:33:23 +0930 Subject: [PATCH] btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range() [BUG] With my local branch to enable bs > ps support for btrfs, sometimes I hit the following ASSERT() inside submit_one_sector(): ASSERT(block_start != EXTENT_MAP_HOLE); Please note that it's not yet possible to hit this ASSERT() in the wild yet, as it requires btrfs bs > ps support, which is not even in the development branch. But on the other hand, there is also a very low chance to hit above ASSERT() with bs < ps cases, so this is an existing bug affect not only the incoming bs > ps support but also the existing bs < ps support. [CAUSE] Firstly that ASSERT() means we're trying to submit a dirty block but without a real extent map nor ordered extent map backing it. Furthermore with extra debugging, the folio triggering such ASSERT() is always larger than the fs block size in my bs > ps case. (8K block size, 4K page size) After some more debugging, the ASSERT() is trigger by the following sequence: extent_writepage() | We got a 32K folio (4 fs blocks) at file offset 0, and the fs block | size is 8K, page size is 4K. | And there is another 8K folio at file offset 32K, which is also | dirty. | So the filemap layout looks like the following: | | "||" is the filio boundary in the filemap. | "//| is the dirty range. | | 0 8K 16K 24K 32K 40K | |////////| |//////////////////////||////////| | |- writepage_delalloc() | |- find_lock_delalloc_range() for [0, 8K) | | Now range [0, 8K) is properly locked. | | | |- find_lock_delalloc_range() for [16K, 40K) | | |- btrfs_find_delalloc_range() returned range [16K, 40K) | | |- lock_delalloc_folios() locked folio 0 successfully | | | | | | The filemap range [32K, 40K) got dropped from filemap. | | | | | |- lock_delalloc_folios() failed with -EAGAIN on folio 32K | | | As the folio at 32K is dropped. | | | | | |- loops = 1; | | |- max_bytes = PAGE_SIZE; | | |- goto again; | | | This will re-do the lookup for dirty delalloc ranges. | | | | | |- btrfs_find_delalloc_range() called with @max_bytes == 4K | | | This is smaller than block size, so | | | btrfs_find_delalloc_range() is unable to return any range. | | \- return false; | | | \- Now only range [0, 8K) has an OE for it, but for dirty range | [16K, 32K) it's dirty without an OE. | This breaks the assumption that writepage_delalloc() will find | and lock all dirty ranges inside the folio. | |- extent_writepage_io() |- submit_one_sector() for [0, 8K) | Succeeded | |- submit_one_sector() for [16K, 24K) Triggering the ASSERT(), as there is no OE, and the original extent map is a hole. Please note that, this also exposed the same problem for bs < ps support. E.g. with 64K page size and 4K block size. If we failed to lock a folio, and falls back into the "loops = 1;" branch, we will re-do the search using 64K as max_bytes. Which may fail again to lock the next folio, and exit early without handling all dirty blocks inside the folio. [FIX] Instead of using the fixed size PAGE_SIZE as @max_bytes, use @sectorsize, so that we are ensured to find and lock any remaining blocks inside the folio. And since we're here, add an extra ASSERT() to before calling btrfs_find_delalloc_range() to make sure the @max_bytes is at least no smaller than a block to avoid false negative. Cc: stable(a)vger.kernel.org # 5.15+ Signed-off-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 0782533aad51..2b6027ebf265 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -393,6 +393,13 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, /* step one, find a bunch of delalloc bytes starting at start */ delalloc_start = *start; delalloc_end = 0; + + /* + * If @max_bytes is smaller than a block, btrfs_find_delalloc_range() can + * return early without handling any dirty ranges. + */ + ASSERT(max_bytes >= fs_info->sectorsize); + found = btrfs_find_delalloc_range(tree, &delalloc_start, &delalloc_end, max_bytes, &cached_state); if (!found || delalloc_end <= *start || delalloc_start > orig_end) { @@ -423,13 +430,14 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, delalloc_end); ASSERT(!ret || ret == -EAGAIN); if (ret == -EAGAIN) { - /* some of the folios are gone, lets avoid looping by - * shortening the size of the delalloc range we're searching + /* + * Some of the folios are gone, lets avoid looping by + * shortening the size of the delalloc range we're searching. */ btrfs_free_extent_state(cached_state); cached_state = NULL; if (!loops) { - max_bytes = PAGE_SIZE; + max_bytes = fs_info->sectorsize; loops = 1; goto again; } else {

3 weeks

2
1
0 0

[PATCH 4/9] ASoC: qcom: q6asm-dai: perform correct state check before closing

by Srinivas Kandagatla

Do not stop a q6asm stream if its not started, this can result in unnecessary dsp command which will timeout anyway something like below: q6asm-dai ab00000.remoteproc:glink-edge:apr:service@7:dais: CMD 10bcd timeout Fix this by correctly checking the state. Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver") Cc: <Stable(a)vger.kernel.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> --- sound/soc/qcom/qdsp6/q6asm-dai.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/soc/qcom/qdsp6/q6asm-dai.c b/sound/soc/qcom/qdsp6/q6asm-dai.c index e8129510a734..0eae8c6e42b8 100644 --- a/sound/soc/qcom/qdsp6/q6asm-dai.c +++ b/sound/soc/qcom/qdsp6/q6asm-dai.c @@ -233,13 +233,14 @@ static int q6asm_dai_prepare(struct snd_soc_component *component, prtd->pcm_count = snd_pcm_lib_period_bytes(substream); prtd->pcm_irq_pos = 0; /* rate and channels are sent to audio driver */ - if (prtd->state) { + if (prtd->state == Q6ASM_STREAM_RUNNING) { /* clear the previous setup if any */ q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE); q6asm_unmap_memory_regions(substream->stream, prtd->audio_client); q6routing_stream_close(soc_prtd->dai_link->id, substream->stream); + prtd->state = Q6ASM_STREAM_STOPPED; } ret = q6asm_map_memory_regions(substream->stream, prtd->audio_client, -- 2.51.0

3 weeks

1
0
0 0

[PATCH 3/9] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment.

by Srinivas Kandagatla

DSP expects the periods to be aligned to fragment sizes, currently setting up to hw constriants on periods bytes is not going to work correctly as we can endup with periods sizes aligned to 32 bytes however not aligned to fragment size. Update the constriants to use fragment size, and also set at step of 10ms for period size to accommodate DSP requirements of 10ms latency. Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver") Cc: <Stable(a)vger.kernel.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> --- sound/soc/qcom/qdsp6/q6asm-dai.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/soc/qcom/qdsp6/q6asm-dai.c b/sound/soc/qcom/qdsp6/q6asm-dai.c index b616ce316d2f..e8129510a734 100644 --- a/sound/soc/qcom/qdsp6/q6asm-dai.c +++ b/sound/soc/qcom/qdsp6/q6asm-dai.c @@ -403,13 +403,13 @@ static int q6asm_dai_open(struct snd_soc_component *component, } ret = snd_pcm_hw_constraint_step(runtime, 0, - SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 32); + SNDRV_PCM_HW_PARAM_PERIOD_SIZE, 480); if (ret < 0) { dev_err(dev, "constraint for period bytes step ret = %d\n", ret); } ret = snd_pcm_hw_constraint_step(runtime, 0, - SNDRV_PCM_HW_PARAM_BUFFER_BYTES, 32); + SNDRV_PCM_HW_PARAM_BUFFER_SIZE, 480); if (ret < 0) { dev_err(dev, "constraint for buffer bytes step ret = %d\n", ret); -- 2.51.0

3 weeks

1
0
0 0

[PATCH 1/9] ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr

by Srinivas Kandagatla

Driver does not expect the appl_ptr to move backward and requires explict sync. Make sure that the userspace does not do appl_ptr rewinds by specifying the correct flags in pcm_info. Without this patch, the result could be a forever loop as current logic assumes that appl_ptr can only move forward. Fixes: 3d4a4411aa8b ("ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs") Cc: <Stable(a)vger.kernel.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> --- sound/soc/qcom/qdsp6/q6apm-dai.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/soc/qcom/qdsp6/q6apm-dai.c b/sound/soc/qcom/qdsp6/q6apm-dai.c index 4ecaff45c518..786ab3222515 100644 --- a/sound/soc/qcom/qdsp6/q6apm-dai.c +++ b/sound/soc/qcom/qdsp6/q6apm-dai.c @@ -86,6 +86,7 @@ static const struct snd_pcm_hardware q6apm_dai_hardware_capture = { .info = (SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_BLOCK_TRANSFER | SNDRV_PCM_INFO_MMAP_VALID | SNDRV_PCM_INFO_INTERLEAVED | SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME | + SNDRV_PCM_INFO_NO_REWINDS | SNDRV_PCM_INFO_SYNC_APPLPTR | SNDRV_PCM_INFO_BATCH), .formats = (SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE), .rates = SNDRV_PCM_RATE_8000_48000, @@ -105,6 +106,7 @@ static const struct snd_pcm_hardware q6apm_dai_hardware_playback = { .info = (SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_BLOCK_TRANSFER | SNDRV_PCM_INFO_MMAP_VALID | SNDRV_PCM_INFO_INTERLEAVED | SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME | + SNDRV_PCM_INFO_NO_REWINDS | SNDRV_PCM_INFO_SYNC_APPLPTR | SNDRV_PCM_INFO_BATCH), .formats = (SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE), .rates = SNDRV_PCM_RATE_8000_192000, -- 2.51.0

3 weeks

1
0
0 0

[PATCH 6.12 000/262] 6.12.53-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.53 release. There are 262 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 15 Oct 2025 14:42:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.53-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.53-rc1 Miaoqian Lin <linmq006(a)gmail.com> usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode Sven Peter <sven(a)kernel.org> usb: typec: tipd: Clear interrupts first Oleksij Rempel <o.rempel(a)pengutronix.de> net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Dominique Martinet <asmadeus(a)codewreck.org> net/9p: Fix buffer overflow in USB transport layer Salah Triki <salah.triki(a)gmail.com> bus: fsl-mc: Check return value of platform_get_resource() Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: check the return value of pinmux_ops::get_function_name() Jens Wiklander <jens.wiklander(a)linaro.org> tee: fix register_shm_helper() Zhen Ni <zhen.ni(a)easystack.cn> remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() Lei Lu <llfamsec(a)gmail.com> sunrpc: fix null pointer dereference on zero-length checksum Zhen Ni <zhen.ni(a)easystack.cn> Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Marek Vasut <marek.vasut(a)mailbox.org> Input: atmel_mxt_ts - allow reset GPIO to sleep Ling Xu <quic_lxu5(a)quicinc.com> misc: fastrpc: Skip reference for DMA handles Ling Xu <quic_lxu5(a)quicinc.com> misc: fastrpc: fix possible map leak in fastrpc_put_args Ling Xu <quic_lxu5(a)quicinc.com> misc: fastrpc: Fix fastrpc_map_lookup operation Ling Xu <quic_lxu5(a)quicinc.com> misc: fastrpc: Save actual DMA size in fastrpc_map structure Guangshuo Li <lgs201920130244(a)gmail.com> nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() Yang Shi <yang(a)os.amperecomputing.com> mm: hugetlb: avoid soft lockup when mprotect to large memory area Janne Grunau <j(a)jannau.net> fbdev: simplefb: Fix use after free in simplefb_detach_genpds() Sean Christopherson <seanjc(a)google.com> KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid Jan Kara <jack(a)suse.cz> ext4: fix checks for orphan inodes Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: add max ip connections parameter Matvey Kovalev <matvey.kovalev(a)ispras.ru> ksmbd: fix error code overwriting in smb2_get_info_filesystem() Yunseong Kim <ysk(a)kzalloc.com> ksmbd: Fix race condition in RPC handle list access Youling Tang <tangyouling(a)kylinos.cn> LoongArch: Automatically disable kaslr if boot from kexec_file Zheng Qixing <zhengqixing(a)huawei.com> dm: fix NULL pointer dereference in __dm_suspend() Zheng Qixing <zhengqixing(a)huawei.com> dm: fix queue start/stop imbalance under suspend/load/resume races Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() Cosmin Tanislav <cosmin-gabriel.tanislav.xa(a)renesas.com> mfd: rz-mtu3: Fix MTU5 NFCR register offset Deepak Sharma <deepak.sharma.472935(a)gmail.com> net: nfc: nci: Add parameter validation for packet data Larshin Sergey <Sergey.Larshin(a)kaspersky.com> fs: udf: fix OOB read in lengthAllocDescs handling Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> ASoC: codecs: wcd937x: make stub functions inline Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> ASoC: codecs: wcd937x: set the comp soundwire port correctly Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down Ma Ke <make24(a)iscas.ac.cn> ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() Jens Axboe <axboe(a)kernel.dk> io_uring/waitid: always prune wait queue entry in io_waitid_wait() Naman Jain <namjain(a)linux.microsoft.com> uio_hv_generic: Let userspace take care of interrupt mask Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: fix uninit-value in squashfs_get_parent Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Disable TPM2_TCG_HMAC by default Yazhou Tang <tangyazhou518(a)outlook.com> bpf: Reject negative offsets for ALU ops zhang jiao <zhangjiao2(a)cmss.chinamobile.com> vhost: vringh: Modify the return value check Jakub Kicinski <kuba(a)kernel.org> Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" Enzo Matsumiya <ematsumiya(a)suse.de> smb: client: fix crypto buffers in non-linear memory Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: fw reset, add reset timeout work Shay Drory <shayd(a)nvidia.com> net/mlx5: pagealloc: Fix reclaim race during command interface teardown Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: Stop polling for command response if interface goes down Yeounsu Moon <yyyynoom(a)gmail.com> net: dlink: handle copy_thresh allocation failure Kohei Enju <enjuk(a)amazon.com> net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable Kohei Enju <enjuk(a)amazon.com> nfp: fix RSS hash key size when RSS is not supported Alok Tiwari <alok.a.tiwari(a)oracle.com> idpf: fix mismatched free function for dma_alloc_coherent Alok Tiwari <alok.a.tiwari(a)oracle.com> PCI: j721e: Fix incorrect error message in probe() Erick Karanja <karanja99erick(a)gmail.com> mtd: rawnand: atmel: Fix error handling path in atmel_nand_controller_add_nands Donet Tom <donettom(a)linux.ibm.com> drivers/base/node: fix double free in register_one_node() Dan Carpenter <dan.carpenter(a)linaro.org> ocfs2: fix double free in user_cluster_connect() Nishanth Menon <nm(a)ti.com> hwrng: ks-sa - fix division by zero in ks_sa_rng_init Fan Wu <wufan(a)kernel.org> KEYS: X.509: Fix Basic Constraints CA flag parsing Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements Pauli Virtanen <pav(a)iki.fi> Bluetooth: ISO: don't leak skb in ISO_CONT RX Pauli Virtanen <pav(a)iki.fi> Bluetooth: ISO: free rx_skb if not consumed Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix possible UAF on iso_conn_free Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO Michael S. Tsirkin <mst(a)redhat.com> vhost: vringh: Fix copy_to_iter return value check I Viswanath <viswanathiyyappan(a)gmail.com> ptp: Add a upper bound on max_vclocks I Viswanath <viswanathiyyappan(a)gmail.com> net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast Bernard Metzler <bernard.metzler(a)linux.dev> RDMA/siw: Always report immediate post SQ errors Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Disallow dirty tracking if incoherent page walk Marek Vasut <marek.vasut+renesas(a)mailbox.org> PCI: rcar-gen4: Fix inverted break condition in PHY initialization Marek Vasut <marek.vasut+renesas(a)mailbox.org> PCI: rcar-gen4: Assure reset occurs before DBI access Marek Vasut <marek.vasut+renesas(a)mailbox.org> PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> usb: vhci-hcd: Prevent suspending virtually attached devices Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Fernando Fernandez Mancera <fmancera(a)suse.de> netfilter: nfnetlink: reset nlh pointer during batch replay Slavin Liu <slavin452(a)gmail.com> ipvs: Defer ip_vs_ftp unregister during netns cleanup Anthony Iliopoulos <ailiop(a)suse.com> NFSv4.1: fix backchannel max_resp_sz verification check Lin Yujun <linyujun809(a)h-partners.com> coresight: Fix incorrect handling for return value of devm_kzalloc Jie Gan <jie.gan(a)oss.qualcomm.com> coresight: tpda: fix the logic to setup the element size Leo Yan <leo.yan(a)arm.com> coresight: trbe: Return NULL pointer for allocation failures Leo Yan <leo.yan(a)arm.com> coresight: etm4x: Support atclk Leo Yan <leo.yan(a)arm.com> coresight: catu: Support atclk Leo Yan <leo.yan(a)arm.com> coresight: tmc: Support atclk Yuanfang Zhang <yuanfang.zhang(a)oss.qualcomm.com> coresight-etm4x: Conditionally access register TRCEXTINSELR Ivan Abramov <i.abramov(a)mt-integration.ru> dm vdo: return error on corrupted metadata in start_restoring_volume functions Stephan Gerhold <stephan.gerhold(a)linaro.org> remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice Nagarjuna Kristam <nkristam(a)nvidia.com> PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() Fedor Pchelkin <pchelkin(a)ispras.ru> wifi: rtw89: avoid circular locking dependency in ser_state_run() Gui-Dong Han <hanguidong02(a)gmail.com> RDMA/rxe: Fix race in do_task() when draining Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs Zilin Guan <zilin(a)seu.edu.cn> vfio/pds: replace bitmap_free with vfree Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_to_user for Niagara 4 Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC Richard Fitzgerald <rf(a)opensource.cirrus.com> ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback Aditya Kumar Singh <aditya.kumar.singh(a)oss.qualcomm.com> wifi: mac80211: fix Rx packet handling when pubsta information is not available Vineeth Pillai (Google) <vineeth(a)bitbyteword.org> iommu/vt-d: debugfs: Fix legacy mode page table dump logic Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> wifi: ath10k: avoid unnecessary wait for service ready message Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> wifi: ath12k: fix wrong logging ID used for CE Bagas Sanjaya <bagasdotme(a)gmail.com> Documentation: trace: historgram-design: Separate sched_waking histogram section heading and the following diagram Vlad Dumitrescu <vdumitrescu(a)nvidia.com> IB/sa: Fix sa_local_svc_timeout_ms read race Parav Pandit <parav(a)nvidia.com> RDMA/core: Resolve MAC of next-hop device without ARP support Michal Pecio <michal.pecio(a)gmail.com> Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" wangzijie <wangzijie1(a)honor.com> f2fs: fix zero-sized extent for precache extents Benjamin Tissoires <bentiss(a)kernel.org> HID: hidraw: tighten ioctl command parsing Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp() Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: qla2xxx: edif: Fix incorrect sign of error code Colin Ian King <colin.i.king(a)gmail.com> ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT Chao Yu <chao(a)kernel.org> f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page() Chao Yu <chao(a)kernel.org> f2fs: fix to truncate first page in error path of f2fs_truncate() Chao Yu <chao(a)kernel.org> f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks() Zhi-Jun You <hujy652(a)gmail.com> wifi: mt76: mt7915: fix mt7981 pre-calibration Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: mt7996: Fix RX packets configuration for primary WED device Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: mt76: fix potential memory leak in mt76_wmac_probe() Håkon Bugge <haakon.bugge(a)oracle.com> RDMA/cm: Rate limit destroy CM ID timeout error message Donet Tom <donettom(a)linux.ibm.com> drivers/base/node: handle error properly in register_one_node() Christophe Leroy <christophe.leroy(a)csgroup.eu> watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Zhang Tengfei <zhtfdev(a)gmail.com> ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable Zhen Ni <zhen.ni(a)easystack.cn> netfilter: ipset: Remove unused htable_bits in macro ahash_region Hans de Goede <hansg(a)kernel.org> iio: consumers: Fix offset handling in iio_convert_raw_to_processed() Hans de Goede <hansg(a)kernel.org> iio: consumers: Fix handling of negative channel scale in iio_convert_raw_to_processed() Moon Hee Lee <moonhee.lee.ca(a)gmail.com> fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist Vitaly Grigoryev <Vitaly.Grigoryev(a)kaspersky.com> fs: ntfs3: Fix integer overflow in run_unpack() Qianfeng Rong <rongqianfeng(a)vivo.com> drm/msm/dpu: fix incorrect type for ret Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping Alexander Lobakin <aleksander.lobakin(a)intel.com> idpf: fix Rx descriptor ready check barrier in splitq Liao Yuanhong <liaoyuanhong(a)vivo.com> wifi: iwlwifi: Remove redundant header files Wang Liang <wangliang74(a)huawei.com> pps: fix warning in pps_register_cdev when register device fail Colin Ian King <colin.i.king(a)gmail.com> misc: genwqe: Fix incorrect cmd field being reported in error Seppo Takalo <seppo.takalo(a)nordicsemi.no> tty: n_gsm: Don't block input queue by waiting MSC William Wu <william.wu(a)rock-chips.com> usb: gadget: configfs: Correctly set use_os_string at bind Xichao Zhao <zhao.xichao(a)vivo.com> usb: phy: twl6030: Fix incorrect type for ret Qianfeng Rong <rongqianfeng(a)vivo.com> drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() Eric Dumazet <edumazet(a)google.com> tcp: fix __tcp_close() to only send RST when required Alok Tiwari <alok.a.tiwari(a)oracle.com> PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation Stefan Kerkmann <s.kerkmann(a)pengutronix.de> wifi: mwifiex: send world regulatory domain to driver Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Adjust si_upload_smc_data register programming (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Fix si_upload_smc_data (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable ULV even if unsupported (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amdgpu: Power up UVD 3 for FW validation (v2) Yuanfang Zhang <quic_yuanfang(a)quicinc.com> coresight: Only register perf symlink for sinks with alloc_buffer Eric Dumazet <edumazet(a)google.com> inet: ping: check sock_net() in ping_get_port() and ping_lookup() Zhushuai Yin <yinzhushuai(a)huawei.com> crypto: hisilicon/qm - check whether the input function and PF are on the same device Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon - re-enable address prefetch after device resuming Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/zip - remove unnecessary validation for high-performance mode configurations Arnd Bergmann <arnd(a)arndb.de> media: st-delta: avoid excessive stack usage Qianfeng Rong <rongqianfeng(a)vivo.com> ALSA: lx_core: use int type to store negative error codes Nirmoy Das <nirmoyd(a)nvidia.com> PCI/ACPI: Fix pci_acpi_preserve_config() memory leak Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback forcing for MPV device Or Har-Toov <ohartoov(a)nvidia.com> RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count Zhang Shurong <zhang_shurong(a)foxmail.com> media: rj54n1cb0c: Fix memleak in rj54n1_probe() Thorsten Blum <thorsten.blum(a)linux.dev> crypto: octeontx2 - Call strscpy() with correct size argument Thomas Fourier <fourier.thomas(a)gmail.com> scsi: myrs: Fix dma_alloc_coherent() error check Niklas Cassel <cassel(a)kernel.org> scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Arnd Bergmann <arnd(a)arndb.de> hwrng: nomadik - add ARM_AMBA dependency Thomas Fourier <fourier.thomas(a)gmail.com> crypto: keembay - Add missing check after sg_nents_for_len() Liao Yuanhong <liaoyuanhong(a)vivo.com> drm/amd/display: Remove redundant semicolons Dan Carpenter <dan.carpenter(a)linaro.org> serial: max310x: Add error checking in probe() Komal Bajaj <komal.bajaj(a)oss.qualcomm.com> usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls Dan Carpenter <dan.carpenter(a)linaro.org> usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup Jonas Karlman <jonas(a)kwiboo.se> phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568 Jacopo Mondi <jacopo.mondi(a)ideasonboard.com> media: zoran: Remove zoran_fh structure Chia-I Wu <olvaffe(a)gmail.com> drm/bridge: it6505: select REGMAP_I2C Chao Yu <chao(a)kernel.org> f2fs: fix condition in __allow_reserved_blocks() Brahmajit Das <listout(a)listout.xyz> drm/radeon/r600_cs: clean up of dead code in r600_cs Brigham Campbell <me(a)brighamcampbell.com> drm/panel: novatek-nt35560: Fix invalid return value Daniel Borkmann <daniel(a)iogearbox.net> bpf: Enforce expected_attach_type for tailcall compatibility D. Wythe <alibuda(a)linux.alibaba.com> libbpf: Fix error when st-prefix_ops and ops from differ btf Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> i2c: designware: Add disabling clocks when probe fails Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> i2c: designware: Fix clock issue when PM is disabled Leilk.Liu <leilk.liu(a)mediatek.com> i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> thermal/drivers/qcom/lmh: Add missing IRQ includes Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> thermal/drivers/qcom: Make LMH select QCOM_SCM Vadim Pasternak <vadimp(a)nvidia.com> hwmon: (mlxreg-fan) Separate methods of fan setting coming from different subsystems Qi Xi <xiqi2(a)huawei.com> once: fix race by moving DO_ONCE to separate section Andrea Righi <arighi(a)nvidia.com> bpf: Mark kfuncs as __noclone Jonas Gorski <jonas.gorski(a)gmail.com> spi: fix return code when spi device has too many chipselects Zhouyi Zhou <zhouzhouyi(a)gmail.com> tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host headers Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> smp: Fix up and expand the smp_call_function_many() kerneldoc Hengqi Chen <hengqi.chen(a)gmail.com> bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free() Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Explicitly check accesses to bpf_sock_addr Akhilesh Patil <akhilesh(a)ee.iitb.ac.in> selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported Stanley Chu <stanley.chuys(a)gmail.com> i3c: master: svc: Recycle unused IBI slot Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Use manual response for IBI events Daniel Wagner <wagi(a)kernel.org> nvmet-fc: move lsop put work to nvmet_fc_ls_req_op Hengqi Chen <hengqi.chen(a)gmail.com> riscv, bpf: Sign extend struct ops return values properly Dmitry Antipov <dmantipov(a)yandex.ru> ACPICA: Fix largest possible resource descriptor index Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: tiehrpwm: Fix corner case in clock divisor calculation Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: tiehrpwm: Make code comment in .free() more useful Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: tiehrpwm: Don't drop runtime PM reference in .free() AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value Bean Huo <beanhuo(a)micron.com> mmc: core: Fix variable shadowing in mmc_route_rpmb_frames() AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names Chen-Yu Tsai <wenst(a)chromium.org> arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model Johan Hovold <johan(a)kernel.org> cpuidle: qcom-spm: fix device and OF node leaks at probe Johan Hovold <johan(a)kernel.org> soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure Johan Hovold <johan(a)kernel.org> soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure Johan Hovold <johan(a)kernel.org> firmware: firmware: meson-sm: fix compile-test default Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> PM / devfreq: rockchip-dfi: double count on RK3588 Eric Dumazet <edumazet(a)google.com> nbd: restrict sockets to TCP and UDP Guoqing Jiang <guoqing.jiang(a)canonical.com> arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0 Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing vDSO Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper Genjian Zhang <zhanggenjian(a)kylinos.cn> null_blk: Fix the description of the cache_size module argument Qianfeng Rong <rongqianfeng(a)vivo.com> pinctrl: renesas: Use int type to store negative error codes Andy Yan <andyshrk(a)163.com> power: supply: cw2015: Fix a alignment coding style issue Dan Carpenter <dan.carpenter(a)linaro.org> PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer property Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property to use correct boolean syntax in DTS Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS to use correct boolean syntax Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> vdso: Add struct __kernel_old_timeval forward declaration to gettime.h Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: core: Clear power.must_resume in noirq suspend error path Qianfeng Rong <rongqianfeng(a)vivo.com> block: use int to store blk_stack_limits() return value Andrei Lalaev <andrei.lalaev(a)anton-paar.com> leds: leds-lp55xx: Use correct address for memory programming Benjamin Berg <benjamin.berg(a)intel.com> selftests/nolibc: fix EXPECT_NZ macro Qianfeng Rong <rongqianfeng(a)vivo.com> regulator: scmi: Use int type to store negative error codes Janne Grunau <j(a)jannau.net> arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: at91: pm: fix MCKx restore routine Li Nan <linan122(a)huawei.com> blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Da Xue <da(a)libre.computer> pinctrl: meson-gxl: add missing i2c_d pinmux Sneh Mankad <sneh.mankad(a)oss.qualcomm.com> soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Huisong Li <lihuisong(a)huawei.com> ACPI: processor: idle: Fix memory leak when register cpuidle device failed Joy Zou <joy.zou(a)nxp.com> arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid Frieder Schrempf <frieder.schrempf(a)kontron.de> arm64: dts: imx93-kontron: Fix USB port assignment Annette Kobou <annette.kobou(a)kontron.de> arm64: dts: imx93-kontron: Fix GPIO for panel regulator Junnan Wu <junnan01.wu(a)samsung.com> firmware: arm_scmi: Mark VirtIO ready before registering scmi_virtio_driver Florian Fainelli <florian.fainelli(a)broadcom.com> cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus() Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL Fenglin Wu <fenglin.wu(a)oss.qualcomm.com> leds: flash: leds-qcom-flash: Update torch current clamp setting Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: dts: renesas: porter: Fix CAN pin group Yureka Lilian <yuka(a)yuka.dev> libbpf: Fix reuse of DEVMAP Tao Chen <chen.dylane(a)linux.dev> bpf: Remove migrate_disable in kprobe_multi_link_prog_run Matt Bobrowski <mattbobrowski(a)google.com> bpf/selftests: Fix test_tcpnotify_user Geert Uytterhoeven <geert+renesas(a)glider.be> regmap: Remove superfluous check for !config in __regmap_init() Biju Das <biju.das.jz(a)bp.renesas.com> arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0 Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read() Qu Wenruo <wqu(a)suse.com> btrfs: return any hit error from extent_writepage_io() Randy Dunlap <rdunlap(a)infradead.org> lsm: CONFIG_LSM can depend on CONFIG_SECURITY Uros Bizjak <ubizjak(a)gmail.com> x86/vdso: Fix output operand size of RDPID Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller Stefan Metzmacher <metze(a)samba.org> smb: server: fix IRD/ORD negotiation with the client Leo Yan <leo.yan(a)arm.com> perf: arm_spe: Prevent overflow in PERF_IDX2OFF() Leo Yan <leo.yan(a)arm.com> coresight: trbe: Prevent overflow in PERF_IDX2OFF() Jeremy Linton <jeremy.linton(a)arm.com> uprobes: uprobe_warn should use passed task Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/603: Really copy kernel PGD entries into all PGDIRs Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/8xx: Remove left-over instruction and comments in DataStoreTLBMiss handler Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote Bala-Vignesh-Reddy <reddybalavignesh9979(a)gmail.com> selftests: arm64: Check fread return value in exec_target Johannes Nixdorf <johannes(a)nixdorf.dev> seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast Geert Uytterhoeven <geert+renesas(a)glider.be> init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD Jeff Layton <jlayton(a)kernel.org> filelock: add FL_RECLAIM to show_fl_flags() macro ------------- Diffstat: Documentation/trace/histogram-design.rst | 4 +- Makefile | 4 +- arch/arm/boot/dts/renesas/r8a7791-porter.dts | 2 +- arch/arm/boot/dts/ti/omap/am335x-baltos.dtsi | 2 +- arch/arm/boot/dts/ti/omap/am335x-cm-t335.dts | 2 - .../dts/ti/omap/omap3-devkit8000-lcd-common.dtsi | 2 +- arch/arm/mach-at91/pm_suspend.S | 4 +- arch/arm64/boot/dts/apple/t8103-j457.dts | 12 +- .../boot/dts/freescale/imx93-kontron-bl-osm-s.dts | 32 ++- arch/arm64/boot/dts/freescale/imx95.dtsi | 4 +- arch/arm64/boot/dts/mediatek/mt6331.dtsi | 10 +- .../boot/dts/mediatek/mt6795-sony-xperia-m5.dts | 2 +- .../boot/dts/mediatek/mt8186-corsola-krabby.dtsi | 8 +- .../mt8186-corsola-tentacruel-sku262144.dts | 4 + arch/arm64/boot/dts/mediatek/mt8195.dtsi | 3 - .../dts/mediatek/mt8395-kontron-3-5-sbc-i1200.dts | 16 +- arch/arm64/boot/dts/mediatek/mt8516-pumpkin.dts | 2 +- arch/arm64/boot/dts/qcom/qcm2290.dtsi | 1 + arch/arm64/boot/dts/renesas/rzg2lc-smarc.dtsi | 5 +- arch/arm64/net/bpf_jit_comp.c | 3 +- arch/loongarch/kernel/relocate.c | 4 + arch/powerpc/include/asm/book3s/32/pgalloc.h | 10 +- arch/powerpc/include/asm/nohash/pgalloc.h | 2 +- arch/powerpc/kernel/head_8xx.S | 9 +- arch/riscv/net/bpf_jit_comp64.c | 42 +++- arch/s390/net/bpf_jit_comp.c | 26 +- arch/sparc/lib/M7memcpy.S | 20 +- arch/sparc/lib/Memcpy_utils.S | 9 + arch/sparc/lib/NG4memcpy.S | 2 +- arch/sparc/lib/NGmemcpy.S | 29 ++- arch/sparc/lib/U1memcpy.S | 19 +- arch/sparc/lib/U3memcpy.S | 2 +- arch/x86/include/asm/segment.h | 8 +- arch/x86/kvm/svm/svm.c | 12 +- block/blk-mq-sysfs.c | 6 +- block/blk-settings.c | 3 +- crypto/asymmetric_keys/x509_cert_parser.c | 16 +- drivers/acpi/acpica/aclocal.h | 2 +- drivers/acpi/nfit/core.c | 2 +- drivers/acpi/processor_idle.c | 3 + drivers/base/node.c | 4 + drivers/base/power/main.c | 14 +- drivers/base/regmap/regmap.c | 2 +- drivers/block/nbd.c | 8 + drivers/block/null_blk/main.c | 2 +- drivers/bus/fsl-mc/fsl-mc-bus.c | 3 + drivers/char/hw_random/Kconfig | 1 + drivers/char/hw_random/ks-sa-rng.c | 4 + drivers/char/tpm/Kconfig | 2 +- drivers/cpufreq/scmi-cpufreq.c | 10 + drivers/cpuidle/cpuidle-qcom-spm.c | 7 +- drivers/crypto/hisilicon/debugfs.c | 1 + drivers/crypto/hisilicon/hpre/hpre_main.c | 3 +- drivers/crypto/hisilicon/qm.c | 7 +- drivers/crypto/hisilicon/sec2/sec_main.c | 80 +++---- drivers/crypto/hisilicon/zip/zip_main.c | 17 +- .../crypto/intel/keembay/keembay-ocs-hcu-core.c | 5 +- .../crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 2 +- drivers/devfreq/event/rockchip-dfi.c | 7 +- drivers/devfreq/mtk-cci-devfreq.c | 3 +- drivers/edac/i10nm_base.c | 14 ++ drivers/firmware/arm_scmi/transports/virtio.c | 3 + drivers/firmware/meson/Kconfig | 2 +- drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 29 ++- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 +- .../display/dc/dml/dcn32/display_rq_dlg_calc_32.c | 1 - drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 7 + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 92 +++++--- drivers/gpu/drm/bridge/Kconfig | 1 + .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 2 +- drivers/gpu/drm/panel/panel-novatek-nt35560.c | 2 +- drivers/gpu/drm/radeon/r600_cs.c | 4 +- drivers/hid/hidraw.c | 262 +++++++++++---------- drivers/hwmon/mlxreg-fan.c | 24 +- drivers/hwtracing/coresight/coresight-catu.c | 22 +- drivers/hwtracing/coresight/coresight-catu.h | 1 + drivers/hwtracing/coresight/coresight-core.c | 5 +- drivers/hwtracing/coresight/coresight-etm4x-core.c | 31 ++- drivers/hwtracing/coresight/coresight-etm4x.h | 6 +- drivers/hwtracing/coresight/coresight-tmc-core.c | 22 +- drivers/hwtracing/coresight/coresight-tmc.h | 2 + drivers/hwtracing/coresight/coresight-tpda.c | 3 + drivers/hwtracing/coresight/coresight-trbe.c | 11 +- drivers/i2c/busses/i2c-designware-platdrv.c | 5 +- drivers/i2c/busses/i2c-mt65xx.c | 17 +- drivers/i3c/master/svc-i3c-master.c | 31 ++- drivers/iio/inkern.c | 30 +-- drivers/infiniband/core/addr.c | 10 +- drivers/infiniband/core/cm.c | 4 +- drivers/infiniband/core/sa_query.c | 6 +- drivers/infiniband/hw/mlx5/main.c | 67 +++++- drivers/infiniband/hw/mlx5/mlx5_ib.h | 1 + drivers/infiniband/sw/rxe/rxe_task.c | 8 +- drivers/infiniband/sw/siw/siw_verbs.c | 25 +- drivers/input/misc/uinput.c | 1 + drivers/input/touchscreen/atmel_mxt_ts.c | 2 +- drivers/iommu/intel/debugfs.c | 17 +- drivers/iommu/intel/iommu.h | 3 +- drivers/leds/flash/leds-qcom-flash.c | 62 +++-- drivers/leds/leds-lp55xx-common.c | 2 +- drivers/md/dm-core.h | 1 + drivers/md/dm-vdo/indexer/volume-index.c | 4 +- drivers/md/dm.c | 13 +- drivers/media/i2c/rj54n1cb0c.c | 9 +- drivers/media/pci/zoran/zoran.h | 6 - drivers/media/pci/zoran/zoran_driver.c | 3 +- .../media/platform/st/sti/delta/delta-mjpeg-dec.c | 20 +- drivers/mfd/rz-mtu3.c | 2 +- drivers/mfd/vexpress-sysreg.c | 6 +- drivers/misc/fastrpc.c | 89 ++++--- drivers/misc/genwqe/card_ddcb.c | 2 +- drivers/mmc/core/block.c | 6 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 4 +- drivers/net/ethernet/amazon/ena/ena_ethtool.c | 5 +- drivers/net/ethernet/dlink/dl2k.c | 7 +- drivers/net/ethernet/intel/idpf/idpf_txrx.c | 8 +- drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 6 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 +- .../ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 - drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 17 +- drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 24 ++ .../net/ethernet/mellanox/mlx5/core/pagealloc.c | 7 +- .../net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 +- drivers/net/usb/asix_devices.c | 29 +++ drivers/net/usb/rtl8150.c | 2 - drivers/net/wireless/ath/ath10k/wmi.c | 39 ++- drivers/net/wireless/ath/ath12k/ce.c | 2 +- drivers/net/wireless/ath/ath12k/debug.h | 1 + drivers/net/wireless/intel/iwlwifi/fw/regulatory.h | 1 - drivers/net/wireless/marvell/mwifiex/cfg80211.c | 7 +- drivers/net/wireless/mediatek/mt76/mt7603/soc.c | 2 +- drivers/net/wireless/mediatek/mt76/mt7915/eeprom.h | 6 +- drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 29 +-- drivers/net/wireless/mediatek/mt76/mt7996/init.c | 8 +- drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 11 +- drivers/net/wireless/mediatek/mt76/mt7996/pci.c | 2 +- drivers/net/wireless/realtek/rtw89/ser.c | 3 +- drivers/nvme/target/fc.c | 19 +- drivers/pci/controller/cadence/pci-j721e.c | 2 +- drivers/pci/controller/dwc/pcie-rcar-gen4.c | 26 +- drivers/pci/controller/dwc/pcie-tegra194.c | 4 +- drivers/pci/controller/pci-tegra.c | 2 +- drivers/pci/pci-acpi.c | 6 +- drivers/perf/arm_spe_pmu.c | 3 +- drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 12 + drivers/pinctrl/meson/pinctrl-meson-gxl.c | 10 + drivers/pinctrl/pinmux.c | 2 +- drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 +- drivers/pinctrl/renesas/pinctrl.c | 3 +- drivers/power/supply/cw2015_battery.c | 3 +- drivers/pps/kapi.c | 5 +- drivers/pps/pps.c | 5 +- drivers/ptp/ptp_private.h | 1 + drivers/ptp/ptp_sysfs.c | 2 +- drivers/pwm/pwm-tiehrpwm.c | 154 +++++------- drivers/regulator/scmi-regulator.c | 3 +- drivers/remoteproc/pru_rproc.c | 3 +- drivers/remoteproc/qcom_q6v5.c | 3 - drivers/scsi/mpt3sas/mpt3sas_transport.c | 8 +- drivers/scsi/myrs.c | 8 +- drivers/scsi/pm8001/pm8001_sas.c | 9 +- drivers/scsi/qla2xxx/qla_edif.c | 4 +- drivers/scsi/qla2xxx/qla_init.c | 4 +- drivers/scsi/qla2xxx/qla_nvme.c | 2 +- drivers/soc/mediatek/mtk-svs.c | 23 ++ drivers/soc/qcom/rpmh-rsc.c | 7 +- drivers/spi/spi.c | 2 +- drivers/tee/tee_shm.c | 8 + drivers/thermal/qcom/Kconfig | 3 +- drivers/thermal/qcom/lmh.c | 2 + drivers/tty/n_gsm.c | 25 +- drivers/tty/serial/max310x.c | 2 + drivers/uio/uio_hv_generic.c | 7 +- drivers/usb/cdns3/cdnsp-pci.c | 5 +- drivers/usb/gadget/configfs.c | 2 + drivers/usb/host/max3421-hcd.c | 2 +- drivers/usb/host/xhci-ring.c | 11 +- drivers/usb/misc/Kconfig | 1 + drivers/usb/misc/qcom_eud.c | 33 ++- drivers/usb/phy/phy-twl6030-usb.c | 3 +- drivers/usb/typec/tipd/core.c | 24 +- drivers/usb/usbip/vhci_hcd.c | 22 ++ drivers/vfio/pci/pds/dirty.c | 2 +- drivers/vhost/vringh.c | 14 +- drivers/video/fbdev/simplefb.c | 31 ++- drivers/watchdog/mpc8xxx_wdt.c | 2 + fs/btrfs/extent_io.c | 9 +- fs/ext4/ext4.h | 10 + fs/ext4/file.c | 2 +- fs/ext4/inode.c | 2 +- fs/ext4/orphan.c | 6 +- fs/ext4/super.c | 4 +- fs/f2fs/data.c | 9 +- fs/f2fs/f2fs.h | 4 +- fs/f2fs/file.c | 49 ++-- fs/gfs2/glock.c | 2 - fs/nfs/nfs4proc.c | 2 +- fs/ntfs3/index.c | 10 + fs/ntfs3/run.c | 12 +- fs/ocfs2/stack_user.c | 1 + fs/smb/client/smb2ops.c | 17 +- fs/smb/server/ksmbd_netlink.h | 5 +- fs/smb/server/mgmt/user_session.c | 26 +- fs/smb/server/server.h | 1 + fs/smb/server/smb2pdu.c | 3 +- fs/smb/server/transport_ipc.c | 3 + fs/smb/server/transport_rdma.c | 97 +++++++- fs/smb/server/transport_tcp.c | 27 ++- fs/squashfs/inode.c | 7 + fs/squashfs/squashfs_fs_i.h | 2 +- fs/udf/inode.c | 3 + include/asm-generic/vmlinux.lds.h | 1 + include/linux/bpf.h | 1 + include/linux/btf.h | 2 +- include/linux/once.h | 4 +- include/trace/events/filelock.h | 3 +- include/uapi/linux/hidraw.h | 2 + include/vdso/gettime.h | 1 + init/Kconfig | 1 + io_uring/waitid.c | 3 +- kernel/bpf/core.c | 5 + kernel/bpf/verifier.c | 4 +- kernel/events/uprobes.c | 2 +- kernel/seccomp.c | 12 +- kernel/smp.c | 11 +- kernel/trace/bpf_trace.c | 9 +- mm/hugetlb.c | 2 + net/9p/trans_usbg.c | 16 +- net/bluetooth/hci_sync.c | 10 +- net/bluetooth/iso.c | 11 +- net/bluetooth/mgmt.c | 10 +- net/core/filter.c | 16 +- net/ipv4/ping.c | 14 +- net/ipv4/tcp.c | 9 +- net/mac80211/rx.c | 28 ++- net/netfilter/ipset/ip_set_hash_gen.h | 8 +- net/netfilter/ipvs/ip_vs_conn.c | 4 +- net/netfilter/ipvs/ip_vs_core.c | 11 +- net/netfilter/ipvs/ip_vs_ctl.c | 6 +- net/netfilter/ipvs/ip_vs_est.c | 16 +- net/netfilter/ipvs/ip_vs_ftp.c | 4 +- net/netfilter/nfnetlink.c | 2 + net/nfc/nci/ntf.c | 135 ++++++++--- net/sunrpc/auth_gss/svcauth_gss.c | 2 +- security/Kconfig | 1 + sound/core/pcm_native.c | 21 +- sound/pci/lx6464es/lx_core.c | 4 +- sound/soc/codecs/wcd934x.c | 17 +- sound/soc/codecs/wcd937x.c | 4 +- sound/soc/codecs/wcd937x.h | 6 +- sound/soc/intel/boards/bytcht_es8316.c | 20 +- sound/soc/intel/boards/bytcr_rt5640.c | 7 +- sound/soc/intel/boards/bytcr_rt5651.c | 26 +- sound/soc/intel/boards/sof_sdw.c | 2 +- sound/soc/sof/ipc3-topology.c | 10 +- tools/include/nolibc/std.h | 2 +- tools/lib/bpf/libbpf.c | 46 ++-- tools/testing/nvdimm/test/ndtest.c | 13 +- tools/testing/selftests/arm64/pauth/exec_target.c | 7 +- .../selftests/bpf/progs/test_tcpnotify_kern.c | 1 - tools/testing/selftests/bpf/test_tcpnotify_user.c | 20 +- tools/testing/selftests/nolibc/nolibc-test.c | 4 +- tools/testing/selftests/vDSO/vdso_call.h | 7 +- tools/testing/selftests/vDSO/vdso_test_abi.c | 9 +- tools/testing/selftests/watchdog/watchdog-test.c | 6 + 265 files changed, 2074 insertions(+), 1143 deletions(-)

3 weeks

12
276
0 0

FAILED: patch "[PATCH] btrfs: fix the incorrect max_bytes value for" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 7b26da407420e5054e3f06c5d13271697add9423 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101522-repugnant-demystify-deee@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7b26da407420e5054e3f06c5d13271697add9423 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Fri, 19 Sep 2025 14:33:23 +0930 Subject: [PATCH] btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range() [BUG] With my local branch to enable bs > ps support for btrfs, sometimes I hit the following ASSERT() inside submit_one_sector(): ASSERT(block_start != EXTENT_MAP_HOLE); Please note that it's not yet possible to hit this ASSERT() in the wild yet, as it requires btrfs bs > ps support, which is not even in the development branch. But on the other hand, there is also a very low chance to hit above ASSERT() with bs < ps cases, so this is an existing bug affect not only the incoming bs > ps support but also the existing bs < ps support. [CAUSE] Firstly that ASSERT() means we're trying to submit a dirty block but without a real extent map nor ordered extent map backing it. Furthermore with extra debugging, the folio triggering such ASSERT() is always larger than the fs block size in my bs > ps case. (8K block size, 4K page size) After some more debugging, the ASSERT() is trigger by the following sequence: extent_writepage() | We got a 32K folio (4 fs blocks) at file offset 0, and the fs block | size is 8K, page size is 4K. | And there is another 8K folio at file offset 32K, which is also | dirty. | So the filemap layout looks like the following: | | "||" is the filio boundary in the filemap. | "//| is the dirty range. | | 0 8K 16K 24K 32K 40K | |////////| |//////////////////////||////////| | |- writepage_delalloc() | |- find_lock_delalloc_range() for [0, 8K) | | Now range [0, 8K) is properly locked. | | | |- find_lock_delalloc_range() for [16K, 40K) | | |- btrfs_find_delalloc_range() returned range [16K, 40K) | | |- lock_delalloc_folios() locked folio 0 successfully | | | | | | The filemap range [32K, 40K) got dropped from filemap. | | | | | |- lock_delalloc_folios() failed with -EAGAIN on folio 32K | | | As the folio at 32K is dropped. | | | | | |- loops = 1; | | |- max_bytes = PAGE_SIZE; | | |- goto again; | | | This will re-do the lookup for dirty delalloc ranges. | | | | | |- btrfs_find_delalloc_range() called with @max_bytes == 4K | | | This is smaller than block size, so | | | btrfs_find_delalloc_range() is unable to return any range. | | \- return false; | | | \- Now only range [0, 8K) has an OE for it, but for dirty range | [16K, 32K) it's dirty without an OE. | This breaks the assumption that writepage_delalloc() will find | and lock all dirty ranges inside the folio. | |- extent_writepage_io() |- submit_one_sector() for [0, 8K) | Succeeded | |- submit_one_sector() for [16K, 24K) Triggering the ASSERT(), as there is no OE, and the original extent map is a hole. Please note that, this also exposed the same problem for bs < ps support. E.g. with 64K page size and 4K block size. If we failed to lock a folio, and falls back into the "loops = 1;" branch, we will re-do the search using 64K as max_bytes. Which may fail again to lock the next folio, and exit early without handling all dirty blocks inside the folio. [FIX] Instead of using the fixed size PAGE_SIZE as @max_bytes, use @sectorsize, so that we are ensured to find and lock any remaining blocks inside the folio. And since we're here, add an extra ASSERT() to before calling btrfs_find_delalloc_range() to make sure the @max_bytes is at least no smaller than a block to avoid false negative. Cc: stable(a)vger.kernel.org # 5.15+ Signed-off-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 0782533aad51..2b6027ebf265 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -393,6 +393,13 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, /* step one, find a bunch of delalloc bytes starting at start */ delalloc_start = *start; delalloc_end = 0; + + /* + * If @max_bytes is smaller than a block, btrfs_find_delalloc_range() can + * return early without handling any dirty ranges. + */ + ASSERT(max_bytes >= fs_info->sectorsize); + found = btrfs_find_delalloc_range(tree, &delalloc_start, &delalloc_end, max_bytes, &cached_state); if (!found || delalloc_end <= *start || delalloc_start > orig_end) { @@ -423,13 +430,14 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, delalloc_end); ASSERT(!ret || ret == -EAGAIN); if (ret == -EAGAIN) { - /* some of the folios are gone, lets avoid looping by - * shortening the size of the delalloc range we're searching + /* + * Some of the folios are gone, lets avoid looping by + * shortening the size of the delalloc range we're searching. */ btrfs_free_extent_state(cached_state); cached_state = NULL; if (!loops) { - max_bytes = PAGE_SIZE; + max_bytes = fs_info->sectorsize; loops = 1; goto again; } else {

3 weeks

2
1
0 0

Re: Patch "clk: at91: peripheral: fix return value" has been added to the 6.17-stable tree

by Brian Masney

Hi Sasha, On Wed, Oct 15, 2025 at 07:36:02AM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > clk: at91: peripheral: fix return value > > to the 6.17-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > clk-at91-peripheral-fix-return-value.patch > and it can be found in the queue-6.17 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit cbddc84a11e6112835fced8f7266d9810efc52f3 > Author: Brian Masney <bmasney(a)redhat.com> > Date: Mon Aug 11 11:17:53 2025 -0400 > > clk: at91: peripheral: fix return value > > [ Upstream commit 47b13635dabc14f1c2fdcaa5468b47ddadbdd1b5 ] > > determine_rate() is expected to return an error code, or 0 on success. > clk_sam9x5_peripheral_determine_rate() has a branch that returns the > parent rate on a certain case. This is the behavior of round_rate(), > so let's go ahead and fix this by setting req->rate. > > Fixes: b4c115c76184f ("clk: at91: clk-peripheral: add support for changeable parent rate") > Reviewed-by: Alexander Sverdlin <alexander.sverdlin(a)gmail.com> > Acked-by: Nicolas Ferre <nicolas.ferre(a)microchip.com> > Signed-off-by: Brian Masney <bmasney(a)redhat.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> Please don't backport any of my round_rate() to determine_rate() migrations to the stable kernels. I have maybe close to 200 of these patches for various clk drivers, and stable can stay on round_rate(). There's no functional change. Stephen mentioned this work on his pull to Linus about how this is all prerequisite work to get to the real task of improving the clk rate setting process. https://lore.kernel.org/linux-clk/20251007051720.11386-1-sboyd@kernel.org/ Thanks, Brian

3 weeks

1
0
0 0

[PATCH 1/1] firmware: stratix10-svc: fix bug in saving controller data

by Khairul Anuar Romli

Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They both are of the same data and overrides each other. This resulted in the rmmod of the svc driver to fail and throw a kernel panic for kthread_stop and fifo free. Fixes: bf0e5bf68a20 ("firmware: stratix10-svc: extend svc to support new RSU features") Signed-off-by: Ang Tien Sung <tiensung.ang(a)altera.com> Signed-off-by: Khairul Anuar Romli <khairul.anuar.romli(a)altera.com> --- drivers/firmware/stratix10-svc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c index e3f990d888d7..00f58e27f6de 100644 --- a/drivers/firmware/stratix10-svc.c +++ b/drivers/firmware/stratix10-svc.c @@ -134,6 +134,7 @@ struct stratix10_svc_data { * @complete_status: state for completion * @svc_fifo_lock: protect access to service message data queue * @invoke_fn: function to issue secure monitor call or hypervisor call + * @svc: manages the list of client svc drivers * * This struct is used to create communication channels for service clients, to * handle secure monitor or hypervisor call. @@ -150,6 +151,7 @@ struct stratix10_svc_controller { struct completion complete_status; spinlock_t svc_fifo_lock; svc_invoke_fn *invoke_fn; + struct stratix10_svc *svc; }; /** @@ -1206,6 +1208,7 @@ static int stratix10_svc_drv_probe(struct platform_device *pdev) ret = -ENOMEM; goto err_free_kfifo; } + controller->svc = svc; svc->stratix10_svc_rsu = platform_device_alloc(STRATIX10_RSU, 0); if (!svc->stratix10_svc_rsu) { @@ -1237,8 +1240,6 @@ static int stratix10_svc_drv_probe(struct platform_device *pdev) if (ret) goto err_unregister_fcs_dev; - dev_set_drvdata(dev, svc); - pr_info("Intel Service Layer Driver Initialized\n"); return 0; @@ -1256,8 +1257,8 @@ static int stratix10_svc_drv_probe(struct platform_device *pdev) static void stratix10_svc_drv_remove(struct platform_device *pdev) { - struct stratix10_svc *svc = dev_get_drvdata(&pdev->dev); struct stratix10_svc_controller *ctrl = platform_get_drvdata(pdev); + struct stratix10_svc *svc = ctrl->svc; of_platform_depopulate(ctrl->dev); -- 2.35.3

3 weeks

2
1
0 0

FAILED: patch "[PATCH] cxl, acpi/hmat: Update CXL access coordinates directly" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 2e454fb8056df6da4bba7d89a57bf60e217463c0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101518-thriving-lend-6587@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2e454fb8056df6da4bba7d89a57bf60e217463c0 Mon Sep 17 00:00:00 2001 From: Dave Jiang <dave.jiang(a)intel.com> Date: Fri, 29 Aug 2025 15:29:06 -0700 Subject: [PATCH] cxl, acpi/hmat: Update CXL access coordinates directly instead of through HMAT The current implementation of CXL memory hotplug notifier gets called before the HMAT memory hotplug notifier. The CXL driver calculates the access coordinates (bandwidth and latency values) for the CXL end to end path (i.e. CPU to endpoint). When the CXL region is onlined, the CXL memory hotplug notifier writes the access coordinates to the HMAT target structs. Then the HMAT memory hotplug notifier is called and it creates the access coordinates for the node sysfs attributes. During testing on an Intel platform, it was found that although the newly calculated coordinates were pushed to sysfs, the sysfs attributes for the access coordinates showed up with the wrong initiator. The system has 4 nodes (0, 1, 2, 3) where node 0 and 1 are CPU nodes and node 2 and 3 are CXL nodes. The expectation is that node 2 would show up as a target to node 0: /sys/devices/system/node/node2/access0/initiators/node0 However it was observed that node 2 showed up as a target under node 1: /sys/devices/system/node/node2/access0/initiators/node1 The original intent of the 'ext_updated' flag in HMAT handling code was to stop HMAT memory hotplug callback from clobbering the access coordinates after CXL has injected its calculated coordinates and replaced the generic target access coordinates provided by the HMAT table in the HMAT target structs. However the flag is hacky at best and blocks the updates from other CXL regions that are onlined in the same node later on. Remove the 'ext_updated' flag usage and just update the access coordinates for the nodes directly without touching HMAT target data. The hotplug memory callback ordering is changed. Instead of changing CXL, move HMAT back so there's room for the levels rather than have CXL share the same level as SLAB_CALLBACK_PRI. The change will resulting in the CXL callback to be executed after the HMAT callback. With the change, the CXL hotplug memory notifier runs after the HMAT callback. The HMAT callback will create the node sysfs attributes for access coordinates. The CXL callback will write the access coordinates to the now created node sysfs attributes directly and will not pollute the HMAT target values. A nodemask is introduced to keep track if a node has been updated and prevents further updates. Fixes: 067353a46d8c ("cxl/region: Add memory hotplug notifier for cxl region") Cc: stable(a)vger.kernel.org Tested-by: Marc Herbert <marc.herbert(a)linux.intel.com> Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Reviewed-by: Jonathan Cameron <jonathan.cameron(a)huawei.com> Link: https://patch.msgid.link/20250829222907.1290912-4-dave.jiang@intel.com Signed-off-by: Dave Jiang <dave.jiang(a)intel.com> diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c index 4958301f5417..5d32490dc4ab 100644 --- a/drivers/acpi/numa/hmat.c +++ b/drivers/acpi/numa/hmat.c @@ -74,7 +74,6 @@ struct memory_target { struct node_cache_attrs cache_attrs; u8 gen_port_device_handle[ACPI_SRAT_DEVICE_HANDLE_SIZE]; bool registered; - bool ext_updated; /* externally updated */ }; struct memory_initiator { @@ -391,7 +390,6 @@ int hmat_update_target_coordinates(int nid, struct access_coordinate *coord, coord->read_bandwidth, access); hmat_update_target_access(target, ACPI_HMAT_WRITE_BANDWIDTH, coord->write_bandwidth, access); - target->ext_updated = true; return 0; } @@ -773,10 +771,6 @@ static void hmat_update_target_attrs(struct memory_target *target, u32 best = 0; int i; - /* Don't update if an external agent has changed the data. */ - if (target->ext_updated) - return; - /* Don't update for generic port if there's no device handle */ if ((access == NODE_ACCESS_CLASS_GENPORT_SINK_LOCAL || access == NODE_ACCESS_CLASS_GENPORT_SINK_CPU) && diff --git a/drivers/cxl/core/cdat.c b/drivers/cxl/core/cdat.c index c0af645425f4..c891fd618cfd 100644 --- a/drivers/cxl/core/cdat.c +++ b/drivers/cxl/core/cdat.c @@ -1081,8 +1081,3 @@ int cxl_update_hmat_access_coordinates(int nid, struct cxl_region *cxlr, { return hmat_update_target_coordinates(nid, &cxlr->coord[access], access); } - -bool cxl_need_node_perf_attrs_update(int nid) -{ - return !acpi_node_backed_by_real_pxm(nid); -} diff --git a/drivers/cxl/core/core.h b/drivers/cxl/core/core.h index 2669f251d677..a253d308f3c9 100644 --- a/drivers/cxl/core/core.h +++ b/drivers/cxl/core/core.h @@ -139,7 +139,6 @@ long cxl_pci_get_latency(struct pci_dev *pdev); int cxl_pci_get_bandwidth(struct pci_dev *pdev, struct access_coordinate *c); int cxl_update_hmat_access_coordinates(int nid, struct cxl_region *cxlr, enum access_coordinate_class access); -bool cxl_need_node_perf_attrs_update(int nid); int cxl_port_get_switch_dport_bandwidth(struct cxl_port *port, struct access_coordinate *c); diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c index 71cc42d05248..0ed95cbc5d5b 100644 --- a/drivers/cxl/core/region.c +++ b/drivers/cxl/core/region.c @@ -30,6 +30,12 @@ * 3. Decoder targets */ +/* + * nodemask that sets per node when the access_coordinates for the node has + * been updated by the CXL memory hotplug notifier. + */ +static nodemask_t nodemask_region_seen = NODE_MASK_NONE; + static struct cxl_region *to_cxl_region(struct device *dev); #define __ACCESS_ATTR_RO(_level, _name) { \ @@ -2442,14 +2448,8 @@ static bool cxl_region_update_coordinates(struct cxl_region *cxlr, int nid) for (int i = 0; i < ACCESS_COORDINATE_MAX; i++) { if (cxlr->coord[i].read_bandwidth) { - rc = 0; - if (cxl_need_node_perf_attrs_update(nid)) - node_set_perf_attrs(nid, &cxlr->coord[i], i); - else - rc = cxl_update_hmat_access_coordinates(nid, cxlr, i); - - if (rc == 0) - cset++; + node_update_perf_attrs(nid, &cxlr->coord[i], i); + cset++; } } @@ -2487,6 +2487,10 @@ static int cxl_region_perf_attrs_callback(struct notifier_block *nb, if (nid != region_nid) return NOTIFY_DONE; + /* No action needed if node bit already set */ + if (node_test_and_set(nid, nodemask_region_seen)) + return NOTIFY_DONE; + if (!cxl_region_update_coordinates(cxlr, nid)) return NOTIFY_DONE; diff --git a/include/linux/memory.h b/include/linux/memory.h index 1305102688d0..0b755d1ef1ec 100644 --- a/include/linux/memory.h +++ b/include/linux/memory.h @@ -120,8 +120,8 @@ struct mem_section; */ #define DEFAULT_CALLBACK_PRI 0 #define SLAB_CALLBACK_PRI 1 -#define HMAT_CALLBACK_PRI 2 #define CXL_CALLBACK_PRI 5 +#define HMAT_CALLBACK_PRI 6 #define MM_COMPUTE_BATCH_PRI 10 #define CPUSET_CALLBACK_PRI 10 #define MEMTIER_HOTPLUG_PRI 100

3 weeks

1
0
0 0

FAILED: patch "[PATCH] cxl, acpi/hmat: Update CXL access coordinates directly" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 2e454fb8056df6da4bba7d89a57bf60e217463c0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101516-stowaway-bogged-2173@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2e454fb8056df6da4bba7d89a57bf60e217463c0 Mon Sep 17 00:00:00 2001 From: Dave Jiang <dave.jiang(a)intel.com> Date: Fri, 29 Aug 2025 15:29:06 -0700 Subject: [PATCH] cxl, acpi/hmat: Update CXL access coordinates directly instead of through HMAT The current implementation of CXL memory hotplug notifier gets called before the HMAT memory hotplug notifier. The CXL driver calculates the access coordinates (bandwidth and latency values) for the CXL end to end path (i.e. CPU to endpoint). When the CXL region is onlined, the CXL memory hotplug notifier writes the access coordinates to the HMAT target structs. Then the HMAT memory hotplug notifier is called and it creates the access coordinates for the node sysfs attributes. During testing on an Intel platform, it was found that although the newly calculated coordinates were pushed to sysfs, the sysfs attributes for the access coordinates showed up with the wrong initiator. The system has 4 nodes (0, 1, 2, 3) where node 0 and 1 are CPU nodes and node 2 and 3 are CXL nodes. The expectation is that node 2 would show up as a target to node 0: /sys/devices/system/node/node2/access0/initiators/node0 However it was observed that node 2 showed up as a target under node 1: /sys/devices/system/node/node2/access0/initiators/node1 The original intent of the 'ext_updated' flag in HMAT handling code was to stop HMAT memory hotplug callback from clobbering the access coordinates after CXL has injected its calculated coordinates and replaced the generic target access coordinates provided by the HMAT table in the HMAT target structs. However the flag is hacky at best and blocks the updates from other CXL regions that are onlined in the same node later on. Remove the 'ext_updated' flag usage and just update the access coordinates for the nodes directly without touching HMAT target data. The hotplug memory callback ordering is changed. Instead of changing CXL, move HMAT back so there's room for the levels rather than have CXL share the same level as SLAB_CALLBACK_PRI. The change will resulting in the CXL callback to be executed after the HMAT callback. With the change, the CXL hotplug memory notifier runs after the HMAT callback. The HMAT callback will create the node sysfs attributes for access coordinates. The CXL callback will write the access coordinates to the now created node sysfs attributes directly and will not pollute the HMAT target values. A nodemask is introduced to keep track if a node has been updated and prevents further updates. Fixes: 067353a46d8c ("cxl/region: Add memory hotplug notifier for cxl region") Cc: stable(a)vger.kernel.org Tested-by: Marc Herbert <marc.herbert(a)linux.intel.com> Reviewed-by: Dan Williams <dan.j.williams(a)intel.com> Reviewed-by: Jonathan Cameron <jonathan.cameron(a)huawei.com> Link: https://patch.msgid.link/20250829222907.1290912-4-dave.jiang@intel.com Signed-off-by: Dave Jiang <dave.jiang(a)intel.com> diff --git a/drivers/acpi/numa/hmat.c b/drivers/acpi/numa/hmat.c index 4958301f5417..5d32490dc4ab 100644 --- a/drivers/acpi/numa/hmat.c +++ b/drivers/acpi/numa/hmat.c @@ -74,7 +74,6 @@ struct memory_target { struct node_cache_attrs cache_attrs; u8 gen_port_device_handle[ACPI_SRAT_DEVICE_HANDLE_SIZE]; bool registered; - bool ext_updated; /* externally updated */ }; struct memory_initiator { @@ -391,7 +390,6 @@ int hmat_update_target_coordinates(int nid, struct access_coordinate *coord, coord->read_bandwidth, access); hmat_update_target_access(target, ACPI_HMAT_WRITE_BANDWIDTH, coord->write_bandwidth, access); - target->ext_updated = true; return 0; } @@ -773,10 +771,6 @@ static void hmat_update_target_attrs(struct memory_target *target, u32 best = 0; int i; - /* Don't update if an external agent has changed the data. */ - if (target->ext_updated) - return; - /* Don't update for generic port if there's no device handle */ if ((access == NODE_ACCESS_CLASS_GENPORT_SINK_LOCAL || access == NODE_ACCESS_CLASS_GENPORT_SINK_CPU) && diff --git a/drivers/cxl/core/cdat.c b/drivers/cxl/core/cdat.c index c0af645425f4..c891fd618cfd 100644 --- a/drivers/cxl/core/cdat.c +++ b/drivers/cxl/core/cdat.c @@ -1081,8 +1081,3 @@ int cxl_update_hmat_access_coordinates(int nid, struct cxl_region *cxlr, { return hmat_update_target_coordinates(nid, &cxlr->coord[access], access); } - -bool cxl_need_node_perf_attrs_update(int nid) -{ - return !acpi_node_backed_by_real_pxm(nid); -} diff --git a/drivers/cxl/core/core.h b/drivers/cxl/core/core.h index 2669f251d677..a253d308f3c9 100644 --- a/drivers/cxl/core/core.h +++ b/drivers/cxl/core/core.h @@ -139,7 +139,6 @@ long cxl_pci_get_latency(struct pci_dev *pdev); int cxl_pci_get_bandwidth(struct pci_dev *pdev, struct access_coordinate *c); int cxl_update_hmat_access_coordinates(int nid, struct cxl_region *cxlr, enum access_coordinate_class access); -bool cxl_need_node_perf_attrs_update(int nid); int cxl_port_get_switch_dport_bandwidth(struct cxl_port *port, struct access_coordinate *c); diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c index 71cc42d05248..0ed95cbc5d5b 100644 --- a/drivers/cxl/core/region.c +++ b/drivers/cxl/core/region.c @@ -30,6 +30,12 @@ * 3. Decoder targets */ +/* + * nodemask that sets per node when the access_coordinates for the node has + * been updated by the CXL memory hotplug notifier. + */ +static nodemask_t nodemask_region_seen = NODE_MASK_NONE; + static struct cxl_region *to_cxl_region(struct device *dev); #define __ACCESS_ATTR_RO(_level, _name) { \ @@ -2442,14 +2448,8 @@ static bool cxl_region_update_coordinates(struct cxl_region *cxlr, int nid) for (int i = 0; i < ACCESS_COORDINATE_MAX; i++) { if (cxlr->coord[i].read_bandwidth) { - rc = 0; - if (cxl_need_node_perf_attrs_update(nid)) - node_set_perf_attrs(nid, &cxlr->coord[i], i); - else - rc = cxl_update_hmat_access_coordinates(nid, cxlr, i); - - if (rc == 0) - cset++; + node_update_perf_attrs(nid, &cxlr->coord[i], i); + cset++; } } @@ -2487,6 +2487,10 @@ static int cxl_region_perf_attrs_callback(struct notifier_block *nb, if (nid != region_nid) return NOTIFY_DONE; + /* No action needed if node bit already set */ + if (node_test_and_set(nid, nodemask_region_seen)) + return NOTIFY_DONE; + if (!cxl_region_update_coordinates(cxlr, nid)) return NOTIFY_DONE; diff --git a/include/linux/memory.h b/include/linux/memory.h index 1305102688d0..0b755d1ef1ec 100644 --- a/include/linux/memory.h +++ b/include/linux/memory.h @@ -120,8 +120,8 @@ struct mem_section; */ #define DEFAULT_CALLBACK_PRI 0 #define SLAB_CALLBACK_PRI 1 -#define HMAT_CALLBACK_PRI 2 #define CXL_CALLBACK_PRI 5 +#define HMAT_CALLBACK_PRI 6 #define MM_COMPUTE_BATCH_PRI 10 #define CPUSET_CALLBACK_PRI 10 #define MEMTIER_HOTPLUG_PRI 100

3 weeks

1
0
0 0

FAILED: patch "[PATCH] rseq: Protect event mask against membarrier IPI" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 6eb350a2233100a283f882c023e5ad426d0ed63b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101556-district-timid-1eda@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6eb350a2233100a283f882c023e5ad426d0ed63b Mon Sep 17 00:00:00 2001 From: Thomas Gleixner <tglx(a)linutronix.de> Date: Wed, 13 Aug 2025 17:02:30 +0200 Subject: [PATCH] rseq: Protect event mask against membarrier IPI rseq_need_restart() reads and clears task::rseq_event_mask with preemption disabled to guard against the scheduler. But membarrier() uses an IPI and sets the PREEMPT bit in the event mask from the IPI, which leaves that RMW operation unprotected. Use guard(irq) if CONFIG_MEMBARRIER is enabled to fix that. Fixes: 2a36ab717e8f ("rseq/membarrier: Add MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ") Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Boqun Feng <boqun.feng(a)gmail.com> Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: stable(a)vger.kernel.org diff --git a/include/linux/rseq.h b/include/linux/rseq.h index bc8af3eb5598..1fbeb61babeb 100644 --- a/include/linux/rseq.h +++ b/include/linux/rseq.h @@ -7,6 +7,12 @@ #include <linux/preempt.h> #include <linux/sched.h> +#ifdef CONFIG_MEMBARRIER +# define RSEQ_EVENT_GUARD irq +#else +# define RSEQ_EVENT_GUARD preempt +#endif + /* * Map the event mask on the user-space ABI enum rseq_cs_flags * for direct mask checks. @@ -41,9 +47,8 @@ static inline void rseq_handle_notify_resume(struct ksignal *ksig, static inline void rseq_signal_deliver(struct ksignal *ksig, struct pt_regs *regs) { - preempt_disable(); - __set_bit(RSEQ_EVENT_SIGNAL_BIT, &current->rseq_event_mask); - preempt_enable(); + scoped_guard(RSEQ_EVENT_GUARD) + __set_bit(RSEQ_EVENT_SIGNAL_BIT, &current->rseq_event_mask); rseq_handle_notify_resume(ksig, regs); } diff --git a/kernel/rseq.c b/kernel/rseq.c index b7a1ec327e81..2452b7366b00 100644 --- a/kernel/rseq.c +++ b/kernel/rseq.c @@ -342,12 +342,12 @@ static int rseq_need_restart(struct task_struct *t, u32 cs_flags) /* * Load and clear event mask atomically with respect to - * scheduler preemption. + * scheduler preemption and membarrier IPIs. */ - preempt_disable(); - event_mask = t->rseq_event_mask; - t->rseq_event_mask = 0; - preempt_enable(); + scoped_guard(RSEQ_EVENT_GUARD) { + event_mask = t->rseq_event_mask; + t->rseq_event_mask = 0; + } return !!event_mask; }

3 weeks

1
0
0 0

FAILED: patch "[PATCH] rseq: Protect event mask against membarrier IPI" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 6eb350a2233100a283f882c023e5ad426d0ed63b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101556-riches-vivacious-ee8f@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6eb350a2233100a283f882c023e5ad426d0ed63b Mon Sep 17 00:00:00 2001 From: Thomas Gleixner <tglx(a)linutronix.de> Date: Wed, 13 Aug 2025 17:02:30 +0200 Subject: [PATCH] rseq: Protect event mask against membarrier IPI rseq_need_restart() reads and clears task::rseq_event_mask with preemption disabled to guard against the scheduler. But membarrier() uses an IPI and sets the PREEMPT bit in the event mask from the IPI, which leaves that RMW operation unprotected. Use guard(irq) if CONFIG_MEMBARRIER is enabled to fix that. Fixes: 2a36ab717e8f ("rseq/membarrier: Add MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ") Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Reviewed-by: Boqun Feng <boqun.feng(a)gmail.com> Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: stable(a)vger.kernel.org diff --git a/include/linux/rseq.h b/include/linux/rseq.h index bc8af3eb5598..1fbeb61babeb 100644 --- a/include/linux/rseq.h +++ b/include/linux/rseq.h @@ -7,6 +7,12 @@ #include <linux/preempt.h> #include <linux/sched.h> +#ifdef CONFIG_MEMBARRIER +# define RSEQ_EVENT_GUARD irq +#else +# define RSEQ_EVENT_GUARD preempt +#endif + /* * Map the event mask on the user-space ABI enum rseq_cs_flags * for direct mask checks. @@ -41,9 +47,8 @@ static inline void rseq_handle_notify_resume(struct ksignal *ksig, static inline void rseq_signal_deliver(struct ksignal *ksig, struct pt_regs *regs) { - preempt_disable(); - __set_bit(RSEQ_EVENT_SIGNAL_BIT, &current->rseq_event_mask); - preempt_enable(); + scoped_guard(RSEQ_EVENT_GUARD) + __set_bit(RSEQ_EVENT_SIGNAL_BIT, &current->rseq_event_mask); rseq_handle_notify_resume(ksig, regs); } diff --git a/kernel/rseq.c b/kernel/rseq.c index b7a1ec327e81..2452b7366b00 100644 --- a/kernel/rseq.c +++ b/kernel/rseq.c @@ -342,12 +342,12 @@ static int rseq_need_restart(struct task_struct *t, u32 cs_flags) /* * Load and clear event mask atomically with respect to - * scheduler preemption. + * scheduler preemption and membarrier IPIs. */ - preempt_disable(); - event_mask = t->rseq_event_mask; - t->rseq_event_mask = 0; - preempt_enable(); + scoped_guard(RSEQ_EVENT_GUARD) { + event_mask = t->rseq_event_mask; + t->rseq_event_mask = 0; + } return !!event_mask; }

3 weeks

1
0
0 0

FAILED: patch "[PATCH] arm64: map [_text, _stext) virtual address range" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5973a62efa34c80c9a4e5eac1fca6f6209b902af # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101551-unsealed-whisking-8514@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5973a62efa34c80c9a4e5eac1fca6f6209b902af Mon Sep 17 00:00:00 2001 From: Omar Sandoval <osandov(a)fb.com> Date: Fri, 19 Sep 2025 14:27:51 -0700 Subject: [PATCH] arm64: map [_text, _stext) virtual address range non-executable+read-only Since the referenced fixes commit, the kernel's .text section is only mapped starting from _stext; the region [_text, _stext) is omitted. As a result, other vmalloc/vmap allocations may use the virtual addresses nominally in the range [_text, _stext). This address reuse confuses multiple things: 1. crash_prepare_elf64_headers() sets up a segment in /proc/vmcore mapping the entire range [_text, _end) to [__pa_symbol(_text), __pa_symbol(_end)). Reading an address in [_text, _stext) from /proc/vmcore therefore gives the incorrect result. 2. Tools doing symbolization (either by reading /proc/kallsyms or based on the vmlinux ELF file) will incorrectly identify vmalloc/vmap allocations in [_text, _stext) as kernel symbols. In practice, both of these issues affect the drgn debugger. Specifically, there were cases where the vmap IRQ stacks for some CPUs were allocated in [_text, _stext). As a result, drgn could not get the stack trace for a crash in an IRQ handler because the core dump contained invalid data for the IRQ stack address. The stack addresses were also symbolized as being in the _text symbol. Fix this by bringing back the mapping of [_text, _stext), but now make it non-executable and read-only. This prevents other allocations from using it while still achieving the original goal of not mapping unpredictable data as executable. Other than the changed protection, this is effectively a revert of the fixes commit. Fixes: e2a073dde921 ("arm64: omit [_text, _stext) from permanent kernel mapping") Cc: stable(a)vger.kernel.org Signed-off-by: Omar Sandoval <osandov(a)fb.com> Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/pi/map_kernel.c b/arch/arm64/kernel/pi/map_kernel.c index e6d35eff1486..e8ddbde31a83 100644 --- a/arch/arm64/kernel/pi/map_kernel.c +++ b/arch/arm64/kernel/pi/map_kernel.c @@ -78,6 +78,12 @@ static void __init map_kernel(u64 kaslr_offset, u64 va_offset, int root_level) twopass |= enable_scs; prot = twopass ? data_prot : text_prot; + /* + * [_stext, _text) isn't executed after boot and contains some + * non-executable, unpredictable data, so map it non-executable. + */ + map_segment(init_pg_dir, &pgdp, va_offset, _text, _stext, data_prot, + false, root_level); map_segment(init_pg_dir, &pgdp, va_offset, _stext, _etext, prot, !twopass, root_level); map_segment(init_pg_dir, &pgdp, va_offset, __start_rodata, diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c index 77c7926a4df6..23c05dc7a8f2 100644 --- a/arch/arm64/kernel/setup.c +++ b/arch/arm64/kernel/setup.c @@ -214,7 +214,7 @@ static void __init request_standard_resources(void) unsigned long i = 0; size_t res_size; - kernel_code.start = __pa_symbol(_stext); + kernel_code.start = __pa_symbol(_text); kernel_code.end = __pa_symbol(__init_begin - 1); kernel_data.start = __pa_symbol(_sdata); kernel_data.end = __pa_symbol(_end - 1); @@ -280,7 +280,7 @@ u64 cpu_logical_map(unsigned int cpu) void __init __no_sanitize_address setup_arch(char **cmdline_p) { - setup_initial_init_mm(_stext, _etext, _edata, _end); + setup_initial_init_mm(_text, _etext, _edata, _end); *cmdline_p = boot_command_line; diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c index 70c2ca813c18..524d34a0e921 100644 --- a/arch/arm64/mm/init.c +++ b/arch/arm64/mm/init.c @@ -279,7 +279,7 @@ void __init arm64_memblock_init(void) * Register the kernel text, kernel data, initrd, and initial * pagetables with memblock. */ - memblock_reserve(__pa_symbol(_stext), _end - _stext); + memblock_reserve(__pa_symbol(_text), _end - _text); if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && phys_initrd_size) { /* the generic initrd code expects virtual addresses */ initrd_start = __phys_to_virt(phys_initrd_start); diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index 0ba1a15e7e74..10c258099581 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -965,8 +965,8 @@ void __init mark_linear_text_alias_ro(void) /* * Remove the write permissions from the linear alias of .text/.rodata */ - update_mapping_prot(__pa_symbol(_stext), (unsigned long)lm_alias(_stext), - (unsigned long)__init_begin - (unsigned long)_stext, + update_mapping_prot(__pa_symbol(_text), (unsigned long)lm_alias(_text), + (unsigned long)__init_begin - (unsigned long)_text, PAGE_KERNEL_RO); } @@ -1037,7 +1037,7 @@ static inline bool force_pte_mapping(void) static void __init map_mem(pgd_t *pgdp) { static const u64 direct_map_end = _PAGE_END(VA_BITS_MIN); - phys_addr_t kernel_start = __pa_symbol(_stext); + phys_addr_t kernel_start = __pa_symbol(_text); phys_addr_t kernel_end = __pa_symbol(__init_begin); phys_addr_t start, end; phys_addr_t early_kfence_pool; @@ -1086,7 +1086,7 @@ static void __init map_mem(pgd_t *pgdp) } /* - * Map the linear alias of the [_stext, __init_begin) interval + * Map the linear alias of the [_text, __init_begin) interval * as non-executable now, and remove the write permission in * mark_linear_text_alias_ro() below (which will be called after * alternative patching has completed). This makes the contents @@ -1113,6 +1113,10 @@ void mark_rodata_ro(void) WRITE_ONCE(rodata_is_rw, false); update_mapping_prot(__pa_symbol(__start_rodata), (unsigned long)__start_rodata, section_size, PAGE_KERNEL_RO); + /* mark the range between _text and _stext as read only. */ + update_mapping_prot(__pa_symbol(_text), (unsigned long)_text, + (unsigned long)_stext - (unsigned long)_text, + PAGE_KERNEL_RO); } static void __init declare_vma(struct vm_struct *vma, @@ -1183,7 +1187,7 @@ static void __init declare_kernel_vmas(void) { static struct vm_struct vmlinux_seg[KERNEL_SEGMENT_COUNT]; - declare_vma(&vmlinux_seg[0], _stext, _etext, VM_NO_GUARD); + declare_vma(&vmlinux_seg[0], _text, _etext, VM_NO_GUARD); declare_vma(&vmlinux_seg[1], __start_rodata, __inittext_begin, VM_NO_GUARD); declare_vma(&vmlinux_seg[2], __inittext_begin, __inittext_end, VM_NO_GUARD); declare_vma(&vmlinux_seg[3], __initdata_begin, __initdata_end, VM_NO_GUARD);

3 weeks

1
0
0 0

FAILED: patch "[PATCH] arm64: map [_text, _stext) virtual address range" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 5973a62efa34c80c9a4e5eac1fca6f6209b902af # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101549-slurp-darkened-955a@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5973a62efa34c80c9a4e5eac1fca6f6209b902af Mon Sep 17 00:00:00 2001 From: Omar Sandoval <osandov(a)fb.com> Date: Fri, 19 Sep 2025 14:27:51 -0700 Subject: [PATCH] arm64: map [_text, _stext) virtual address range non-executable+read-only Since the referenced fixes commit, the kernel's .text section is only mapped starting from _stext; the region [_text, _stext) is omitted. As a result, other vmalloc/vmap allocations may use the virtual addresses nominally in the range [_text, _stext). This address reuse confuses multiple things: 1. crash_prepare_elf64_headers() sets up a segment in /proc/vmcore mapping the entire range [_text, _end) to [__pa_symbol(_text), __pa_symbol(_end)). Reading an address in [_text, _stext) from /proc/vmcore therefore gives the incorrect result. 2. Tools doing symbolization (either by reading /proc/kallsyms or based on the vmlinux ELF file) will incorrectly identify vmalloc/vmap allocations in [_text, _stext) as kernel symbols. In practice, both of these issues affect the drgn debugger. Specifically, there were cases where the vmap IRQ stacks for some CPUs were allocated in [_text, _stext). As a result, drgn could not get the stack trace for a crash in an IRQ handler because the core dump contained invalid data for the IRQ stack address. The stack addresses were also symbolized as being in the _text symbol. Fix this by bringing back the mapping of [_text, _stext), but now make it non-executable and read-only. This prevents other allocations from using it while still achieving the original goal of not mapping unpredictable data as executable. Other than the changed protection, this is effectively a revert of the fixes commit. Fixes: e2a073dde921 ("arm64: omit [_text, _stext) from permanent kernel mapping") Cc: stable(a)vger.kernel.org Signed-off-by: Omar Sandoval <osandov(a)fb.com> Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/pi/map_kernel.c b/arch/arm64/kernel/pi/map_kernel.c index e6d35eff1486..e8ddbde31a83 100644 --- a/arch/arm64/kernel/pi/map_kernel.c +++ b/arch/arm64/kernel/pi/map_kernel.c @@ -78,6 +78,12 @@ static void __init map_kernel(u64 kaslr_offset, u64 va_offset, int root_level) twopass |= enable_scs; prot = twopass ? data_prot : text_prot; + /* + * [_stext, _text) isn't executed after boot and contains some + * non-executable, unpredictable data, so map it non-executable. + */ + map_segment(init_pg_dir, &pgdp, va_offset, _text, _stext, data_prot, + false, root_level); map_segment(init_pg_dir, &pgdp, va_offset, _stext, _etext, prot, !twopass, root_level); map_segment(init_pg_dir, &pgdp, va_offset, __start_rodata, diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c index 77c7926a4df6..23c05dc7a8f2 100644 --- a/arch/arm64/kernel/setup.c +++ b/arch/arm64/kernel/setup.c @@ -214,7 +214,7 @@ static void __init request_standard_resources(void) unsigned long i = 0; size_t res_size; - kernel_code.start = __pa_symbol(_stext); + kernel_code.start = __pa_symbol(_text); kernel_code.end = __pa_symbol(__init_begin - 1); kernel_data.start = __pa_symbol(_sdata); kernel_data.end = __pa_symbol(_end - 1); @@ -280,7 +280,7 @@ u64 cpu_logical_map(unsigned int cpu) void __init __no_sanitize_address setup_arch(char **cmdline_p) { - setup_initial_init_mm(_stext, _etext, _edata, _end); + setup_initial_init_mm(_text, _etext, _edata, _end); *cmdline_p = boot_command_line; diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c index 70c2ca813c18..524d34a0e921 100644 --- a/arch/arm64/mm/init.c +++ b/arch/arm64/mm/init.c @@ -279,7 +279,7 @@ void __init arm64_memblock_init(void) * Register the kernel text, kernel data, initrd, and initial * pagetables with memblock. */ - memblock_reserve(__pa_symbol(_stext), _end - _stext); + memblock_reserve(__pa_symbol(_text), _end - _text); if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && phys_initrd_size) { /* the generic initrd code expects virtual addresses */ initrd_start = __phys_to_virt(phys_initrd_start); diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index 0ba1a15e7e74..10c258099581 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -965,8 +965,8 @@ void __init mark_linear_text_alias_ro(void) /* * Remove the write permissions from the linear alias of .text/.rodata */ - update_mapping_prot(__pa_symbol(_stext), (unsigned long)lm_alias(_stext), - (unsigned long)__init_begin - (unsigned long)_stext, + update_mapping_prot(__pa_symbol(_text), (unsigned long)lm_alias(_text), + (unsigned long)__init_begin - (unsigned long)_text, PAGE_KERNEL_RO); } @@ -1037,7 +1037,7 @@ static inline bool force_pte_mapping(void) static void __init map_mem(pgd_t *pgdp) { static const u64 direct_map_end = _PAGE_END(VA_BITS_MIN); - phys_addr_t kernel_start = __pa_symbol(_stext); + phys_addr_t kernel_start = __pa_symbol(_text); phys_addr_t kernel_end = __pa_symbol(__init_begin); phys_addr_t start, end; phys_addr_t early_kfence_pool; @@ -1086,7 +1086,7 @@ static void __init map_mem(pgd_t *pgdp) } /* - * Map the linear alias of the [_stext, __init_begin) interval + * Map the linear alias of the [_text, __init_begin) interval * as non-executable now, and remove the write permission in * mark_linear_text_alias_ro() below (which will be called after * alternative patching has completed). This makes the contents @@ -1113,6 +1113,10 @@ void mark_rodata_ro(void) WRITE_ONCE(rodata_is_rw, false); update_mapping_prot(__pa_symbol(__start_rodata), (unsigned long)__start_rodata, section_size, PAGE_KERNEL_RO); + /* mark the range between _text and _stext as read only. */ + update_mapping_prot(__pa_symbol(_text), (unsigned long)_text, + (unsigned long)_stext - (unsigned long)_text, + PAGE_KERNEL_RO); } static void __init declare_vma(struct vm_struct *vma, @@ -1183,7 +1187,7 @@ static void __init declare_kernel_vmas(void) { static struct vm_struct vmlinux_seg[KERNEL_SEGMENT_COUNT]; - declare_vma(&vmlinux_seg[0], _stext, _etext, VM_NO_GUARD); + declare_vma(&vmlinux_seg[0], _text, _etext, VM_NO_GUARD); declare_vma(&vmlinux_seg[1], __start_rodata, __inittext_begin, VM_NO_GUARD); declare_vma(&vmlinux_seg[2], __inittext_begin, __inittext_end, VM_NO_GUARD); declare_vma(&vmlinux_seg[3], __initdata_begin, __initdata_end, VM_NO_GUARD);

3 weeks

1
0
0 0

FAILED: patch "[PATCH] arm64: map [_text, _stext) virtual address range" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 5973a62efa34c80c9a4e5eac1fca6f6209b902af # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101548-stiffly-eagle-d9a5@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5973a62efa34c80c9a4e5eac1fca6f6209b902af Mon Sep 17 00:00:00 2001 From: Omar Sandoval <osandov(a)fb.com> Date: Fri, 19 Sep 2025 14:27:51 -0700 Subject: [PATCH] arm64: map [_text, _stext) virtual address range non-executable+read-only Since the referenced fixes commit, the kernel's .text section is only mapped starting from _stext; the region [_text, _stext) is omitted. As a result, other vmalloc/vmap allocations may use the virtual addresses nominally in the range [_text, _stext). This address reuse confuses multiple things: 1. crash_prepare_elf64_headers() sets up a segment in /proc/vmcore mapping the entire range [_text, _end) to [__pa_symbol(_text), __pa_symbol(_end)). Reading an address in [_text, _stext) from /proc/vmcore therefore gives the incorrect result. 2. Tools doing symbolization (either by reading /proc/kallsyms or based on the vmlinux ELF file) will incorrectly identify vmalloc/vmap allocations in [_text, _stext) as kernel symbols. In practice, both of these issues affect the drgn debugger. Specifically, there were cases where the vmap IRQ stacks for some CPUs were allocated in [_text, _stext). As a result, drgn could not get the stack trace for a crash in an IRQ handler because the core dump contained invalid data for the IRQ stack address. The stack addresses were also symbolized as being in the _text symbol. Fix this by bringing back the mapping of [_text, _stext), but now make it non-executable and read-only. This prevents other allocations from using it while still achieving the original goal of not mapping unpredictable data as executable. Other than the changed protection, this is effectively a revert of the fixes commit. Fixes: e2a073dde921 ("arm64: omit [_text, _stext) from permanent kernel mapping") Cc: stable(a)vger.kernel.org Signed-off-by: Omar Sandoval <osandov(a)fb.com> Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/pi/map_kernel.c b/arch/arm64/kernel/pi/map_kernel.c index e6d35eff1486..e8ddbde31a83 100644 --- a/arch/arm64/kernel/pi/map_kernel.c +++ b/arch/arm64/kernel/pi/map_kernel.c @@ -78,6 +78,12 @@ static void __init map_kernel(u64 kaslr_offset, u64 va_offset, int root_level) twopass |= enable_scs; prot = twopass ? data_prot : text_prot; + /* + * [_stext, _text) isn't executed after boot and contains some + * non-executable, unpredictable data, so map it non-executable. + */ + map_segment(init_pg_dir, &pgdp, va_offset, _text, _stext, data_prot, + false, root_level); map_segment(init_pg_dir, &pgdp, va_offset, _stext, _etext, prot, !twopass, root_level); map_segment(init_pg_dir, &pgdp, va_offset, __start_rodata, diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c index 77c7926a4df6..23c05dc7a8f2 100644 --- a/arch/arm64/kernel/setup.c +++ b/arch/arm64/kernel/setup.c @@ -214,7 +214,7 @@ static void __init request_standard_resources(void) unsigned long i = 0; size_t res_size; - kernel_code.start = __pa_symbol(_stext); + kernel_code.start = __pa_symbol(_text); kernel_code.end = __pa_symbol(__init_begin - 1); kernel_data.start = __pa_symbol(_sdata); kernel_data.end = __pa_symbol(_end - 1); @@ -280,7 +280,7 @@ u64 cpu_logical_map(unsigned int cpu) void __init __no_sanitize_address setup_arch(char **cmdline_p) { - setup_initial_init_mm(_stext, _etext, _edata, _end); + setup_initial_init_mm(_text, _etext, _edata, _end); *cmdline_p = boot_command_line; diff --git a/arch/arm64/mm/init.c b/arch/arm64/mm/init.c index 70c2ca813c18..524d34a0e921 100644 --- a/arch/arm64/mm/init.c +++ b/arch/arm64/mm/init.c @@ -279,7 +279,7 @@ void __init arm64_memblock_init(void) * Register the kernel text, kernel data, initrd, and initial * pagetables with memblock. */ - memblock_reserve(__pa_symbol(_stext), _end - _stext); + memblock_reserve(__pa_symbol(_text), _end - _text); if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && phys_initrd_size) { /* the generic initrd code expects virtual addresses */ initrd_start = __phys_to_virt(phys_initrd_start); diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index 0ba1a15e7e74..10c258099581 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -965,8 +965,8 @@ void __init mark_linear_text_alias_ro(void) /* * Remove the write permissions from the linear alias of .text/.rodata */ - update_mapping_prot(__pa_symbol(_stext), (unsigned long)lm_alias(_stext), - (unsigned long)__init_begin - (unsigned long)_stext, + update_mapping_prot(__pa_symbol(_text), (unsigned long)lm_alias(_text), + (unsigned long)__init_begin - (unsigned long)_text, PAGE_KERNEL_RO); } @@ -1037,7 +1037,7 @@ static inline bool force_pte_mapping(void) static void __init map_mem(pgd_t *pgdp) { static const u64 direct_map_end = _PAGE_END(VA_BITS_MIN); - phys_addr_t kernel_start = __pa_symbol(_stext); + phys_addr_t kernel_start = __pa_symbol(_text); phys_addr_t kernel_end = __pa_symbol(__init_begin); phys_addr_t start, end; phys_addr_t early_kfence_pool; @@ -1086,7 +1086,7 @@ static void __init map_mem(pgd_t *pgdp) } /* - * Map the linear alias of the [_stext, __init_begin) interval + * Map the linear alias of the [_text, __init_begin) interval * as non-executable now, and remove the write permission in * mark_linear_text_alias_ro() below (which will be called after * alternative patching has completed). This makes the contents @@ -1113,6 +1113,10 @@ void mark_rodata_ro(void) WRITE_ONCE(rodata_is_rw, false); update_mapping_prot(__pa_symbol(__start_rodata), (unsigned long)__start_rodata, section_size, PAGE_KERNEL_RO); + /* mark the range between _text and _stext as read only. */ + update_mapping_prot(__pa_symbol(_text), (unsigned long)_text, + (unsigned long)_stext - (unsigned long)_text, + PAGE_KERNEL_RO); } static void __init declare_vma(struct vm_struct *vma, @@ -1183,7 +1187,7 @@ static void __init declare_kernel_vmas(void) { static struct vm_struct vmlinux_seg[KERNEL_SEGMENT_COUNT]; - declare_vma(&vmlinux_seg[0], _stext, _etext, VM_NO_GUARD); + declare_vma(&vmlinux_seg[0], _text, _etext, VM_NO_GUARD); declare_vma(&vmlinux_seg[1], __start_rodata, __inittext_begin, VM_NO_GUARD); declare_vma(&vmlinux_seg[2], __inittext_begin, __inittext_end, VM_NO_GUARD); declare_vma(&vmlinux_seg[3], __initdata_begin, __initdata_end, VM_NO_GUARD);

3 weeks

1
0
0 0

FAILED: patch "[PATCH] debugfs: fix mount options not being applied" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 8e7e265d558e0257d6dacc78ec64aff4ba75f61e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101502-elf-bootie-19bf@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8e7e265d558e0257d6dacc78ec64aff4ba75f61e Mon Sep 17 00:00:00 2001 From: Charalampos Mitrodimas <charmitro(a)posteo.net> Date: Sat, 16 Aug 2025 14:14:37 +0000 Subject: [PATCH] debugfs: fix mount options not being applied Mount options (uid, gid, mode) are silently ignored when debugfs is mounted. This is a regression introduced during the conversion to the new mount API. When the mount API conversion was done, the parsed options were never applied to the superblock when it was reused. As a result, the mount options were ignored when debugfs was mounted. Fix this by following the same pattern as the tracefs fix in commit e4d32142d1de ("tracing: Fix tracefs mount options"). Call debugfs_reconfigure() in debugfs_get_tree() to apply the mount options to the superblock after it has been created or reused. As an example, with the bug the "mode" mount option is ignored: $ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test $ mount | grep debugfs_test debugfs on /tmp/debugfs_test type debugfs (rw,relatime) $ ls -ld /tmp/debugfs_test drwx------ 25 root root 0 Aug 4 14:16 /tmp/debugfs_test With the fix applied, it works as expected: $ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test $ mount | grep debugfs_test debugfs on /tmp/debugfs_test type debugfs (rw,relatime,mode=666) $ ls -ld /tmp/debugfs_test drw-rw-rw- 37 root root 0 Aug 2 17:28 /tmp/debugfs_test Fixes: a20971c18752 ("vfs: Convert debugfs to use the new mount API") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220406 Cc: stable(a)vger.kernel.org Reviewed-by: Eric Sandeen <sandeen(a)redhat.com> Signed-off-by: Charalampos Mitrodimas <charmitro(a)posteo.net> Link: https://lore.kernel.org/20250816-debugfs-mount-opts-v3-1-d271dad57b5b@poste… Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index a0357b0cf362..c12d649df6a5 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c @@ -183,6 +183,9 @@ static int debugfs_reconfigure(struct fs_context *fc) struct debugfs_fs_info *sb_opts = sb->s_fs_info; struct debugfs_fs_info *new_opts = fc->s_fs_info; + if (!new_opts) + return 0; + sync_filesystem(sb); /* structure copy of new mount options to sb */ @@ -282,10 +285,16 @@ static int debugfs_fill_super(struct super_block *sb, struct fs_context *fc) static int debugfs_get_tree(struct fs_context *fc) { + int err; + if (!(debugfs_allow & DEBUGFS_ALLOW_API)) return -EPERM; - return get_tree_single(fc, debugfs_fill_super); + err = get_tree_single(fc, debugfs_fill_super); + if (err) + return err; + + return debugfs_reconfigure(fc); } static void debugfs_free_fc(struct fs_context *fc)

3 weeks

1
0
0 0

FAILED: patch "[PATCH] debugfs: fix mount options not being applied" failed to apply to 6.17-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.17-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y git checkout FETCH_HEAD git cherry-pick -x 8e7e265d558e0257d6dacc78ec64aff4ba75f61e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101559-usher-corroding-5b5a@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8e7e265d558e0257d6dacc78ec64aff4ba75f61e Mon Sep 17 00:00:00 2001 From: Charalampos Mitrodimas <charmitro(a)posteo.net> Date: Sat, 16 Aug 2025 14:14:37 +0000 Subject: [PATCH] debugfs: fix mount options not being applied Mount options (uid, gid, mode) are silently ignored when debugfs is mounted. This is a regression introduced during the conversion to the new mount API. When the mount API conversion was done, the parsed options were never applied to the superblock when it was reused. As a result, the mount options were ignored when debugfs was mounted. Fix this by following the same pattern as the tracefs fix in commit e4d32142d1de ("tracing: Fix tracefs mount options"). Call debugfs_reconfigure() in debugfs_get_tree() to apply the mount options to the superblock after it has been created or reused. As an example, with the bug the "mode" mount option is ignored: $ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test $ mount | grep debugfs_test debugfs on /tmp/debugfs_test type debugfs (rw,relatime) $ ls -ld /tmp/debugfs_test drwx------ 25 root root 0 Aug 4 14:16 /tmp/debugfs_test With the fix applied, it works as expected: $ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test $ mount | grep debugfs_test debugfs on /tmp/debugfs_test type debugfs (rw,relatime,mode=666) $ ls -ld /tmp/debugfs_test drw-rw-rw- 37 root root 0 Aug 2 17:28 /tmp/debugfs_test Fixes: a20971c18752 ("vfs: Convert debugfs to use the new mount API") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220406 Cc: stable(a)vger.kernel.org Reviewed-by: Eric Sandeen <sandeen(a)redhat.com> Signed-off-by: Charalampos Mitrodimas <charmitro(a)posteo.net> Link: https://lore.kernel.org/20250816-debugfs-mount-opts-v3-1-d271dad57b5b@poste… Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c index a0357b0cf362..c12d649df6a5 100644 --- a/fs/debugfs/inode.c +++ b/fs/debugfs/inode.c @@ -183,6 +183,9 @@ static int debugfs_reconfigure(struct fs_context *fc) struct debugfs_fs_info *sb_opts = sb->s_fs_info; struct debugfs_fs_info *new_opts = fc->s_fs_info; + if (!new_opts) + return 0; + sync_filesystem(sb); /* structure copy of new mount options to sb */ @@ -282,10 +285,16 @@ static int debugfs_fill_super(struct super_block *sb, struct fs_context *fc) static int debugfs_get_tree(struct fs_context *fc) { + int err; + if (!(debugfs_allow & DEBUGFS_ALLOW_API)) return -EPERM; - return get_tree_single(fc, debugfs_fill_super); + err = get_tree_single(fc, debugfs_fill_super); + if (err) + return err; + + return debugfs_reconfigure(fc); } static void debugfs_free_fc(struct fs_context *fc)

3 weeks

1
0
0 0

FAILED: patch "[PATCH] fscontext: do not consume log entries when returning" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 72d271a7baa7062cb27e774ac37c5459c6d20e22 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101537-visor-thank-7800@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 72d271a7baa7062cb27e774ac37c5459c6d20e22 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <cyphar(a)cyphar.com> Date: Thu, 7 Aug 2025 03:55:23 +1000 Subject: [PATCH] fscontext: do not consume log entries when returning -EMSGSIZE Userspace generally expects APIs that return -EMSGSIZE to allow for them to adjust their buffer size and retry the operation. However, the fscontext log would previously clear the message even in the -EMSGSIZE case. Given that it is very cheap for us to check whether the buffer is too small before we remove the message from the ring buffer, let's just do that instead. While we're at it, refactor some fscontext_read() into a separate helper to make the ring buffer logic a bit easier to read. Fixes: 007ec26cdc9f ("vfs: Implement logging through fs_context") Cc: David Howells <dhowells(a)redhat.com> Cc: stable(a)vger.kernel.org # v5.2+ Signed-off-by: Aleksa Sarai <cyphar(a)cyphar.com> Link: https://lore.kernel.org/20250807-fscontext-log-cleanups-v3-1-8d91d6242dc3@c… Signed-off-by: Christian Brauner <brauner(a)kernel.org> diff --git a/fs/fsopen.c b/fs/fsopen.c index 1aaf4cb2afb2..f645c99204eb 100644 --- a/fs/fsopen.c +++ b/fs/fsopen.c @@ -18,50 +18,56 @@ #include "internal.h" #include "mount.h" +static inline const char *fetch_message_locked(struct fc_log *log, size_t len, + bool *need_free) +{ + const char *p; + int index; + + if (unlikely(log->head == log->tail)) + return ERR_PTR(-ENODATA); + + index = log->tail & (ARRAY_SIZE(log->buffer) - 1); + p = log->buffer[index]; + if (unlikely(strlen(p) > len)) + return ERR_PTR(-EMSGSIZE); + + log->buffer[index] = NULL; + *need_free = log->need_free & (1 << index); + log->need_free &= ~(1 << index); + log->tail++; + + return p; +} + /* * Allow the user to read back any error, warning or informational messages. + * Only one message is returned for each read(2) call. */ static ssize_t fscontext_read(struct file *file, char __user *_buf, size_t len, loff_t *pos) { struct fs_context *fc = file->private_data; - struct fc_log *log = fc->log.log; - unsigned int logsize = ARRAY_SIZE(log->buffer); - ssize_t ret; - char *p; + ssize_t err; + const char *p __free(kfree) = NULL, *message; bool need_free; - int index, n; + int n; - ret = mutex_lock_interruptible(&fc->uapi_mutex); - if (ret < 0) - return ret; - - if (log->head == log->tail) { - mutex_unlock(&fc->uapi_mutex); - return -ENODATA; - } - - index = log->tail & (logsize - 1); - p = log->buffer[index]; - need_free = log->need_free & (1 << index); - log->buffer[index] = NULL; - log->need_free &= ~(1 << index); - log->tail++; + err = mutex_lock_interruptible(&fc->uapi_mutex); + if (err < 0) + return err; + message = fetch_message_locked(fc->log.log, len, &need_free); mutex_unlock(&fc->uapi_mutex); + if (IS_ERR(message)) + return PTR_ERR(message); - ret = -EMSGSIZE; - n = strlen(p); - if (n > len) - goto err_free; - ret = -EFAULT; - if (copy_to_user(_buf, p, n) != 0) - goto err_free; - ret = n; - -err_free: if (need_free) - kfree(p); - return ret; + p = message; + + n = strlen(message); + if (copy_to_user(_buf, message, n)) + return -EFAULT; + return n; } static int fscontext_release(struct inode *inode, struct file *file)

3 weeks

1
0
0 0

Linux 6.17.3

by Greg Kroah-Hartman

I'm announcing the release of the 6.17.3 kernel. All users of the 6.17 kernel series must upgrade. The updated 6.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.17.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/vendor-prefixes.yaml | 50 + Documentation/iio/ad3552r.rst | 3 Documentation/trace/histogram-design.rst | 4 Makefile | 2 arch/alpha/kernel/process.c | 2 arch/arc/kernel/process.c | 2 arch/arm/boot/dts/renesas/r8a7791-porter.dts | 2 arch/arm/boot/dts/st/stm32mp151c-plyaqm.dts | 2 arch/arm/boot/dts/ti/omap/am335x-baltos.dtsi | 2 arch/arm/boot/dts/ti/omap/am335x-cm-t335.dts | 2 arch/arm/boot/dts/ti/omap/omap3-devkit8000-lcd-common.dtsi | 2 arch/arm/kernel/process.c | 2 arch/arm/mach-at91/pm_suspend.S | 4 arch/arm64/boot/dts/allwinner/sun55i-a527-cubie-a5e.dts | 25 arch/arm64/boot/dts/allwinner/sun55i-t527-avaota-a1.dts | 11 arch/arm64/boot/dts/allwinner/sun55i-t527-orangepi-4a.dts | 8 arch/arm64/boot/dts/amlogic/amlogic-c3.dtsi | 2 arch/arm64/boot/dts/apple/t6000-j314s.dts | 8 arch/arm64/boot/dts/apple/t6000-j316s.dts | 8 arch/arm64/boot/dts/apple/t6001-j314c.dts | 8 arch/arm64/boot/dts/apple/t6001-j316c.dts | 8 arch/arm64/boot/dts/apple/t6001-j375c.dts | 8 arch/arm64/boot/dts/apple/t6002-j375d.dts | 8 arch/arm64/boot/dts/apple/t600x-j314-j316.dtsi | 10 arch/arm64/boot/dts/apple/t600x-j375.dtsi | 11 arch/arm64/boot/dts/apple/t8103-j457.dts | 12 arch/arm64/boot/dts/freescale/imx93-kontron-bl-osm-s.dts | 32 - arch/arm64/boot/dts/freescale/imx95.dtsi | 4 arch/arm64/boot/dts/mediatek/mt6331.dtsi | 10 arch/arm64/boot/dts/mediatek/mt6795-sony-xperia-m5.dts | 2 arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 12 arch/arm64/boot/dts/mediatek/mt8183-kukui.dtsi | 14 arch/arm64/boot/dts/mediatek/mt8183-pumpkin.dts | 14 arch/arm64/boot/dts/mediatek/mt8186-corsola-krabby.dtsi | 8 arch/arm64/boot/dts/mediatek/mt8186-corsola-tentacruel-sku262144.dts | 4 arch/arm64/boot/dts/mediatek/mt8188.dtsi | 2 arch/arm64/boot/dts/mediatek/mt8195.dtsi | 3 arch/arm64/boot/dts/mediatek/mt8395-kontron-3-5-sbc-i1200.dts | 16 arch/arm64/boot/dts/mediatek/mt8516-pumpkin.dts | 2 arch/arm64/boot/dts/qcom/qcm2290.dtsi | 1 arch/arm64/boot/dts/renesas/r8a779g3-sparrow-hawk.dts | 6 arch/arm64/boot/dts/renesas/r9a09g047e57-smarc.dts | 6 arch/arm64/boot/dts/renesas/rzg2lc-smarc.dtsi | 5 arch/arm64/boot/dts/rockchip/rk3576-evb1-v10.dts | 118 +++- arch/arm64/boot/dts/ti/k3-am62-phycore-som.dtsi | 10 arch/arm64/boot/dts/ti/k3-am62-pocketbeagle2.dts | 6 arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi | 2 arch/arm64/boot/dts/ti/k3-am625-beagleplay.dts | 2 arch/arm64/boot/dts/ti/k3-am62a-phycore-som.dtsi | 12 arch/arm64/boot/dts/ti/k3-am62a7-sk.dts | 12 arch/arm64/boot/dts/ti/k3-am62d2-evm.dts | 14 arch/arm64/boot/dts/ti/k3-am62p-verdin.dtsi | 2 arch/arm64/boot/dts/ti/k3-am62p5-sk.dts | 8 arch/arm64/boot/dts/ti/k3-am62x-sk-common.dtsi | 8 arch/arm64/boot/dts/ti/k3-am64-phycore-som.dtsi | 22 arch/arm64/boot/dts/ti/k3-am642-evm.dts | 22 arch/arm64/boot/dts/ti/k3-am642-sk.dts | 22 arch/arm64/boot/dts/ti/k3-am642-sr-som.dtsi | 16 arch/arm64/boot/dts/ti/k3-am642-tqma64xxl.dtsi | 18 arch/arm64/boot/dts/ti/k3-am65-iot2050-common.dtsi | 10 arch/arm64/boot/dts/ti/k3-am654-base-board.dts | 10 arch/arm64/boot/dts/ti/k3-am67a-beagley-ai.dts | 22 arch/arm64/boot/dts/ti/k3-am68-phycore-som.dtsi | 34 - arch/arm64/boot/dts/ti/k3-am68-sk-som.dtsi | 34 - arch/arm64/boot/dts/ti/k3-am69-sk.dts | 48 - arch/arm64/boot/dts/ti/k3-j7200-som-p0.dtsi | 18 arch/arm64/boot/dts/ti/k3-j721e-beagleboneai64.dts | 40 - arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 40 - arch/arm64/boot/dts/ti/k3-j721e-som-p0.dtsi | 38 - arch/arm64/boot/dts/ti/k3-j721s2-som-p0.dtsi | 34 - arch/arm64/boot/dts/ti/k3-j722s-evm.dts | 22 arch/arm64/boot/dts/ti/k3-j742s2-mcu-wakeup.dtsi | 17 arch/arm64/boot/dts/ti/k3-j742s2.dtsi | 1 arch/arm64/boot/dts/ti/k3-j784s4-evm.dts | 4 arch/arm64/boot/dts/ti/k3-j784s4-j742s2-evm-common.dtsi | 44 - arch/arm64/boot/dts/ti/k3-pinctrl.h | 4 arch/arm64/kernel/process.c | 2 arch/arm64/net/bpf_jit_comp.c | 3 arch/csky/kernel/process.c | 2 arch/hexagon/kernel/process.c | 2 arch/loongarch/kernel/process.c | 2 arch/loongarch/kernel/relocate.c | 4 arch/loongarch/net/bpf_jit.c | 80 ++ arch/m68k/kernel/process.c | 2 arch/microblaze/kernel/process.c | 2 arch/mips/kernel/process.c | 2 arch/nios2/kernel/process.c | 2 arch/openrisc/kernel/process.c | 2 arch/parisc/kernel/process.c | 2 arch/powerpc/Kconfig | 4 arch/powerpc/Makefile | 2 arch/powerpc/include/asm/book3s/32/pgalloc.h | 10 arch/powerpc/include/asm/nohash/pgalloc.h | 2 arch/powerpc/include/asm/topology.h | 2 arch/powerpc/kernel/head_8xx.S | 9 arch/powerpc/kernel/module_64.c | 2 arch/powerpc/kernel/process.c | 2 arch/powerpc/kernel/smp.c | 27 arch/powerpc/kernel/trace/ftrace.c | 10 arch/riscv/kernel/process.c | 2 arch/riscv/kvm/vmid.c | 3 arch/riscv/net/bpf_jit_comp64.c | 42 + arch/s390/kernel/process.c | 2 arch/s390/kernel/topology.c | 20 arch/s390/net/bpf_jit_comp.c | 42 + arch/sh/kernel/process_32.c | 2 arch/sparc/kernel/process_32.c | 2 arch/sparc/kernel/process_64.c | 2 arch/sparc/lib/M7memcpy.S | 20 arch/sparc/lib/Memcpy_utils.S | 9 arch/sparc/lib/NG4memcpy.S | 2 arch/sparc/lib/NGmemcpy.S | 29 - arch/sparc/lib/U1memcpy.S | 19 arch/sparc/lib/U3memcpy.S | 2 arch/um/kernel/process.c | 2 arch/x86/events/intel/bts.c | 2 arch/x86/events/intel/core.c | 3 arch/x86/include/asm/fpu/sched.h | 2 arch/x86/include/asm/segment.h | 8 arch/x86/include/asm/shstk.h | 4 arch/x86/kernel/fpu/core.c | 2 arch/x86/kernel/process.c | 2 arch/x86/kernel/shstk.c | 2 arch/x86/kernel/smpboot.c | 8 arch/x86/kvm/svm/svm.c | 12 arch/xtensa/kernel/process.c | 2 block/bfq-iosched.c | 22 block/bio.c | 2 block/blk-cgroup.c | 6 block/blk-cgroup.h | 12 block/blk-core.c | 19 block/blk-iolatency.c | 14 block/blk-merge.c | 64 +- block/blk-mq-sched.c | 14 block/blk-mq-sched.h | 13 block/blk-mq-sysfs.c | 6 block/blk-mq-tag.c | 23 block/blk-mq.c | 84 +-- block/blk-mq.h | 18 block/blk-settings.c | 44 - block/blk-sysfs.c | 57 +- block/blk-throttle.c | 15 block/blk-throttle.h | 18 block/blk.h | 45 - block/elevator.c | 3 block/elevator.h | 2 block/kyber-iosched.c | 19 block/mq-deadline.c | 16 crypto/842.c | 6 crypto/asymmetric_keys/x509_cert_parser.c | 16 crypto/lz4.c | 6 crypto/lz4hc.c | 6 crypto/lzo-rle.c | 6 crypto/lzo.c | 6 drivers/accel/amdxdna/aie2_ctx.c | 6 drivers/acpi/acpica/aclocal.h | 2 drivers/acpi/nfit/core.c | 2 drivers/acpi/processor_idle.c | 3 drivers/base/node.c | 4 drivers/base/power/main.c | 14 drivers/base/regmap/regmap.c | 2 drivers/block/nbd.c | 8 drivers/block/null_blk/main.c | 2 drivers/bluetooth/btintel_pcie.c | 220 ++----- drivers/bluetooth/btintel_pcie.h | 2 drivers/bus/fsl-mc/fsl-mc-bus.c | 3 drivers/cdx/Kconfig | 1 drivers/cdx/cdx.c | 4 drivers/cdx/controller/Kconfig | 1 drivers/cdx/controller/cdx_controller.c | 3 drivers/char/hw_random/Kconfig | 1 drivers/char/hw_random/ks-sa-rng.c | 4 drivers/char/tpm/Kconfig | 2 drivers/clocksource/timer-tegra186.c | 4 drivers/cpufreq/scmi-cpufreq.c | 10 drivers/cpuidle/cpuidle-qcom-spm.c | 7 drivers/crypto/hisilicon/debugfs.c | 1 drivers/crypto/hisilicon/hpre/hpre_main.c | 66 +- drivers/crypto/hisilicon/qm.c | 45 + drivers/crypto/hisilicon/sec2/sec_main.c | 126 +++- drivers/crypto/hisilicon/zip/zip_main.c | 94 ++- drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c | 5 drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 2 drivers/crypto/nx/nx-common-powernv.c | 6 drivers/crypto/nx/nx-common-pseries.c | 6 drivers/devfreq/event/rockchip-dfi.c | 7 drivers/devfreq/mtk-cci-devfreq.c | 3 drivers/edac/i10nm_base.c | 14 drivers/firmware/arm_scmi/transports/virtio.c | 3 drivers/firmware/efi/Kconfig | 7 drivers/firmware/meson/Kconfig | 2 drivers/fwctl/mlx5/main.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 20 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 13 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 170 +++++- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 11 drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 2 drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 29 - drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 27 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 1 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 2 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_3.c | 4 drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 2 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 8 drivers/gpu/drm/amd/display/dc/dml/dcn32/display_rq_dlg_calc_32.c | 1 drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 32 - drivers/gpu/drm/amd/display/dc/inc/core_types.h | 5 drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c | 12 drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c | 5 drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.h | 3 drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 7 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 92 ++- drivers/gpu/drm/bridge/Kconfig | 1 drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 4 drivers/gpu/drm/display/drm_bridge_connector.c | 4 drivers/gpu/drm/display/drm_dp_helper.c | 4 drivers/gpu/drm/drm_atomic_uapi.c | 23 drivers/gpu/drm/drm_panel.c | 73 ++ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 2 drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 4 drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c | 6 drivers/gpu/drm/msm/msm_drv.c | 1 drivers/gpu/drm/msm/msm_gem_vma.c | 31 - drivers/gpu/drm/msm/msm_kms.c | 5 drivers/gpu/drm/panel/panel-edp.c | 20 drivers/gpu/drm/panel/panel-novatek-nt35560.c | 2 drivers/gpu/drm/radeon/r600_cs.c | 4 drivers/gpu/drm/scheduler/tests/mock_scheduler.c | 2 drivers/gpu/drm/scheduler/tests/sched_tests.h | 7 drivers/gpu/drm/scheduler/tests/tests_basic.c | 4 drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 2 drivers/hid/hid-ids.h | 2 drivers/hid/hid-quirks.c | 2 drivers/hid/hid-steelseries.c | 108 +-- drivers/hid/hidraw.c | 224 ++++---- drivers/hid/i2c-hid/i2c-hid-core.c | 46 + drivers/hid/i2c-hid/i2c-hid-of-elan.c | 11 drivers/hwmon/asus-ec-sensors.c | 2 drivers/hwmon/mlxreg-fan.c | 24 drivers/hwtracing/coresight/coresight-catu.c | 31 - drivers/hwtracing/coresight/coresight-catu.h | 1 drivers/hwtracing/coresight/coresight-core.c | 6 drivers/hwtracing/coresight/coresight-cpu-debug.c | 6 drivers/hwtracing/coresight/coresight-ctcu-core.c | 10 drivers/hwtracing/coresight/coresight-etb10.c | 10 drivers/hwtracing/coresight/coresight-etm3x-core.c | 9 drivers/hwtracing/coresight/coresight-etm4x-core.c | 41 - drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 1 drivers/hwtracing/coresight/coresight-etm4x.h | 6 drivers/hwtracing/coresight/coresight-funnel.c | 42 - drivers/hwtracing/coresight/coresight-replicator.c | 40 - drivers/hwtracing/coresight/coresight-stm.c | 13 drivers/hwtracing/coresight/coresight-syscfg.c | 2 drivers/hwtracing/coresight/coresight-tmc-core.c | 26 drivers/hwtracing/coresight/coresight-tmc.h | 2 drivers/hwtracing/coresight/coresight-tpda.c | 3 drivers/hwtracing/coresight/coresight-tpiu.c | 14 drivers/hwtracing/coresight/coresight-trbe.c | 12 drivers/hwtracing/coresight/ultrasoc-smb.h | 1 drivers/i2c/busses/i2c-designware-platdrv.c | 5 drivers/i2c/busses/i2c-k1.c | 71 +- drivers/i2c/busses/i2c-mt65xx.c | 17 drivers/i3c/internals.h | 12 drivers/i3c/master/svc-i3c-master.c | 31 - drivers/iio/inkern.c | 30 - drivers/infiniband/core/addr.c | 10 drivers/infiniband/core/cm.c | 4 drivers/infiniband/core/sa_query.c | 6 drivers/infiniband/hw/mlx5/main.c | 67 ++ drivers/infiniband/hw/mlx5/mlx5_ib.h | 5 drivers/infiniband/sw/rxe/rxe_task.c | 8 drivers/infiniband/sw/siw/siw_verbs.c | 25 drivers/input/misc/uinput.c | 1 drivers/input/touchscreen/atmel_mxt_ts.c | 2 drivers/iommu/intel/debugfs.c | 17 drivers/iommu/intel/iommu.h | 3 drivers/iommu/iommu-priv.h | 2 drivers/iommu/iommu.c | 26 drivers/iommu/iommufd/selftest.c | 2 drivers/irqchip/irq-gic-v5-its.c | 24 drivers/irqchip/irq-sg2042-msi.c | 18 drivers/leds/flash/leds-qcom-flash.c | 62 +- drivers/leds/leds-lp55xx-common.c | 2 drivers/leds/leds-max77705.c | 2 drivers/md/dm-core.h | 1 drivers/md/dm-vdo/indexer/volume-index.c | 4 drivers/md/dm.c | 13 drivers/media/i2c/rj54n1cb0c.c | 9 drivers/media/i2c/vd55g1.c | 2 drivers/media/pci/zoran/zoran.h | 6 drivers/media/pci/zoran/zoran_driver.c | 3 drivers/media/platform/st/sti/delta/delta-mjpeg-dec.c | 20 drivers/mfd/intel_soc_pmic_chtdc_ti.c | 2 drivers/mfd/max77705.c | 38 - drivers/mfd/rz-mtu3.c | 2 drivers/mfd/vexpress-sysreg.c | 6 drivers/misc/fastrpc.c | 89 ++- drivers/misc/genwqe/card_ddcb.c | 2 drivers/misc/pci_endpoint_test.c | 2 drivers/mmc/core/block.c | 6 drivers/mmc/host/Kconfig | 1 drivers/mtd/nand/raw/atmel/nand-controller.c | 4 drivers/net/bonding/bond_main.c | 2 drivers/net/bonding/bond_netlink.c | 16 drivers/net/ethernet/amazon/ena/ena_ethtool.c | 5 drivers/net/ethernet/cadence/macb.h | 4 drivers/net/ethernet/cadence/macb_main.c | 134 ++-- drivers/net/ethernet/dlink/dl2k.c | 7 drivers/net/ethernet/freescale/enetc/enetc4_pf.c | 2 drivers/net/ethernet/freescale/enetc/ntmp.c | 15 drivers/net/ethernet/intel/idpf/idpf_txrx.c | 8 drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 6 drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 1 drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c | 1 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 17 drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 24 drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 7 drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 drivers/net/phy/as21xxx.c | 7 drivers/net/usb/asix_devices.c | 29 + drivers/net/usb/rtl8150.c | 2 drivers/net/wireless/ath/ath10k/wmi.c | 39 - drivers/net/wireless/ath/ath12k/ce.c | 2 drivers/net/wireless/ath/ath12k/debug.h | 1 drivers/net/wireless/ath/ath12k/dp_mon.c | 56 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 45 + drivers/net/wireless/ath/ath12k/hal_rx.h | 12 drivers/net/wireless/ath/ath12k/mac.c | 16 drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 2 drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c | 4 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 8 drivers/net/wireless/broadcom/brcm80211/include/brcm_hw_ids.h | 1 drivers/net/wireless/intel/iwlwifi/fw/regulatory.h | 1 drivers/net/wireless/marvell/mwifiex/cfg80211.c | 7 drivers/net/wireless/mediatek/mt76/mt7603/soc.c | 2 drivers/net/wireless/mediatek/mt76/mt7915/eeprom.h | 6 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 29 - drivers/net/wireless/mediatek/mt76/mt7996/init.c | 29 - drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 137 +--- drivers/net/wireless/mediatek/mt76/mt7996/main.c | 106 ++- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 38 - drivers/net/wireless/mediatek/mt76/mt7996/mcu.h | 3 drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 22 drivers/net/wireless/mediatek/mt76/mt7996/pci.c | 2 drivers/net/wireless/realtek/rtw88/led.c | 13 drivers/net/wireless/realtek/rtw89/core.c | 1 drivers/net/wireless/realtek/rtw89/ser.c | 3 drivers/nvme/host/auth.c | 5 drivers/nvme/host/tcp.c | 3 drivers/nvme/target/fc.c | 19 drivers/nvme/target/fcloop.c | 8 drivers/pci/controller/cadence/pci-j721e.c | 2 drivers/pci/controller/dwc/pcie-designware.h | 1 drivers/pci/controller/dwc/pcie-qcom-common.c | 58 +- drivers/pci/controller/dwc/pcie-qcom-common.h | 2 drivers/pci/controller/dwc/pcie-qcom-ep.c | 6 drivers/pci/controller/dwc/pcie-qcom.c | 8 drivers/pci/controller/dwc/pcie-rcar-gen4.c | 26 drivers/pci/controller/dwc/pcie-tegra194.c | 4 drivers/pci/controller/pci-tegra.c | 2 drivers/pci/controller/pci-xgene-msi.c | 2 drivers/pci/controller/pcie-rcar-host.c | 2 drivers/pci/endpoint/functions/pci-epf-test.c | 31 - drivers/pci/endpoint/pci-ep-msi.c | 2 drivers/pci/msi/irqdomain.c | 57 ++ drivers/pci/pci-acpi.c | 6 drivers/pci/pcie/aer.c | 3 drivers/pci/pwrctrl/slot.c | 12 drivers/perf/arm_spe_pmu.c | 3 drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 12 drivers/pinctrl/Kconfig | 2 drivers/pinctrl/meson/pinctrl-meson-gxl.c | 10 drivers/pinctrl/pinctrl-eic7700.c | 2 drivers/pinctrl/pinmux.c | 2 drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 drivers/pinctrl/renesas/pinctrl.c | 3 drivers/power/supply/cw2015_battery.c | 3 drivers/power/supply/max77705_charger.c | 200 +++---- drivers/pps/kapi.c | 5 drivers/pps/pps.c | 5 drivers/ptp/ptp_private.h | 1 drivers/ptp/ptp_sysfs.c | 2 drivers/pwm/pwm-loongson.c | 2 drivers/pwm/pwm-tiehrpwm.c | 154 ++--- drivers/regulator/scmi-regulator.c | 3 drivers/remoteproc/pru_rproc.c | 3 drivers/remoteproc/qcom_q6v5.c | 3 drivers/remoteproc/qcom_q6v5_mss.c | 11 drivers/remoteproc/qcom_q6v5_pas.c | 6 drivers/rpmsg/qcom_smd.c | 2 drivers/scsi/libsas/sas_expander.c | 5 drivers/scsi/mpt3sas/mpt3sas_transport.c | 8 drivers/scsi/myrs.c | 8 drivers/scsi/pm8001/pm8001_hwi.c | 11 drivers/scsi/pm8001/pm8001_sas.c | 31 - drivers/scsi/pm8001/pm8001_sas.h | 1 drivers/scsi/pm8001/pm80xx_hwi.c | 10 drivers/scsi/qla2xxx/qla_edif.c | 4 drivers/scsi/qla2xxx/qla_init.c | 4 drivers/scsi/qla2xxx/qla_nvme.c | 2 drivers/soc/mediatek/mtk-svs.c | 23 drivers/soc/qcom/rpmh-rsc.c | 7 drivers/spi/spi.c | 2 drivers/staging/media/ipu7/ipu7.c | 28 - drivers/tee/tee_shm.c | 8 drivers/thermal/qcom/Kconfig | 3 drivers/thermal/qcom/lmh.c | 2 drivers/thunderbolt/tunnel.c | 5 drivers/tty/n_gsm.c | 25 drivers/tty/serial/max310x.c | 2 drivers/ufs/core/ufs-sysfs.c | 2 drivers/ufs/core/ufshcd.c | 9 drivers/uio/uio_hv_generic.c | 7 drivers/usb/cdns3/cdnsp-pci.c | 5 drivers/usb/gadget/configfs.c | 2 drivers/usb/host/max3421-hcd.c | 2 drivers/usb/host/xhci-ring.c | 11 drivers/usb/misc/Kconfig | 1 drivers/usb/misc/qcom_eud.c | 33 - drivers/usb/phy/phy-twl6030-usb.c | 3 drivers/usb/typec/tipd/core.c | 24 drivers/usb/usbip/vhci_hcd.c | 22 drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 6 drivers/vfio/pci/pds/dirty.c | 2 drivers/vhost/vringh.c | 14 drivers/video/fbdev/simplefb.c | 31 - drivers/watchdog/intel_oc_wdt.c | 8 drivers/watchdog/mpc8xxx_wdt.c | 2 fs/btrfs/extent_io.c | 9 fs/btrfs/inode.c | 2 fs/cramfs/inode.c | 2 fs/erofs/zdata.c | 4 fs/ext4/ext4.h | 10 fs/ext4/file.c | 2 fs/ext4/inode.c | 2 fs/ext4/mballoc.c | 10 fs/ext4/orphan.c | 6 fs/ext4/super.c | 4 fs/f2fs/compress.c | 25 fs/f2fs/data.c | 11 fs/f2fs/f2fs.h | 4 fs/f2fs/file.c | 49 + fs/f2fs/gc.c | 16 fs/f2fs/super.c | 10 fs/fuse/file.c | 1 fs/gfs2/file.c | 23 fs/gfs2/glock.c | 115 +--- fs/gfs2/glock.h | 4 fs/gfs2/incore.h | 3 fs/gfs2/lock_dlm.c | 72 +- fs/gfs2/trace_gfs2.h | 1 fs/hfsplus/dir.c | 2 fs/hfsplus/hfsplus_fs.h | 8 fs/hfsplus/unicode.c | 24 fs/hfsplus/xattr.c | 6 fs/nfs/localio.c | 65 +- fs/nfs/nfs4proc.c | 2 fs/nfsd/filecache.c | 34 + fs/nfsd/filecache.h | 4 fs/nfsd/localio.c | 11 fs/nfsd/trace.h | 27 fs/nfsd/vfs.h | 4 fs/notify/fanotify/fanotify_user.c | 3 fs/ntfs3/index.c | 10 fs/ntfs3/run.c | 12 fs/ocfs2/stack_user.c | 1 fs/smb/client/smb2ops.c | 17 fs/smb/client/smbdirect.c | 110 +++ fs/smb/client/smbdirect.h | 4 fs/smb/server/ksmbd_netlink.h | 5 fs/smb/server/mgmt/user_session.c | 26 fs/smb/server/server.h | 1 fs/smb/server/smb2pdu.c | 3 fs/smb/server/transport_ipc.c | 3 fs/smb/server/transport_rdma.c | 99 +++ fs/smb/server/transport_tcp.c | 27 fs/squashfs/inode.c | 7 fs/squashfs/squashfs_fs_i.h | 2 fs/udf/inode.c | 3 include/acpi/actbl.h | 2 include/asm-generic/vmlinux.lds.h | 1 include/crypto/internal/scompress.h | 11 include/drm/drm_panel.h | 14 include/linux/blk_types.h | 7 include/linux/blkdev.h | 2 include/linux/bpf.h | 1 include/linux/bpf_verifier.h | 12 include/linux/btf.h | 2 include/linux/coresight.h | 27 include/linux/dmaengine.h | 2 include/linux/hid.h | 2 include/linux/irq.h | 2 include/linux/memcontrol.h | 6 include/linux/mm.h | 2 include/linux/mmc/sdio_ids.h | 2 include/linux/msi.h | 2 include/linux/nfslocalio.h | 2 include/linux/once.h | 4 include/linux/phy.h | 23 include/linux/power/max77705_charger.h | 102 +-- include/linux/sched/topology.h | 28 - include/linux/topology.h | 2 include/net/bonding.h | 1 include/net/dst.h | 16 include/net/ip.h | 30 + include/net/ip6_route.h | 2 include/net/route.h | 2 include/scsi/libsas.h | 8 include/trace/events/filelock.h | 3 include/trace/misc/fs.h | 22 include/uapi/linux/hidraw.h | 2 include/ufs/ufshcd.h | 3 include/vdso/gettime.h | 1 init/Kconfig | 3 io_uring/waitid.c | 3 io_uring/zcrx.c | 4 kernel/bpf/core.c | 5 kernel/bpf/helpers.c | 3 kernel/bpf/verifier.c | 28 - kernel/cgroup/cpuset.c | 2 kernel/events/uprobes.c | 2 kernel/irq/Kconfig | 2 kernel/irq/chip.c | 37 + kernel/irq/irq_test.c | 18 kernel/pid.c | 2 kernel/rcu/srcutiny.c | 4 kernel/sched/topology.c | 28 - kernel/seccomp.c | 12 kernel/smp.c | 11 kernel/time/clockevents.c | 2 kernel/time/tick-common.c | 16 kernel/time/tick-internal.h | 2 kernel/trace/bpf_trace.c | 9 kernel/trace/trace.c | 278 ++++++++-- kernel/trace/trace_events.c | 3 kernel/trace/trace_fprobe.c | 10 kernel/trace/trace_irqsoff.c | 23 kernel/trace/trace_kprobe.c | 11 kernel/trace/trace_probe.h | 9 kernel/trace/trace_sched_wakeup.c | 16 kernel/trace/trace_uprobe.c | 12 lib/raid6/recov_rvv.c | 2 lib/raid6/rvv.c | 3 lib/vdso/datastore.c | 6 mm/hugetlb.c | 2 mm/memcontrol.c | 13 mm/slub.c | 5 net/9p/trans_usbg.c | 16 net/bluetooth/hci_sync.c | 10 net/bluetooth/iso.c | 11 net/bluetooth/mgmt.c | 10 net/core/dst.c | 2 net/core/filter.c | 16 net/core/sock.c | 16 net/ethtool/tsconfig.c | 12 net/ipv4/icmp.c | 6 net/ipv4/ip_fragment.c | 6 net/ipv4/ipmr.c | 6 net/ipv4/ping.c | 14 net/ipv4/route.c | 8 net/ipv4/tcp.c | 9 net/ipv4/tcp_input.c | 15 net/ipv4/tcp_metrics.c | 6 net/ipv6/anycast.c | 2 net/ipv6/icmp.c | 9 net/ipv6/ip6_output.c | 64 +- net/ipv6/mcast.c | 67 +- net/ipv6/ndisc.c | 2 net/ipv6/output_core.c | 8 net/ipv6/proc.c | 47 + net/ipv6/route.c | 7 net/mac80211/cfg.c | 21 net/mac80211/main.c | 3 net/mac80211/rx.c | 28 - net/mac80211/sta_info.c | 10 net/mptcp/ctrl.c | 9 net/mptcp/subflow.c | 11 net/netfilter/ipset/ip_set_hash_gen.h | 8 net/netfilter/ipvs/ip_vs_conn.c | 4 net/netfilter/ipvs/ip_vs_core.c | 11 net/netfilter/ipvs/ip_vs_ctl.c | 6 net/netfilter/ipvs/ip_vs_est.c | 16 net/netfilter/ipvs/ip_vs_ftp.c | 4 net/netfilter/nf_conntrack_standalone.c | 3 net/netfilter/nfnetlink.c | 2 net/nfc/nci/ntf.c | 135 +++- net/smc/smc_clc.c | 67 +- net/smc/smc_core.c | 27 net/smc/smc_pnet.c | 43 - net/sunrpc/auth_gss/svcauth_gss.c | 2 net/tls/tls_device.c | 18 net/wireless/util.c | 2 rust/bindings/bindings_helper.h | 1 rust/kernel/cpumask.rs | 1 scripts/misc-check | 4 security/Kconfig | 1 sound/core/pcm_native.c | 25 sound/hda/codecs/hdmi/hdmi.c | 1 sound/hda/codecs/realtek/alc269.c | 1 sound/pci/lx6464es/lx_core.c | 4 sound/soc/codecs/wcd934x.c | 17 sound/soc/codecs/wcd937x.c | 4 sound/soc/codecs/wcd937x.h | 6 sound/soc/intel/boards/bytcht_es8316.c | 20 sound/soc/intel/boards/bytcr_rt5640.c | 7 sound/soc/intel/boards/bytcr_rt5651.c | 26 sound/soc/intel/boards/sof_sdw.c | 2 sound/soc/qcom/sc8280xp.c | 4 sound/soc/sof/intel/hda-sdw-bpt.c | 2 sound/soc/sof/ipc3-topology.c | 10 sound/soc/sof/ipc4-pcm.c | 101 ++- sound/soc/sof/ipc4-topology.c | 1 sound/soc/sof/ipc4-topology.h | 2 tools/include/nolibc/nolibc.h | 1 tools/include/nolibc/std.h | 2 tools/include/nolibc/sys.h | 13 tools/include/nolibc/time.h | 5 tools/lib/bpf/libbpf.c | 46 - tools/lib/bpf/libbpf.h | 2 tools/net/ynl/pyynl/lib/ynl.py | 2 tools/power/acpi/os_specific/service_layers/oslinuxtbl.c | 4 tools/testing/nvdimm/test/ndtest.c | 13 tools/testing/selftests/arm64/abi/tpidr2.c | 8 tools/testing/selftests/arm64/gcs/basic-gcs.c | 2 tools/testing/selftests/arm64/pauth/exec_target.c | 7 tools/testing/selftests/bpf/Makefile | 4 tools/testing/selftests/bpf/bench.c | 2 tools/testing/selftests/bpf/prog_tests/btf_dump.c | 2 tools/testing/selftests/bpf/prog_tests/fd_array.c | 2 tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c | 220 ------- tools/testing/selftests/bpf/prog_tests/module_attach.c | 2 tools/testing/selftests/bpf/prog_tests/reg_bounds.c | 4 tools/testing/selftests/bpf/prog_tests/stacktrace_build_id.c | 2 tools/testing/selftests/bpf/prog_tests/stacktrace_build_id_nmi.c | 2 tools/testing/selftests/bpf/prog_tests/stacktrace_map.c | 2 tools/testing/selftests/bpf/prog_tests/stacktrace_map_raw_tp.c | 2 tools/testing/selftests/bpf/prog_tests/stacktrace_map_skip.c | 2 tools/testing/selftests/bpf/progs/bpf_cc_cubic.c | 2 tools/testing/selftests/bpf/progs/bpf_dctcp.c | 2 tools/testing/selftests/bpf/progs/freplace_connect_v4_prog.c | 2 tools/testing/selftests/bpf/progs/iters_state_safety.c | 2 tools/testing/selftests/bpf/progs/rbtree_search.c | 2 tools/testing/selftests/bpf/progs/struct_ops_kptr_return.c | 2 tools/testing/selftests/bpf/progs/struct_ops_refcounted.c | 2 tools/testing/selftests/bpf/progs/test_cls_redirect.c | 2 tools/testing/selftests/bpf/progs/test_cls_redirect_dynptr.c | 2 tools/testing/selftests/bpf/progs/test_tcpnotify_kern.c | 1 tools/testing/selftests/bpf/progs/uretprobe_stack.c | 4 tools/testing/selftests/bpf/progs/verifier_scalar_ids.c | 2 tools/testing/selftests/bpf/progs/verifier_var_off.c | 6 tools/testing/selftests/bpf/test_sockmap.c | 2 tools/testing/selftests/bpf/test_tcpnotify_user.c | 20 tools/testing/selftests/bpf/trace_helpers.c | 214 +++++++ tools/testing/selftests/bpf/trace_helpers.h | 3 tools/testing/selftests/bpf/verifier/calls.c | 8 tools/testing/selftests/bpf/xdping.c | 2 tools/testing/selftests/bpf/xsk.h | 4 tools/testing/selftests/bpf/xskxceiver.c | 14 tools/testing/selftests/cgroup/lib/cgroup_util.c | 12 tools/testing/selftests/cgroup/lib/include/cgroup_util.h | 1 tools/testing/selftests/cgroup/test_pids.c | 3 tools/testing/selftests/futex/functional/Makefile | 5 tools/testing/selftests/futex/functional/futex_numa_mpol.c | 59 +- tools/testing/selftests/futex/functional/futex_priv_hash.c | 1 tools/testing/selftests/futex/functional/run.sh | 1 tools/testing/selftests/futex/include/futextest.h | 11 tools/testing/selftests/iommu/iommufd_utils.h | 8 tools/testing/selftests/kselftest_harness/Makefile | 1 tools/testing/selftests/lib.mk | 5 tools/testing/selftests/mm/madv_populate.c | 21 tools/testing/selftests/mm/soft-dirty.c | 5 tools/testing/selftests/mm/va_high_addr_switch.c | 4 tools/testing/selftests/mm/vm_util.c | 17 tools/testing/selftests/mm/vm_util.h | 1 tools/testing/selftests/nolibc/nolibc-test.c | 5 tools/testing/selftests/vDSO/vdso_call.h | 7 tools/testing/selftests/vDSO/vdso_test_abi.c | 9 tools/testing/selftests/watchdog/watchdog-test.c | 6 683 files changed, 6492 insertions(+), 3927 deletions(-) Abdun Nihaal (1): wifi: mt76: fix potential memory leak in mt76_wmac_probe() Aditya Kumar Singh (2): wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan request during MLO wifi: mac80211: fix Rx packet handling when pubsta information is not available Ahmed Salem (1): ACPICA: Apply ACPI_NONSTRING Akashdeep Kaur (1): arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros Akhil P Oommen (1): drm/msm: Fix bootup splat with separate_gpu_drm modparam Akhilesh Patil (2): selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc() Alessandro Zanni (1): iommu/selftest: prevent use of uninitialized variable Alexander Lobakin (1): idpf: fix Rx descriptor ready check barrier in splitq Alexey Charkov (2): arm64: dts: rockchip: Add RTC on rk3576-evb1-v10 arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10 Alistair Popple (1): cramfs: fix incorrect physical page address calculation Alok Tiwari (3): PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation PCI: j721e: Fix incorrect error message in probe() idpf: fix mismatched free function for dma_alloc_coherent Amery Hung (1): selftests/bpf: Copy test_kmods when installing selftest Anderson Nascimento (1): fanotify: Validate the return value of mnt_ns_from_dentry() before dereferencing Andrea Righi (1): bpf: Mark kfuncs as __noclone Andreas Gruenbacher (7): gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote gfs2: Further sanitize lock_dlm.c gfs2: Fix LM_FLAG_TRY* logic in add_to_queue gfs2: Remove duplicate check in do_xmote gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS gfs2: do_xmote cleanup gfs2: Add proper lockspace locking Andrei Lalaev (1): leds: leds-lp55xx: Use correct address for memory programming André Almeida (2): selftest/futex: Make the error check more precise for futex_numa_mpol tools/nolibc: add stdbool.h to nolibc includes Andy Yan (1): power: supply: cw2015: Fix a alignment coding style issue AngeloGioacchino Del Regno (5): arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible Annette Kobou (1): arm64: dts: imx93-kontron: Fix GPIO for panel regulator Anthony Iliopoulos (1): NFSv4.1: fix backchannel max_resp_sz verification check Aradhya Bhatia (1): drm/bridge: cdns-dsi: Fix the _atomic_check() Arnd Bergmann (5): clocksource/drivers/tegra186: Avoid 64-bit division i3c: fix big-endian FIFO transfers drm/amdgpu: fix link error for !PM_SLEEP hwrng: nomadik - add ARM_AMBA dependency media: st-delta: avoid excessive stack usage Bagas Sanjaya (1): Documentation: trace: historgram-design: Separate sched_waking histogram section heading and the following diagram Bala-Vignesh-Reddy (2): selftests: arm64: Check fread return value in exec_target selftests: arm64: Fix -Waddress warning in tpidr2 test Baochen Qiang (4): wifi: ath12k: initialize eirp_power before use wifi: ath12k: fix overflow warning on num_pwr_levels wifi: ath12k: fix wrong logging ID used for CE wifi: ath10k: avoid unnecessary wait for service ready message Baokun Li (1): ext4: fix potential null deref in ext4_mb_init() Baptiste Lepers (1): rust: cpumask: Mark CpumaskVar as transparent Bard Liao (1): ASoC: Intel: hda-sdw-bpt: set persistent_buffer false Barnabás Czémán (1): rpmsg: qcom_smd: Fix fallback to qcom,ipc parse Bartosz Golaszewski (2): mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() pinctrl: check the return value of pinmux_ops::get_function_name() Bean Huo (1): mmc: core: Fix variable shadowing in mmc_route_rpmb_frames() Beleswar Padhi (4): arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F cores arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr' Revert "arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout locations" Revert "arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x carveout locations" Benjamin Berg (1): selftests/nolibc: fix EXPECT_NZ macro Benjamin Mugnier (1): media: i2c: vd55g1: Fix duster register address Benjamin Tissoires (1): HID: hidraw: tighten ioctl command parsing Bernard Metzler (1): RDMA/siw: Always report immediate post SQ errors Bibo Mao (1): tick: Do not set device to detached state in tick_shutdown() Biju Das (2): arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0 arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node Bingbu Cao (3): media: staging/ipu7: convert to use pci_alloc_irq_vectors() API media: staging/ipu7: Don't set name for IPU7 PCI device media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release Bitterblue Smith (2): wifi: rtw88: Lock rtwdev->mutex before setting the LED wifi: rtw88: Use led->brightness_set_blocking for PCI too Bo Sun (2): octeontx2-vf: fix bitmap leak octeontx2-pf: fix bitmap leak Brahmajit Das (2): drm/radeon/r600_cs: clean up of dead code in r600_cs bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Breno Leitao (1): PCI/AER: Avoid NULL pointer dereference in aer_ratelimit() Brian Norris (4): genirq/test: Select IRQ_DOMAIN genirq/test: Depend on SPARSE_IRQ genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions genirq/test: Ensure CPU 1 is online for hotplug test Brigham Campbell (1): drm/panel: novatek-nt35560: Fix invalid return value Chao Yu (11): f2fs: fix condition in __allow_reserved_blocks() f2fs: fix to avoid overflow while left shift operation f2fs: fix to zero data after EOF for compressed file correctly f2fs: fix to clear unusable_cap for checkpoint=enable f2fs: fix to avoid NULL pointer dereference in f2fs_check_quota_consistency() f2fs: fix to allow removing qf_name f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks() f2fs: fix to truncate first page in error path of f2fs_truncate() f2fs: fix to avoid migrating empty section f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page() f2fs: fix UAF issue in f2fs_merge_page_bio() Chen Ridong (1): cpuset: fix failure to enable isolated partition when containing isolcpus Chen-Yu Tsai (8): arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186 arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model arm64: dts: allwinner: a527: cubie-a5e: Add LEDs arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal Chenghai Huang (3): crypto: hisilicon/zip - remove unnecessary validation for high-performance mode configurations crypto: hisilicon - re-enable address prefetch after device resuming crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs Chia-I Wu (1): drm/bridge: it6505: select REGMAP_I2C Christian Göttsche (1): pid: use ns_capable_noaudit() when determining net sysctl permissions Christian Marangi (2): net: phy: introduce phy_id_compare_vendor() PHY ID helper net: phy: as21xxx: better handle PHY HW reset on soft-reboot Christophe Leroy (3): powerpc/8xx: Remove left-over instruction and comments in DataStoreTLBMiss handler powerpc/603: Really copy kernel PGD entries into all PGDIRs watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Chunyan Zhang (1): raid6: riscv: Clean up unused header file inclusion Chunyu Hu (1): selftests/mm: fix va_high_addr_switch.sh failure on x86_64 Claudiu Beznea (1): PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq() Claudiu Manoil (1): net: enetc: Fix probing error message typo for the ENETCv4 PF driver Colin Ian King (4): gfs2: Remove space before newline drm/vmwgfx: fix missing assignment to ts misc: genwqe: Fix incorrect cmd field being reported in error ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message Cosmin Tanislav (1): mfd: rz-mtu3: Fix MTU5 NFCR register offset Cristian Ciocaltea (1): usb: vhci-hcd: Prevent suspending virtually attached devices D. Wythe (1): libbpf: Fix error when st-prefix_ops and ops from differ btf Da Xue (1): pinctrl: meson-gxl: add missing i2c_d pinmux Dan Carpenter (11): PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup path irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc() selftests/futex: Fix futex_wait() for 32bit ARM PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in pci_epf_write_msi_msg() PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup() usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup misc: pci_endpoint_test: Fix array underflow in pci_endpoint_test_ioctl() serial: max310x: Add error checking in probe() HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower() ocfs2: fix double free in user_cluster_connect() Dan Moulding (1): crypto: comp - Use same definition of context alloc and free ops Daniel Borkmann (1): bpf: Enforce expected_attach_type for tailcall compatibility Daniel Wagner (2): nvmet-fc: move lsop put work to nvmet_fc_ls_req_op nvmet-fcloop: call done callback even when remote port is gone Dapeng Mi (2): perf/x86/intel: Use early_initcall() to hook bts_init() perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error David Gow (1): genirq/test: Fix depth tests on architectures with NOREQUEST by default. Deepak Sharma (1): net: nfc: nci: Add parameter validation for packet data Dmitry Antipov (1): ACPICA: Fix largest possible resource descriptor index Dmitry Baryshkov (7): thermal/drivers/qcom: Make LMH select QCOM_SCM thermal/drivers/qcom/lmh: Add missing IRQ includes drm/display: bridge-connector: correct CEC bridge pointers in drm_bridge_connector_init drm/msm/mdp4: stop supporting no-IOMMU configuration drm/msm: stop supporting no-IOMMU configuration remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974 ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075 Dominique Martinet (1): net/9p: Fix buffer overflow in USB transport layer Donet Tom (2): drivers/base/node: handle error properly in register_one_node() drivers/base/node: fix double free in register_one_node() Duoming Zhou (1): thunderbolt: Fix use-after-free in tb_dp_dprx_work Dzmitry Sankouski (5): mfd: max77705: max77705_charger: move active discharge setting to mfd parent power: supply: max77705_charger: refactoring: rename charger to chg power: supply: max77705_charger: use regfields for config registers power: supply: max77705_charger: rework interrupts mfd: max77705: Setup the core driver as an interrupt controller Eduard Zingerman (1): bpf: dont report verifier bug for missing bpf_scc_visit on speculative path Edward Srouji (1): RDMA/mlx5: Fix page size bitmap calculation for KSM mode Enzo Matsumiya (1): smb: client: fix crypto buffers in non-linear memory Eric Dumazet (14): nbd: restrict sockets to TCP and UDP net: dst: introduce dst->dev_rcu ipv6: start using dst_dev_rcu() ipv6: use RCU in ip6_xmit() ipv6: use RCU in ip6_output() net: use dst_dev_rcu() in sk_setup_caps() tcp_metrics: use dst_dev_net_rcu() ipv4: start using dst_dev_rcu() inet: ping: check sock_net() in ping_get_port() and ping_lookup() tcp: fix __tcp_close() to only send RST when required ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack tcp: use skb->len instead of skb->truesize in tcp_can_ingest() Erick Karanja (1): mtd: rawnand: atmel: Fix error handling path in atmel_nand_controller_add_nands Eugene Shalygin (1): hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI Fan Wu (1): KEYS: X.509: Fix Basic Constraints CA flag parsing Fangyu Yu (1): RISC-V: KVM: Write hgatp register with valid mode bits Fedor Pchelkin (2): wifi: rtw89: fix leak in rtw89_core_send_nullfunc() wifi: rtw89: avoid circular locking dependency in ser_state_run() Felix Fietkau (1): wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during restart Fenglin Wu (1): leds: flash: leds-qcom-flash: Update torch current clamp setting Fernando Fernandez Mancera (1): netfilter: nfnetlink: reset nlh pointer during batch replay Florian Fainelli (1): cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus() Frieder Schrempf (1): arm64: dts: imx93-kontron: Fix USB port assignment Gao Xiang (1): erofs: avoid reading more for fragment maps Geert Uytterhoeven (5): init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD regmap: Remove superfluous check for !config in __regmap_init() ARM: dts: renesas: porter: Fix CAN pin group PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text Genjian Zhang (1): null_blk: Fix the description of the cache_size module argument Gokul Sivakumar (1): wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress (CYW) Greg Kroah-Hartman (1): Linux 6.17.3 Guangshuo Li (1): nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() Guenter Roeck (2): clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation watchdog: intel_oc_wdt: Do not try to write into const memory Gui-Dong Han (1): RDMA/rxe: Fix race in do_task() when draining Guixin Liu (1): iommufd: Register iommufd mock devices with fwspec Guoqing Jiang (1): arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0 Han Guangjiang (1): blk-throttle: fix access race during throttle policy activation Hangbin Liu (1): bonding: fix xfrm offload feature setup on active-backup mode Hans de Goede (3): iio: consumers: Fix handling of negative channel scale in iio_convert_raw_to_processed() iio: consumers: Fix offset handling in iio_convert_raw_to_processed() mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag Hari Chandrakanthan (1): wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu() Hector Martin (2): arm64: dts: apple: t600x: Add missing WiFi properties arm64: dts: apple: t600x: Add bluetooth device nodes Hengqi Chen (10): riscv, bpf: Sign extend struct ops return values properly bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free() LoongArch: BPF: Sign-extend struct ops return values properly LoongArch: BPF: No support of struct argument in trampoline programs LoongArch: BPF: Don't align trampoline size LoongArch: BPF: Make trampoline size stable LoongArch: BPF: Make error handling robust in arch_prepare_bpf_trampoline() LoongArch: BPF: Remove duplicated bpf_flush_icache() LoongArch: BPF: No text_poke() for kernel text LoongArch: BPF: Remove duplicated flags check Huacai Chen (1): LoongArch: BPF: Fix uninitialized symbol 'retval_off' Huisong Li (1): ACPI: processor: idle: Fix memory leak when register cpuidle device failed Håkon Bugge (1): RDMA/cm: Rate limit destroy CM ID timeout error message I Viswanath (2): net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast ptp: Add a upper bound on max_vclocks Ilya Leoshkevich (3): s390/bpf: Do not write tail call counter into helper and kfunc frames s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG Inochi Amaoto (4): genirq: Add irq_chip_(startup/shutdown)_parent() PCI/MSI: Add startup/shutdown for per device domains irqchip/sg2042-msi: Fix broken affinity setting PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in cond_[startup|shutdown]_parent() Ivan Abramov (1): dm vdo: return error on corrupted metadata in start_restoring_volume functions Jacopo Mondi (1): media: zoran: Remove zoran_fh structure Jakub Acs (1): mm/ksm: fix flag-dropping behavior in ksm_madvise Jakub Kicinski (1): Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" James Clark (2): coresight: trbe: Add ISB after TRBLIMITR write coresight: Fix missing include for FIELD_GET Jan Kara (1): ext4: fix checks for orphan inodes Janne Grunau (3): arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map arm64: dts: apple: Add ethernet0 alias for J375 template fbdev: simplefb: Fix use after free in simplefb_detach_genpds() Jarkko Sakkinen (1): tpm: Disable TPM2_TCG_HMAC by default Jeff Layton (1): filelock: add FL_RECLAIM to show_fl_flags() macro Jens Axboe (1): io_uring/waitid: always prune wait queue entry in io_waitid_wait() Jens Wiklander (1): tee: fix register_shm_helper() Jeongjun Park (1): HID: steelseries: refactor probe() and remove() Jeremy Linton (1): uprobes: uprobe_warn should use passed task Jie Gan (1): coresight: tpda: fix the logic to setup the element size Jihed Chaibi (4): ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS to use correct boolean syntax ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property to use correct boolean syntax in DTS ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer property Jiri Kosina (1): HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove() Jiri Olsa (1): selftests/bpf: Fix realloc size in bpf_get_addrs Joanne Koong (1): fuse: remove unneeded offset assignment when filling write pages Joe Lawrence (2): powerpc/ftrace: ensure ftrace record ops are always set for NOPs powerpc64/modules: correctly iterate over stubs in setup_ftrace_ool_stubs Johan Hovold (4): firmware: firmware: meson-sm: fix compile-test default soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure cpuidle: qcom-spm: fix device and OF node leaks at probe Johannes Nixdorf (1): seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast John Garry (2): block: update validation of atomic writes boundary for stacked devices block: fix stacking of atomic writes when atomics are not supported Jonas Gorski (1): spi: fix return code when spi device has too many chipselects Jonas Karlman (1): phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568 Jorge Marques (1): docs: iio: ad3552r: Fix malformed code-block directive Joy Zou (1): arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid Jun Nie (1): drm/msm: Do not validate SSPP when it is not ready Junnan Wu (1): firmware: arm_scmi: Mark VirtIO ready before registering scmi_virtio_driver Kai Vehmanen (2): ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA Kang Chen (1): hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Kang Yang (3): wifi: ath12k: fix signal in radiotap for WCN7850 wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode wifi: ath12k: fix the fetching of combined rssi Kienan Stewart (1): kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact Kiran K (1): Bluetooth: btintel_pcie: Refactor Device Coredump Kohei Enju (2): nfp: fix RSS hash key size when RSS is not supported net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable Komal Bajaj (1): usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls Konrad Dybcio (1): arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode Krishna Chaitanya Chundru (1): PCI: qcom: Restrict port parsing only to PCIe bridge child nodes Kuan-Wei Chiu (1): mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal Kunihiko Hayashi (2): i2c: designware: Fix clock issue when PM is disabled i2c: designware: Add disabling clocks when probe fails Kuniyuki Iwashima (8): mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n. smc: Fix use-after-free in __pnet_find_base_ndev(). smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set(). smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match(). smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk(). tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). mptcp: Call dst_release() in mptcp_active_enable(). mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable(). Lad Prabhakar (1): pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read() Lance Yang (1): selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is disabled Langyan Ye (2): drm/panel-edp: Add disable to 100ms for MNB601LS1-4 drm/panel-edp: Add 50ms disable delay for four panels Larshin Sergey (1): fs: udf: fix OOB read in lengthAllocDescs handling Lei Lu (1): sunrpc: fix null pointer dereference on zero-length checksum Leilk.Liu (1): i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Len Bao (1): leds: max77705: Function return instead of variable assignment Leo Yan (9): coresight: trbe: Prevent overflow in PERF_IDX2OFF() perf: arm_spe: Prevent overflow in PERF_IDX2OFF() coresight: tmc: Support atclk coresight: catu: Support atclk coresight: etm4x: Support atclk coresight: Appropriately disable programming clocks coresight: Appropriately disable trace bus clocks coresight: Avoid enable programming clock duplicately coresight: trbe: Return NULL pointer for allocation failures Li Nan (1): blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Liao Yuanhong (2): drm/amd/display: Remove redundant semicolons wifi: iwlwifi: Remove redundant header files Lijo Lazar (2): drm/amdgpu: Check vcn state before profile switch drm/amdgpu/vcn: Fix double-free of vcn dump buffer Lin Yujun (1): coresight: Fix incorrect handling for return value of devm_kzalloc Ling Xu (4): misc: fastrpc: Save actual DMA size in fastrpc_map structure misc: fastrpc: Fix fastrpc_map_lookup operation misc: fastrpc: fix possible map leak in fastrpc_put_args misc: fastrpc: Skip reference for DMA handles Linus Torvalds (1): Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures Lorenzo Bianconi (8): wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback wifi: mt76: mt7996: Check phy before init msta_link in mt7996_mac_sta_add_links() wifi: mt76: mt7996: Fix tx-queues initialization for second phy on mt7996 wifi: mt76: mt7996: Fix RX packets configuration for primary WED device wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE Lu Baolu (1): iommu/vt-d: Disallow dirty tracking if incoherent page walk Luiz Augusto von Dentz (3): Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO Bluetooth: ISO: Fix possible UAF on iso_conn_free Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements Ma Ke (1): ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() Marek Szyprowski (1): scsi: ufs: core: Fix PM QoS mutex initialization Marek Vasut (6): arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on EVTB1 arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1 PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion PCI: rcar-gen4: Assure reset occurs before DBI access PCI: rcar-gen4: Fix inverted break condition in PHY initialization Input: atmel_mxt_ts - allow reset GPIO to sleep Martin George (2): nvme-auth: update bi_directional flag nvme-tcp: send only permitted commands for secure concat Matt Bobrowski (1): bpf/selftests: Fix test_tcpnotify_user Matthieu Baerts (NGI0) (1): tools: ynl: fix undefined variable name Matvey Kovalev (1): ksmbd: fix error code overwriting in smb2_get_info_filesystem() Menglong Dong (1): selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c Miaoqian Lin (2): hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call Michael Karcher (5): sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara sparc: fix accurate exception reporting in copy_to_user for Niagara 4 sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Michael S. Tsirkin (1): vhost: vringh: Fix copy_to_iter return value check Michal Koutný (1): selftests: cgroup: Make test_pids backwards compatible Michal Pecio (1): Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" Mike Snitzer (2): NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support nfs/localio: avoid issuing misaligned IO using O_DIRECT Mikko Rapeli (1): mmc: select REGMAP_MMIO with MMC_LOONGSON2 Moon Hee Lee (1): fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist Moshe Shemesh (2): net/mlx5: Stop polling for command response if interface goes down net/mlx5: fw reset, add reset timeout work Mykyta Yatsenko (1): libbpf: Export bpf_object__prepare symbol Nagarjuna Kristam (1): PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() Naman Jain (1): uio_hv_generic: Let userspace take care of interrupt mask Namjae Jeon (1): ksmbd: add max ip connections parameter Nathan Lynch (1): dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation Nicolas Ferre (1): ARM: at91: pm: fix MCKx restore routine Nicolas Frattaroli (1): PM / devfreq: rockchip-dfi: double count on RK3588 Niklas Cassel (7): scsi: pm80xx: Restore support for expanders scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod scsi: libsas: Add dev_parent_is_expander() helper scsi: pm80xx: Use dev_parent_is_expander() helper scsi: pm80xx: Add helper function to get the local phy id scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an expander PCI: endpoint: pci-epf-test: Fix doorbell test support Nipun Gupta (1): cdx: don't select CONFIG_GENERIC_MSI_IRQ Nirmoy Das (1): PCI/ACPI: Fix pci_acpi_preserve_config() memory leak Nishanth Menon (1): hwrng: ks-sa - fix division by zero in ks_sa_rng_init Nithyanantham Paramasivam (2): wifi: ath12k: Refactor RX TID deletion handling into helper function wifi: ath12k: Fix flush cache failure during RX queue update Oleksij Rempel (1): net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Or Har-Toov (1): RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count Parav Pandit (1): RDMA/core: Resolve MAC of next-hop device without ARP support Patrisious Haddad (1): RDMA/mlx5: Fix vport loopback forcing for MPV device Paul Chaignon (2): bpf: Tidy verifier bug message bpf: Explicitly check accesses to bpf_sock_addr Pauli Virtanen (2): Bluetooth: ISO: free rx_skb if not consumed Bluetooth: ISO: don't leak skb in ISO_CONT RX Pavel Begunkov (1): io_uring/zcrx: fix overshooting recv limit Peter Zijlstra (1): sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask() Phillip Lougher (1): Squashfs: fix uninit-value in squashfs_get_parent Pin-yen Lin (2): drm/panel: Allow powering on panel follower after panel is enabled HID: i2c-hid: Make elan touch controllers power on after panel is enabled Qi Xi (1): once: fix race by moving DO_ONCE to separate section Qianfeng Rong (10): regulator: scmi: Use int type to store negative error codes block: use int to store blk_stack_limits() return value pinctrl: renesas: Use int type to store negative error codes ALSA: lx_core: use int type to store negative error codes accel/amdxdna: Use int instead of u32 to store error codes drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() drm/msm/dpu: fix incorrect type for ret scsi: qla2xxx: edif: Fix incorrect sign of error code scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp() Qiuxu Zhuo (1): EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller Qu Wenruo (2): btrfs: return any hit error from extent_writepage_io() btrfs: fix symbolic link reading when bs > ps Rafael J. Wysocki (2): PM: sleep: core: Clear power.must_resume in noirq suspend error path smp: Fix up and expand the smp_call_function_many() kerneldoc Randy Dunlap (1): lsm: CONFIG_LSM can depend on CONFIG_SECURITY Ranjan Kumar (1): scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Ranjani Sridharan (1): ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down Ricardo B. Marlière (1): selftests/bpf: Fix count write in testapp_xdp_metadata_copy() Richard Fitzgerald (2): ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback Rob Clark (2): drm/msm: Fix obj leak in VM_BIND error path drm/msm: Fix missing VM_BIND offset/range validation Rob Herring (Arm) (2): dt-bindings: vendor-prefixes: Add undocumented vendor prefixes arm64: dts: mediatek: mt8183: Fix out of range pull values Ryder Lee (1): wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid() Salah Triki (1): bus: fsl-mc: Check return value of platform_get_resource() Sarika Sharma (1): wifi: mac80211: fix reporting of all valid links in sta_set_sinfo() Sasha Levin (1): tracing: Fix lock imbalance in s_start() memory allocation failure path Sathishkumar S (2): drm/amdgpu/vcn: Add regdump helper functions drm/amdgpu/vcn: Hold pg_lock before vcn power off Sean Christopherson (1): KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid Sebastian Andrzej Siewior (3): selftests/futex: Remove the -g parameter from futex_priv_hash selftest/futex: Compile also with libnuma < 2.0.16 ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT Sebastian Reichel (1): arm64: dts: rockchip: Fix network on rk3576 evb1 board Seppo Takalo (1): tty: n_gsm: Don't block input queue by waiting MSC Shay Drory (1): net/mlx5: pagealloc: Fix reclaim race during command interface teardown Shin'ichiro Kawasaki (1): PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release Shubham Sharma (1): selftests/bpf: Fix typos and grammar in test sources Simon Schuster (1): arch: copy_thread: pass clone_flags as u64 Slavin Liu (1): ipvs: Defer ip_vs_ftp unregister during netns cleanup Sneh Mankad (1): soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Srinivas Kandagatla (2): ASoC: codecs: wcd937x: set the comp soundwire port correctly ASoC: codecs: wcd937x: make stub functions inline Srinivasan Shanmugam (2): drm/amd/display: Reduce Stack Usage by moving 'audio_output' into 'stream_res' v4 drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute functions Sriram R (1): wifi: ath12k: Add fallback for invalid channel number in PHY metadata Stanley Chu (2): i3c: master: svc: Use manual response for IBI events i3c: master: svc: Recycle unused IBI slot Stefan Kerkmann (1): wifi: mwifiex: send world regulatory domain to driver Stefan Metzmacher (2): smb: client: fix sending the iwrap custom IRD/ORD negotiation messages smb: server: fix IRD/ORD negotiation with the client Stephan Gerhold (2): remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E Steven 'Steve' Kendall (1): ALSA: hda/hdmi: Add pin fix for HP ProDesk model Steven Rostedt (5): tracing: Fix wakeup tracers on failure of acquiring calltime tracing: Fix irqoff tracers on failure of acquiring calltime tracing: Have trace_marker use per-cpu data to read user space tracing: Fix tracing_mark_raw_write() to use buf and not ubuf tracing: Stop fortify-string from warning in tracing_mark_raw_write() Sven Peter (1): usb: typec: tipd: Clear interrupts first Takashi Iwai (4): ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100 Tao Chen (2): bpf: Remove migrate_disable in kprobe_multi_link_prog_run bpf: Remove preempt_disable in bpf_try_get_buffers Thomas Fourier (2): crypto: keembay - Add missing check after sg_nents_for_len() scsi: myrs: Fix dma_alloc_coherent() error check Thomas Weißschuh (8): kselftest/arm64/gcs: Correctly check return value when disabling GCS tools/nolibc: fix error return value of clock_nanosleep() tools/nolibc: avoid error in dup2() if old fd equals new fd vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY vdso: Add struct __kernel_old_timeval forward declaration to gettime.h selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing vDSO selftests: always install UAPI headers to the correct directory Thorsten Blum (1): crypto: octeontx2 - Call strscpy() with correct size argument Théo Lebrun (3): net: macb: remove illusion about TBQPH/RBQPH being per-queue net: macb: move ring size computation to functions net: macb: single dma_alloc_coherent() for DMA descriptors Timur Kristóf (8): drm/amdgpu: Power up UVD 3 for FW validation (v2) drm/amd/pm: Disable ULV even if unsupported (v3) drm/amd/pm: Fix si_upload_smc_data (v3) drm/amd/pm: Adjust si_upload_smc_data register programming (v3) drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) drm/amdgpu: Fix allocating extra dwords for rings (v2) Troy Mitchell (5): i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails i2c: spacemit: remove stop function to avoid bus error i2c: spacemit: disable SDA glitch fix to avoid restart delay i2c: spacemit: check SDA instead of SCL after bus reset i2c: spacemit: ensure SDA is released after bus reset Tvrtko Ursulin (1): drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test Uros Bizjak (1): x86/vdso: Fix output operand size of RDPID Uwe Kleine-König (4): pwm: tiehrpwm: Don't drop runtime PM reference in .free() pwm: tiehrpwm: Make code comment in .free() more useful pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation pwm: tiehrpwm: Fix corner case in clock divisor calculation Vadim Fedorenko (1): net: ethtool: tsconfig: set command must provide a reply Vadim Pasternak (1): hwmon: (mlxreg-fan) Separate methods of fan setting coming from different subsystems Val Packett (1): drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands Vineeth Pillai (Google) (1): iommu/vt-d: debugfs: Fix legacy mode page table dump logic Vitaly Grigoryev (1): fs: ntfs3: Fix integer overflow in run_unpack() Vlad Dumitrescu (1): IB/sa: Fix sa_local_svc_timeout_ms read race Vlastimil Babka (1): scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES() Waiman Long (1): selftests/futex: Fix some futex_numa_mpol subtests Wang Liang (1): pps: fix warning in pps_register_cdev when register device fail Wei Fang (1): net: enetc: initialize SW PIR and CIR based HW PIR and CIR values Weili Qian (2): crypto: hisilicon - check the sva module status while enabling or disabling address prefetch crypto: hisilicon/qm - request reserved interrupt for virtual function William Wu (1): usb: gadget: configfs: Correctly set use_os_string at bind Xaver Hugl (1): drm: re-allow no-op changes on non-primary planes in async flips Xi Ruoyao (1): pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT Xiang Liu (2): drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest Xianwei Zhao (1): dts: arm: amlogic: fix pwm node for c3 Xichao Zhao (1): usb: phy: twl6030: Fix incorrect type for ret Yang Shi (1): mm: hugetlb: avoid soft lockup when mprotect to large memory area Yazhou Tang (1): bpf: Reject negative offsets for ALU ops Yeoreum Yun (1): coresight: fix indentation error in cscfg_remove_owned_csdev_configs() Yeounsu Moon (1): net: dlink: handle copy_thresh allocation failure Yi Lai (1): selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES Youling Tang (1): LoongArch: Automatically disable kaslr if boot from kexec_file Yu Kuai (14): blk-mq: fix elevator depth_updated method block: cleanup bio_issue block: initialize bio issue time in blk_mq_submit_bio() block: factor out a helper bio_submit_split_bioset() block: skip unnecessary checks for split bio block: fix ordering of recursive split IO blk-mq: remove useless checkings in blk_mq_update_nr_requests() blk-mq: check invalid nr_requests in queue_requests_store() blk-mq: convert to serialize updating nr_requests with update_nr_hwq_lock blk-mq: cleanup shared tags case in blk_mq_update_nr_requests() blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests() blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags() blk-mq: fix potential deadlock while nr_requests grown blk-throttle: fix throtl_data leak during disk release Yuan Chen (1): tracing: Fix race condition in kprobe initialization causing NULL pointer dereference Yuanfang Zhang (2): coresight: Only register perf symlink for sinks with alloc_buffer coresight-etm4x: Conditionally access register TRCEXTINSELR Yue Haibing (1): ipv6: mcast: Add ip6_mc_find_idev() helper Yulin Lu (1): pinctrl: eswin: Fix regulator error check and Kconfig dependency Yunseong Kim (1): ksmbd: Fix race condition in RPC handle list access Yureka Lilian (1): libbpf: Fix reuse of DEVMAP Zhang Shurong (1): media: rj54n1cb0c: Fix memleak in rj54n1_probe() Zhang Tengfei (1): ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable Zhen Ni (3): netfilter: ipset: Remove unused htable_bits in macro ahash_region Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() Zheng Qixing (2): dm: fix queue start/stop imbalance under suspend/load/resume races dm: fix NULL pointer dereference in __dm_suspend() Zhi-Jun You (1): wifi: mt76: mt7915: fix mt7981 pre-calibration Zhongqiu Han (1): scsi: ufs: core: Fix data race in CPU latency PM QoS request handling Zhouyi Zhou (1): tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host headers Zhushuai Yin (1): crypto: hisilicon/qm - check whether the input function and PF are on the same device Zilin Guan (1): vfio/pds: replace bitmap_free with vfree Ziyue Zhang (1): PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s Zqiang (1): srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed() wangzijie (1): f2fs: fix zero-sized extent for precache extents zhang jiao (1): vhost: vringh: Modify the return value check

3 weeks

1
1
0 0

Linux 6.12.53

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.53 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/trace/histogram-design.rst | 4 Makefile | 2 arch/arm/boot/dts/renesas/r8a7791-porter.dts | 2 arch/arm/boot/dts/ti/omap/am335x-baltos.dtsi | 2 arch/arm/boot/dts/ti/omap/am335x-cm-t335.dts | 2 arch/arm/boot/dts/ti/omap/omap3-devkit8000-lcd-common.dtsi | 2 arch/arm/mach-at91/pm_suspend.S | 4 arch/arm64/boot/dts/apple/t8103-j457.dts | 12 arch/arm64/boot/dts/freescale/imx93-kontron-bl-osm-s.dts | 32 - arch/arm64/boot/dts/freescale/imx95.dtsi | 4 arch/arm64/boot/dts/mediatek/mt6331.dtsi | 10 arch/arm64/boot/dts/mediatek/mt6795-sony-xperia-m5.dts | 2 arch/arm64/boot/dts/mediatek/mt8186-corsola-krabby.dtsi | 8 arch/arm64/boot/dts/mediatek/mt8186-corsola-tentacruel-sku262144.dts | 4 arch/arm64/boot/dts/mediatek/mt8195.dtsi | 3 arch/arm64/boot/dts/mediatek/mt8395-kontron-3-5-sbc-i1200.dts | 16 arch/arm64/boot/dts/mediatek/mt8516-pumpkin.dts | 2 arch/arm64/boot/dts/qcom/qcm2290.dtsi | 1 arch/arm64/boot/dts/renesas/rzg2lc-smarc.dtsi | 5 arch/arm64/net/bpf_jit_comp.c | 3 arch/loongarch/kernel/relocate.c | 4 arch/powerpc/include/asm/book3s/32/pgalloc.h | 10 arch/powerpc/include/asm/nohash/pgalloc.h | 2 arch/powerpc/kernel/head_8xx.S | 9 arch/riscv/net/bpf_jit_comp64.c | 42 + arch/sparc/lib/M7memcpy.S | 20 arch/sparc/lib/Memcpy_utils.S | 9 arch/sparc/lib/NG4memcpy.S | 2 arch/sparc/lib/NGmemcpy.S | 29 - arch/sparc/lib/U1memcpy.S | 19 arch/sparc/lib/U3memcpy.S | 2 arch/x86/include/asm/segment.h | 8 arch/x86/kvm/svm/svm.c | 12 block/blk-mq-sysfs.c | 6 block/blk-settings.c | 3 crypto/asymmetric_keys/x509_cert_parser.c | 16 drivers/acpi/acpica/aclocal.h | 2 drivers/acpi/nfit/core.c | 2 drivers/acpi/processor_idle.c | 3 drivers/base/node.c | 4 drivers/base/power/main.c | 14 drivers/base/regmap/regmap.c | 2 drivers/block/nbd.c | 8 drivers/block/null_blk/main.c | 2 drivers/bus/fsl-mc/fsl-mc-bus.c | 3 drivers/char/hw_random/Kconfig | 1 drivers/char/hw_random/ks-sa-rng.c | 4 drivers/char/tpm/Kconfig | 2 drivers/cpufreq/scmi-cpufreq.c | 10 drivers/cpuidle/cpuidle-qcom-spm.c | 7 drivers/crypto/hisilicon/debugfs.c | 1 drivers/crypto/hisilicon/hpre/hpre_main.c | 3 drivers/crypto/hisilicon/qm.c | 7 drivers/crypto/hisilicon/sec2/sec_main.c | 80 +-- drivers/crypto/hisilicon/zip/zip_main.c | 17 drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c | 5 drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 2 drivers/devfreq/event/rockchip-dfi.c | 7 drivers/devfreq/mtk-cci-devfreq.c | 3 drivers/edac/i10nm_base.c | 14 drivers/firmware/arm_scmi/transports/virtio.c | 3 drivers/firmware/meson/Kconfig | 2 drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 29 + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn32/display_rq_dlg_calc_32.c | 1 drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 7 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 92 ++-- drivers/gpu/drm/bridge/Kconfig | 1 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 2 drivers/gpu/drm/panel/panel-novatek-nt35560.c | 2 drivers/gpu/drm/radeon/r600_cs.c | 4 drivers/hid/hidraw.c | 224 +++++----- drivers/hwmon/mlxreg-fan.c | 24 - drivers/hwtracing/coresight/coresight-catu.c | 22 drivers/hwtracing/coresight/coresight-catu.h | 1 drivers/hwtracing/coresight/coresight-core.c | 5 drivers/hwtracing/coresight/coresight-etm4x-core.c | 31 + drivers/hwtracing/coresight/coresight-etm4x.h | 6 drivers/hwtracing/coresight/coresight-tmc-core.c | 22 drivers/hwtracing/coresight/coresight-tmc.h | 2 drivers/hwtracing/coresight/coresight-tpda.c | 3 drivers/hwtracing/coresight/coresight-trbe.c | 11 drivers/i2c/busses/i2c-designware-platdrv.c | 5 drivers/i2c/busses/i2c-mt65xx.c | 17 drivers/i3c/master/svc-i3c-master.c | 31 + drivers/iio/inkern.c | 30 - drivers/infiniband/core/addr.c | 10 drivers/infiniband/core/cm.c | 4 drivers/infiniband/core/sa_query.c | 6 drivers/infiniband/hw/mlx5/main.c | 67 ++ drivers/infiniband/hw/mlx5/mlx5_ib.h | 1 drivers/infiniband/sw/rxe/rxe_task.c | 8 drivers/infiniband/sw/siw/siw_verbs.c | 25 - drivers/input/misc/uinput.c | 1 drivers/input/touchscreen/atmel_mxt_ts.c | 2 drivers/iommu/intel/debugfs.c | 17 drivers/iommu/intel/iommu.h | 3 drivers/leds/flash/leds-qcom-flash.c | 62 +- drivers/leds/leds-lp55xx-common.c | 2 drivers/md/dm-core.h | 1 drivers/md/dm-vdo/indexer/volume-index.c | 4 drivers/md/dm.c | 13 drivers/media/i2c/rj54n1cb0c.c | 9 drivers/media/pci/zoran/zoran.h | 6 drivers/media/pci/zoran/zoran_driver.c | 3 drivers/media/platform/st/sti/delta/delta-mjpeg-dec.c | 20 drivers/mfd/rz-mtu3.c | 2 drivers/mfd/vexpress-sysreg.c | 6 drivers/misc/fastrpc.c | 89 ++- drivers/misc/genwqe/card_ddcb.c | 2 drivers/mmc/core/block.c | 6 drivers/mtd/nand/raw/atmel/nand-controller.c | 4 drivers/net/ethernet/amazon/ena/ena_ethtool.c | 5 drivers/net/ethernet/dlink/dl2k.c | 7 drivers/net/ethernet/intel/idpf/idpf_txrx.c | 8 drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 6 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 17 drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 24 + drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 7 drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 drivers/net/usb/asix_devices.c | 29 + drivers/net/usb/rtl8150.c | 2 drivers/net/wireless/ath/ath10k/wmi.c | 39 - drivers/net/wireless/ath/ath12k/ce.c | 2 drivers/net/wireless/ath/ath12k/debug.h | 1 drivers/net/wireless/intel/iwlwifi/fw/regulatory.h | 1 drivers/net/wireless/marvell/mwifiex/cfg80211.c | 7 drivers/net/wireless/mediatek/mt76/mt7603/soc.c | 2 drivers/net/wireless/mediatek/mt76/mt7915/eeprom.h | 6 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 29 - drivers/net/wireless/mediatek/mt76/mt7996/init.c | 8 drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 11 drivers/net/wireless/mediatek/mt76/mt7996/pci.c | 2 drivers/net/wireless/realtek/rtw89/ser.c | 3 drivers/nvme/target/fc.c | 19 drivers/pci/controller/cadence/pci-j721e.c | 2 drivers/pci/controller/dwc/pcie-rcar-gen4.c | 26 + drivers/pci/controller/dwc/pcie-tegra194.c | 4 drivers/pci/controller/pci-tegra.c | 2 drivers/pci/pci-acpi.c | 6 drivers/perf/arm_spe_pmu.c | 3 drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 12 drivers/pinctrl/meson/pinctrl-meson-gxl.c | 10 drivers/pinctrl/pinmux.c | 2 drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 drivers/pinctrl/renesas/pinctrl.c | 3 drivers/power/supply/cw2015_battery.c | 3 drivers/pps/kapi.c | 5 drivers/pps/pps.c | 5 drivers/ptp/ptp_private.h | 1 drivers/ptp/ptp_sysfs.c | 2 drivers/pwm/pwm-tiehrpwm.c | 154 ++---- drivers/regulator/scmi-regulator.c | 3 drivers/remoteproc/pru_rproc.c | 3 drivers/remoteproc/qcom_q6v5.c | 3 drivers/scsi/mpt3sas/mpt3sas_transport.c | 8 drivers/scsi/myrs.c | 8 drivers/scsi/pm8001/pm8001_sas.c | 9 drivers/scsi/qla2xxx/qla_edif.c | 4 drivers/scsi/qla2xxx/qla_init.c | 4 drivers/scsi/qla2xxx/qla_nvme.c | 2 drivers/soc/mediatek/mtk-svs.c | 23 + drivers/soc/qcom/rpmh-rsc.c | 7 drivers/spi/spi.c | 2 drivers/tee/tee_shm.c | 8 drivers/thermal/qcom/Kconfig | 3 drivers/thermal/qcom/lmh.c | 2 drivers/tty/n_gsm.c | 25 + drivers/tty/serial/max310x.c | 2 drivers/uio/uio_hv_generic.c | 7 drivers/usb/cdns3/cdnsp-pci.c | 5 drivers/usb/gadget/configfs.c | 2 drivers/usb/host/max3421-hcd.c | 2 drivers/usb/host/xhci-ring.c | 11 drivers/usb/misc/Kconfig | 1 drivers/usb/misc/qcom_eud.c | 33 + drivers/usb/phy/phy-twl6030-usb.c | 3 drivers/usb/typec/tipd/core.c | 24 - drivers/usb/usbip/vhci_hcd.c | 22 drivers/vfio/pci/pds/dirty.c | 2 drivers/vhost/vringh.c | 14 drivers/video/fbdev/simplefb.c | 31 + drivers/watchdog/mpc8xxx_wdt.c | 2 fs/btrfs/extent_io.c | 9 fs/ext4/ext4.h | 10 fs/ext4/file.c | 2 fs/ext4/inode.c | 2 fs/ext4/orphan.c | 6 fs/ext4/super.c | 4 fs/f2fs/data.c | 9 fs/f2fs/f2fs.h | 4 fs/f2fs/file.c | 49 +- fs/gfs2/glock.c | 2 fs/nfs/nfs4proc.c | 2 fs/ntfs3/index.c | 10 fs/ntfs3/run.c | 12 fs/ocfs2/stack_user.c | 1 fs/smb/client/smb2ops.c | 17 fs/smb/server/ksmbd_netlink.h | 5 fs/smb/server/mgmt/user_session.c | 26 - fs/smb/server/server.h | 1 fs/smb/server/smb2pdu.c | 3 fs/smb/server/transport_ipc.c | 3 fs/smb/server/transport_rdma.c | 99 +++- fs/smb/server/transport_tcp.c | 27 - fs/squashfs/inode.c | 7 fs/squashfs/squashfs_fs_i.h | 2 fs/udf/inode.c | 3 include/asm-generic/vmlinux.lds.h | 1 include/linux/bpf.h | 1 include/linux/btf.h | 2 include/linux/once.h | 4 include/trace/events/filelock.h | 3 include/uapi/linux/hidraw.h | 2 include/vdso/gettime.h | 1 init/Kconfig | 1 io_uring/waitid.c | 3 kernel/bpf/core.c | 5 kernel/bpf/verifier.c | 4 kernel/events/uprobes.c | 2 kernel/seccomp.c | 12 kernel/smp.c | 11 kernel/trace/bpf_trace.c | 9 mm/hugetlb.c | 2 net/9p/trans_usbg.c | 16 net/bluetooth/hci_sync.c | 10 net/bluetooth/iso.c | 11 net/bluetooth/mgmt.c | 10 net/core/filter.c | 16 net/ipv4/ping.c | 14 net/ipv4/tcp.c | 9 net/mac80211/rx.c | 28 - net/netfilter/ipset/ip_set_hash_gen.h | 8 net/netfilter/ipvs/ip_vs_conn.c | 4 net/netfilter/ipvs/ip_vs_core.c | 11 net/netfilter/ipvs/ip_vs_ctl.c | 6 net/netfilter/ipvs/ip_vs_est.c | 16 net/netfilter/ipvs/ip_vs_ftp.c | 4 net/netfilter/nfnetlink.c | 2 net/nfc/nci/ntf.c | 135 ++++-- net/sunrpc/auth_gss/svcauth_gss.c | 2 security/Kconfig | 1 sound/core/pcm_native.c | 25 - sound/pci/lx6464es/lx_core.c | 4 sound/soc/codecs/wcd934x.c | 17 sound/soc/codecs/wcd937x.c | 4 sound/soc/codecs/wcd937x.h | 6 sound/soc/intel/boards/bytcht_es8316.c | 20 sound/soc/intel/boards/bytcr_rt5640.c | 7 sound/soc/intel/boards/bytcr_rt5651.c | 26 - sound/soc/intel/boards/sof_sdw.c | 2 sound/soc/sof/ipc3-topology.c | 10 tools/include/nolibc/std.h | 2 tools/lib/bpf/libbpf.c | 46 +- tools/testing/nvdimm/test/ndtest.c | 13 tools/testing/selftests/arm64/pauth/exec_target.c | 7 tools/testing/selftests/bpf/progs/test_tcpnotify_kern.c | 1 tools/testing/selftests/bpf/test_tcpnotify_user.c | 20 tools/testing/selftests/nolibc/nolibc-test.c | 4 tools/testing/selftests/vDSO/vdso_call.h | 7 tools/testing/selftests/vDSO/vdso_test_abi.c | 9 tools/testing/selftests/watchdog/watchdog-test.c | 6 264 files changed, 2038 insertions(+), 1119 deletions(-) Abdun Nihaal (1): wifi: mt76: fix potential memory leak in mt76_wmac_probe() Aditya Kumar Singh (1): wifi: mac80211: fix Rx packet handling when pubsta information is not available Akhilesh Patil (1): selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported Alexander Lobakin (1): idpf: fix Rx descriptor ready check barrier in splitq Alok Tiwari (3): PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation PCI: j721e: Fix incorrect error message in probe() idpf: fix mismatched free function for dma_alloc_coherent Andrea Righi (1): bpf: Mark kfuncs as __noclone Andreas Gruenbacher (1): gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote Andrei Lalaev (1): leds: leds-lp55xx: Use correct address for memory programming Andy Yan (1): power: supply: cw2015: Fix a alignment coding style issue AngeloGioacchino Del Regno (4): arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible Annette Kobou (1): arm64: dts: imx93-kontron: Fix GPIO for panel regulator Anthony Iliopoulos (1): NFSv4.1: fix backchannel max_resp_sz verification check Arnd Bergmann (2): hwrng: nomadik - add ARM_AMBA dependency media: st-delta: avoid excessive stack usage Bagas Sanjaya (1): Documentation: trace: historgram-design: Separate sched_waking histogram section heading and the following diagram Bala-Vignesh-Reddy (1): selftests: arm64: Check fread return value in exec_target Baochen Qiang (2): wifi: ath12k: fix wrong logging ID used for CE wifi: ath10k: avoid unnecessary wait for service ready message Bartosz Golaszewski (2): mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() pinctrl: check the return value of pinmux_ops::get_function_name() Bean Huo (1): mmc: core: Fix variable shadowing in mmc_route_rpmb_frames() Benjamin Berg (1): selftests/nolibc: fix EXPECT_NZ macro Benjamin Tissoires (1): HID: hidraw: tighten ioctl command parsing Bernard Metzler (1): RDMA/siw: Always report immediate post SQ errors Biju Das (1): arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0 Brahmajit Das (1): drm/radeon/r600_cs: clean up of dead code in r600_cs Brigham Campbell (1): drm/panel: novatek-nt35560: Fix invalid return value Chao Yu (4): f2fs: fix condition in __allow_reserved_blocks() f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks() f2fs: fix to truncate first page in error path of f2fs_truncate() f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page() Chen-Yu Tsai (1): arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model Chenghai Huang (3): crypto: hisilicon/zip - remove unnecessary validation for high-performance mode configurations crypto: hisilicon - re-enable address prefetch after device resuming crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs Chia-I Wu (1): drm/bridge: it6505: select REGMAP_I2C Christophe Leroy (3): powerpc/8xx: Remove left-over instruction and comments in DataStoreTLBMiss handler powerpc/603: Really copy kernel PGD entries into all PGDIRs watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Colin Ian King (2): misc: genwqe: Fix incorrect cmd field being reported in error ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message Cosmin Tanislav (1): mfd: rz-mtu3: Fix MTU5 NFCR register offset Cristian Ciocaltea (1): usb: vhci-hcd: Prevent suspending virtually attached devices D. Wythe (1): libbpf: Fix error when st-prefix_ops and ops from differ btf Da Xue (1): pinctrl: meson-gxl: add missing i2c_d pinmux Dan Carpenter (4): PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup serial: max310x: Add error checking in probe() ocfs2: fix double free in user_cluster_connect() Daniel Borkmann (1): bpf: Enforce expected_attach_type for tailcall compatibility Daniel Wagner (1): nvmet-fc: move lsop put work to nvmet_fc_ls_req_op Deepak Sharma (1): net: nfc: nci: Add parameter validation for packet data Dmitry Antipov (1): ACPICA: Fix largest possible resource descriptor index Dmitry Baryshkov (2): thermal/drivers/qcom: Make LMH select QCOM_SCM thermal/drivers/qcom/lmh: Add missing IRQ includes Dominique Martinet (1): net/9p: Fix buffer overflow in USB transport layer Donet Tom (2): drivers/base/node: handle error properly in register_one_node() drivers/base/node: fix double free in register_one_node() Enzo Matsumiya (1): smb: client: fix crypto buffers in non-linear memory Eric Dumazet (3): nbd: restrict sockets to TCP and UDP inet: ping: check sock_net() in ping_get_port() and ping_lookup() tcp: fix __tcp_close() to only send RST when required Erick Karanja (1): mtd: rawnand: atmel: Fix error handling path in atmel_nand_controller_add_nands Fan Wu (1): KEYS: X.509: Fix Basic Constraints CA flag parsing Fedor Pchelkin (1): wifi: rtw89: avoid circular locking dependency in ser_state_run() Fenglin Wu (1): leds: flash: leds-qcom-flash: Update torch current clamp setting Fernando Fernandez Mancera (1): netfilter: nfnetlink: reset nlh pointer during batch replay Florian Fainelli (1): cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus() Frieder Schrempf (1): arm64: dts: imx93-kontron: Fix USB port assignment Geert Uytterhoeven (3): init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD regmap: Remove superfluous check for !config in __regmap_init() ARM: dts: renesas: porter: Fix CAN pin group Genjian Zhang (1): null_blk: Fix the description of the cache_size module argument Greg Kroah-Hartman (1): Linux 6.12.53 Guangshuo Li (1): nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() Gui-Dong Han (1): RDMA/rxe: Fix race in do_task() when draining Guoqing Jiang (1): arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0 Hans de Goede (2): iio: consumers: Fix handling of negative channel scale in iio_convert_raw_to_processed() iio: consumers: Fix offset handling in iio_convert_raw_to_processed() Hengqi Chen (2): riscv, bpf: Sign extend struct ops return values properly bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free() Huisong Li (1): ACPI: processor: idle: Fix memory leak when register cpuidle device failed Håkon Bugge (1): RDMA/cm: Rate limit destroy CM ID timeout error message I Viswanath (2): net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast ptp: Add a upper bound on max_vclocks Ivan Abramov (1): dm vdo: return error on corrupted metadata in start_restoring_volume functions Jacopo Mondi (1): media: zoran: Remove zoran_fh structure Jakub Kicinski (1): Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" Jan Kara (1): ext4: fix checks for orphan inodes Janne Grunau (2): arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map fbdev: simplefb: Fix use after free in simplefb_detach_genpds() Jarkko Sakkinen (1): tpm: Disable TPM2_TCG_HMAC by default Jeff Layton (1): filelock: add FL_RECLAIM to show_fl_flags() macro Jens Axboe (1): io_uring/waitid: always prune wait queue entry in io_waitid_wait() Jens Wiklander (1): tee: fix register_shm_helper() Jeremy Linton (1): uprobes: uprobe_warn should use passed task Jie Gan (1): coresight: tpda: fix the logic to setup the element size Jihed Chaibi (3): ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS to use correct boolean syntax ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property to use correct boolean syntax in DTS ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer property Johan Hovold (4): firmware: firmware: meson-sm: fix compile-test default soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure cpuidle: qcom-spm: fix device and OF node leaks at probe Johannes Nixdorf (1): seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast Jonas Gorski (1): spi: fix return code when spi device has too many chipselects Jonas Karlman (1): phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568 Joy Zou (1): arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid Junnan Wu (1): firmware: arm_scmi: Mark VirtIO ready before registering scmi_virtio_driver Kohei Enju (2): nfp: fix RSS hash key size when RSS is not supported net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable Komal Bajaj (1): usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls Konrad Dybcio (1): arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode Kunihiko Hayashi (2): i2c: designware: Fix clock issue when PM is disabled i2c: designware: Add disabling clocks when probe fails Lad Prabhakar (1): pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read() Larshin Sergey (1): fs: udf: fix OOB read in lengthAllocDescs handling Lei Lu (1): sunrpc: fix null pointer dereference on zero-length checksum Leilk.Liu (1): i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Leo Yan (6): coresight: trbe: Prevent overflow in PERF_IDX2OFF() perf: arm_spe: Prevent overflow in PERF_IDX2OFF() coresight: tmc: Support atclk coresight: catu: Support atclk coresight: etm4x: Support atclk coresight: trbe: Return NULL pointer for allocation failures Li Nan (1): blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Liao Yuanhong (2): drm/amd/display: Remove redundant semicolons wifi: iwlwifi: Remove redundant header files Lin Yujun (1): coresight: Fix incorrect handling for return value of devm_kzalloc Ling Xu (4): misc: fastrpc: Save actual DMA size in fastrpc_map structure misc: fastrpc: Fix fastrpc_map_lookup operation misc: fastrpc: fix possible map leak in fastrpc_put_args misc: fastrpc: Skip reference for DMA handles Lorenzo Bianconi (2): wifi: mt76: mt7996: Fix RX packets configuration for primary WED device wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE Lu Baolu (1): iommu/vt-d: Disallow dirty tracking if incoherent page walk Luiz Augusto von Dentz (3): Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO Bluetooth: ISO: Fix possible UAF on iso_conn_free Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements Ma Ke (1): ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() Marek Vasut (4): PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion PCI: rcar-gen4: Assure reset occurs before DBI access PCI: rcar-gen4: Fix inverted break condition in PHY initialization Input: atmel_mxt_ts - allow reset GPIO to sleep Matt Bobrowski (1): bpf/selftests: Fix test_tcpnotify_user Matvey Kovalev (1): ksmbd: fix error code overwriting in smb2_get_info_filesystem() Miaoqian Lin (1): usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call Michael Karcher (5): sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara sparc: fix accurate exception reporting in copy_to_user for Niagara 4 sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Michael S. Tsirkin (1): vhost: vringh: Fix copy_to_iter return value check Michal Pecio (1): Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" Moon Hee Lee (1): fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist Moshe Shemesh (2): net/mlx5: Stop polling for command response if interface goes down net/mlx5: fw reset, add reset timeout work Nagarjuna Kristam (1): PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() Naman Jain (1): uio_hv_generic: Let userspace take care of interrupt mask Namjae Jeon (1): ksmbd: add max ip connections parameter Nicolas Ferre (1): ARM: at91: pm: fix MCKx restore routine Nicolas Frattaroli (1): PM / devfreq: rockchip-dfi: double count on RK3588 Niklas Cassel (1): scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Nirmoy Das (1): PCI/ACPI: Fix pci_acpi_preserve_config() memory leak Nishanth Menon (1): hwrng: ks-sa - fix division by zero in ks_sa_rng_init Oleksij Rempel (1): net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Or Har-Toov (1): RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count Parav Pandit (1): RDMA/core: Resolve MAC of next-hop device without ARP support Patrisious Haddad (1): RDMA/mlx5: Fix vport loopback forcing for MPV device Paul Chaignon (1): bpf: Explicitly check accesses to bpf_sock_addr Pauli Virtanen (2): Bluetooth: ISO: free rx_skb if not consumed Bluetooth: ISO: don't leak skb in ISO_CONT RX Phillip Lougher (1): Squashfs: fix uninit-value in squashfs_get_parent Qi Xi (1): once: fix race by moving DO_ONCE to separate section Qianfeng Rong (9): regulator: scmi: Use int type to store negative error codes block: use int to store blk_stack_limits() return value pinctrl: renesas: Use int type to store negative error codes ALSA: lx_core: use int type to store negative error codes drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() drm/msm/dpu: fix incorrect type for ret scsi: qla2xxx: edif: Fix incorrect sign of error code scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp() Qiuxu Zhuo (1): EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller Qu Wenruo (1): btrfs: return any hit error from extent_writepage_io() Rafael J. Wysocki (2): PM: sleep: core: Clear power.must_resume in noirq suspend error path smp: Fix up and expand the smp_call_function_many() kerneldoc Randy Dunlap (1): lsm: CONFIG_LSM can depend on CONFIG_SECURITY Ranjan Kumar (1): scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Ranjani Sridharan (1): ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down Richard Fitzgerald (1): ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback Salah Triki (1): bus: fsl-mc: Check return value of platform_get_resource() Sean Christopherson (1): KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid Sebastian Andrzej Siewior (1): ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on PREEMPT_RT Seppo Takalo (1): tty: n_gsm: Don't block input queue by waiting MSC Shay Drory (1): net/mlx5: pagealloc: Fix reclaim race during command interface teardown Slavin Liu (1): ipvs: Defer ip_vs_ftp unregister during netns cleanup Sneh Mankad (1): soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Srinivas Kandagatla (2): ASoC: codecs: wcd937x: set the comp soundwire port correctly ASoC: codecs: wcd937x: make stub functions inline Stanley Chu (2): i3c: master: svc: Use manual response for IBI events i3c: master: svc: Recycle unused IBI slot Stefan Kerkmann (1): wifi: mwifiex: send world regulatory domain to driver Stefan Metzmacher (1): smb: server: fix IRD/ORD negotiation with the client Stephan Gerhold (1): remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice Sven Peter (1): usb: typec: tipd: Clear interrupts first Takashi Iwai (3): ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping Tao Chen (1): bpf: Remove migrate_disable in kprobe_multi_link_prog_run Thomas Fourier (2): crypto: keembay - Add missing check after sg_nents_for_len() scsi: myrs: Fix dma_alloc_coherent() error check Thomas Weißschuh (3): vdso: Add struct __kernel_old_timeval forward declaration to gettime.h selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing vDSO Thorsten Blum (1): crypto: octeontx2 - Call strscpy() with correct size argument Timur Kristóf (7): drm/amdgpu: Power up UVD 3 for FW validation (v2) drm/amd/pm: Disable ULV even if unsupported (v3) drm/amd/pm: Fix si_upload_smc_data (v3) drm/amd/pm: Adjust si_upload_smc_data register programming (v3) drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) Uros Bizjak (1): x86/vdso: Fix output operand size of RDPID Uwe Kleine-König (4): pwm: tiehrpwm: Don't drop runtime PM reference in .free() pwm: tiehrpwm: Make code comment in .free() more useful pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation pwm: tiehrpwm: Fix corner case in clock divisor calculation Vadim Pasternak (1): hwmon: (mlxreg-fan) Separate methods of fan setting coming from different subsystems Vineeth Pillai (Google) (1): iommu/vt-d: debugfs: Fix legacy mode page table dump logic Vitaly Grigoryev (1): fs: ntfs3: Fix integer overflow in run_unpack() Vlad Dumitrescu (1): IB/sa: Fix sa_local_svc_timeout_ms read race Wang Liang (1): pps: fix warning in pps_register_cdev when register device fail William Wu (1): usb: gadget: configfs: Correctly set use_os_string at bind Xichao Zhao (1): usb: phy: twl6030: Fix incorrect type for ret Yang Shi (1): mm: hugetlb: avoid soft lockup when mprotect to large memory area Yazhou Tang (1): bpf: Reject negative offsets for ALU ops Yeounsu Moon (1): net: dlink: handle copy_thresh allocation failure Youling Tang (1): LoongArch: Automatically disable kaslr if boot from kexec_file Yuanfang Zhang (2): coresight: Only register perf symlink for sinks with alloc_buffer coresight-etm4x: Conditionally access register TRCEXTINSELR Yunseong Kim (1): ksmbd: Fix race condition in RPC handle list access Yureka Lilian (1): libbpf: Fix reuse of DEVMAP Zhang Shurong (1): media: rj54n1cb0c: Fix memleak in rj54n1_probe() Zhang Tengfei (1): ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable Zhen Ni (3): netfilter: ipset: Remove unused htable_bits in macro ahash_region Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() Zheng Qixing (2): dm: fix queue start/stop imbalance under suspend/load/resume races dm: fix NULL pointer dereference in __dm_suspend() Zhi-Jun You (1): wifi: mt76: mt7915: fix mt7981 pre-calibration Zhouyi Zhou (1): tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host headers Zhushuai Yin (1): crypto: hisilicon/qm - check whether the input function and PF are on the same device Zilin Guan (1): vfio/pds: replace bitmap_free with vfree wangzijie (1): f2fs: fix zero-sized extent for precache extents zhang jiao (1): vhost: vringh: Modify the return value check

3 weeks

1
1
0 0

[PATCH net v2] xsk: Fix overflow in descriptor validation

by Ilia Gavrilov

The desc->len value can be set up to U32_MAX. If umem tx_metadata_len option is also set, the value of the expression 'desc->len + pool->tx_metadata_len' can overflow and validation of the incorrect descriptor will be successfully passed. This can lead to a subsequent chain of arithmetic overflows in the xsk_build_skb() function and incorrect sk_buff allocation. To reproduce the overflow, this piece of userspace code can be used: struct xdp_umem_reg umem_reg; umem_reg.addr = (__u64)(void *)umem; ... umem_reg.chunk_size = 4096; umem_reg.tx_metadata_len = 16; umem_reg.flags = XDP_UMEM_TX_METADATA_LEN; setsockopt(sfd, SOL_XDP, XDP_UMEM_REG, &umem_reg, sizeof(umem_reg)); ... xsk_ring_prod__reserve(tq, batch_size, &idx); for (i = 0; i < nr_packets; ++i) { struct xdp_desc *tx_desc = xsk_ring_prod__tx_desc(tq, idx + i); tx_desc->addr = packets[i].addr; tx_desc->addr += umem->tx_metadata_len; tx_desc->options = XDP_TX_METADATA; tx_desc->len = UINT32_MAX; } xsk_ring_prod__submit(tq, nr_packets); ... sendto(sfd, NULL, 0, MSG_DONTWAIT, NULL, 0); Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 341ac980eab9 ("xsk: Support tx_metadata_len") Cc: stable(a)vger.kernel.org Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> --- v2: Add a repro net/xdp/xsk_queue.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h index f16f390370dc..b206a8839b39 100644 --- a/net/xdp/xsk_queue.h +++ b/net/xdp/xsk_queue.h @@ -144,7 +144,7 @@ static inline bool xp_aligned_validate_desc(struct xsk_buff_pool *pool, struct xdp_desc *desc) { u64 addr = desc->addr - pool->tx_metadata_len; - u64 len = desc->len + pool->tx_metadata_len; + u64 len = (u64)desc->len + pool->tx_metadata_len; u64 offset = addr & (pool->chunk_size - 1); if (!desc->len) @@ -165,7 +165,7 @@ static inline bool xp_unaligned_validate_desc(struct xsk_buff_pool *pool, struct xdp_desc *desc) { u64 addr = xp_unaligned_add_offset_to_addr(desc->addr) - pool->tx_metadata_len; - u64 len = desc->len + pool->tx_metadata_len; + u64 len = (u64)desc->len + pool->tx_metadata_len; if (!desc->len) return false; -- 2.39.5

3 weeks

2
2
0 0

Linux 6.6.112

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.112 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/trace/histogram-design.rst | 4 Makefile | 2 arch/arm/boot/dts/renesas/r8a7791-porter.dts | 2 arch/arm/boot/dts/ti/omap/am335x-baltos.dtsi | 2 arch/arm/boot/dts/ti/omap/am335x-cm-t335.dts | 2 arch/arm/boot/dts/ti/omap/omap3-devkit8000-lcd-common.dtsi | 2 arch/arm/mach-at91/pm_suspend.S | 4 arch/arm64/boot/dts/apple/t8103-j457.dts | 12 arch/arm64/boot/dts/mediatek/mt6331.dtsi | 10 arch/arm64/boot/dts/mediatek/mt6795-sony-xperia-m5.dts | 2 arch/arm64/boot/dts/mediatek/mt8195.dtsi | 3 arch/arm64/boot/dts/mediatek/mt8516-pumpkin.dts | 2 arch/arm64/boot/dts/qcom/qcm2290.dtsi | 1 arch/arm64/boot/dts/renesas/rzg2lc-smarc.dtsi | 5 arch/loongarch/kernel/relocate.c | 4 arch/sparc/lib/M7memcpy.S | 20 - arch/sparc/lib/Memcpy_utils.S | 9 arch/sparc/lib/NG4memcpy.S | 2 arch/sparc/lib/NGmemcpy.S | 29 +- arch/sparc/lib/U1memcpy.S | 19 - arch/sparc/lib/U3memcpy.S | 2 arch/x86/include/asm/segment.h | 8 block/blk-mq-sysfs.c | 6 block/blk-settings.c | 3 crypto/asymmetric_keys/x509_cert_parser.c | 16 - drivers/acpi/acpica/aclocal.h | 2 drivers/acpi/nfit/core.c | 2 drivers/acpi/processor_idle.c | 3 drivers/base/node.c | 4 drivers/base/power/main.c | 14 - drivers/base/regmap/regmap.c | 2 drivers/block/nbd.c | 8 drivers/block/null_blk/main.c | 2 drivers/bus/fsl-mc/fsl-mc-bus.c | 3 drivers/char/hw_random/Kconfig | 1 drivers/char/hw_random/ks-sa-rng.c | 4 drivers/cpufreq/scmi-cpufreq.c | 10 drivers/cpuidle/cpuidle-qcom-spm.c | 7 drivers/crypto/hisilicon/debugfs.c | 1 drivers/crypto/hisilicon/hpre/hpre_main.c | 3 drivers/crypto/hisilicon/qm.c | 7 drivers/crypto/hisilicon/sec2/sec_main.c | 80 ++--- drivers/crypto/hisilicon/zip/zip_main.c | 17 - drivers/crypto/intel/keembay/keembay-ocs-hcu-core.c | 5 drivers/devfreq/mtk-cci-devfreq.c | 3 drivers/edac/i10nm_base.c | 14 + drivers/firmware/meson/Kconfig | 2 drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 29 +- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn32/display_rq_dlg_calc_32.c | 1 drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 7 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 92 ++++-- drivers/gpu/drm/bridge/Kconfig | 1 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 2 drivers/gpu/drm/panel/panel-novatek-nt35560.c | 2 drivers/gpu/drm/radeon/r600_cs.c | 4 drivers/hwmon/mlxreg-fan.c | 24 + drivers/hwtracing/coresight/coresight-core.c | 5 drivers/hwtracing/coresight/coresight-etm4x-core.c | 31 +- drivers/hwtracing/coresight/coresight-etm4x.h | 6 drivers/hwtracing/coresight/coresight-trbe.c | 9 drivers/i2c/busses/i2c-designware-platdrv.c | 5 drivers/i2c/busses/i2c-mt65xx.c | 17 - drivers/i3c/master/svc-i3c-master.c | 31 +- drivers/iio/inkern.c | 30 +- drivers/infiniband/core/addr.c | 10 drivers/infiniband/core/cm.c | 4 drivers/infiniband/core/sa_query.c | 6 drivers/infiniband/hw/mlx5/main.c | 19 + drivers/infiniband/hw/mlx5/mlx5_ib.h | 1 drivers/infiniband/sw/rxe/rxe_task.c | 8 drivers/infiniband/sw/siw/siw_verbs.c | 25 + drivers/input/misc/uinput.c | 1 drivers/input/touchscreen/atmel_mxt_ts.c | 2 drivers/leds/flash/leds-qcom-flash.c | 62 ++-- drivers/md/dm-core.h | 1 drivers/md/dm.c | 13 drivers/media/i2c/rj54n1cb0c.c | 9 drivers/media/pci/zoran/zoran.h | 6 drivers/media/pci/zoran/zoran_driver.c | 3 drivers/media/platform/st/sti/delta/delta-mjpeg-dec.c | 20 - drivers/mfd/rz-mtu3.c | 2 drivers/mfd/vexpress-sysreg.c | 6 drivers/misc/fastrpc.c | 62 ++-- drivers/misc/genwqe/card_ddcb.c | 2 drivers/mtd/nand/raw/atmel/nand-controller.c | 4 drivers/net/ethernet/amazon/ena/ena_ethtool.c | 5 drivers/net/ethernet/dlink/dl2k.c | 7 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 17 - drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 24 + drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 7 drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 drivers/net/usb/asix_devices.c | 29 ++ drivers/net/usb/rtl8150.c | 2 drivers/net/wireless/ath/ath10k/wmi.c | 39 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 7 drivers/net/wireless/mediatek/mt76/mt7603/soc.c | 2 drivers/net/wireless/realtek/rtw89/ser.c | 3 drivers/nvme/target/fc.c | 19 - drivers/pci/controller/dwc/pcie-tegra194.c | 4 drivers/pci/controller/pci-tegra.c | 2 drivers/perf/arm_spe_pmu.c | 3 drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 12 drivers/pinctrl/meson/pinctrl-meson-gxl.c | 10 drivers/pinctrl/pinmux.c | 2 drivers/pinctrl/renesas/pinctrl.c | 3 drivers/power/supply/cw2015_battery.c | 3 drivers/pps/kapi.c | 5 drivers/pps/pps.c | 5 drivers/pwm/pwm-tiehrpwm.c | 4 drivers/regulator/scmi-regulator.c | 3 drivers/remoteproc/pru_rproc.c | 3 drivers/remoteproc/qcom_q6v5.c | 3 drivers/scsi/mpt3sas/mpt3sas_transport.c | 8 drivers/scsi/myrs.c | 8 drivers/scsi/pm8001/pm8001_sas.c | 9 drivers/scsi/qla2xxx/qla_edif.c | 4 drivers/scsi/qla2xxx/qla_init.c | 4 drivers/scsi/qla2xxx/qla_nvme.c | 2 drivers/soc/qcom/rpmh-rsc.c | 7 drivers/thermal/qcom/Kconfig | 3 drivers/thermal/qcom/lmh.c | 2 drivers/tty/n_gsm.c | 25 + drivers/tty/serial/max310x.c | 2 drivers/uio/uio_hv_generic.c | 7 drivers/usb/cdns3/cdnsp-pci.c | 5 drivers/usb/gadget/configfs.c | 2 drivers/usb/host/max3421-hcd.c | 2 drivers/usb/host/xhci-ring.c | 11 drivers/usb/misc/Kconfig | 1 drivers/usb/misc/qcom_eud.c | 33 +- drivers/usb/phy/phy-twl6030-usb.c | 3 drivers/usb/typec/tipd/core.c | 24 - drivers/usb/usbip/vhci_hcd.c | 22 + drivers/vfio/pci/pds/dirty.c | 2 drivers/vhost/vringh.c | 14 - drivers/watchdog/mpc8xxx_wdt.c | 2 fs/ext4/ext4.h | 10 fs/ext4/file.c | 2 fs/ext4/inode.c | 2 fs/ext4/orphan.c | 6 fs/ext4/super.c | 4 fs/f2fs/data.c | 9 fs/f2fs/f2fs.h | 4 fs/f2fs/file.c | 49 ++- fs/gfs2/glock.c | 2 fs/nfs/nfs4proc.c | 2 fs/ntfs3/index.c | 10 fs/ntfs3/run.c | 12 fs/ocfs2/stack_user.c | 1 fs/smb/client/smb2ops.c | 17 - fs/smb/server/smb2pdu.c | 3 fs/smb/server/transport_rdma.c | 99 ++++++- fs/squashfs/inode.c | 7 fs/squashfs/squashfs_fs_i.h | 2 fs/udf/inode.c | 3 include/asm-generic/vmlinux.lds.h | 1 include/linux/bpf.h | 1 include/linux/once.h | 4 include/trace/events/filelock.h | 3 init/Kconfig | 1 kernel/bpf/core.c | 5 kernel/bpf/verifier.c | 4 kernel/seccomp.c | 12 kernel/smp.c | 11 kernel/trace/bpf_trace.c | 9 mm/hugetlb.c | 2 net/bluetooth/hci_sync.c | 10 net/bluetooth/iso.c | 9 net/bluetooth/mgmt.c | 10 net/core/filter.c | 16 - net/ipv4/ping.c | 14 - net/ipv4/tcp.c | 9 net/mac80211/rx.c | 28 +- net/netfilter/ipset/ip_set_hash_gen.h | 8 net/netfilter/ipvs/ip_vs_conn.c | 4 net/netfilter/ipvs/ip_vs_core.c | 11 net/netfilter/ipvs/ip_vs_ctl.c | 6 net/netfilter/ipvs/ip_vs_est.c | 16 - net/netfilter/ipvs/ip_vs_ftp.c | 4 net/nfc/nci/ntf.c | 135 +++++++--- net/sunrpc/auth_gss/svcauth_gss.c | 2 sound/pci/lx6464es/lx_core.c | 4 sound/soc/codecs/wcd934x.c | 17 + sound/soc/intel/boards/bytcht_es8316.c | 20 + sound/soc/intel/boards/bytcr_rt5640.c | 7 sound/soc/intel/boards/bytcr_rt5651.c | 26 + sound/soc/sof/ipc3-topology.c | 10 tools/include/nolibc/std.h | 2 tools/lib/bpf/libbpf.c | 10 tools/testing/nvdimm/test/ndtest.c | 13 tools/testing/selftests/arm64/pauth/exec_target.c | 7 tools/testing/selftests/bpf/progs/test_tcpnotify_kern.c | 1 tools/testing/selftests/bpf/test_tcpnotify_user.c | 20 - tools/testing/selftests/nolibc/nolibc-test.c | 4 tools/testing/selftests/watchdog/watchdog-test.c | 6 198 files changed, 1386 insertions(+), 714 deletions(-) Abdun Nihaal (1): wifi: mt76: fix potential memory leak in mt76_wmac_probe() Aditya Kumar Singh (1): wifi: mac80211: fix Rx packet handling when pubsta information is not available Akhilesh Patil (1): selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported Alok Tiwari (1): PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation Andreas Gruenbacher (1): gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote Andy Yan (1): power: supply: cw2015: Fix a alignment coding style issue AngeloGioacchino Del Regno (3): arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible Anthony Iliopoulos (1): NFSv4.1: fix backchannel max_resp_sz verification check Arnd Bergmann (2): hwrng: nomadik - add ARM_AMBA dependency media: st-delta: avoid excessive stack usage Bagas Sanjaya (1): Documentation: trace: historgram-design: Separate sched_waking histogram section heading and the following diagram Bala-Vignesh-Reddy (1): selftests: arm64: Check fread return value in exec_target Baochen Qiang (1): wifi: ath10k: avoid unnecessary wait for service ready message Bartosz Golaszewski (2): mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() pinctrl: check the return value of pinmux_ops::get_function_name() Benjamin Berg (1): selftests/nolibc: fix EXPECT_NZ macro Bernard Metzler (1): RDMA/siw: Always report immediate post SQ errors Biju Das (1): arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0 Brahmajit Das (1): drm/radeon/r600_cs: clean up of dead code in r600_cs Brigham Campbell (1): drm/panel: novatek-nt35560: Fix invalid return value Chao Yu (4): f2fs: fix condition in __allow_reserved_blocks() f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks() f2fs: fix to truncate first page in error path of f2fs_truncate() f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page() Chenghai Huang (3): crypto: hisilicon/zip - remove unnecessary validation for high-performance mode configurations crypto: hisilicon - re-enable address prefetch after device resuming crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs Chia-I Wu (1): drm/bridge: it6505: select REGMAP_I2C Christophe Leroy (1): watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Colin Ian King (2): misc: genwqe: Fix incorrect cmd field being reported in error ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message Cosmin Tanislav (1): mfd: rz-mtu3: Fix MTU5 NFCR register offset Cristian Ciocaltea (1): usb: vhci-hcd: Prevent suspending virtually attached devices Da Xue (1): pinctrl: meson-gxl: add missing i2c_d pinmux Dan Carpenter (4): PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup serial: max310x: Add error checking in probe() ocfs2: fix double free in user_cluster_connect() Daniel Borkmann (1): bpf: Enforce expected_attach_type for tailcall compatibility Daniel Wagner (1): nvmet-fc: move lsop put work to nvmet_fc_ls_req_op Deepak Sharma (1): net: nfc: nci: Add parameter validation for packet data Dmitry Antipov (1): ACPICA: Fix largest possible resource descriptor index Dmitry Baryshkov (2): thermal/drivers/qcom: Make LMH select QCOM_SCM thermal/drivers/qcom/lmh: Add missing IRQ includes Donet Tom (2): drivers/base/node: handle error properly in register_one_node() drivers/base/node: fix double free in register_one_node() Enzo Matsumiya (1): smb: client: fix crypto buffers in non-linear memory Eric Dumazet (3): nbd: restrict sockets to TCP and UDP inet: ping: check sock_net() in ping_get_port() and ping_lookup() tcp: fix __tcp_close() to only send RST when required Erick Karanja (1): mtd: rawnand: atmel: Fix error handling path in atmel_nand_controller_add_nands Fan Wu (1): KEYS: X.509: Fix Basic Constraints CA flag parsing Fedor Pchelkin (1): wifi: rtw89: avoid circular locking dependency in ser_state_run() Fenglin Wu (1): leds: flash: leds-qcom-flash: Update torch current clamp setting Florian Fainelli (1): cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus() Geert Uytterhoeven (3): init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD regmap: Remove superfluous check for !config in __regmap_init() ARM: dts: renesas: porter: Fix CAN pin group Genjian Zhang (1): null_blk: Fix the description of the cache_size module argument Greg Kroah-Hartman (1): Linux 6.6.112 Guangshuo Li (1): nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() Gui-Dong Han (1): RDMA/rxe: Fix race in do_task() when draining Guoqing Jiang (1): arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0 Hans de Goede (2): iio: consumers: Fix handling of negative channel scale in iio_convert_raw_to_processed() iio: consumers: Fix offset handling in iio_convert_raw_to_processed() Huisong Li (1): ACPI: processor: idle: Fix memory leak when register cpuidle device failed Håkon Bugge (1): RDMA/cm: Rate limit destroy CM ID timeout error message I Viswanath (1): net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast Jacopo Mondi (1): media: zoran: Remove zoran_fh structure Jakub Kicinski (1): Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" Jan Kara (1): ext4: fix checks for orphan inodes Janne Grunau (1): arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map Jeff Layton (1): filelock: add FL_RECLAIM to show_fl_flags() macro Jihed Chaibi (3): ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS to use correct boolean syntax ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property to use correct boolean syntax in DTS ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer property Johan Hovold (2): firmware: firmware: meson-sm: fix compile-test default cpuidle: qcom-spm: fix device and OF node leaks at probe Johannes Nixdorf (1): seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast Jonas Karlman (1): phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568 Kohei Enju (2): nfp: fix RSS hash key size when RSS is not supported net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable Komal Bajaj (1): usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls Konrad Dybcio (1): arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode Kunihiko Hayashi (2): i2c: designware: Fix clock issue when PM is disabled i2c: designware: Add disabling clocks when probe fails Larshin Sergey (1): fs: udf: fix OOB read in lengthAllocDescs handling Lei Lu (1): sunrpc: fix null pointer dereference on zero-length checksum Leilk.Liu (1): i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Leo Yan (4): coresight: trbe: Prevent overflow in PERF_IDX2OFF() perf: arm_spe: Prevent overflow in PERF_IDX2OFF() coresight: etm4x: Support atclk coresight: trbe: Return NULL pointer for allocation failures Li Nan (1): blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Liao Yuanhong (1): drm/amd/display: Remove redundant semicolons Ling Xu (3): misc: fastrpc: Fix fastrpc_map_lookup operation misc: fastrpc: fix possible map leak in fastrpc_put_args misc: fastrpc: Skip reference for DMA handles Luiz Augusto von Dentz (3): Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO Bluetooth: ISO: Fix possible UAF on iso_conn_free Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements Ma Ke (1): ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() Marek Vasut (1): Input: atmel_mxt_ts - allow reset GPIO to sleep Matt Bobrowski (1): bpf/selftests: Fix test_tcpnotify_user Matvey Kovalev (1): ksmbd: fix error code overwriting in smb2_get_info_filesystem() Miaoqian Lin (1): usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call Michael Karcher (5): sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara sparc: fix accurate exception reporting in copy_to_user for Niagara 4 sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Michael S. Tsirkin (1): vhost: vringh: Fix copy_to_iter return value check Michal Pecio (1): Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" Moon Hee Lee (1): fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist Moshe Shemesh (2): net/mlx5: Stop polling for command response if interface goes down net/mlx5: fw reset, add reset timeout work Nagarjuna Kristam (1): PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() Naman Jain (1): uio_hv_generic: Let userspace take care of interrupt mask Nicolas Ferre (1): ARM: at91: pm: fix MCKx restore routine Niklas Cassel (1): scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Nishanth Menon (1): hwrng: ks-sa - fix division by zero in ks_sa_rng_init Oleksij Rempel (1): net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Parav Pandit (1): RDMA/core: Resolve MAC of next-hop device without ARP support Patrisious Haddad (1): RDMA/mlx5: Fix vport loopback forcing for MPV device Paul Chaignon (1): bpf: Explicitly check accesses to bpf_sock_addr Pauli Virtanen (1): Bluetooth: ISO: don't leak skb in ISO_CONT RX Phillip Lougher (1): Squashfs: fix uninit-value in squashfs_get_parent Qi Xi (1): once: fix race by moving DO_ONCE to separate section Qianfeng Rong (9): regulator: scmi: Use int type to store negative error codes block: use int to store blk_stack_limits() return value pinctrl: renesas: Use int type to store negative error codes ALSA: lx_core: use int type to store negative error codes drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() drm/msm/dpu: fix incorrect type for ret scsi: qla2xxx: edif: Fix incorrect sign of error code scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp() Qiuxu Zhuo (1): EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller Rafael J. Wysocki (2): PM: sleep: core: Clear power.must_resume in noirq suspend error path smp: Fix up and expand the smp_call_function_many() kerneldoc Ranjan Kumar (1): scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Ranjani Sridharan (1): ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down Salah Triki (1): bus: fsl-mc: Check return value of platform_get_resource() Seppo Takalo (1): tty: n_gsm: Don't block input queue by waiting MSC Shay Drory (1): net/mlx5: pagealloc: Fix reclaim race during command interface teardown Slavin Liu (1): ipvs: Defer ip_vs_ftp unregister during netns cleanup Sneh Mankad (1): soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Stanley Chu (2): i3c: master: svc: Use manual response for IBI events i3c: master: svc: Recycle unused IBI slot Stefan Kerkmann (1): wifi: mwifiex: send world regulatory domain to driver Stefan Metzmacher (1): smb: server: fix IRD/ORD negotiation with the client Stephan Gerhold (1): remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice Sven Peter (1): usb: typec: tipd: Clear interrupts first Takashi Iwai (3): ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping Tao Chen (1): bpf: Remove migrate_disable in kprobe_multi_link_prog_run Thomas Fourier (2): crypto: keembay - Add missing check after sg_nents_for_len() scsi: myrs: Fix dma_alloc_coherent() error check Timur Kristóf (7): drm/amdgpu: Power up UVD 3 for FW validation (v2) drm/amd/pm: Disable ULV even if unsupported (v3) drm/amd/pm: Fix si_upload_smc_data (v3) drm/amd/pm: Adjust si_upload_smc_data register programming (v3) drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) Uros Bizjak (1): x86/vdso: Fix output operand size of RDPID Uwe Kleine-König (1): pwm: tiehrpwm: Fix corner case in clock divisor calculation Vadim Pasternak (1): hwmon: (mlxreg-fan) Separate methods of fan setting coming from different subsystems Vitaly Grigoryev (1): fs: ntfs3: Fix integer overflow in run_unpack() Vlad Dumitrescu (1): IB/sa: Fix sa_local_svc_timeout_ms read race Wang Liang (1): pps: fix warning in pps_register_cdev when register device fail William Wu (1): usb: gadget: configfs: Correctly set use_os_string at bind Xichao Zhao (1): usb: phy: twl6030: Fix incorrect type for ret Yang Shi (1): mm: hugetlb: avoid soft lockup when mprotect to large memory area Yazhou Tang (1): bpf: Reject negative offsets for ALU ops Yeounsu Moon (1): net: dlink: handle copy_thresh allocation failure Youling Tang (1): LoongArch: Automatically disable kaslr if boot from kexec_file Yuanfang Zhang (2): coresight: Only register perf symlink for sinks with alloc_buffer coresight-etm4x: Conditionally access register TRCEXTINSELR Yureka Lilian (1): libbpf: Fix reuse of DEVMAP Zhang Shurong (1): media: rj54n1cb0c: Fix memleak in rj54n1_probe() Zhang Tengfei (1): ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable Zhen Ni (3): netfilter: ipset: Remove unused htable_bits in macro ahash_region Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() Zheng Qixing (2): dm: fix queue start/stop imbalance under suspend/load/resume races dm: fix NULL pointer dereference in __dm_suspend() Zhouyi Zhou (1): tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host headers Zhushuai Yin (1): crypto: hisilicon/qm - check whether the input function and PF are on the same device Zilin Guan (1): vfio/pds: replace bitmap_free with vfree wangzijie (1): f2fs: fix zero-sized extent for precache extents zhang jiao (1): vhost: vringh: Modify the return value check

3 weeks

1
1
0 0

Linux 6.1.156

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.156 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/trace/histogram-design.rst | 4 Makefile | 2 arch/arm/mach-at91/pm_suspend.S | 4 arch/arm64/boot/dts/mediatek/mt8516-pumpkin.dts | 2 arch/arm64/boot/dts/renesas/rzg2lc-smarc.dtsi | 5 arch/arm64/kernel/fpsimd.c | 8 arch/sparc/lib/M7memcpy.S | 20 arch/sparc/lib/Memcpy_utils.S | 9 arch/sparc/lib/NG4memcpy.S | 2 arch/sparc/lib/NGmemcpy.S | 29 - arch/sparc/lib/U1memcpy.S | 19 arch/sparc/lib/U3memcpy.S | 2 arch/x86/include/asm/segment.h | 8 block/blk-mq-sysfs.c | 6 block/blk-settings.c | 3 crypto/rng.c | 8 drivers/acpi/nfit/core.c | 2 drivers/acpi/processor_idle.c | 3 drivers/base/node.c | 4 drivers/base/power/main.c | 14 drivers/base/regmap/regmap.c | 2 drivers/block/nbd.c | 8 drivers/block/null_blk/main.c | 2 drivers/bus/fsl-mc/fsl-mc-bus.c | 3 drivers/char/hw_random/Kconfig | 1 drivers/char/hw_random/ks-sa-rng.c | 4 drivers/cpufreq/scmi-cpufreq.c | 10 drivers/cpuidle/cpuidle-qcom-spm.c | 7 drivers/crypto/hisilicon/debugfs.c | 1 drivers/crypto/hisilicon/hpre/hpre_main.c | 3 drivers/crypto/hisilicon/qm.c | 3 drivers/crypto/hisilicon/sec2/sec_main.c | 80 +-- drivers/crypto/hisilicon/zip/zip_main.c | 17 drivers/devfreq/mtk-cci-devfreq.c | 3 drivers/firmware/meson/Kconfig | 2 drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 29 + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 drivers/gpu/drm/amd/display/dc/dml/dcn32/display_rq_dlg_calc_32.c | 1 drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 7 drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 92 ++-- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 2 drivers/gpu/drm/panel/panel-novatek-nt35560.c | 2 drivers/gpu/drm/radeon/r600_cs.c | 4 drivers/hid/hid-mcp2221.c | 4 drivers/hwmon/mlxreg-fan.c | 24 - drivers/hwtracing/coresight/coresight-etm4x-core.c | 11 drivers/hwtracing/coresight/coresight-etm4x.h | 2 drivers/hwtracing/coresight/coresight-trbe.c | 9 drivers/i2c/busses/i2c-designware-platdrv.c | 1 drivers/i2c/busses/i2c-mt65xx.c | 17 drivers/i3c/master/svc-i3c-master.c | 31 + drivers/iio/inkern.c | 2 drivers/infiniband/core/addr.c | 10 drivers/infiniband/core/cm.c | 4 drivers/infiniband/core/sa_query.c | 6 drivers/infiniband/sw/siw/siw_verbs.c | 25 - drivers/input/misc/uinput.c | 1 drivers/input/touchscreen/atmel_mxt_ts.c | 2 drivers/input/touchscreen/cyttsp4_core.c | 2 drivers/irqchip/irq-sun6i-r.c | 2 drivers/md/dm-core.h | 1 drivers/md/dm-integrity.c | 4 drivers/md/dm.c | 13 drivers/media/i2c/rj54n1cb0c.c | 9 drivers/media/i2c/tc358743.c | 4 drivers/media/pci/b2c2/flexcop-pci.c | 2 drivers/media/platform/st/sti/delta/delta-mjpeg-dec.c | 20 drivers/media/rc/imon.c | 27 - drivers/media/tuners/xc5000.c | 41 - drivers/mfd/vexpress-sysreg.c | 6 drivers/misc/fastrpc.c | 62 +- drivers/misc/genwqe/card_ddcb.c | 2 drivers/mtd/nand/raw/atmel/nand-controller.c | 4 drivers/net/can/rcar/rcar_canfd.c | 7 drivers/net/can/spi/hi311x.c | 33 - drivers/net/ethernet/amazon/ena/ena_ethtool.c | 5 drivers/net/ethernet/dlink/dl2k.c | 7 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 drivers/net/ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 17 drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 24 + drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 7 drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 drivers/net/usb/asix_devices.c | 29 + drivers/net/usb/rtl8150.c | 2 drivers/net/wireless/ath/ath10k/wmi.c | 39 - drivers/net/wireless/marvell/mwifiex/cfg80211.c | 7 drivers/net/wireless/mediatek/mt76/mt7603/soc.c | 2 drivers/net/wireless/realtek/rtlwifi/rtl8192cu/sw.c | 1 drivers/net/wireless/realtek/rtw89/ser.c | 3 drivers/nvme/target/fc.c | 19 drivers/pci/controller/dwc/pcie-tegra194.c | 4 drivers/pci/controller/pci-tegra.c | 2 drivers/perf/arm_spe_pmu.c | 3 drivers/pinctrl/meson/pinctrl-meson-gxl.c | 10 drivers/pinctrl/pinmux.c | 2 drivers/pinctrl/renesas/pinctrl.c | 3 drivers/power/supply/cw2015_battery.c | 3 drivers/pps/kapi.c | 5 drivers/pps/pps.c | 5 drivers/pwm/pwm-tiehrpwm.c | 4 drivers/regulator/scmi-regulator.c | 3 drivers/remoteproc/qcom_q6v5.c | 3 drivers/scsi/mpt3sas/mpt3sas_transport.c | 8 drivers/scsi/myrs.c | 8 drivers/scsi/pm8001/pm8001_sas.c | 9 drivers/scsi/qla2xxx/qla_edif.c | 4 drivers/scsi/qla2xxx/qla_init.c | 4 drivers/soc/qcom/rpmh-rsc.c | 7 drivers/staging/axis-fifo/axis-fifo.c | 68 +-- drivers/target/target_core_configfs.c | 2 drivers/thermal/qcom/Kconfig | 3 drivers/thermal/qcom/lmh.c | 2 drivers/tty/serial/Kconfig | 2 drivers/tty/serial/max310x.c | 2 drivers/uio/uio_hv_generic.c | 7 drivers/usb/cdns3/cdnsp-pci.c | 5 drivers/usb/gadget/configfs.c | 2 drivers/usb/host/max3421-hcd.c | 2 drivers/usb/host/xhci-ring.c | 11 drivers/usb/phy/phy-twl6030-usb.c | 3 drivers/usb/serial/option.c | 6 drivers/usb/typec/tipd/core.c | 24 - drivers/usb/usbip/vhci_hcd.c | 22 drivers/vhost/vringh.c | 14 drivers/watchdog/mpc8xxx_wdt.c | 2 fs/btrfs/ref-verify.c | 9 fs/btrfs/tree-checker.c | 2 fs/ext4/ext4.h | 10 fs/ext4/file.c | 2 fs/ext4/inode.c | 2 fs/ext4/orphan.c | 6 fs/ext4/super.c | 4 fs/f2fs/data.c | 7 fs/nfs/nfs4proc.c | 2 fs/ntfs3/run.c | 12 fs/ocfs2/stack_user.c | 1 fs/smb/server/smb2pdu.c | 3 fs/smb/server/transport_rdma.c | 99 +++- fs/squashfs/inode.c | 7 fs/squashfs/squashfs_fs_i.h | 2 fs/udf/inode.c | 3 include/crypto/sha256_base.h | 2 include/linux/bpf.h | 1 include/linux/compiler.h | 9 include/linux/device.h | 3 include/linux/minmax.h | 222 +++++----- include/trace/events/filelock.h | 3 init/Kconfig | 1 kernel/bpf/core.c | 5 kernel/seccomp.c | 12 kernel/smp.c | 11 kernel/trace/bpf_trace.c | 9 lib/vsprintf.c | 2 mm/hugetlb.c | 2 net/9p/trans_fd.c | 8 net/bluetooth/hci_sync.c | 10 net/bluetooth/iso.c | 9 net/bluetooth/mgmt.c | 10 net/core/filter.c | 16 net/ipv4/tcp.c | 9 net/mac80211/rx.c | 28 - net/netfilter/ipset/ip_set_hash_gen.h | 8 net/netfilter/ipvs/ip_vs_ftp.c | 4 net/nfc/nci/ntf.c | 135 ++++-- scripts/gcc-plugins/gcc-common.h | 7 sound/pci/lx6464es/lx_core.c | 4 sound/soc/codecs/rt5682s.c | 17 sound/soc/intel/boards/bytcht_es8316.c | 20 sound/soc/intel/boards/bytcr_rt5640.c | 7 sound/soc/intel/boards/bytcr_rt5651.c | 26 - sound/soc/qcom/qdsp6/topology.c | 4 tools/include/nolibc/std.h | 2 tools/lib/bpf/libbpf.c | 10 tools/lib/subcmd/help.c | 3 tools/testing/nvdimm/test/ndtest.c | 13 tools/testing/selftests/arm64/pauth/exec_target.c | 7 tools/testing/selftests/bpf/progs/test_tcpnotify_kern.c | 1 tools/testing/selftests/bpf/test_tcpnotify_user.c | 20 tools/testing/selftests/net/mptcp/mptcp_connect.c | 2 tools/testing/selftests/watchdog/watchdog-test.c | 6 182 files changed, 1363 insertions(+), 751 deletions(-) Abdun Nihaal (1): wifi: mt76: fix potential memory leak in mt76_wmac_probe() Aditya Kumar Singh (1): wifi: mac80211: fix Rx packet handling when pubsta information is not available Akhilesh Patil (1): selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported Alok Tiwari (1): PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation Andy Yan (1): power: supply: cw2015: Fix a alignment coding style issue AngeloGioacchino Del Regno (1): arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible Anthony Iliopoulos (1): NFSv4.1: fix backchannel max_resp_sz verification check Arnaud Lecomte (1): hid: fix I2C read buffer overflow in raw_event() for mcp2221 Arnd Bergmann (2): hwrng: nomadik - add ARM_AMBA dependency media: st-delta: avoid excessive stack usage Bagas Sanjaya (1): Documentation: trace: historgram-design: Separate sched_waking histogram section heading and the following diagram Bala-Vignesh-Reddy (1): selftests: arm64: Check fread return value in exec_target Baochen Qiang (1): wifi: ath10k: avoid unnecessary wait for service ready message Bartosz Golaszewski (2): mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() pinctrl: check the return value of pinmux_ops::get_function_name() Bernard Metzler (1): RDMA/siw: Always report immediate post SQ errors Biju Das (1): arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0 Bitterblue Smith (1): wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 Brahmajit Das (1): drm/radeon/r600_cs: clean up of dead code in r600_cs Breno Leitao (1): crypto: sha256 - fix crash at kexec Brigham Campbell (1): drm/panel: novatek-nt35560: Fix invalid return value Chen Yufeng (1): can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled Chenghai Huang (3): crypto: hisilicon/zip - remove unnecessary validation for high-performance mode configurations crypto: hisilicon - re-enable address prefetch after device resuming crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs Christophe Leroy (1): watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Colin Ian King (2): misc: genwqe: Fix incorrect cmd field being reported in error ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message Cristian Ciocaltea (1): usb: vhci-hcd: Prevent suspending virtually attached devices Da Xue (1): pinctrl: meson-gxl: add missing i2c_d pinmux Dan Carpenter (4): PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup serial: max310x: Add error checking in probe() ocfs2: fix double free in user_cluster_connect() Daniel Borkmann (1): bpf: Enforce expected_attach_type for tailcall compatibility Daniel Wagner (1): nvmet-fc: move lsop put work to nvmet_fc_ls_req_op David Laight (7): minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once David Sterba (1): btrfs: ref-verify: handle damaged extent root tree Deepak Sharma (1): net: nfc: nci: Add parameter validation for packet data Dmitry Baryshkov (2): thermal/drivers/qcom: Make LMH select QCOM_SCM thermal/drivers/qcom/lmh: Add missing IRQ includes Donet Tom (2): drivers/base/node: handle error properly in register_one_node() drivers/base/node: fix double free in register_one_node() Duoming Zhou (3): media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove media: tuner: xc5000: Fix use-after-free in xc5000_release media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe Duy Nguyen (1): can: rcar_canfd: Fix controller mode setting Eric Dumazet (2): nbd: restrict sockets to TCP and UDP tcp: fix __tcp_close() to only send RST when required Erick Karanja (1): mtd: rawnand: atmel: Fix error handling path in atmel_nand_controller_add_nands Fedor Pchelkin (1): wifi: rtw89: avoid circular locking dependency in ser_state_run() Florian Fainelli (1): cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus() Geert Uytterhoeven (2): init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD regmap: Remove superfluous check for !config in __regmap_init() Genjian Zhang (1): null_blk: Fix the description of the cache_size module argument Greg Kroah-Hartman (1): Linux 6.1.156 Guangshuo Li (1): nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() Hans de Goede (1): iio: consumers: Fix offset handling in iio_convert_raw_to_processed() Herbert Xu (1): crypto: rng - Ensure set_ent is always present Huisong Li (1): ACPI: processor: idle: Fix memory leak when register cpuidle device failed Håkon Bugge (1): RDMA/cm: Rate limit destroy CM ID timeout error message I Viswanath (1): net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast Jack Yu (1): ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue Jakub Kicinski (1): Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" Jan Kara (1): ext4: fix checks for orphan inodes Jeff Layton (1): filelock: add FL_RECLAIM to show_fl_flags() macro Johan Hovold (2): firmware: firmware: meson-sm: fix compile-test default cpuidle: qcom-spm: fix device and OF node leaks at probe Johannes Nixdorf (1): seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast Kees Cook (1): gcc-plugins: Remove TODO_verify_il for GCC >= 16 Kenta Akagi (1): selftests: mptcp: connect: fix build regression caused by backport Kohei Enju (2): nfp: fix RSS hash key size when RSS is not supported net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable Kunihiko Hayashi (1): i2c: designware: Add disabling clocks when probe fails Larshin Sergey (2): media: rc: fix races with imon_disconnect() fs: udf: fix OOB read in lengthAllocDescs handling Leilk.Liu (1): i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Leo Yan (3): coresight: trbe: Prevent overflow in PERF_IDX2OFF() perf: arm_spe: Prevent overflow in PERF_IDX2OFF() coresight: trbe: Return NULL pointer for allocation failures Li Nan (1): blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Liao Yuanhong (1): drm/amd/display: Remove redundant semicolons Ling Xu (3): misc: fastrpc: Fix fastrpc_map_lookup operation misc: fastrpc: fix possible map leak in fastrpc_put_args misc: fastrpc: Skip reference for DMA handles Linus Torvalds (4): minmax: don't use max() in situations that want a C constant expression minmax: simplify min()/max()/clamp() implementation minmax: improve macro expansion and type checking minmax: fix up min3() and max3() too Luiz Augusto von Dentz (3): Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO Bluetooth: ISO: Fix possible UAF on iso_conn_free Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements Marek Vasut (1): Input: atmel_mxt_ts - allow reset GPIO to sleep Matt Bobrowski (1): bpf/selftests: Fix test_tcpnotify_user Matvey Kovalev (1): ksmbd: fix error code overwriting in smb2_get_info_filesystem() Miaoqian Lin (1): usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call Michael Karcher (5): sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara sparc: fix accurate exception reporting in copy_to_user for Niagara 4 sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Michael S. Tsirkin (1): vhost: vringh: Fix copy_to_iter return value check Michal Pecio (1): Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" Mikulas Patocka (1): dm-integrity: limit MAX_TAG_SIZE to 255 Moshe Shemesh (2): net/mlx5: Stop polling for command response if interface goes down net/mlx5: fw reset, add reset timeout work Nagarjuna Kristam (1): PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() Nalivayko Sergey (1): net/9p: fix double req put in p9_fd_cancelled Naman Jain (1): uio_hv_generic: Let userspace take care of interrupt mask Nicolas Ferre (1): ARM: at91: pm: fix MCKx restore routine Niklas Cassel (1): scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Nishanth Menon (1): hwrng: ks-sa - fix division by zero in ks_sa_rng_init Oleksij Rempel (1): net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Ovidiu Panait (3): staging: axis-fifo: fix maximum TX packet length check staging: axis-fifo: fix TX handling on copy_from_user() failure staging: axis-fifo: flush RX FIFO on read errors Parav Pandit (1): RDMA/core: Resolve MAC of next-hop device without ARP support Paul Chaignon (1): bpf: Explicitly check accesses to bpf_sock_addr Pauli Virtanen (1): Bluetooth: ISO: don't leak skb in ISO_CONT RX Phillip Lougher (1): Squashfs: fix uninit-value in squashfs_get_parent Qianfeng Rong (8): regulator: scmi: Use int type to store negative error codes block: use int to store blk_stack_limits() return value pinctrl: renesas: Use int type to store negative error codes ALSA: lx_core: use int type to store negative error codes drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() drm/msm/dpu: fix incorrect type for ret scsi: qla2xxx: edif: Fix incorrect sign of error code scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() Rafael J. Wysocki (3): driver core/PM: Set power.no_callbacks along with power.no_pm PM: sleep: core: Clear power.must_resume in noirq suspend error path smp: Fix up and expand the smp_call_function_many() kerneldoc Ranjan Kumar (1): scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Raphael Gallais-Pou (1): serial: stm32: allow selecting console when the driver is module Ricardo Ribalda (1): media: tunner: xc5000: Refactor firmware load Salah Triki (1): bus: fsl-mc: Check return value of platform_get_resource() Shay Drory (1): net/mlx5: pagealloc: Fix reclaim race during command interface teardown Slavin Liu (1): ipvs: Defer ip_vs_ftp unregister during netns cleanup Sneh Mankad (1): soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Srinivas Kandagatla (1): ASoC: qcom: audioreach: fix potential null pointer dereference Stanley Chu (2): i3c: master: svc: Use manual response for IBI events i3c: master: svc: Recycle unused IBI slot Stefan Kerkmann (1): wifi: mwifiex: send world regulatory domain to driver Stefan Metzmacher (1): smb: server: fix IRD/ORD negotiation with the client Stephan Gerhold (1): remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice Sven Peter (1): usb: typec: tipd: Clear interrupts first Takashi Iwai (3): ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping Tao Chen (1): bpf: Remove migrate_disable in kprobe_multi_link_prog_run Thomas Fourier (1): scsi: myrs: Fix dma_alloc_coherent() error check Timur Kristóf (7): drm/amdgpu: Power up UVD 3 for FW validation (v2) drm/amd/pm: Disable ULV even if unsupported (v3) drm/amd/pm: Fix si_upload_smc_data (v3) drm/amd/pm: Adjust si_upload_smc_data register programming (v3) drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) Uros Bizjak (1): x86/vdso: Fix output operand size of RDPID Uwe Kleine-König (1): pwm: tiehrpwm: Fix corner case in clock divisor calculation Vadim Pasternak (1): hwmon: (mlxreg-fan) Separate methods of fan setting coming from different subsystems Vitaly Grigoryev (1): fs: ntfs3: Fix integer overflow in run_unpack() Vlad Dumitrescu (1): IB/sa: Fix sa_local_svc_timeout_ms read race Wang Haoran (1): scsi: target: target_core_configfs: Add length check to avoid buffer overflow Wang Liang (1): pps: fix warning in pps_register_cdev when register device fail Will Deacon (1): KVM: arm64: Fix softirq masking in FPSIMD register saving sequence William Wu (1): usb: gadget: configfs: Correctly set use_os_string at bind Xiaowei Li (1): USB: serial: option: add SIMCom 8230C compositions Xichao Zhao (1): usb: phy: twl6030: Fix incorrect type for ret Yang Shi (1): mm: hugetlb: avoid soft lockup when mprotect to large memory area Yeounsu Moon (1): net: dlink: handle copy_thresh allocation failure Yuanfang Zhang (1): coresight-etm4x: Conditionally access register TRCEXTINSELR Yureka Lilian (1): libbpf: Fix reuse of DEVMAP Zhang Shurong (1): media: rj54n1cb0c: Fix memleak in rj54n1_probe() Zhen Ni (2): netfilter: ipset: Remove unused htable_bits in macro ahash_region Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Zheng Qixing (2): dm: fix queue start/stop imbalance under suspend/load/resume races dm: fix NULL pointer dereference in __dm_suspend() Zhouyi Zhou (1): tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host headers hupu (1): perf subcmd: avoid crash in exclude_cmds when excludes is empty wangzijie (1): f2fs: fix zero-sized extent for precache extents zhang jiao (1): vhost: vringh: Modify the return value check

3 weeks

1
1
0 0

Chinese Legal Translation - 95,000+ Satisfied Clients in 29+ Years

by Communication Dubai

[Logo] PROFESSIONAL & ACCURATE CHINESE LEGAL TRANSLATION SERVICES Our certified CHINESE-ARABIC TRANSLATION SERVICES IN DUBAI is approved by the UAE Ministry of Justice, ensuring official recognition for all translation. WHAT WE OFFER ▸ CERTIFICATES ▸ LICENSES ▸ LEGAL DOCUMENTS ▸ CONTRACTS & AGREEMENTS ▸ COURT DOCUMENTS & MORE FOR MORE INFORMATION +971 42663517 +971 502885313 [http://track.uaetranslationservices.com/web/index.php/campaigns/vg637tltmtc…] → FREE QUOTE [http://track.uaetranslationservices.com/web/index.php/campaigns/vg637tltmtc…] OTHER LEGAL LANGUAGES WE OFFER: Arabic, Russian, Turkish, French, Spanish, German, Italian, Persian and Bulgarian. 95,000+ SATISFIED CLIENTS IN 29+ YEARS www.communicationdubai.com I admin(a)communicationdubai.com [http://track.uaetranslationservices.com/web/index.php/campaigns/vg637tltmtc…] Near Abu Abu Hail Metro Station - Al Yasmeen Bldg. Office - 108 Salah Uddin Road - Dubai If you want to Unsubscribe Click Here [http://track.uaetranslationservices.com/web/index.php/campaigns/vg637tltmtc…] and Abuse Report [http://track.uaetranslationservices.com/web/index.php/campaigns/vg637tltmtc…]

3 weeks

1
0
0 0

[PATCH v3] platform/x86: alienware-wmi-wmax: Add AWCC support to Dell G15 5530

by tr1x_em

Makes alienware-wmi load on G15 5530 by default Cc: stable(a)vger.kernel.org Signed-off-by: Saumya <admin(a)trix.is-a.dev> --- drivers/platform/x86/dell/alienware-wmi-wmax.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/platform/x86/dell/alienware-wmi-wmax.c b/drivers/platform/x86/dell/alienware-wmi-wmax.c index 31f9643a6..3b25a8283 100644 --- a/drivers/platform/x86/dell/alienware-wmi-wmax.c +++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c @@ -209,6 +209,14 @@ static const struct dmi_system_id awcc_dmi_table[] __initconst = { }, .driver_data = &g_series_quirks, }, + { + .ident = "Dell Inc. G15 5530", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), + DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5530"), + }, + .driver_data = &g_series_quirks, + }, { .ident = "Dell Inc. G16 7630", .matches = { -- 2.51.0

3 weeks

3
2
0 0

[PATCH v3] platform/x86: alienware-wmi-wmax: Fix null pointer dereference in sleep handlers

by Kurt Borja

Devices without the AWCC interface don't initialize `awcc`. Add a check before dereferencing it in sleep handlers. Cc: stable(a)vger.kernel.org Reported-by: Gal Hammer <galhammer(a)gmail.com> Tested-by: Gal Hammer <galhammer(a)gmail.com> Fixes: 07ac275981b1 ("platform/x86: alienware-wmi-wmax: Add support for manual fan control") Signed-off-by: Kurt Borja <kuurtb(a)gmail.com> --- Changes in v3: - Fix typo in title - Go for a simpler approach because the last one prevented the old driver interface from loading - Link to v2: https://lore.kernel.org/r/20251013-sleep-fix-v2-1-1ad8bdb79585@gmail.com Changes in v2: - Little logic mistake in the `force_gmode` path... (oops) - Link to v1: https://lore.kernel.org/r/20251013-sleep-fix-v1-1-92bc11b6ecae@gmail.com --- drivers/platform/x86/dell/alienware-wmi-wmax.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/platform/x86/dell/alienware-wmi-wmax.c b/drivers/platform/x86/dell/alienware-wmi-wmax.c index 31f9643a6a3b..b106e8e407b3 100644 --- a/drivers/platform/x86/dell/alienware-wmi-wmax.c +++ b/drivers/platform/x86/dell/alienware-wmi-wmax.c @@ -1639,7 +1639,7 @@ static int wmax_wmi_probe(struct wmi_device *wdev, const void *context) static int wmax_wmi_suspend(struct device *dev) { - if (awcc->hwmon) + if (awcc && awcc->hwmon) awcc_hwmon_suspend(dev); return 0; @@ -1647,7 +1647,7 @@ static int wmax_wmi_suspend(struct device *dev) static int wmax_wmi_resume(struct device *dev) { - if (awcc->hwmon) + if (awcc && awcc->hwmon) awcc_hwmon_resume(dev); return 0; --- base-commit: 3ed17349f18774c24505b0c21dfbd3cc4f126518 change-id: 20251012-sleep-fix-5d0596dd92a3 -- ~ Kurt

3 weeks

2
1
0 0

[PATCH v2] drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies

by Tvrtko Ursulin

When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free. Interestingly this bug appears to have been present ever since ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code back then looked like this: drm_sched_job_add_implicit_dependencies(): ... for (i = 0; i < fence_count; i++) { ret = drm_sched_job_add_dependency(job, fences[i]); if (ret) break; } for (; i < fence_count; i++) dma_fence_put(fences[i]); Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it. The bug was then only noticed and fixed after 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2") landed, with its fixup of 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies"). At that point it was a slightly different flavour of a double free, which 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder") noticed and attempted to fix. But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case. As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain. While fixing we also improve the comment and explain the reason for taking the reference and not dropping it. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder") Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Reference: https://lore.kernel.org/dri-devel/aNFbXq8OeYl3QSdm@stanley.mountain/ Cc: Christian König <christian.koenig(a)amd.com> Cc: Rob Clark <robdclark(a)chromium.org> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Danilo Krummrich <dakr(a)kernel.org> Cc: Philipp Stanner <phasta(a)kernel.org> Cc: "Christian König" <ckoenig.leichtzumerken(a)gmail.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.16+ --- v2: * Re-arrange commit text so discussion around sentences starting with capital letters in all cases can be avoided. * Keep double return for now. * Improved comment instead of dropping it. --- drivers/gpu/drm/scheduler/sched_main.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c index 46119aacb809..c39f0245e3a9 100644 --- a/drivers/gpu/drm/scheduler/sched_main.c +++ b/drivers/gpu/drm/scheduler/sched_main.c @@ -965,13 +965,14 @@ int drm_sched_job_add_resv_dependencies(struct drm_sched_job *job, dma_resv_assert_held(resv); dma_resv_for_each_fence(&cursor, resv, usage, fence) { - /* Make sure to grab an additional ref on the added fence */ - dma_fence_get(fence); - ret = drm_sched_job_add_dependency(job, fence); - if (ret) { - dma_fence_put(fence); + /* + * As drm_sched_job_add_dependency always consumes the fence + * reference (even when it fails), and dma_resv_for_each_fence + * is not obtaining one, we need to grab one before calling. + */ + ret = drm_sched_job_add_dependency(job, dma_fence_get(fence)); + if (ret) return ret; - } } return 0; } -- 2.48.0

3 weeks

2
3
0 0

FAILED: patch "[PATCH] ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x bcd1383516bb5a6f72b2d1e7f7ad42c4a14837d1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101352-joylessly-yoyo-b1e8@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From bcd1383516bb5a6f72b2d1e7f7ad42c4a14837d1 Mon Sep 17 00:00:00 2001 From: Kai Vehmanen <kai.vehmanen(a)linux.intel.com> Date: Thu, 2 Oct 2025 10:47:15 +0300 Subject: [PATCH] ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the sampling rates going in (host) and out (dai) from the DSP are different, the IPC4 delay reporting does not work correctly. Add support for this case by scaling the all raw position values to a common timebase before calculating real-time delay for the PCM. Cc: stable(a)vger.kernel.org Fixes: 0ea06680dfcb ("ASoC: SOF: ipc4-pcm: Correct the delay calculation") Signed-off-by: Kai Vehmanen <kai.vehmanen(a)linux.intel.com> Reviewed-by: Péter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Bard Liao <yung-chuan.liao(a)linux.intel.com> Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Link: https://patch.msgid.link/20251002074719.2084-2-peter.ujfalusi@linux.intel.c… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/sof/ipc4-pcm.c b/sound/soc/sof/ipc4-pcm.c index cb9a06792a47..769ba4fed56a 100644 --- a/sound/soc/sof/ipc4-pcm.c +++ b/sound/soc/sof/ipc4-pcm.c @@ -19,12 +19,14 @@ * struct sof_ipc4_timestamp_info - IPC4 timestamp info * @host_copier: the host copier of the pcm stream * @dai_copier: the dai copier of the pcm stream - * @stream_start_offset: reported by fw in memory window (converted to frames) - * @stream_end_offset: reported by fw in memory window (converted to frames) + * @stream_start_offset: reported by fw in memory window (converted to + * frames at host_copier sampling rate) + * @stream_end_offset: reported by fw in memory window (converted to + * frames at host_copier sampling rate) * @llp_offset: llp offset in memory window - * @boundary: wrap boundary should be used for the LLP frame counter * @delay: Calculated and stored in pointer callback. The stored value is - * returned in the delay callback. + * returned in the delay callback. Expressed in frames at host copier + * sampling rate. */ struct sof_ipc4_timestamp_info { struct sof_ipc4_copier *host_copier; @@ -33,7 +35,6 @@ struct sof_ipc4_timestamp_info { u64 stream_end_offset; u32 llp_offset; - u64 boundary; snd_pcm_sframes_t delay; }; @@ -48,6 +49,16 @@ struct sof_ipc4_pcm_stream_priv { bool chain_dma_allocated; }; +/* + * Modulus to use to compare host and link position counters. The sampling + * rates may be different, so the raw hardware counters will wrap + * around at different times. To calculate differences, use + * DELAY_BOUNDARY as a common modulus. This value must be smaller than + * the wrap-around point of any hardware counter, and larger than any + * valid delay measurement. + */ +#define DELAY_BOUNDARY U32_MAX + static inline struct sof_ipc4_timestamp_info * sof_ipc4_sps_to_time_info(struct snd_sof_pcm_stream *sps) { @@ -1049,6 +1060,35 @@ static int sof_ipc4_pcm_hw_params(struct snd_soc_component *component, return 0; } +static u64 sof_ipc4_frames_dai_to_host(struct sof_ipc4_timestamp_info *time_info, u64 value) +{ + u64 dai_rate, host_rate; + + if (!time_info->dai_copier || !time_info->host_copier) + return value; + + /* + * copiers do not change sampling rate, so we can use the + * out_format independently of stream direction + */ + dai_rate = time_info->dai_copier->data.out_format.sampling_frequency; + host_rate = time_info->host_copier->data.out_format.sampling_frequency; + + if (!dai_rate || !host_rate || dai_rate == host_rate) + return value; + + /* take care not to overflow u64, rates can be up to 768000 */ + if (value > U32_MAX) { + value = div64_u64(value, dai_rate); + value *= host_rate; + } else { + value *= host_rate; + value = div64_u64(value, dai_rate); + } + + return value; +} + static int sof_ipc4_get_stream_start_offset(struct snd_sof_dev *sdev, struct snd_pcm_substream *substream, struct snd_sof_pcm_stream *sps, @@ -1099,14 +1139,13 @@ static int sof_ipc4_get_stream_start_offset(struct snd_sof_dev *sdev, time_info->stream_end_offset = ppl_reg.stream_end_offset; do_div(time_info->stream_end_offset, dai_sample_size); + /* convert to host frame time */ + time_info->stream_start_offset = + sof_ipc4_frames_dai_to_host(time_info, time_info->stream_start_offset); + time_info->stream_end_offset = + sof_ipc4_frames_dai_to_host(time_info, time_info->stream_end_offset); + out: - /* - * Calculate the wrap boundary need to be used for delay calculation - * The host counter is in bytes, it will wrap earlier than the frames - * based link counter. - */ - time_info->boundary = div64_u64(~((u64)0), - frames_to_bytes(substream->runtime, 1)); /* Initialize the delay value to 0 (no delay) */ time_info->delay = 0; @@ -1149,6 +1188,8 @@ static int sof_ipc4_pcm_pointer(struct snd_soc_component *component, /* For delay calculation we need the host counter */ host_cnt = snd_sof_pcm_get_host_byte_counter(sdev, component, substream); + + /* Store the original value to host_ptr */ host_ptr = host_cnt; /* convert the host_cnt to frames */ @@ -1167,6 +1208,8 @@ static int sof_ipc4_pcm_pointer(struct snd_soc_component *component, sof_mailbox_read(sdev, time_info->llp_offset, &llp, sizeof(llp)); dai_cnt = ((u64)llp.reading.llp_u << 32) | llp.reading.llp_l; } + + dai_cnt = sof_ipc4_frames_dai_to_host(time_info, dai_cnt); dai_cnt += time_info->stream_end_offset; /* In two cases dai dma counter is not accurate @@ -1200,8 +1243,9 @@ static int sof_ipc4_pcm_pointer(struct snd_soc_component *component, dai_cnt -= time_info->stream_start_offset; } - /* Wrap the dai counter at the boundary where the host counter wraps */ - div64_u64_rem(dai_cnt, time_info->boundary, &dai_cnt); + /* Convert to a common base before comparisons */ + dai_cnt &= DELAY_BOUNDARY; + host_cnt &= DELAY_BOUNDARY; if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { head_cnt = host_cnt; @@ -1211,14 +1255,11 @@ static int sof_ipc4_pcm_pointer(struct snd_soc_component *component, tail_cnt = host_cnt; } - if (head_cnt < tail_cnt) { - time_info->delay = time_info->boundary - tail_cnt + head_cnt; - goto out; - } + if (unlikely(head_cnt < tail_cnt)) + time_info->delay = DELAY_BOUNDARY - tail_cnt + head_cnt; + else + time_info->delay = head_cnt - tail_cnt; - time_info->delay = head_cnt - tail_cnt; - -out: /* * Convert the host byte counter to PCM pointer which wraps in buffer * and it is in frames

3 weeks

3
3
0 0

+ mm-damon-core-use-damos_commit_quota_goal-for-new-goal-commit.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: use damos_commit_quota_goal() for new goal commit has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-use-damos_commit_quota_goal-for-new-goal-commit.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: use damos_commit_quota_goal() for new goal commit Date: Mon, 13 Oct 2025 17:18:44 -0700 When damos_commit_quota_goals() is called for adding new DAMOS quota goals of DAMOS_QUOTA_USER_INPUT metric, current_value fields of the new goals should be also set as requested. However, damos_commit_quota_goals() is not updating the field for the case, since it is setting only metrics and target values using damos_new_quota_goal(), and metric-optional union fields using damos_commit_quota_goal_union(). As a result, users could see the first current_value parameter that committed online with a new quota goal is ignored. Users are assumed to commit the current_value for DAMOS_QUOTA_USER_INPUT quota goals, since it is being used as a feedback. Hence the real impact would be subtle. That said, this is obviously not intended behavior. Fix the issue by using damos_commit_quota_goal() which sets all quota goal parameters, instead of damos_commit_quota_goal_union(), which sets only the union fields. Link: https://lkml.kernel.org/r/20251014001846.279282-1-sj@kernel.org Fixes: 1aef9df0ee90 ("mm/damon/core: commit damos_quota_goal->nid") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.16+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/damon/core.c~mm-damon-core-use-damos_commit_quota_goal-for-new-goal-commit +++ a/mm/damon/core.c @@ -835,7 +835,7 @@ int damos_commit_quota_goals(struct damo src_goal->metric, src_goal->target_value); if (!new_goal) return -ENOMEM; - damos_commit_quota_goal_union(new_goal, src_goal); + damos_commit_quota_goal(new_goal, src_goal); damos_add_quota_goal(dst, new_goal); } return 0; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-sysfs-catch-commit-test-ctx-alloc-failure.patch mm-damon-sysfs-dealloc-commit-test-ctx-always.patch mm-damon-core-fix-list_add_tail-call-on-damon_call.patch mm-damon-core-use-damos_commit_quota_goal-for-new-goal-commit.patch mm-zswap-remove-unnecessary-dlen-writes-for-incompressible-pages.patch mm-zswap-fix-typos-s-zwap-zswap.patch mm-zswap-s-red-black-tree-xarray.patch docs-admin-guide-mm-zswap-s-red-black-tree-xarray.patch

3 weeks

1
0
0 0

[PATCH] ext4: free orphan info with kvfree

by Jan Kara

Orphan info is now getting allocated with kvmalloc_array(). Free it with kvfree() instead of kfree() to avoid complaints from mm. Reported-by: Chris Mason <clm(a)meta.com> Fixes: 0a6ce20c1564 ("ext4: verify orphan file size is not too big") CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/ext4/orphan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ext4/orphan.c b/fs/ext4/orphan.c index 33c3a89396b1..82d5e7501455 100644 --- a/fs/ext4/orphan.c +++ b/fs/ext4/orphan.c @@ -513,7 +513,7 @@ void ext4_release_orphan_info(struct super_block *sb) return; for (i = 0; i < oi->of_blocks; i++) brelse(oi->of_binfo[i].ob_bh); - kfree(oi->of_binfo); + kvfree(oi->of_binfo); } static struct ext4_orphan_block_tail *ext4_orphan_block_tail( @@ -637,7 +637,7 @@ int ext4_init_orphan_info(struct super_block *sb) out_free: for (i--; i >= 0; i--) brelse(oi->of_binfo[i].ob_bh); - kfree(oi->of_binfo); + kvfree(oi->of_binfo); out_put: iput(inode); return ret; -- 2.51.0

3 weeks

2
1
0 0

+ mm-damon-core-fix-potential-memory-leak-by-cleaning-ops_filter-in-damon_destroy_scheme.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-fix-potential-memory-leak-by-cleaning-ops_filter-in-damon_destroy_scheme.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Enze Li <lienze(a)kylinos.cn> Subject: mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme Date: Tue, 14 Oct 2025 16:42:25 +0800 Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed. This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks. Link: https://lkml.kernel.org/r/20251014084225.313313-1-lienze@kylinos.cn Fixes: ab82e57981d0 ("mm/damon/core: introduce damos->ops_filters") Signed-off-by: Enze Li <lienze(a)kylinos.cn> Reviewed-by: SeongJae Park <sj(a)kernel.org> Tested-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/damon/core.c~mm-damon-core-fix-potential-memory-leak-by-cleaning-ops_filter-in-damon_destroy_scheme +++ a/mm/damon/core.c @@ -452,6 +452,9 @@ void damon_destroy_scheme(struct damos * damos_for_each_filter_safe(f, next, s) damos_destroy_filter(f); + damos_for_each_ops_filter_safe(f, next, s) + damos_destroy_filter(f); + kfree(s->migrate_dests.node_id_arr); kfree(s->migrate_dests.weight_arr); damon_del_scheme(s); _ Patches currently in -mm which might be from lienze(a)kylinos.cn are mm-damon-core-fix-potential-memory-leak-by-cleaning-ops_filter-in-damon_destroy_scheme.patch

3 weeks

1
0
0 0

+ vmw_balloon-indicate-success-when-effectively-deflating-during-migration.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: vmw_balloon: indicate success when effectively deflating during migration has been added to the -mm mm-hotfixes-unstable branch. Its filename is vmw_balloon-indicate-success-when-effectively-deflating-during-migration.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: vmw_balloon: indicate success when effectively deflating during migration Date: Tue, 14 Oct 2025 14:44:55 +0200 When migrating a balloon page, we first deflate the old page to then inflate the new page. However, if inflating the new page succeeded, we effectively deflated the old page, reducing the balloon size. In that case, the migration actually worked: similar to migrating+ immediately deflating the new page. The old page will be freed back to the buddy. Right now, the core will leave the page be marked as isolated (as we returned an error). When later trying to putback that page, we will run into the WARN_ON_ONCE() in balloon_page_putback(). That handling was changed in commit 3544c4faccb8 ("mm/balloon_compaction: stop using __ClearPageMovable()"); before that change, we would have tolerated that way of handling it. To fix it, let's just return 0 in that case, making the core effectively just clear the "isolated" flag + freeing it back to the buddy as if the migration succeeded. Note that the new page will also get freed when the core puts the last reference. Note that this also makes it all be more consistent: we will no longer unisolate the page in the balloon driver while keeping it marked as being isolated in migration core. This was found by code inspection. Link: https://lkml.kernel.org/r/20251014124455.478345-1-david@redhat.com Fixes: 3544c4faccb8 ("mm/balloon_compaction: stop using __ClearPageMovable()") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jerrin Shaji George <jerrin.shaji-george(a)broadcom.com> Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/misc/vmw_balloon.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/drivers/misc/vmw_balloon.c~vmw_balloon-indicate-success-when-effectively-deflating-during-migration +++ a/drivers/misc/vmw_balloon.c @@ -1737,7 +1737,7 @@ static int vmballoon_migratepage(struct { unsigned long status, flags; struct vmballoon *b; - int ret; + int ret = 0; b = container_of(b_dev_info, struct vmballoon, b_dev_info); @@ -1796,17 +1796,15 @@ static int vmballoon_migratepage(struct * A failure happened. While we can deflate the page we just * inflated, this deflation can also encounter an error. Instead * we will decrease the size of the balloon to reflect the - * change and report failure. + * change. */ atomic64_dec(&b->size); - ret = -EBUSY; } else { /* * Success. Take a reference for the page, and we will add it to * the list after acquiring the lock. */ get_page(newpage); - ret = 0; } /* Update the balloon list under the @pages_lock */ @@ -1817,7 +1815,7 @@ static int vmballoon_migratepage(struct * If we succeed just insert it to the list and update the statistics * under the lock. */ - if (!ret) { + if (status == VMW_BALLOON_SUCCESS) { balloon_page_insert(&b->b_dev_info, newpage); __count_vm_event(BALLOON_MIGRATE); } _ Patches currently in -mm which might be from david(a)redhat.com are vmw_balloon-indicate-success-when-effectively-deflating-during-migration.patch

3 weeks

1
0
0 0

[REGRESSION] bisected: perf: hang when using async-profiler caused by perf: Fix the POLL_HUP delivery breakage

by Octavia Togami

Using async-profiler (https://github.com/async-profiler/async-profiler/) on Linux 6.17.1-arch1-1 causes a complete hang of the CPU. This has been reported by many people at https://github.com/lucko/spark/issues/530. spark is a piece of software that uses async-profiler internally. As seen in https://github.com/lucko/spark/issues/530#issuecomment-3339974827, this was bisected to 18dbcbfabfffc4a5d3ea10290c5ad27f22b0d240 perf: Fix the POLL_HUP delivery breakage. Reverting this commit on 6.17.1 fixed the issue for me. Steps to reproduce: 1. Get a copy of async-profiler. I tested both v3 (affects older spark versions) and v4.1 (latest at time of writing). Unarchive it, this is <async-profiler-dir>. 2. Set kernel parameters kernel.perf_event_paranoid=1 and kernel.kptr_restrict=0 as instructed by https://github.com/async-profiler/async-profiler/blob/fb673227c7fb311f872ce… 3. Install a version of Java that comes with jshell, i.e. Java 9 or newer. Note: jshell is used for ease of reproduction. Any Java application that is actively running will work. 4. Run `printf 'int acc; while (true) { acc++; }' | jshell -`. This will start an infinitely running Java process. 5. Run `jps` and take the PID next to the text RemoteExecutionControl -- this is the process that was just started. 6. Attach async-profiler to this process by running `<async-profiler-dir>/bin/asprof -d 1 <PID>`. This will run for one second, then the system should freeze entirely shortly thereafter. I triggered a sysrq crash while the system was frozen, and the output I found in journalctl afterwards is at https://gist.github.com/octylFractal/76611ee76060051e5efc0c898dd0949e I'm not sure if that text is actually from the triggered crash, but it seems relevant. If needed, please tell me how to get the actual crash report, I'm not sure where it is. I'm using an AMD Ryzen 9 5900X 12-Core Processor. Given that I've seen no Intel reports, it may be AMD specific. I don't have an Intel CPU on hand to test with. /proc/version: Linux version 6.17.1-arch1-1 (linux@archlinux) (gcc (GCC) 15.2.1 20250813, GNU ld (GNU Binutils) 2.45.0) #1 SMP PREEMPT_DYNAMIC Mon, 06 Oct 2025 18:48:29 +0000 Operating System: Arch Linux uname -mi: x86_64 unknown

3 weeks

3
7
0 0

[PATCH net v3 0/6] Intel Wired LAN Driver Updates 2025-10-01 (idpf, ixgbe, ixgbevf)

by Jacob Keller

For idpf: Milena fixes a memory leak in the idpf reset logic when the driver resets with an outstanding Tx timestamp. For ixgbe and ixgbevf: Jedrzej fixes an issue with reporting link speed on E610 VFs. Jedrzej also fixes the VF mailbox API incompatibilities caused by the confusion with API v1.4, v1.5, and v1.6. The v1.4 API introduced IPSEC offload, but this was only supported on Linux hosts. The v1.5 API introduced a new mailbox API which is necessary to resolve issues on ESX hosts. The v1.6 API introduced a new link management API for E610. Jedrzej introduces a new v1.7 API with a feature negotiation which enables properly checking if features such as IPSEC or the ESX mailbox APIs are supported. This resolves issues with compatibility on different hosts, and aligns the API across hosts instead of having Linux require custom mailbox API versions for IPSEC offload. Koichiro fixes a KASAN use-after-free bug in ixgbe_remove(). Signed-off-by: Jacob Keller <jacob.e.keller(a)intel.com> --- Changes in v3: - Rebase and verified compilation issues are resolved. - Configured b4 to exclude undeliverable addresses. - Link to v2: https://lore.kernel.org/r/20251003-jk-iwl-net-2025-10-01-v2-0-e59b4141c1b5@… Changes in v2: - Drop Emil's idpf_vport_open race fix for now. - Add my signature. - Link to v1: https://lore.kernel.org/r/20251001-jk-iwl-net-2025-10-01-v1-0-49fa99e86600@… --- Jedrzej Jagielski (4): ixgbevf: fix getting link speed data for E610 devices ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation ixgbevf: fix mailbox API compatibility by negotiating supported features ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd Koichiro Den (1): ixgbe: fix too early devlink_free() in ixgbe_remove() Milena Olech (1): idpf: cleanup remaining SKBs in PTP flows drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h | 15 ++ drivers/net/ethernet/intel/ixgbevf/defines.h | 1 + drivers/net/ethernet/intel/ixgbevf/ixgbevf.h | 7 + drivers/net/ethernet/intel/ixgbevf/mbx.h | 8 + drivers/net/ethernet/intel/ixgbevf/vf.h | 1 + drivers/net/ethernet/intel/idpf/idpf_ptp.c | 3 + .../net/ethernet/intel/idpf/idpf_virtchnl_ptp.c | 1 + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 +- drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 79 +++++++++ drivers/net/ethernet/intel/ixgbevf/ipsec.c | 10 ++ drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 34 +++- drivers/net/ethernet/intel/ixgbevf/vf.c | 182 +++++++++++++++++---- 12 files changed, 310 insertions(+), 34 deletions(-) --- base-commit: fea8cdf6738a8b25fccbb7b109b440795a0892cb change-id: 20251001-jk-iwl-net-2025-10-01-92cd2a626ff7 Best regards, -- Jacob Keller <jacob.e.keller(a)intel.com>

3 weeks

2
4
0 0

+ mm-damon-core-fix-list_add_tail-call-on-damon_call.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: fix list_add_tail() call on damon_call() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-fix-list_add_tail-call-on-damon_call.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/core: fix list_add_tail() call on damon_call() Date: Tue, 14 Oct 2025 13:59:36 -0700 Each damon_ctx maintains callback requests using a linked list (damon_ctx->call_controls). When a new callback request is received via damon_call(), the new request should be added to the list. However, the function is making a mistake at list_add_tail() invocation: putting the new item to add and the list head to add it before, in the opposite order. Because of the linked list manipulation implementation, the new request can still be reached from the context's list head. But the list items that were added before the new request are dropped from the list. As a result, the callbacks are unexpectedly not invocated. Worse yet, if the dropped callback requests were dynamically allocated, the memory is leaked. Actually DAMON sysfs interface is using a dynamically allocated repeat-mode callback request for automatic essential stats update. And because the online DAMON parameters commit is using a non-repeat-mode callback request, the issue can easily be reproduced, like below. # damo start --damos_action stat --refresh_stat 1s # damo tune --damos_action stat --refresh_stat 1s The first command dynamically allocates the repeat-mode callback request for automatic essential stat update. Users can see the essential stats are automatically updated for every second, using the sysfs interface. The second command calls damon_commit() with a new callback request that was made for the commit. As a result, the previously added repeat-mode callback request is dropped from the list. The automatic stats refresh stops working, and the memory for the repeat-mode callback request is leaked. It can be confirmed using kmemleak. Fix the mistake on the list_add_tail() call. Link: https://lkml.kernel.org/r/20251014205939.1206-1-sj@kernel.org Fixes: 004ded6bee11 ("mm/damon: accept parallel damon_call() requests") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.17+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/damon/core.c~mm-damon-core-fix-list_add_tail-call-on-damon_call +++ a/mm/damon/core.c @@ -1450,7 +1450,7 @@ int damon_call(struct damon_ctx *ctx, st INIT_LIST_HEAD(&control->list); mutex_lock(&ctx->call_controls_lock); - list_add_tail(&ctx->call_controls, &control->list); + list_add_tail(&control->list, &ctx->call_controls); mutex_unlock(&ctx->call_controls_lock); if (!damon_is_running(ctx)) return -EINVAL; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-sysfs-catch-commit-test-ctx-alloc-failure.patch mm-damon-sysfs-dealloc-commit-test-ctx-always.patch mm-damon-core-fix-list_add_tail-call-on-damon_call.patch mm-zswap-remove-unnecessary-dlen-writes-for-incompressible-pages.patch mm-zswap-fix-typos-s-zwap-zswap.patch mm-zswap-s-red-black-tree-xarray.patch docs-admin-guide-mm-zswap-s-red-black-tree-xarray.patch

3 weeks, 1 day

1
0
0 0

[PATCH Resend] PCI: Limit islolated function probing on bus 0 for LoongArch

by Huacai Chen

We found some discrete AMD graphics devices hide funtion 0 and the whole is not supposed to be probed. Since our original purpose is to allow integrated devices (on bus 0) to be probed without function 0, we can limit the islolated function probing only on bus 0. Cc: stable(a)vger.kernel.org Fixes: a02fd05661d73a8 ("PCI: Extend isolated function probing to LoongArch") Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- Resend to correct the subject line. drivers/pci/probe.c | 2 +- include/linux/hypervisor.h | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index c83e75a0ec12..da6a2aef823a 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -2883,7 +2883,7 @@ int pci_scan_slot(struct pci_bus *bus, int devfn) * a hypervisor that passes through individual PCI * functions. */ - if (!hypervisor_isolated_pci_functions()) + if (!hypervisor_isolated_pci_functions(bus->number)) break; } fn = next_fn(bus, dev, fn); diff --git a/include/linux/hypervisor.h b/include/linux/hypervisor.h index be5417303ecf..30ece04a16d9 100644 --- a/include/linux/hypervisor.h +++ b/include/linux/hypervisor.h @@ -32,13 +32,15 @@ static inline bool jailhouse_paravirt(void) #endif /* !CONFIG_X86 */ -static inline bool hypervisor_isolated_pci_functions(void) +static inline bool hypervisor_isolated_pci_functions(int bus) { if (IS_ENABLED(CONFIG_S390)) return true; - if (IS_ENABLED(CONFIG_LOONGARCH)) - return true; + if (IS_ENABLED(CONFIG_LOONGARCH)) { + if (bus == 0) + return true; + } return jailhouse_paravirt(); } -- 2.47.3

3 weeks, 1 day

2
1
0 0

[PATCH] mm/damon/core: fix list_add_tail() call on damon_call()

by SeongJae Park

Each damon_ctx maintains callback requests using a linked list (damon_ctx->call_controls). When a new callback request is received via damon_call(), the new request should be added to the list. However, the function is making a mistake at list_add_tail() invocation: putting the new item to add and the list head to add it before, in the opposite order. Because of the linked list manipulation implementation, the new request can still be reached from the context's list head. But the list items that were added before the new request are dropped from the list. As a result, the callbacks are unexpectedly not invocated. Worse yet, if the dropped callback requests were dynamically allocated, the memory is leaked. Actually DAMON sysfs interface is using a dynamically allocated repeat-mode callback request for automatic essential stats update. And because the online DAMON parameters commit is using a non-repeat-mode callback request, the issue can easily be reproduced, like below. # damo start --damos_action stat --refresh_stat 1s # damo tune --damos_action stat --refresh_stat 1s The first command dynamically allocates the repeat-mode callback request for automatic essential stat update. Users can see the essential stats are automatically updated for every second, using the sysfs interface. The second command calls damon_commit() with a new callback request that was made for the commit. As a result, the previously added repeat-mode callback request is dropped from the list. The automatic stats refresh stops working, and the memory for the repeat-mode callback request is leaked. It can be confirmed using kmemleak. Fix the mistake on the list_add_tail() call. Fixes: 004ded6bee11 ("mm/damon: accept parallel damon_call() requests") Cc: <stable(a)vger.kernel.org> # 6.17.x Signed-off-by: SeongJae Park <sj(a)kernel.org> --- mm/damon/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/damon/core.c b/mm/damon/core.c index 417f33a7868e..109b050c795a 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -1453,7 +1453,7 @@ int damon_call(struct damon_ctx *ctx, struct damon_call_control *control) INIT_LIST_HEAD(&control->list); mutex_lock(&ctx->call_controls_lock); - list_add_tail(&ctx->call_controls, &control->list); + list_add_tail(&control->list, &ctx->call_controls); mutex_unlock(&ctx->call_controls_lock); if (!damon_is_running(ctx)) return -EINVAL; base-commit: 49926cfb24ad064c8c26f8652e8a61bbcde37701 -- 2.47.3

3 weeks, 1 day

1
0
0 0

[PATCH] smb: client: Fix format specifiers for size_t in parse_dfs_referrals()

by Nathan Chancellor

When building for 32-bit platforms, for which 'size_t' is 'unsigned int', there are a couple instances of -Wformat: fs/smb/client/misc.c:922:25: error: format specifies type 'unsigned long' but the argument has type 'unsigned int' [-Werror,-Wformat] 921 | "%s: header is malformed (size is %u, must be %lu)\n", | ~~~ | %u 922 | __func__, rsp_size, sizeof(*rsp)); | ^~~~~~~~~~~~ fs/smb/client/misc.c:940:5: error: format specifies type 'unsigned long' but the argument has type 'unsigned int' [-Werror,-Wformat] 938 | "%s: malformed buffer (size is %u, must be at least %lu)\n", | ~~~ | %u 939 | __func__, rsp_size, 940 | sizeof(*rsp) + *num_of_nodes * sizeof(REFERRAL3)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Use the proper 'size_t' format specifier, '%zu', to clear up these warnings. Cc: stable(a)vger.kernel.org Fixes: c1047752ed9f ("cifs: parse_dfs_referrals: prevent oob on malformed input") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- Feel free to squash this into the original change to make backporting easier. I included the tags in case rebasing was not an option. --- fs/smb/client/misc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c index 987f0ca73123..e10123d8cd7d 100644 --- a/fs/smb/client/misc.c +++ b/fs/smb/client/misc.c @@ -918,7 +918,7 @@ parse_dfs_referrals(struct get_dfs_referral_rsp *rsp, u32 rsp_size, if (rsp_size < sizeof(*rsp)) { cifs_dbg(VFS | ONCE, - "%s: header is malformed (size is %u, must be %lu)\n", + "%s: header is malformed (size is %u, must be %zu)\n", __func__, rsp_size, sizeof(*rsp)); rc = -EINVAL; goto parse_DFS_referrals_exit; @@ -935,7 +935,7 @@ parse_dfs_referrals(struct get_dfs_referral_rsp *rsp, u32 rsp_size, if (sizeof(*rsp) + *num_of_nodes * sizeof(REFERRAL3) > rsp_size) { cifs_dbg(VFS | ONCE, - "%s: malformed buffer (size is %u, must be at least %lu)\n", + "%s: malformed buffer (size is %u, must be at least %zu)\n", __func__, rsp_size, sizeof(*rsp) + *num_of_nodes * sizeof(REFERRAL3)); rc = -EINVAL; --- base-commit: 4e47319b091f90d5776efe96d6c198c139f34883 change-id: 20251014-smb-client-fix-wformat-32b-parse_dfs_referrals-189b8c6fdf75 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 weeks, 1 day

2
1
0 0

[PATCH] perf tools: Fix bool return value in gzip_is_compressed()

by Miaoqian Lin

gzip_is_compressed() returns -1 on error but is declared as bool. And -1 gets converted to true, which could be misleading. Return false instead to match the declared type. Fixes: 88c74dc76a30 ("perf tools: Add gzip_is_compressed function") Cc: <stable(a)vger.kernel.org> Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- tools/perf/util/zlib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/perf/util/zlib.c b/tools/perf/util/zlib.c index 78d2297c1b67..1f7c06523059 100644 --- a/tools/perf/util/zlib.c +++ b/tools/perf/util/zlib.c @@ -88,7 +88,7 @@ bool gzip_is_compressed(const char *input) ssize_t rc; if (fd < 0) - return -1; + return false; rc = read(fd, buf, sizeof(buf)); close(fd); -- 2.39.5 (Apple Git-154)

3 weeks, 1 day

4
5
0 0

[PATCH] arm64: dts: rockchip: Remove non-functioning CPU OPPs from RK3576

by Alexey Charkov

Drop the top-frequency OPPs from both the LITTLE and big CPU clusters on RK3576, as neither the opensource TF-A [1] nor the recent (after v1.08) binary BL31 images provided by Rockchip expose those. This fixes the problem [2] when the cpufreq governor tries to jump directly to the highest-frequency OPP, which results in a failed SCMI call leaving the system stuck at the previous OPP before the attempted change. [1] https://github.com/ARM-software/arm-trusted-firmware/blob/master/plat/rockc… [2] https://lore.kernel.org/linux-rockchip/CABjd4Yz4NbqzZH4Qsed3ias56gcga9K6CmY… Fixes: 57b1ce903966 ("arm64: dts: rockchip: Add rk3576 SoC base DT") Cc: stable(a)vger.kernel.org Signed-off-by: Alexey Charkov <alchark(a)gmail.com> --- arch/arm64/boot/dts/rockchip/rk3576.dtsi | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/arch/arm64/boot/dts/rockchip/rk3576.dtsi b/arch/arm64/boot/dts/rockchip/rk3576.dtsi index fc4e9e07f1cf35fb57f132c6d82c48c62bd6265d..f0c3ab00a7f3447a1dbf7874c7bf758e82e04f25 100644 --- a/arch/arm64/boot/dts/rockchip/rk3576.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3576.dtsi @@ -276,12 +276,6 @@ opp-2016000000 { opp-microvolt = <900000 900000 950000>; clock-latency-ns = <40000>; }; - - opp-2208000000 { - opp-hz = /bits/ 64 <2208000000>; - opp-microvolt = <950000 950000 950000>; - clock-latency-ns = <40000>; - }; }; cluster1_opp_table: opp-table-cluster1 { @@ -348,12 +342,6 @@ opp-2208000000 { opp-microvolt = <925000 925000 950000>; clock-latency-ns = <40000>; }; - - opp-2304000000 { - opp-hz = /bits/ 64 <2304000000>; - opp-microvolt = <950000 950000 950000>; - clock-latency-ns = <40000>; - }; }; gpu_opp_table: opp-table-gpu { --- base-commit: ec714e371f22f716a04e6ecb2a24988c92b26911 change-id: 20251009-rk3576_opp-7bafcadef820 Best regards, -- Alexey Charkov <alchark(a)gmail.com>

3 weeks, 1 day

2
1
0 0

[PATCH 6.6 000/196] 6.6.112-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.112 release. There are 196 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 15 Oct 2025 14:42:41 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.112-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.112-rc1 Miaoqian Lin <linmq006(a)gmail.com> usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode Sven Peter <sven(a)kernel.org> usb: typec: tipd: Clear interrupts first Oleksij Rempel <o.rempel(a)pengutronix.de> net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock Salah Triki <salah.triki(a)gmail.com> bus: fsl-mc: Check return value of platform_get_resource() Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> pinctrl: check the return value of pinmux_ops::get_function_name() Zhen Ni <zhen.ni(a)easystack.cn> remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() Lei Lu <llfamsec(a)gmail.com> sunrpc: fix null pointer dereference on zero-length checksum Zhen Ni <zhen.ni(a)easystack.cn> Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Marek Vasut <marek.vasut(a)mailbox.org> Input: atmel_mxt_ts - allow reset GPIO to sleep Ling Xu <quic_lxu5(a)quicinc.com> misc: fastrpc: Skip reference for DMA handles Ling Xu <quic_lxu5(a)quicinc.com> misc: fastrpc: fix possible map leak in fastrpc_put_args Ling Xu <quic_lxu5(a)quicinc.com> misc: fastrpc: Fix fastrpc_map_lookup operation Guangshuo Li <lgs201920130244(a)gmail.com> nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() Yang Shi <yang(a)os.amperecomputing.com> mm: hugetlb: avoid soft lockup when mprotect to large memory area Jan Kara <jack(a)suse.cz> ext4: fix checks for orphan inodes Matvey Kovalev <matvey.kovalev(a)ispras.ru> ksmbd: fix error code overwriting in smb2_get_info_filesystem() Youling Tang <tangyouling(a)kylinos.cn> LoongArch: Automatically disable kaslr if boot from kexec_file Zheng Qixing <zhengqixing(a)huawei.com> dm: fix NULL pointer dereference in __dm_suspend() Zheng Qixing <zhengqixing(a)huawei.com> dm: fix queue start/stop imbalance under suspend/load/resume races Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() Cosmin Tanislav <cosmin-gabriel.tanislav.xa(a)renesas.com> mfd: rz-mtu3: Fix MTU5 NFCR register offset Deepak Sharma <deepak.sharma.472935(a)gmail.com> net: nfc: nci: Add parameter validation for packet data Larshin Sergey <Sergey.Larshin(a)kaspersky.com> fs: udf: fix OOB read in lengthAllocDescs handling Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down Ma Ke <make24(a)iscas.ac.cn> ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() Naman Jain <namjain(a)linux.microsoft.com> uio_hv_generic: Let userspace take care of interrupt mask Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: fix uninit-value in squashfs_get_parent Yazhou Tang <tangyazhou518(a)outlook.com> bpf: Reject negative offsets for ALU ops zhang jiao <zhangjiao2(a)cmss.chinamobile.com> vhost: vringh: Modify the return value check Jakub Kicinski <kuba(a)kernel.org> Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" Enzo Matsumiya <ematsumiya(a)suse.de> smb: client: fix crypto buffers in non-linear memory Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: fw reset, add reset timeout work Shay Drory <shayd(a)nvidia.com> net/mlx5: pagealloc: Fix reclaim race during command interface teardown Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: Stop polling for command response if interface goes down Yeounsu Moon <yyyynoom(a)gmail.com> net: dlink: handle copy_thresh allocation failure Kohei Enju <enjuk(a)amazon.com> net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable Kohei Enju <enjuk(a)amazon.com> nfp: fix RSS hash key size when RSS is not supported Erick Karanja <karanja99erick(a)gmail.com> mtd: rawnand: atmel: Fix error handling path in atmel_nand_controller_add_nands Donet Tom <donettom(a)linux.ibm.com> drivers/base/node: fix double free in register_one_node() Dan Carpenter <dan.carpenter(a)linaro.org> ocfs2: fix double free in user_cluster_connect() Nishanth Menon <nm(a)ti.com> hwrng: ks-sa - fix division by zero in ks_sa_rng_init Fan Wu <wufan(a)kernel.org> KEYS: X.509: Fix Basic Constraints CA flag parsing Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements Pauli Virtanen <pav(a)iki.fi> Bluetooth: ISO: don't leak skb in ISO_CONT RX Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix possible UAF on iso_conn_free Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO Michael S. Tsirkin <mst(a)redhat.com> vhost: vringh: Fix copy_to_iter return value check I Viswanath <viswanathiyyappan(a)gmail.com> net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast Bernard Metzler <bernard.metzler(a)linux.dev> RDMA/siw: Always report immediate post SQ errors Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> usb: vhci-hcd: Prevent suspending virtually attached devices Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Slavin Liu <slavin452(a)gmail.com> ipvs: Defer ip_vs_ftp unregister during netns cleanup Anthony Iliopoulos <ailiop(a)suse.com> NFSv4.1: fix backchannel max_resp_sz verification check Leo Yan <leo.yan(a)arm.com> coresight: trbe: Return NULL pointer for allocation failures Leo Yan <leo.yan(a)arm.com> coresight: etm4x: Support atclk Yuanfang Zhang <yuanfang.zhang(a)oss.qualcomm.com> coresight-etm4x: Conditionally access register TRCEXTINSELR Stephan Gerhold <stephan.gerhold(a)linaro.org> remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice Nagarjuna Kristam <nkristam(a)nvidia.com> PCI: tegra194: Fix duplicate PLL disable in pex_ep_event_pex_rst_assert() Fedor Pchelkin <pchelkin(a)ispras.ru> wifi: rtw89: avoid circular locking dependency in ser_state_run() Gui-Dong Han <hanguidong02(a)gmail.com> RDMA/rxe: Fix race in do_task() when draining Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs Zilin Guan <zilin(a)seu.edu.cn> vfio/pds: replace bitmap_free with vfree Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_to_user for Niagara 4 Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC Aditya Kumar Singh <aditya.kumar.singh(a)oss.qualcomm.com> wifi: mac80211: fix Rx packet handling when pubsta information is not available Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> wifi: ath10k: avoid unnecessary wait for service ready message Bagas Sanjaya <bagasdotme(a)gmail.com> Documentation: trace: historgram-design: Separate sched_waking histogram section heading and the following diagram Vlad Dumitrescu <vdumitrescu(a)nvidia.com> IB/sa: Fix sa_local_svc_timeout_ms read race Parav Pandit <parav(a)nvidia.com> RDMA/core: Resolve MAC of next-hop device without ARP support Michal Pecio <michal.pecio(a)gmail.com> Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" wangzijie <wangzijie1(a)honor.com> f2fs: fix zero-sized extent for precache extents Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp() Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() Qianfeng Rong <rongqianfeng(a)vivo.com> scsi: qla2xxx: edif: Fix incorrect sign of error code Colin Ian King <colin.i.king(a)gmail.com> ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message Chao Yu <chao(a)kernel.org> f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page() Chao Yu <chao(a)kernel.org> f2fs: fix to truncate first page in error path of f2fs_truncate() Chao Yu <chao(a)kernel.org> f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks() Abdun Nihaal <abdun.nihaal(a)gmail.com> wifi: mt76: fix potential memory leak in mt76_wmac_probe() Håkon Bugge <haakon.bugge(a)oracle.com> RDMA/cm: Rate limit destroy CM ID timeout error message Donet Tom <donettom(a)linux.ibm.com> drivers/base/node: handle error properly in register_one_node() Christophe Leroy <christophe.leroy(a)csgroup.eu> watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Zhang Tengfei <zhtfdev(a)gmail.com> ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable Zhen Ni <zhen.ni(a)easystack.cn> netfilter: ipset: Remove unused htable_bits in macro ahash_region Hans de Goede <hansg(a)kernel.org> iio: consumers: Fix offset handling in iio_convert_raw_to_processed() Hans de Goede <hansg(a)kernel.org> iio: consumers: Fix handling of negative channel scale in iio_convert_raw_to_processed() Moon Hee Lee <moonhee.lee.ca(a)gmail.com> fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist Vitaly Grigoryev <Vitaly.Grigoryev(a)kaspersky.com> fs: ntfs3: Fix integer overflow in run_unpack() Qianfeng Rong <rongqianfeng(a)vivo.com> drm/msm/dpu: fix incorrect type for ret Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping Wang Liang <wangliang74(a)huawei.com> pps: fix warning in pps_register_cdev when register device fail Colin Ian King <colin.i.king(a)gmail.com> misc: genwqe: Fix incorrect cmd field being reported in error Seppo Takalo <seppo.takalo(a)nordicsemi.no> tty: n_gsm: Don't block input queue by waiting MSC William Wu <william.wu(a)rock-chips.com> usb: gadget: configfs: Correctly set use_os_string at bind Xichao Zhao <zhao.xichao(a)vivo.com> usb: phy: twl6030: Fix incorrect type for ret Qianfeng Rong <rongqianfeng(a)vivo.com> drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() Eric Dumazet <edumazet(a)google.com> tcp: fix __tcp_close() to only send RST when required Alok Tiwari <alok.a.tiwari(a)oracle.com> PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation Stefan Kerkmann <s.kerkmann(a)pengutronix.de> wifi: mwifiex: send world regulatory domain to driver Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Adjust si_upload_smc_data register programming (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Fix si_upload_smc_data (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/pm: Disable ULV even if unsupported (v3) Timur Kristóf <timur.kristof(a)gmail.com> drm/amdgpu: Power up UVD 3 for FW validation (v2) Yuanfang Zhang <quic_yuanfang(a)quicinc.com> coresight: Only register perf symlink for sinks with alloc_buffer Eric Dumazet <edumazet(a)google.com> inet: ping: check sock_net() in ping_get_port() and ping_lookup() Zhushuai Yin <yinzhushuai(a)huawei.com> crypto: hisilicon/qm - check whether the input function and PF are on the same device Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon - re-enable address prefetch after device resuming Chenghai Huang <huangchenghai2(a)huawei.com> crypto: hisilicon/zip - remove unnecessary validation for high-performance mode configurations Arnd Bergmann <arnd(a)arndb.de> media: st-delta: avoid excessive stack usage Qianfeng Rong <rongqianfeng(a)vivo.com> ALSA: lx_core: use int type to store negative error codes Patrisious Haddad <phaddad(a)nvidia.com> RDMA/mlx5: Fix vport loopback forcing for MPV device Zhang Shurong <zhang_shurong(a)foxmail.com> media: rj54n1cb0c: Fix memleak in rj54n1_probe() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: myrs: Fix dma_alloc_coherent() error check Niklas Cassel <cassel(a)kernel.org> scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Arnd Bergmann <arnd(a)arndb.de> hwrng: nomadik - add ARM_AMBA dependency Thomas Fourier <fourier.thomas(a)gmail.com> crypto: keembay - Add missing check after sg_nents_for_len() Liao Yuanhong <liaoyuanhong(a)vivo.com> drm/amd/display: Remove redundant semicolons Dan Carpenter <dan.carpenter(a)linaro.org> serial: max310x: Add error checking in probe() Komal Bajaj <komal.bajaj(a)oss.qualcomm.com> usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls Dan Carpenter <dan.carpenter(a)linaro.org> usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup Jonas Karlman <jonas(a)kwiboo.se> phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568 Jacopo Mondi <jacopo.mondi(a)ideasonboard.com> media: zoran: Remove zoran_fh structure Chia-I Wu <olvaffe(a)gmail.com> drm/bridge: it6505: select REGMAP_I2C Chao Yu <chao(a)kernel.org> f2fs: fix condition in __allow_reserved_blocks() Brahmajit Das <listout(a)listout.xyz> drm/radeon/r600_cs: clean up of dead code in r600_cs Brigham Campbell <me(a)brighamcampbell.com> drm/panel: novatek-nt35560: Fix invalid return value Daniel Borkmann <daniel(a)iogearbox.net> bpf: Enforce expected_attach_type for tailcall compatibility Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> i2c: designware: Add disabling clocks when probe fails Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> i2c: designware: Fix clock issue when PM is disabled Leilk.Liu <leilk.liu(a)mediatek.com> i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> thermal/drivers/qcom/lmh: Add missing IRQ includes Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> thermal/drivers/qcom: Make LMH select QCOM_SCM Vadim Pasternak <vadimp(a)nvidia.com> hwmon: (mlxreg-fan) Separate methods of fan setting coming from different subsystems Qi Xi <xiqi2(a)huawei.com> once: fix race by moving DO_ONCE to separate section Zhouyi Zhou <zhouzhouyi(a)gmail.com> tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host headers Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> smp: Fix up and expand the smp_call_function_many() kerneldoc Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Explicitly check accesses to bpf_sock_addr Akhilesh Patil <akhilesh(a)ee.iitb.ac.in> selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported Stanley Chu <stanley.chuys(a)gmail.com> i3c: master: svc: Recycle unused IBI slot Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Use manual response for IBI events Daniel Wagner <wagi(a)kernel.org> nvmet-fc: move lsop put work to nvmet_fc_ls_req_op Dmitry Antipov <dmantipov(a)yandex.ru> ACPICA: Fix largest possible resource descriptor index Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: tiehrpwm: Fix corner case in clock divisor calculation AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names Johan Hovold <johan(a)kernel.org> cpuidle: qcom-spm: fix device and OF node leaks at probe Johan Hovold <johan(a)kernel.org> firmware: firmware: meson-sm: fix compile-test default Eric Dumazet <edumazet(a)google.com> nbd: restrict sockets to TCP and UDP Guoqing Jiang <guoqing.jiang(a)canonical.com> arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0 Genjian Zhang <zhanggenjian(a)kylinos.cn> null_blk: Fix the description of the cache_size module argument Qianfeng Rong <rongqianfeng(a)vivo.com> pinctrl: renesas: Use int type to store negative error codes Andy Yan <andyshrk(a)163.com> power: supply: cw2015: Fix a alignment coding style issue Dan Carpenter <dan.carpenter(a)linaro.org> PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe() Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer property Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property to use correct boolean syntax in DTS Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS to use correct boolean syntax Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: core: Clear power.must_resume in noirq suspend error path Qianfeng Rong <rongqianfeng(a)vivo.com> block: use int to store blk_stack_limits() return value Benjamin Berg <benjamin.berg(a)intel.com> selftests/nolibc: fix EXPECT_NZ macro Qianfeng Rong <rongqianfeng(a)vivo.com> regulator: scmi: Use int type to store negative error codes Janne Grunau <j(a)jannau.net> arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: at91: pm: fix MCKx restore routine Li Nan <linan122(a)huawei.com> blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Da Xue <da(a)libre.computer> pinctrl: meson-gxl: add missing i2c_d pinmux Sneh Mankad <sneh.mankad(a)oss.qualcomm.com> soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Huisong Li <lihuisong(a)huawei.com> ACPI: processor: idle: Fix memory leak when register cpuidle device failed Florian Fainelli <florian.fainelli(a)broadcom.com> cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus() Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL Fenglin Wu <fenglin.wu(a)oss.qualcomm.com> leds: flash: leds-qcom-flash: Update torch current clamp setting Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: dts: renesas: porter: Fix CAN pin group Yureka Lilian <yuka(a)yuka.dev> libbpf: Fix reuse of DEVMAP Tao Chen <chen.dylane(a)linux.dev> bpf: Remove migrate_disable in kprobe_multi_link_prog_run Matt Bobrowski <mattbobrowski(a)google.com> bpf/selftests: Fix test_tcpnotify_user Geert Uytterhoeven <geert+renesas(a)glider.be> regmap: Remove superfluous check for !config in __regmap_init() Biju Das <biju.das.jz(a)bp.renesas.com> arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0 Uros Bizjak <ubizjak(a)gmail.com> x86/vdso: Fix output operand size of RDPID Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller Stefan Metzmacher <metze(a)samba.org> smb: server: fix IRD/ORD negotiation with the client Leo Yan <leo.yan(a)arm.com> perf: arm_spe: Prevent overflow in PERF_IDX2OFF() Leo Yan <leo.yan(a)arm.com> coresight: trbe: Prevent overflow in PERF_IDX2OFF() Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote Bala-Vignesh-Reddy <reddybalavignesh9979(a)gmail.com> selftests: arm64: Check fread return value in exec_target Johannes Nixdorf <johannes(a)nixdorf.dev> seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast Geert Uytterhoeven <geert+renesas(a)glider.be> init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD Jeff Layton <jlayton(a)kernel.org> filelock: add FL_RECLAIM to show_fl_flags() macro ------------- Diffstat: Documentation/trace/histogram-design.rst | 4 +- Makefile | 4 +- arch/arm/boot/dts/renesas/r8a7791-porter.dts | 2 +- arch/arm/boot/dts/ti/omap/am335x-baltos.dtsi | 2 +- arch/arm/boot/dts/ti/omap/am335x-cm-t335.dts | 2 - .../dts/ti/omap/omap3-devkit8000-lcd-common.dtsi | 2 +- arch/arm/mach-at91/pm_suspend.S | 4 +- arch/arm64/boot/dts/apple/t8103-j457.dts | 12 +- arch/arm64/boot/dts/mediatek/mt6331.dtsi | 10 +- .../boot/dts/mediatek/mt6795-sony-xperia-m5.dts | 2 +- arch/arm64/boot/dts/mediatek/mt8195.dtsi | 3 - arch/arm64/boot/dts/mediatek/mt8516-pumpkin.dts | 2 +- arch/arm64/boot/dts/qcom/qcm2290.dtsi | 1 + arch/arm64/boot/dts/renesas/rzg2lc-smarc.dtsi | 5 +- arch/loongarch/kernel/relocate.c | 4 + arch/s390/net/bpf_jit_comp.c | 26 ++-- arch/sparc/lib/M7memcpy.S | 20 +-- arch/sparc/lib/Memcpy_utils.S | 9 ++ arch/sparc/lib/NG4memcpy.S | 2 +- arch/sparc/lib/NGmemcpy.S | 29 +++-- arch/sparc/lib/U1memcpy.S | 19 +-- arch/sparc/lib/U3memcpy.S | 2 +- arch/x86/include/asm/segment.h | 8 +- block/blk-mq-sysfs.c | 6 +- block/blk-settings.c | 3 +- crypto/asymmetric_keys/x509_cert_parser.c | 16 ++- drivers/acpi/acpica/aclocal.h | 2 +- drivers/acpi/nfit/core.c | 2 +- drivers/acpi/processor_idle.c | 3 + drivers/base/node.c | 4 + drivers/base/power/main.c | 14 ++- drivers/base/regmap/regmap.c | 2 +- drivers/block/nbd.c | 8 ++ drivers/block/null_blk/main.c | 2 +- drivers/bus/fsl-mc/fsl-mc-bus.c | 3 + drivers/char/hw_random/Kconfig | 1 + drivers/char/hw_random/ks-sa-rng.c | 4 + drivers/cpufreq/scmi-cpufreq.c | 10 ++ drivers/cpuidle/cpuidle-qcom-spm.c | 7 +- drivers/crypto/hisilicon/debugfs.c | 1 + drivers/crypto/hisilicon/hpre/hpre_main.c | 3 +- drivers/crypto/hisilicon/qm.c | 7 +- drivers/crypto/hisilicon/sec2/sec_main.c | 80 ++++++------ drivers/crypto/hisilicon/zip/zip_main.c | 17 +-- .../crypto/intel/keembay/keembay-ocs-hcu-core.c | 5 +- drivers/devfreq/mtk-cci-devfreq.c | 3 +- drivers/edac/i10nm_base.c | 14 +++ drivers/firmware/meson/Kconfig | 2 +- drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 29 ++++- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 +- .../display/dc/dml/dcn32/display_rq_dlg_calc_32.c | 1 - drivers/gpu/drm/amd/pm/amdgpu_dpm_internal.c | 7 ++ drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 92 +++++++++----- drivers/gpu/drm/bridge/Kconfig | 1 + .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 2 +- drivers/gpu/drm/panel/panel-novatek-nt35560.c | 2 +- drivers/gpu/drm/radeon/r600_cs.c | 4 +- drivers/hwmon/mlxreg-fan.c | 24 ++-- drivers/hwtracing/coresight/coresight-core.c | 5 +- drivers/hwtracing/coresight/coresight-etm4x-core.c | 31 +++-- drivers/hwtracing/coresight/coresight-etm4x.h | 6 +- drivers/hwtracing/coresight/coresight-trbe.c | 9 +- drivers/i2c/busses/i2c-designware-platdrv.c | 5 +- drivers/i2c/busses/i2c-mt65xx.c | 17 +-- drivers/i3c/master/svc-i3c-master.c | 31 ++++- drivers/iio/inkern.c | 30 ++--- drivers/infiniband/core/addr.c | 10 +- drivers/infiniband/core/cm.c | 4 +- drivers/infiniband/core/sa_query.c | 6 +- drivers/infiniband/hw/mlx5/main.c | 19 ++- drivers/infiniband/hw/mlx5/mlx5_ib.h | 1 + drivers/infiniband/sw/rxe/rxe_task.c | 8 +- drivers/infiniband/sw/siw/siw_verbs.c | 25 ++-- drivers/input/misc/uinput.c | 1 + drivers/input/touchscreen/atmel_mxt_ts.c | 2 +- drivers/leds/flash/leds-qcom-flash.c | 62 ++++++---- drivers/md/dm-core.h | 1 + drivers/md/dm.c | 13 +- drivers/media/i2c/rj54n1cb0c.c | 9 +- drivers/media/pci/zoran/zoran.h | 6 - drivers/media/pci/zoran/zoran_driver.c | 3 +- .../media/platform/st/sti/delta/delta-mjpeg-dec.c | 20 +-- drivers/mfd/rz-mtu3.c | 2 +- drivers/mfd/vexpress-sysreg.c | 6 +- drivers/misc/fastrpc.c | 62 ++++++---- drivers/misc/genwqe/card_ddcb.c | 2 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 4 +- drivers/net/ethernet/amazon/ena/ena_ethtool.c | 5 +- drivers/net/ethernet/dlink/dl2k.c | 7 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 +- .../ethernet/mellanox/mlx5/core/en/port_buffer.h | 12 -- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 17 +-- drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 24 ++++ .../net/ethernet/mellanox/mlx5/core/pagealloc.c | 7 +- .../net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 +- drivers/net/usb/asix_devices.c | 29 +++++ drivers/net/usb/rtl8150.c | 2 - drivers/net/wireless/ath/ath10k/wmi.c | 39 +++--- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 7 +- drivers/net/wireless/mediatek/mt76/mt7603/soc.c | 2 +- drivers/net/wireless/realtek/rtw89/ser.c | 3 +- drivers/nvme/target/fc.c | 19 ++- drivers/pci/controller/dwc/pcie-tegra194.c | 4 +- drivers/pci/controller/pci-tegra.c | 2 +- drivers/perf/arm_spe_pmu.c | 3 +- drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 12 ++ drivers/pinctrl/meson/pinctrl-meson-gxl.c | 10 ++ drivers/pinctrl/pinmux.c | 2 +- drivers/pinctrl/renesas/pinctrl.c | 3 +- drivers/power/supply/cw2015_battery.c | 3 +- drivers/pps/kapi.c | 5 +- drivers/pps/pps.c | 5 +- drivers/pwm/pwm-tiehrpwm.c | 4 +- drivers/regulator/scmi-regulator.c | 3 +- drivers/remoteproc/pru_rproc.c | 3 +- drivers/remoteproc/qcom_q6v5.c | 3 - drivers/scsi/mpt3sas/mpt3sas_transport.c | 8 +- drivers/scsi/myrs.c | 8 +- drivers/scsi/pm8001/pm8001_sas.c | 9 +- drivers/scsi/qla2xxx/qla_edif.c | 4 +- drivers/scsi/qla2xxx/qla_init.c | 4 +- drivers/scsi/qla2xxx/qla_nvme.c | 2 +- drivers/soc/qcom/rpmh-rsc.c | 7 +- drivers/thermal/qcom/Kconfig | 3 +- drivers/thermal/qcom/lmh.c | 2 + drivers/tty/n_gsm.c | 25 +++- drivers/tty/serial/max310x.c | 2 + drivers/uio/uio_hv_generic.c | 7 +- drivers/usb/cdns3/cdnsp-pci.c | 5 +- drivers/usb/gadget/configfs.c | 2 + drivers/usb/host/max3421-hcd.c | 2 +- drivers/usb/host/xhci-ring.c | 11 +- drivers/usb/misc/Kconfig | 1 + drivers/usb/misc/qcom_eud.c | 33 +++-- drivers/usb/phy/phy-twl6030-usb.c | 3 +- drivers/usb/typec/tipd/core.c | 24 ++-- drivers/usb/usbip/vhci_hcd.c | 22 ++++ drivers/vfio/pci/pds/dirty.c | 2 +- drivers/vhost/vringh.c | 14 ++- drivers/watchdog/mpc8xxx_wdt.c | 2 + fs/ext4/ext4.h | 10 ++ fs/ext4/file.c | 2 +- fs/ext4/inode.c | 2 +- fs/ext4/orphan.c | 6 +- fs/ext4/super.c | 4 +- fs/f2fs/data.c | 9 +- fs/f2fs/f2fs.h | 4 +- fs/f2fs/file.c | 49 ++++---- fs/gfs2/glock.c | 2 - fs/nfs/nfs4proc.c | 2 +- fs/ntfs3/index.c | 10 ++ fs/ntfs3/run.c | 12 +- fs/ocfs2/stack_user.c | 1 + fs/smb/client/smb2ops.c | 17 +-- fs/smb/server/smb2pdu.c | 3 +- fs/smb/server/transport_rdma.c | 97 +++++++++++++-- fs/squashfs/inode.c | 7 ++ fs/squashfs/squashfs_fs_i.h | 2 +- fs/udf/inode.c | 3 + include/asm-generic/vmlinux.lds.h | 1 + include/linux/bpf.h | 1 + include/linux/once.h | 4 +- include/trace/events/filelock.h | 3 +- init/Kconfig | 1 + kernel/bpf/core.c | 5 + kernel/bpf/verifier.c | 4 +- kernel/seccomp.c | 12 +- kernel/smp.c | 11 +- kernel/trace/bpf_trace.c | 9 +- mm/hugetlb.c | 2 + net/bluetooth/hci_sync.c | 10 +- net/bluetooth/iso.c | 9 +- net/bluetooth/mgmt.c | 10 +- net/core/filter.c | 16 ++- net/ipv4/ping.c | 14 ++- net/ipv4/tcp.c | 9 +- net/mac80211/rx.c | 28 ++++- net/netfilter/ipset/ip_set_hash_gen.h | 8 +- net/netfilter/ipvs/ip_vs_conn.c | 4 +- net/netfilter/ipvs/ip_vs_core.c | 11 +- net/netfilter/ipvs/ip_vs_ctl.c | 6 +- net/netfilter/ipvs/ip_vs_est.c | 16 +-- net/netfilter/ipvs/ip_vs_ftp.c | 4 +- net/nfc/nci/ntf.c | 135 +++++++++++++++------ net/sunrpc/auth_gss/svcauth_gss.c | 2 +- sound/pci/lx6464es/lx_core.c | 4 +- sound/soc/codecs/wcd934x.c | 17 ++- sound/soc/intel/boards/bytcht_es8316.c | 20 ++- sound/soc/intel/boards/bytcr_rt5640.c | 7 +- sound/soc/intel/boards/bytcr_rt5651.c | 26 +++- sound/soc/sof/ipc3-topology.c | 10 +- tools/include/nolibc/std.h | 2 +- tools/lib/bpf/libbpf.c | 10 ++ tools/testing/nvdimm/test/ndtest.c | 13 +- tools/testing/selftests/arm64/pauth/exec_target.c | 7 +- .../selftests/bpf/progs/test_tcpnotify_kern.c | 1 - tools/testing/selftests/bpf/test_tcpnotify_user.c | 20 +-- tools/testing/selftests/nolibc/nolibc-test.c | 4 +- tools/testing/selftests/watchdog/watchdog-test.c | 6 + 199 files changed, 1405 insertions(+), 721 deletions(-)

3 weeks, 1 day

10
205
0 0

FAILED: patch "[PATCH] net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 3d3c4cd5c62f24bb3cb4511b7a95df707635e00a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101349-reptile-seldom-427d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3d3c4cd5c62f24bb3cb4511b7a95df707635e00a Mon Sep 17 00:00:00 2001 From: Oleksij Rempel <o.rempel(a)pengutronix.de> Date: Sun, 5 Oct 2025 10:12:03 +0200 Subject: [PATCH] net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prevent USB runtime PM (autosuspend) for AX88772* in bind. usbnet enables runtime PM (autosuspend) by default, so disabling it via the usb_driver flag is ineffective. On AX88772B, autosuspend shows no measurable power saving with current driver (no link partner, admin up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering the PHY off on admin-down, not from USB autosuspend. The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) may synchronously trigger autoresume (usb_autopm_get_interface()) into asix_resume() while the USB PM lock is held. Resume paths then invoke phylink/phylib and MDIO, which also expect RTNL, leading to possible deadlocks or PM lock vs MDIO wake issues. To avoid this, keep the device runtime-PM active by taking a usage reference in ax88772_bind() and dropping it in unbind(). A non-zero PM usage count blocks runtime suspend regardless of userspace policy (.../power/control - pm_runtime_allow/forbid), making this approach robust against sysfs overrides. Holding a runtime-PM usage ref does not affect system-wide suspend; system sleep/resume callbacks continue to run as before. Fixes: 4a2c7217cd5a ("net: usb: asix: ax88772: manage PHY PM from MAC") Reported-by: Hubert Wiśniewski <hubert.wisniewski.25632(a)gmail.com> Closes: https://lore.kernel.org/all/DCGHG5UJT9G3.2K1GHFZ3H87T0@gmail.com Tested-by: Hubert Wiśniewski <hubert.wisniewski.25632(a)gmail.com> Reported-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Closes: https://lore.kernel.org/all/b5ea8296-f981-445d-a09a-2f389d7f6fdd@samsung.com Cc: stable(a)vger.kernel.org Signed-off-by: Oleksij Rempel <o.rempel(a)pengutronix.de> Link: https://patch.msgid.link/20251005081203.3067982-1-o.rempel@pengutronix.de Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c index 792ddda1ad49..85bd5d845409 100644 --- a/drivers/net/usb/asix_devices.c +++ b/drivers/net/usb/asix_devices.c @@ -625,6 +625,21 @@ static void ax88772_suspend(struct usbnet *dev) asix_read_medium_status(dev, 1)); } +/* Notes on PM callbacks and locking context: + * + * - asix_suspend()/asix_resume() are invoked for both runtime PM and + * system-wide suspend/resume. For struct usb_driver the ->resume() + * callback does not receive pm_message_t, so the resume type cannot + * be distinguished here. + * + * - The MAC driver must hold RTNL when calling phylink interfaces such as + * phylink_suspend()/resume(). Those calls will also perform MDIO I/O. + * + * - Taking RTNL and doing MDIO from a runtime-PM resume callback (while + * the USB PM lock is held) is fragile. Since autosuspend brings no + * measurable power saving here, we block it by holding a PM usage + * reference in ax88772_bind(). + */ static int asix_suspend(struct usb_interface *intf, pm_message_t message) { struct usbnet *dev = usb_get_intfdata(intf); @@ -919,6 +934,13 @@ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf) if (ret) goto initphy_err; + /* Keep this interface runtime-PM active by taking a usage ref. + * Prevents runtime suspend while bound and avoids resume paths + * that could deadlock (autoresume under RTNL while USB PM lock + * is held, phylink/MDIO wants RTNL). + */ + pm_runtime_get_noresume(&intf->dev); + return 0; initphy_err: @@ -948,6 +970,8 @@ static void ax88772_unbind(struct usbnet *dev, struct usb_interface *intf) phylink_destroy(priv->phylink); ax88772_mdio_unregister(priv); asix_rx_fixup_common_free(dev->driver_priv); + /* Drop the PM usage ref taken in bind() */ + pm_runtime_put(&intf->dev); } static void ax88178_unbind(struct usbnet *dev, struct usb_interface *intf) @@ -1600,6 +1624,11 @@ static struct usb_driver asix_driver = { .resume = asix_resume, .reset_resume = asix_resume, .disconnect = usbnet_disconnect, + /* usbnet enables autosuspend by default (supports_autosuspend=1). + * We keep runtime-PM active for AX88772* by taking a PM usage + * reference in ax88772_bind() (pm_runtime_get_noresume()) and + * dropping it in unbind(), which effectively blocks autosuspend. + */ .supports_autosuspend = 1, .disable_hub_initiated_lpm = 1, };

3 weeks, 1 day

2
1
0 0

PsicoSmart: Selección de talento y reducción de rotación

by Valeria Pérez

Reduce la rotación y retén a tu talento clave body { margin: 0; padding: 0; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333; background-color: #ffffff; } table { border-spacing: 0; width: 100%; max-width: 600px; margin: auto; } td { padding: 12px 20px; } a { color: #1a73e8; text-decoration: none; } .footer { font-size: 12px; color: #888888; text-align: center; } Evita la rotación de personal y retén talento clave con PsicoSmart. Hola, , ¿Te ha pasado que tus mejores empleados renuncian poco después de ser contratados, dejando vacantes y generando costos inesperados? Confiar únicamente en entrevistas o currículums no siempre garantiza que un candidato encaje en tu empresa. Por eso quiero presentarte PsicoSmart, una herramienta que ayuda a tomar decisiones de selección basadas en datos, reduciendo sorpresas y rotación de personal. Con PsicoSmart puedes: Evaluar 31 competencias psicométricas, incluyendo liderazgo, comunicación, honestidad e inteligencia emocional. Validar conocimientos técnicos con más de 2,500 exámenes especializados. Verificar la identidad de quien responde mediante captura fotográfica automática durante la evaluación. Gestionar todo desde una sola plataforma, accesible desde cualquier dispositivo. Reducir la rotación y retener talento clave está al alcance de un clic. Si quieres conocer más, puedes responder este correo o contactarme directamente, mis datos están abajo. Saludos, -------------- Atte.: Valeria Pérez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewispotseup">click aquí</a>

3 weeks, 1 day

1
0
0 0

FAILED: patch "[PATCH] PCI: endpoint: pci-epf-test: Add NULL check for DMA channels" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 85afa9ea122dd9d4a2ead104a951d318975dcd25 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101341-gallon-ungloved-bc19@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 85afa9ea122dd9d4a2ead104a951d318975dcd25 Mon Sep 17 00:00:00 2001 From: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Date: Tue, 16 Sep 2025 11:57:56 +0900 Subject: [PATCH] PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be NULL even after EPF initialization. Then it is prudent to check that they have non-NULL values before releasing the channels. Add the checks in pci_epf_test_clean_dma_chan(). Without the checks, NULL pointer dereferences happen and they can lead to a kernel panic in some cases: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 Call trace: dma_release_channel+0x2c/0x120 (P) pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test] pci_epc_deinit_notify+0x74/0xc0 tegra_pcie_ep_pex_rst_irq+0x250/0x5d8 irq_thread_fn+0x34/0xb8 irq_thread+0x18c/0x2e8 kthread+0x14c/0x210 ret_from_fork+0x10/0x20 Fixes: 8353813c88ef ("PCI: endpoint: Enable DMA tests for endpoints with DMA capabilities") Fixes: 5ebf3fc59bd2 ("PCI: endpoint: functions/pci-epf-test: Add DMA support to transfer data") Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> [mani: trimmed the stack trace] Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Reviewed-by: Krzysztof Wilczyński <kwilczynski(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250916025756.34807-1-shinichiro.kawasaki@wdc.com diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c index 09e1b8b46b55..31617772ad51 100644 --- a/drivers/pci/endpoint/functions/pci-epf-test.c +++ b/drivers/pci/endpoint/functions/pci-epf-test.c @@ -301,15 +301,20 @@ static void pci_epf_test_clean_dma_chan(struct pci_epf_test *epf_test) if (!epf_test->dma_supported) return; - dma_release_channel(epf_test->dma_chan_tx); - if (epf_test->dma_chan_tx == epf_test->dma_chan_rx) { + if (epf_test->dma_chan_tx) { + dma_release_channel(epf_test->dma_chan_tx); + if (epf_test->dma_chan_tx == epf_test->dma_chan_rx) { + epf_test->dma_chan_tx = NULL; + epf_test->dma_chan_rx = NULL; + return; + } epf_test->dma_chan_tx = NULL; - epf_test->dma_chan_rx = NULL; - return; } - dma_release_channel(epf_test->dma_chan_rx); - epf_test->dma_chan_rx = NULL; + if (epf_test->dma_chan_rx) { + dma_release_channel(epf_test->dma_chan_rx); + epf_test->dma_chan_rx = NULL; + } } static void pci_epf_test_print_rate(struct pci_epf_test *epf_test,

3 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] PCI: endpoint: pci-epf-test: Add NULL check for DMA channels" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 85afa9ea122dd9d4a2ead104a951d318975dcd25 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101340-passably-rounding-59df@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 85afa9ea122dd9d4a2ead104a951d318975dcd25 Mon Sep 17 00:00:00 2001 From: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Date: Tue, 16 Sep 2025 11:57:56 +0900 Subject: [PATCH] PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be NULL even after EPF initialization. Then it is prudent to check that they have non-NULL values before releasing the channels. Add the checks in pci_epf_test_clean_dma_chan(). Without the checks, NULL pointer dereferences happen and they can lead to a kernel panic in some cases: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 Call trace: dma_release_channel+0x2c/0x120 (P) pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test] pci_epc_deinit_notify+0x74/0xc0 tegra_pcie_ep_pex_rst_irq+0x250/0x5d8 irq_thread_fn+0x34/0xb8 irq_thread+0x18c/0x2e8 kthread+0x14c/0x210 ret_from_fork+0x10/0x20 Fixes: 8353813c88ef ("PCI: endpoint: Enable DMA tests for endpoints with DMA capabilities") Fixes: 5ebf3fc59bd2 ("PCI: endpoint: functions/pci-epf-test: Add DMA support to transfer data") Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> [mani: trimmed the stack trace] Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Reviewed-by: Krzysztof Wilczyński <kwilczynski(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250916025756.34807-1-shinichiro.kawasaki@wdc.com diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c index 09e1b8b46b55..31617772ad51 100644 --- a/drivers/pci/endpoint/functions/pci-epf-test.c +++ b/drivers/pci/endpoint/functions/pci-epf-test.c @@ -301,15 +301,20 @@ static void pci_epf_test_clean_dma_chan(struct pci_epf_test *epf_test) if (!epf_test->dma_supported) return; - dma_release_channel(epf_test->dma_chan_tx); - if (epf_test->dma_chan_tx == epf_test->dma_chan_rx) { + if (epf_test->dma_chan_tx) { + dma_release_channel(epf_test->dma_chan_tx); + if (epf_test->dma_chan_tx == epf_test->dma_chan_rx) { + epf_test->dma_chan_tx = NULL; + epf_test->dma_chan_rx = NULL; + return; + } epf_test->dma_chan_tx = NULL; - epf_test->dma_chan_rx = NULL; - return; } - dma_release_channel(epf_test->dma_chan_rx); - epf_test->dma_chan_rx = NULL; + if (epf_test->dma_chan_rx) { + dma_release_channel(epf_test->dma_chan_rx); + epf_test->dma_chan_rx = NULL; + } } static void pci_epf_test_print_rate(struct pci_epf_test *epf_test,

3 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] PCI: endpoint: pci-epf-test: Add NULL check for DMA channels" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 85afa9ea122dd9d4a2ead104a951d318975dcd25 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101340-marbled-uneven-a896@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 85afa9ea122dd9d4a2ead104a951d318975dcd25 Mon Sep 17 00:00:00 2001 From: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Date: Tue, 16 Sep 2025 11:57:56 +0900 Subject: [PATCH] PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be NULL even after EPF initialization. Then it is prudent to check that they have non-NULL values before releasing the channels. Add the checks in pci_epf_test_clean_dma_chan(). Without the checks, NULL pointer dereferences happen and they can lead to a kernel panic in some cases: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 Call trace: dma_release_channel+0x2c/0x120 (P) pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test] pci_epc_deinit_notify+0x74/0xc0 tegra_pcie_ep_pex_rst_irq+0x250/0x5d8 irq_thread_fn+0x34/0xb8 irq_thread+0x18c/0x2e8 kthread+0x14c/0x210 ret_from_fork+0x10/0x20 Fixes: 8353813c88ef ("PCI: endpoint: Enable DMA tests for endpoints with DMA capabilities") Fixes: 5ebf3fc59bd2 ("PCI: endpoint: functions/pci-epf-test: Add DMA support to transfer data") Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> [mani: trimmed the stack trace] Signed-off-by: Manivannan Sadhasivam <mani(a)kernel.org> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Reviewed-by: Krzysztof Wilczyński <kwilczynski(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250916025756.34807-1-shinichiro.kawasaki@wdc.com diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c index 09e1b8b46b55..31617772ad51 100644 --- a/drivers/pci/endpoint/functions/pci-epf-test.c +++ b/drivers/pci/endpoint/functions/pci-epf-test.c @@ -301,15 +301,20 @@ static void pci_epf_test_clean_dma_chan(struct pci_epf_test *epf_test) if (!epf_test->dma_supported) return; - dma_release_channel(epf_test->dma_chan_tx); - if (epf_test->dma_chan_tx == epf_test->dma_chan_rx) { + if (epf_test->dma_chan_tx) { + dma_release_channel(epf_test->dma_chan_tx); + if (epf_test->dma_chan_tx == epf_test->dma_chan_rx) { + epf_test->dma_chan_tx = NULL; + epf_test->dma_chan_rx = NULL; + return; + } epf_test->dma_chan_tx = NULL; - epf_test->dma_chan_rx = NULL; - return; } - dma_release_channel(epf_test->dma_chan_rx); - epf_test->dma_chan_rx = NULL; + if (epf_test->dma_chan_rx) { + dma_release_channel(epf_test->dma_chan_rx); + epf_test->dma_chan_rx = NULL; + } } static void pci_epf_test_print_rate(struct pci_epf_test *epf_test,

3 weeks, 1 day

2
2
0 0

[PATCH v4] dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure

by Zhen Ni

When fsl_edma_alloc_chan_resources() fails after clk_prepare_enable(), the error paths only free IRQs and destroy the TCD pool, but forget to call clk_disable_unprepare(). This causes the channel clock to remain enabled, leaking power and resources. Fix it by disabling the channel clock in the error unwind path. Fixes: d8d4355861d8 ("dmaengine: fsl-edma: add i.MX8ULP edma support") Cc: stable(a)vger.kernel.org Suggested-by: Frank Li <Frank.Li(a)nxp.com> Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- Changes in v2: - Remove FSL_EDMA_DRV_HAS_CHCLK check Changes in v3: - Remove cleanup Changes in v4: - Re-send as a new thread --- drivers/dma/fsl-edma-common.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/dma/fsl-edma-common.c b/drivers/dma/fsl-edma-common.c index 4976d7dde080..11655dcc4d6c 100644 --- a/drivers/dma/fsl-edma-common.c +++ b/drivers/dma/fsl-edma-common.c @@ -852,6 +852,7 @@ int fsl_edma_alloc_chan_resources(struct dma_chan *chan) free_irq(fsl_chan->txirq, fsl_chan); err_txirq: dma_pool_destroy(fsl_chan->tcd_pool); + clk_disable_unprepare(fsl_chan->clk); return ret; } -- 2.20.1

3 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] ksmbd: add max ip connections parameter" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x d8b6dc9256762293048bf122fc11c4e612d0ef5d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101339-chunk-hassle-3d8e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d8b6dc9256762293048bf122fc11c4e612d0ef5d Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Wed, 1 Oct 2025 09:25:35 +0900 Subject: [PATCH] ksmbd: add max ip connections parameter This parameter set the maximum number of connections per ip address. The default is 8. Cc: stable(a)vger.kernel.org Fixes: c0d41112f1a5 ("ksmbd: extend the connection limiting mechanism to support IPv6") Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/ksmbd_netlink.h b/fs/smb/server/ksmbd_netlink.h index 3f07a612c05b..8ccd57fd904b 100644 --- a/fs/smb/server/ksmbd_netlink.h +++ b/fs/smb/server/ksmbd_netlink.h @@ -112,10 +112,11 @@ struct ksmbd_startup_request { __u32 smbd_max_io_size; /* smbd read write size */ __u32 max_connections; /* Number of maximum simultaneous connections */ __s8 bind_interfaces_only; - __s8 reserved[503]; /* Reserved room */ + __u32 max_ip_connections; /* Number of maximum connection per ip address */ + __s8 reserved[499]; /* Reserved room */ __u32 ifc_list_sz; /* interfaces list size */ __s8 ____payload[]; -}; +} __packed; #define KSMBD_STARTUP_CONFIG_INTERFACES(s) ((s)->____payload) diff --git a/fs/smb/server/server.h b/fs/smb/server/server.h index 995555febe7d..b8a7317be86b 100644 --- a/fs/smb/server/server.h +++ b/fs/smb/server/server.h @@ -43,6 +43,7 @@ struct ksmbd_server_config { unsigned int auth_mechs; unsigned int max_connections; unsigned int max_inflight_req; + unsigned int max_ip_connections; char *conf[SERVER_CONF_WORK_GROUP + 1]; struct task_struct *dh_task; diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c index 2a3e2b0ce557..2aa1b29bea08 100644 --- a/fs/smb/server/transport_ipc.c +++ b/fs/smb/server/transport_ipc.c @@ -335,6 +335,9 @@ static int ipc_server_config_on_startup(struct ksmbd_startup_request *req) if (req->max_connections) server_conf.max_connections = req->max_connections; + if (req->max_ip_connections) + server_conf.max_ip_connections = req->max_ip_connections; + ret = ksmbd_set_netbios_name(req->netbios_name); ret |= ksmbd_set_server_string(req->server_string); ret |= ksmbd_set_work_group(req->work_group); diff --git a/fs/smb/server/transport_tcp.c b/fs/smb/server/transport_tcp.c index 7440a2fd1126..e9ecb43db9d9 100644 --- a/fs/smb/server/transport_tcp.c +++ b/fs/smb/server/transport_tcp.c @@ -225,6 +225,7 @@ static int ksmbd_kthread_fn(void *p) struct interface *iface = (struct interface *)p; struct ksmbd_conn *conn; int ret; + unsigned int max_ip_conns; while (!kthread_should_stop()) { mutex_lock(&iface->sock_release_lock); @@ -242,34 +243,38 @@ static int ksmbd_kthread_fn(void *p) continue; } + if (!server_conf.max_ip_connections) + goto skip_max_ip_conns_limit; + /* * Limits repeated connections from clients with the same IP. */ + max_ip_conns = 0; down_read(&conn_list_lock); - list_for_each_entry(conn, &conn_list, conns_list) + list_for_each_entry(conn, &conn_list, conns_list) { #if IS_ENABLED(CONFIG_IPV6) if (client_sk->sk->sk_family == AF_INET6) { if (memcmp(&client_sk->sk->sk_v6_daddr, - &conn->inet6_addr, 16) == 0) { - ret = -EAGAIN; - break; - } + &conn->inet6_addr, 16) == 0) + max_ip_conns++; } else if (inet_sk(client_sk->sk)->inet_daddr == - conn->inet_addr) { - ret = -EAGAIN; - break; - } + conn->inet_addr) + max_ip_conns++; #else if (inet_sk(client_sk->sk)->inet_daddr == - conn->inet_addr) { + conn->inet_addr) + max_ip_conns++; +#endif + if (server_conf.max_ip_connections <= max_ip_conns) { ret = -EAGAIN; break; } -#endif + } up_read(&conn_list_lock); if (ret == -EAGAIN) continue; +skip_max_ip_conns_limit: if (server_conf.max_connections && atomic_inc_return(&active_num_conn) >= server_conf.max_connections) { pr_info_ratelimited("Limit the maximum number of connections(%u)\n",

3 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] misc: fastrpc: Save actual DMA size in fastrpc_map structure" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 8b5b456222fd604079b5cf2af1f25ad690f54a25 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101329-freestyle-unfair-5d44@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8b5b456222fd604079b5cf2af1f25ad690f54a25 Mon Sep 17 00:00:00 2001 From: Ling Xu <quic_lxu5(a)quicinc.com> Date: Fri, 12 Sep 2025 14:12:33 +0100 Subject: [PATCH] misc: fastrpc: Save actual DMA size in fastrpc_map structure For user passed fd buffer, map is created using DMA calls. The map related information is stored in fastrpc_map structure. The actual DMA size is not stored in the structure. Store the actual size of buffer and check it against the user passed size. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Cc: stable(a)kernel.org Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> Co-developed-by: Ekansh Gupta <ekansh.gupta(a)oss.qualcomm.com> Signed-off-by: Ekansh Gupta <ekansh.gupta(a)oss.qualcomm.com> Signed-off-by: Ling Xu <quic_lxu5(a)quicinc.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> Link: https://lore.kernel.org/r/20250912131236.303102-2-srini@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 53e88a1bc430..52571916acd4 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -323,11 +323,11 @@ static void fastrpc_free_map(struct kref *ref) perm.vmid = QCOM_SCM_VMID_HLOS; perm.perm = QCOM_SCM_PERM_RWX; - err = qcom_scm_assign_mem(map->phys, map->size, + err = qcom_scm_assign_mem(map->phys, map->len, &src_perms, &perm, 1); if (err) { dev_err(map->fl->sctx->dev, "Failed to assign memory phys 0x%llx size 0x%llx err %d\n", - map->phys, map->size, err); + map->phys, map->len, err); return; } } @@ -758,7 +758,8 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, struct fastrpc_session_ctx *sess = fl->sctx; struct fastrpc_map *map = NULL; struct sg_table *table; - int err = 0; + struct scatterlist *sgl = NULL; + int err = 0, sgl_index = 0; if (!fastrpc_map_lookup(fl, fd, ppmap, true)) return 0; @@ -798,7 +799,15 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, map->phys = sg_dma_address(map->table->sgl); map->phys += ((u64)fl->sctx->sid << 32); } - map->size = len; + for_each_sg(map->table->sgl, sgl, map->table->nents, + sgl_index) + map->size += sg_dma_len(sgl); + if (len > map->size) { + dev_dbg(sess->dev, "Bad size passed len 0x%llx map size 0x%llx\n", + len, map->size); + err = -EINVAL; + goto map_err; + } map->va = sg_virt(map->table->sgl); map->len = len; @@ -815,10 +824,10 @@ static int fastrpc_map_create(struct fastrpc_user *fl, int fd, dst_perms[1].vmid = fl->cctx->vmperms[0].vmid; dst_perms[1].perm = QCOM_SCM_PERM_RWX; map->attr = attr; - err = qcom_scm_assign_mem(map->phys, (u64)map->size, &src_perms, dst_perms, 2); + err = qcom_scm_assign_mem(map->phys, (u64)map->len, &src_perms, dst_perms, 2); if (err) { dev_err(sess->dev, "Failed to assign memory with phys 0x%llx size 0x%llx err %d\n", - map->phys, map->size, err); + map->phys, map->len, err); goto map_err; } } @@ -2046,7 +2055,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *fl, char __user *argp) args[0].length = sizeof(req_msg); pages.addr = map->phys; - pages.size = map->size; + pages.size = map->len; args[1].ptr = (u64) (uintptr_t) &pages; args[1].length = sizeof(pages); @@ -2061,7 +2070,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *fl, char __user *argp) err = fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE, sc, &args[0]); if (err) { dev_err(dev, "mem mmap error, fd %d, vaddr %llx, size %lld\n", - req.fd, req.vaddrin, map->size); + req.fd, req.vaddrin, map->len); goto err_invoke; } @@ -2074,7 +2083,7 @@ static int fastrpc_req_mem_map(struct fastrpc_user *fl, char __user *argp) if (copy_to_user((void __user *)argp, &req, sizeof(req))) { /* unmap the memory and release the buffer */ req_unmap.vaddr = (uintptr_t) rsp_msg.vaddr; - req_unmap.length = map->size; + req_unmap.length = map->len; fastrpc_req_mem_unmap_impl(fl, &req_unmap); return -EFAULT; }

3 weeks, 1 day

2
2
0 0

FAILED: patch "[PATCH] ksmbd: add max ip connections parameter" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x d8b6dc9256762293048bf122fc11c4e612d0ef5d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101339-refocus-negotiate-7718@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d8b6dc9256762293048bf122fc11c4e612d0ef5d Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Wed, 1 Oct 2025 09:25:35 +0900 Subject: [PATCH] ksmbd: add max ip connections parameter This parameter set the maximum number of connections per ip address. The default is 8. Cc: stable(a)vger.kernel.org Fixes: c0d41112f1a5 ("ksmbd: extend the connection limiting mechanism to support IPv6") Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/ksmbd_netlink.h b/fs/smb/server/ksmbd_netlink.h index 3f07a612c05b..8ccd57fd904b 100644 --- a/fs/smb/server/ksmbd_netlink.h +++ b/fs/smb/server/ksmbd_netlink.h @@ -112,10 +112,11 @@ struct ksmbd_startup_request { __u32 smbd_max_io_size; /* smbd read write size */ __u32 max_connections; /* Number of maximum simultaneous connections */ __s8 bind_interfaces_only; - __s8 reserved[503]; /* Reserved room */ + __u32 max_ip_connections; /* Number of maximum connection per ip address */ + __s8 reserved[499]; /* Reserved room */ __u32 ifc_list_sz; /* interfaces list size */ __s8 ____payload[]; -}; +} __packed; #define KSMBD_STARTUP_CONFIG_INTERFACES(s) ((s)->____payload) diff --git a/fs/smb/server/server.h b/fs/smb/server/server.h index 995555febe7d..b8a7317be86b 100644 --- a/fs/smb/server/server.h +++ b/fs/smb/server/server.h @@ -43,6 +43,7 @@ struct ksmbd_server_config { unsigned int auth_mechs; unsigned int max_connections; unsigned int max_inflight_req; + unsigned int max_ip_connections; char *conf[SERVER_CONF_WORK_GROUP + 1]; struct task_struct *dh_task; diff --git a/fs/smb/server/transport_ipc.c b/fs/smb/server/transport_ipc.c index 2a3e2b0ce557..2aa1b29bea08 100644 --- a/fs/smb/server/transport_ipc.c +++ b/fs/smb/server/transport_ipc.c @@ -335,6 +335,9 @@ static int ipc_server_config_on_startup(struct ksmbd_startup_request *req) if (req->max_connections) server_conf.max_connections = req->max_connections; + if (req->max_ip_connections) + server_conf.max_ip_connections = req->max_ip_connections; + ret = ksmbd_set_netbios_name(req->netbios_name); ret |= ksmbd_set_server_string(req->server_string); ret |= ksmbd_set_work_group(req->work_group); diff --git a/fs/smb/server/transport_tcp.c b/fs/smb/server/transport_tcp.c index 7440a2fd1126..e9ecb43db9d9 100644 --- a/fs/smb/server/transport_tcp.c +++ b/fs/smb/server/transport_tcp.c @@ -225,6 +225,7 @@ static int ksmbd_kthread_fn(void *p) struct interface *iface = (struct interface *)p; struct ksmbd_conn *conn; int ret; + unsigned int max_ip_conns; while (!kthread_should_stop()) { mutex_lock(&iface->sock_release_lock); @@ -242,34 +243,38 @@ static int ksmbd_kthread_fn(void *p) continue; } + if (!server_conf.max_ip_connections) + goto skip_max_ip_conns_limit; + /* * Limits repeated connections from clients with the same IP. */ + max_ip_conns = 0; down_read(&conn_list_lock); - list_for_each_entry(conn, &conn_list, conns_list) + list_for_each_entry(conn, &conn_list, conns_list) { #if IS_ENABLED(CONFIG_IPV6) if (client_sk->sk->sk_family == AF_INET6) { if (memcmp(&client_sk->sk->sk_v6_daddr, - &conn->inet6_addr, 16) == 0) { - ret = -EAGAIN; - break; - } + &conn->inet6_addr, 16) == 0) + max_ip_conns++; } else if (inet_sk(client_sk->sk)->inet_daddr == - conn->inet_addr) { - ret = -EAGAIN; - break; - } + conn->inet_addr) + max_ip_conns++; #else if (inet_sk(client_sk->sk)->inet_daddr == - conn->inet_addr) { + conn->inet_addr) + max_ip_conns++; +#endif + if (server_conf.max_ip_connections <= max_ip_conns) { ret = -EAGAIN; break; } -#endif + } up_read(&conn_list_lock); if (ret == -EAGAIN) continue; +skip_max_ip_conns_limit: if (server_conf.max_connections && atomic_inc_return(&active_num_conn) >= server_conf.max_connections) { pr_info_ratelimited("Limit the maximum number of connections(%u)\n",

3 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] mm/ksm: fix incorrect KSM counter handling in mm_struct" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 4d6fc29f36341d7795db1d1819b4c15fe9be7b23 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101300-backspace-pulmonary-5620@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4d6fc29f36341d7795db1d1819b4c15fe9be7b23 Mon Sep 17 00:00:00 2001 From: Donet Tom <donettom(a)linux.ibm.com> Date: Wed, 24 Sep 2025 00:16:59 +0530 Subject: [PATCH] mm/ksm: fix incorrect KSM counter handling in mm_struct during fork Patch series "mm/ksm: Fix incorrect accounting of KSM counters during fork", v3. The first patch in this series fixes the incorrect accounting of KSM counters such as ksm_merging_pages, ksm_rmap_items, and the global ksm_zero_pages during fork. The following patch add a selftest to verify the ksm_merging_pages counter was updated correctly during fork. Test Results ============ Without the first patch ----------------------- # [RUN] test_fork_ksm_merging_page_count not ok 10 ksm_merging_page in child: 32 With the first patch -------------------- # [RUN] test_fork_ksm_merging_page_count ok 10 ksm_merging_pages is not inherited after fork This patch (of 2): Currently, the KSM-related counters in `mm_struct`, such as `ksm_merging_pages`, `ksm_rmap_items`, and `ksm_zero_pages`, are inherited by the child process during fork. This results in inconsistent accounting. When a process uses KSM, identical pages are merged and an rmap item is created for each merged page. The `ksm_merging_pages` and `ksm_rmap_items` counters are updated accordingly. However, after a fork, these counters are copied to the child while the corresponding rmap items are not. As a result, when the child later triggers an unmerge, there are no rmap items present in the child, so the counters remain stale, leading to incorrect accounting. A similar issue exists with `ksm_zero_pages`, which maintains both a global counter and a per-process counter. During fork, the per-process counter is inherited by the child, but the global counter is not incremented. Since the child also references zero pages, the global counter should be updated as well. Otherwise, during zero-page unmerge, both the global and per-process counters are decremented, causing the global counter to become inconsistent. To fix this, ksm_merging_pages and ksm_rmap_items are reset to 0 during fork, and the global ksm_zero_pages counter is updated with the per-process ksm_zero_pages value inherited by the child. This ensures that KSM statistics remain accurate and reflect the activity of each process correctly. Link: https://lkml.kernel.org/r/cover.1758648700.git.donettom@linux.ibm.com Link: https://lkml.kernel.org/r/7b9870eb67ccc0d79593940d9dbd4a0b39b5d396.17586487… Fixes: 7609385337a4 ("ksm: count ksm merging pages for each process") Fixes: cb4df4cae4f2 ("ksm: count allocated ksm rmap_items for each process") Fixes: e2942062e01d ("ksm: count all zero pages placed by KSM") Signed-off-by: Donet Tom <donettom(a)linux.ibm.com> Reviewed-by: Chengming Zhou <chengming.zhou(a)linux.dev> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Aboorva Devarajan <aboorvad(a)linux.ibm.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Donet Tom <donettom(a)linux.ibm.com> Cc: "Ritesh Harjani (IBM)" <ritesh.list(a)gmail.com> Cc: Wei Yang <richard.weiyang(a)gmail.com> Cc: xu xin <xu.xin16(a)zte.com.cn> Cc: <stable(a)vger.kernel.org> [6.6+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/ksm.h b/include/linux/ksm.h index 22e67ca7cba3..067538fc4d58 100644 --- a/include/linux/ksm.h +++ b/include/linux/ksm.h @@ -56,8 +56,14 @@ static inline long mm_ksm_zero_pages(struct mm_struct *mm) static inline void ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm) { /* Adding mm to ksm is best effort on fork. */ - if (mm_flags_test(MMF_VM_MERGEABLE, oldmm)) + if (mm_flags_test(MMF_VM_MERGEABLE, oldmm)) { + long nr_ksm_zero_pages = atomic_long_read(&mm->ksm_zero_pages); + + mm->ksm_merging_pages = 0; + mm->ksm_rmap_items = 0; + atomic_long_add(nr_ksm_zero_pages, &ksm_zero_pages); __ksm_enter(mm); + } } static inline int ksm_execve(struct mm_struct *mm)

3 weeks, 1 day

2
1
0 0

[PATCH v1] fsnotify: Pass correct offset to fsnotify_mmap_perm()

by Ryan Roberts

fsnotify_mmap_perm() requires a byte offset for the file about to be mmap'ed. But it is called from vm_mmap_pgoff(), which has a page offset. Previously the conversion was done incorrectly so let's fix it, being careful not to overflow on 32-bit platforms. Discovered during code review. Cc: <stable(a)vger.kernel.org> Fixes: 066e053fe208 ("fsnotify: add pre-content hooks on mmap()") Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> --- Applies against today's mm-unstable (aa05a436eca8). Thanks, Ryan mm/util.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/util.c b/mm/util.c index 6c1d64ed0221..8989d5767528 100644 --- a/mm/util.c +++ b/mm/util.c @@ -566,6 +566,7 @@ unsigned long vm_mmap_pgoff(struct file *file, unsigned long addr, unsigned long len, unsigned long prot, unsigned long flag, unsigned long pgoff) { + loff_t off = (loff_t)pgoff << PAGE_SHIFT; unsigned long ret; struct mm_struct *mm = current->mm; unsigned long populate; @@ -573,7 +574,7 @@ unsigned long vm_mmap_pgoff(struct file *file, unsigned long addr, ret = security_mmap_file(file, prot, flag); if (!ret) - ret = fsnotify_mmap_perm(file, prot, pgoff >> PAGE_SHIFT, len); + ret = fsnotify_mmap_perm(file, prot, off, len); if (!ret) { if (mmap_write_lock_killable(mm)) return -EINTR; -- 2.43.0

3 weeks, 1 day

6
12
0 0

[PATCH for v5 0/2] media: pci: Fix invalid access to file *

by Jacopo Mondi

Since commits 7b9eb53e8591 ("media: cx18: Access v4l2_fh from file") 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file") All the ioctl handlers access their private data structures from file * The ivtv and cx18 drivers call the ioctl handlers from their DVB layer without a valid file *, causing invalid memory access. The issue has been reported by smatch in "[bug report] media: cx18: Access v4l2_fh from file" Fix this by providing wrappers for the ioctl handlers to be used by the DVB layer that do not require a valid file *. Signed-off-by: Jacopo Mondi <jacopo.mondi(a)ideasonboard.com> --- Changes in v5: - Remove stray link from cx18 patch - Add Hans' tags - Link to v4: https://lore.kernel.org/r/20250819-cx18-v4l2-fh-v4-0-9db1635d6787@ideasonbo… Changes in v4: - Slightly adjust commit messages - Link to v3: https://lore.kernel.org/r/20250818-cx18-v4l2-fh-v3-0-5e2f08f3cadc@ideasonbo… Changes in v3: - Change helpers to accept the type they're going to operate on instead of using the open_id wrapper type as suggested by Laurent - Link to v2: https://lore.kernel.org/r/20250818-cx18-v4l2-fh-v2-0-3f53ce423663@ideasonbo… Changes in v2: - Add Cc: stable(a)vger.kernel.org per-patch --- Jacopo Mondi (2): media: cx18: Fix invalid access to file * media: ivtv: Fix invalid access to file * drivers/media/pci/cx18/cx18-driver.c | 9 +++------ drivers/media/pci/cx18/cx18-ioctl.c | 30 +++++++++++++++++++----------- drivers/media/pci/cx18/cx18-ioctl.h | 8 +++++--- drivers/media/pci/ivtv/ivtv-driver.c | 11 ++++------- drivers/media/pci/ivtv/ivtv-ioctl.c | 22 +++++++++++++++++----- drivers/media/pci/ivtv/ivtv-ioctl.h | 6 ++++-- 6 files changed, 52 insertions(+), 34 deletions(-) --- base-commit: 3a8660878839faadb4f1a6dd72c3179c1df56787 change-id: 20250818-cx18-v4l2-fh-7eaa6199fdde Best regards, -- Jacopo Mondi <jacopo.mondi(a)ideasonboard.com>

3 weeks, 1 day

2
3
0 0

[PATCH v6 7/7] iommu/sva: Invalidate stale IOTLB entries for kernel address space

by Lu Baolu

In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. A Use-After-Free (UAF) and Write-After-Free (WAF) condition arises when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. To mitigate this, a new IOMMU interface is introduced to flush IOTLB entries for the kernel address space. This interface is invoked from the x86 architecture code that manages combined user and kernel page tables, specifically before any kernel page table page is freed and reused. This addresses the main issue with vfree() which is a common occurrence and can be triggered by unprivileged users. While this resolves the primary problem, it doesn't address some extremely rare case related to memory unplug of memory that was present as reserved memory at boot, which cannot be triggered by unprivileged users. The discussion can be found at the link below. Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices") Cc: stable(a)vger.kernel.org Suggested-by: Jann Horn <jannh(a)google.com> Co-developed-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Signed-off-by: Lu Baolu <baolu.lu(a)linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg(a)nvidia.com> Reviewed-by: Vasant Hegde <vasant.hegde(a)amd.com> Reviewed-by: Kevin Tian <kevin.tian(a)intel.com> Link: https://lore.kernel.org/linux-iommu/04983c62-3b1d-40d4-93ae-34ca04b827e5@in… --- include/linux/iommu.h | 4 ++++ drivers/iommu/iommu-sva.c | 29 ++++++++++++++++++++++++++++- mm/pgtable-generic.c | 2 ++ 3 files changed, 34 insertions(+), 1 deletion(-) diff --git a/include/linux/iommu.h b/include/linux/iommu.h index c30d12e16473..66e4abb2df0d 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -1134,7 +1134,9 @@ struct iommu_sva { struct iommu_mm_data { u32 pasid; + struct mm_struct *mm; struct list_head sva_domains; + struct list_head mm_list_elm; }; int iommu_fwspec_init(struct device *dev, struct fwnode_handle *iommu_fwnode); @@ -1615,6 +1617,7 @@ struct iommu_sva *iommu_sva_bind_device(struct device *dev, struct mm_struct *mm); void iommu_sva_unbind_device(struct iommu_sva *handle); u32 iommu_sva_get_pasid(struct iommu_sva *handle); +void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end); #else static inline struct iommu_sva * iommu_sva_bind_device(struct device *dev, struct mm_struct *mm) @@ -1639,6 +1642,7 @@ static inline u32 mm_get_enqcmd_pasid(struct mm_struct *mm) } static inline void mm_pasid_drop(struct mm_struct *mm) {} +static inline void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end) {} #endif /* CONFIG_IOMMU_SVA */ #ifdef CONFIG_IOMMU_IOPF diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c index 1a51cfd82808..d236aef80a8d 100644 --- a/drivers/iommu/iommu-sva.c +++ b/drivers/iommu/iommu-sva.c @@ -10,6 +10,8 @@ #include "iommu-priv.h" static DEFINE_MUTEX(iommu_sva_lock); +static bool iommu_sva_present; +static LIST_HEAD(iommu_sva_mms); static struct iommu_domain *iommu_sva_domain_alloc(struct device *dev, struct mm_struct *mm); @@ -42,6 +44,7 @@ static struct iommu_mm_data *iommu_alloc_mm_data(struct mm_struct *mm, struct de return ERR_PTR(-ENOSPC); } iommu_mm->pasid = pasid; + iommu_mm->mm = mm; INIT_LIST_HEAD(&iommu_mm->sva_domains); /* * Make sure the write to mm->iommu_mm is not reordered in front of @@ -132,8 +135,13 @@ struct iommu_sva *iommu_sva_bind_device(struct device *dev, struct mm_struct *mm if (ret) goto out_free_domain; domain->users = 1; - list_add(&domain->next, &mm->iommu_mm->sva_domains); + if (list_empty(&iommu_mm->sva_domains)) { + if (list_empty(&iommu_sva_mms)) + iommu_sva_present = true; + list_add(&iommu_mm->mm_list_elm, &iommu_sva_mms); + } + list_add(&domain->next, &iommu_mm->sva_domains); out: refcount_set(&handle->users, 1); mutex_unlock(&iommu_sva_lock); @@ -175,6 +183,13 @@ void iommu_sva_unbind_device(struct iommu_sva *handle) list_del(&domain->next); iommu_domain_free(domain); } + + if (list_empty(&iommu_mm->sva_domains)) { + list_del(&iommu_mm->mm_list_elm); + if (list_empty(&iommu_sva_mms)) + iommu_sva_present = false; + } + mutex_unlock(&iommu_sva_lock); kfree(handle); } @@ -312,3 +327,15 @@ static struct iommu_domain *iommu_sva_domain_alloc(struct device *dev, return domain; } + +void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end) +{ + struct iommu_mm_data *iommu_mm; + + guard(mutex)(&iommu_sva_lock); + if (!iommu_sva_present) + return; + + list_for_each_entry(iommu_mm, &iommu_sva_mms, mm_list_elm) + mmu_notifier_arch_invalidate_secondary_tlbs(iommu_mm->mm, start, end); +} diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c index 1c7caa8ef164..8c22be79b734 100644 --- a/mm/pgtable-generic.c +++ b/mm/pgtable-generic.c @@ -13,6 +13,7 @@ #include <linux/swap.h> #include <linux/swapops.h> #include <linux/mm_inline.h> +#include <linux/iommu.h> #include <asm/pgalloc.h> #include <asm/tlb.h> @@ -430,6 +431,7 @@ static void kernel_pgtable_work_func(struct work_struct *work) list_splice_tail_init(&kernel_pgtable_work.list, &page_list); spin_unlock(&kernel_pgtable_work.lock); + iommu_sva_invalidate_kva_range(PAGE_OFFSET, TLB_FLUSH_ALL); list_for_each_entry_safe(pt, next, &page_list, pt_list) __pagetable_free(pt); } -- 2.43.0

3 weeks, 1 day

1
0
0 0

FAILED: patch "[PATCH] tracing: Fix race condition in kprobe initialization causing" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101331-mulled-pueblo-7ac2@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f Mon Sep 17 00:00:00 2001 From: Yuan Chen <chenyuan(a)kylinos.cn> Date: Wed, 1 Oct 2025 03:20:25 +0100 Subject: [PATCH] tracing: Fix race condition in kprobe initialization causing NULL pointer dereference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash. [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828] kprobe_perf_func+0x30/0x260 [1135630.441661] kprobe_dispatcher+0x44/0x60 [1135630.448396] aggr_pre_handler+0x70/0xc8 [1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435] brk_handler+0xbc/0xd8 [1135630.468437] do_debug_exception+0x84/0x138 [1135630.475074] el1_dbg+0x18/0x8c [1135630.480582] security_file_permission+0x0/0xd0 [1135630.487426] vfs_write+0x70/0x1c0 [1135630.493059] ksys_write+0x5c/0xc8 [1135630.498638] __arm64_sys_write+0x24/0x30 [1135630.504821] el0_svc_common+0x78/0x130 [1135630.510838] el0_svc_handler+0x38/0x78 [1135630.516834] el0_svc+0x8/0x1b0 kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec <kprobe_perf_func+0x2c>: ldr x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 <kprobe_perf_func+0x30>: ldr x1, [x21,x0] kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: return 0; crash> struct trace_event_call -o struct trace_event_call { ... [120] struct hlist_head *perf_events; //(call->perf_event) ... } crash> struct trace_event_call ffffaf015340e528 struct trace_event_call { ... perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0 ... } Race Condition Analysis: The race occurs between kprobe activation and perf_events initialization: CPU0 CPU1 ==== ==== perf_kprobe_init perf_trace_event_init tp_event->perf_events = list;(1) tp_event->class->reg (2)← KPROBE ACTIVE Debug exception triggers ... kprobe_dispatcher kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE) head = this_cpu_ptr(call->perf_events)(3) (perf_events is still NULL) Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. CPU1 calls kprobe_perf_func() and crashes at (3) because call->perf_events is still NULL CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned. Add pairing read and write memory barriers to guarantee that if CPU1 sees that kprobe functionality is enabled, it must also see that perf_events has been assigned. Link: https://lore.kernel.org/all/20251001022025.44626-1-chenyuan_fl@163.com/ Fixes: 50d780560785 ("tracing/kprobes: Add probe handler dispatcher to support perf and ftrace concurrent use") Cc: stable(a)vger.kernel.org Signed-off-by: Yuan Chen <chenyuan(a)kylinos.cn> Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> diff --git a/kernel/trace/trace_fprobe.c b/kernel/trace/trace_fprobe.c index b36ade43d4b3..ad9d6347b5fa 100644 --- a/kernel/trace/trace_fprobe.c +++ b/kernel/trace/trace_fprobe.c @@ -522,13 +522,14 @@ static int fentry_dispatcher(struct fprobe *fp, unsigned long entry_ip, void *entry_data) { struct trace_fprobe *tf = container_of(fp, struct trace_fprobe, fp); + unsigned int flags = trace_probe_load_flag(&tf->tp); int ret = 0; - if (trace_probe_test_flag(&tf->tp, TP_FLAG_TRACE)) + if (flags & TP_FLAG_TRACE) fentry_trace_func(tf, entry_ip, fregs); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tf->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) ret = fentry_perf_func(tf, entry_ip, fregs); #endif return ret; @@ -540,11 +541,12 @@ static void fexit_dispatcher(struct fprobe *fp, unsigned long entry_ip, void *entry_data) { struct trace_fprobe *tf = container_of(fp, struct trace_fprobe, fp); + unsigned int flags = trace_probe_load_flag(&tf->tp); - if (trace_probe_test_flag(&tf->tp, TP_FLAG_TRACE)) + if (flags & TP_FLAG_TRACE) fexit_trace_func(tf, entry_ip, ret_ip, fregs, entry_data); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tf->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) fexit_perf_func(tf, entry_ip, ret_ip, fregs, entry_data); #endif } diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index fa60362a3f31..ee8171b19bee 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -1815,14 +1815,15 @@ static int kprobe_register(struct trace_event_call *event, static int kprobe_dispatcher(struct kprobe *kp, struct pt_regs *regs) { struct trace_kprobe *tk = container_of(kp, struct trace_kprobe, rp.kp); + unsigned int flags = trace_probe_load_flag(&tk->tp); int ret = 0; raw_cpu_inc(*tk->nhit); - if (trace_probe_test_flag(&tk->tp, TP_FLAG_TRACE)) + if (flags & TP_FLAG_TRACE) kprobe_trace_func(tk, regs); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tk->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) ret = kprobe_perf_func(tk, regs); #endif return ret; @@ -1834,6 +1835,7 @@ kretprobe_dispatcher(struct kretprobe_instance *ri, struct pt_regs *regs) { struct kretprobe *rp = get_kretprobe(ri); struct trace_kprobe *tk; + unsigned int flags; /* * There is a small chance that get_kretprobe(ri) returns NULL when @@ -1846,10 +1848,11 @@ kretprobe_dispatcher(struct kretprobe_instance *ri, struct pt_regs *regs) tk = container_of(rp, struct trace_kprobe, rp); raw_cpu_inc(*tk->nhit); - if (trace_probe_test_flag(&tk->tp, TP_FLAG_TRACE)) + flags = trace_probe_load_flag(&tk->tp); + if (flags & TP_FLAG_TRACE) kretprobe_trace_func(tk, ri, regs); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tk->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) kretprobe_perf_func(tk, ri, regs); #endif return 0; /* We don't tweak kernel, so just return 0 */ diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h index 842383fbc03b..08b5bda24da2 100644 --- a/kernel/trace/trace_probe.h +++ b/kernel/trace/trace_probe.h @@ -271,16 +271,21 @@ struct event_file_link { struct list_head list; }; +static inline unsigned int trace_probe_load_flag(struct trace_probe *tp) +{ + return smp_load_acquire(&tp->event->flags); +} + static inline bool trace_probe_test_flag(struct trace_probe *tp, unsigned int flag) { - return !!(tp->event->flags & flag); + return !!(trace_probe_load_flag(tp) & flag); } static inline void trace_probe_set_flag(struct trace_probe *tp, unsigned int flag) { - tp->event->flags |= flag; + smp_store_release(&tp->event->flags, tp->event->flags | flag); } static inline void trace_probe_clear_flag(struct trace_probe *tp, diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c index 8b0bcc0d8f41..430d09c49462 100644 --- a/kernel/trace/trace_uprobe.c +++ b/kernel/trace/trace_uprobe.c @@ -1547,6 +1547,7 @@ static int uprobe_dispatcher(struct uprobe_consumer *con, struct pt_regs *regs, struct trace_uprobe *tu; struct uprobe_dispatch_data udd; struct uprobe_cpu_buffer *ucb = NULL; + unsigned int flags; int ret = 0; tu = container_of(con, struct trace_uprobe, consumer); @@ -1561,11 +1562,12 @@ static int uprobe_dispatcher(struct uprobe_consumer *con, struct pt_regs *regs, if (WARN_ON_ONCE(!uprobe_cpu_buffer)) return 0; - if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE)) + flags = trace_probe_load_flag(&tu->tp); + if (flags & TP_FLAG_TRACE) ret |= uprobe_trace_func(tu, regs, &ucb); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) ret |= uprobe_perf_func(tu, regs, &ucb); #endif uprobe_buffer_put(ucb); @@ -1579,6 +1581,7 @@ static int uretprobe_dispatcher(struct uprobe_consumer *con, struct trace_uprobe *tu; struct uprobe_dispatch_data udd; struct uprobe_cpu_buffer *ucb = NULL; + unsigned int flags; tu = container_of(con, struct trace_uprobe, consumer); @@ -1590,11 +1593,12 @@ static int uretprobe_dispatcher(struct uprobe_consumer *con, if (WARN_ON_ONCE(!uprobe_cpu_buffer)) return 0; - if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE)) + flags = trace_probe_load_flag(&tu->tp); + if (flags & TP_FLAG_TRACE) uretprobe_trace_func(tu, func, regs, &ucb); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) uretprobe_perf_func(tu, func, regs, &ucb); #endif uprobe_buffer_put(ucb);

3 weeks, 1 day

2
1
0 0

[PATCH v4 0/2] media: pci: Fix invalid access to file *

by Jacopo Mondi

Since commits 7b9eb53e8591 ("media: cx18: Access v4l2_fh from file") 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file") All the ioctl handlers access their private data structures from file * The ivtv and cx18 drivers call the ioctl handlers from their DVB layer without a valid file *, causing invalid memory access. The issue has been reported by smatch in "[bug report] media: cx18: Access v4l2_fh from file" Fix this by providing wrappers for the ioctl handlers to be used by the DVB layer that do not require a valid file *. Signed-off-by: Jacopo Mondi <jacopo.mondi(a)ideasonboard.com> --- Changes in v4: - Slightly adjust commit messages - Link to v3: https://lore.kernel.org/r/20250818-cx18-v4l2-fh-v3-0-5e2f08f3cadc@ideasonbo… Changes in v3: - Change helpers to accept the type they're going to operate on instead of using the open_id wrapper type as suggested by Laurent - Link to v2: https://lore.kernel.org/r/20250818-cx18-v4l2-fh-v2-0-3f53ce423663@ideasonbo… Changes in v2: - Add Cc: stable(a)vger.kernel.org per-patch --- Jacopo Mondi (2): media: cx18: Fix invalid access to file * media: ivtv: Fix invalid access to file * drivers/media/pci/cx18/cx18-driver.c | 9 +++------ drivers/media/pci/cx18/cx18-ioctl.c | 30 +++++++++++++++++++----------- drivers/media/pci/cx18/cx18-ioctl.h | 8 +++++--- drivers/media/pci/ivtv/ivtv-driver.c | 11 ++++------- drivers/media/pci/ivtv/ivtv-ioctl.c | 22 +++++++++++++++++----- drivers/media/pci/ivtv/ivtv-ioctl.h | 6 ++++-- 6 files changed, 52 insertions(+), 34 deletions(-) --- base-commit: a75b8d198c55e9eb5feb6f6e155496305caba2dc change-id: 20250818-cx18-v4l2-fh-7eaa6199fdde Best regards, -- Jacopo Mondi <jacopo.mondi(a)ideasonboard.com>

3 weeks, 1 day

2
7
0 0

FAILED: patch "[PATCH] tracing: Fix race condition in kprobe initialization causing" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101328-fever-giggly-7991@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f Mon Sep 17 00:00:00 2001 From: Yuan Chen <chenyuan(a)kylinos.cn> Date: Wed, 1 Oct 2025 03:20:25 +0100 Subject: [PATCH] tracing: Fix race condition in kprobe initialization causing NULL pointer dereference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash. [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828] kprobe_perf_func+0x30/0x260 [1135630.441661] kprobe_dispatcher+0x44/0x60 [1135630.448396] aggr_pre_handler+0x70/0xc8 [1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435] brk_handler+0xbc/0xd8 [1135630.468437] do_debug_exception+0x84/0x138 [1135630.475074] el1_dbg+0x18/0x8c [1135630.480582] security_file_permission+0x0/0xd0 [1135630.487426] vfs_write+0x70/0x1c0 [1135630.493059] ksys_write+0x5c/0xc8 [1135630.498638] __arm64_sys_write+0x24/0x30 [1135630.504821] el0_svc_common+0x78/0x130 [1135630.510838] el0_svc_handler+0x38/0x78 [1135630.516834] el0_svc+0x8/0x1b0 kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec <kprobe_perf_func+0x2c>: ldr x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 <kprobe_perf_func+0x30>: ldr x1, [x21,x0] kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: return 0; crash> struct trace_event_call -o struct trace_event_call { ... [120] struct hlist_head *perf_events; //(call->perf_event) ... } crash> struct trace_event_call ffffaf015340e528 struct trace_event_call { ... perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0 ... } Race Condition Analysis: The race occurs between kprobe activation and perf_events initialization: CPU0 CPU1 ==== ==== perf_kprobe_init perf_trace_event_init tp_event->perf_events = list;(1) tp_event->class->reg (2)← KPROBE ACTIVE Debug exception triggers ... kprobe_dispatcher kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE) head = this_cpu_ptr(call->perf_events)(3) (perf_events is still NULL) Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. CPU1 calls kprobe_perf_func() and crashes at (3) because call->perf_events is still NULL CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned. Add pairing read and write memory barriers to guarantee that if CPU1 sees that kprobe functionality is enabled, it must also see that perf_events has been assigned. Link: https://lore.kernel.org/all/20251001022025.44626-1-chenyuan_fl@163.com/ Fixes: 50d780560785 ("tracing/kprobes: Add probe handler dispatcher to support perf and ftrace concurrent use") Cc: stable(a)vger.kernel.org Signed-off-by: Yuan Chen <chenyuan(a)kylinos.cn> Signed-off-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> diff --git a/kernel/trace/trace_fprobe.c b/kernel/trace/trace_fprobe.c index b36ade43d4b3..ad9d6347b5fa 100644 --- a/kernel/trace/trace_fprobe.c +++ b/kernel/trace/trace_fprobe.c @@ -522,13 +522,14 @@ static int fentry_dispatcher(struct fprobe *fp, unsigned long entry_ip, void *entry_data) { struct trace_fprobe *tf = container_of(fp, struct trace_fprobe, fp); + unsigned int flags = trace_probe_load_flag(&tf->tp); int ret = 0; - if (trace_probe_test_flag(&tf->tp, TP_FLAG_TRACE)) + if (flags & TP_FLAG_TRACE) fentry_trace_func(tf, entry_ip, fregs); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tf->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) ret = fentry_perf_func(tf, entry_ip, fregs); #endif return ret; @@ -540,11 +541,12 @@ static void fexit_dispatcher(struct fprobe *fp, unsigned long entry_ip, void *entry_data) { struct trace_fprobe *tf = container_of(fp, struct trace_fprobe, fp); + unsigned int flags = trace_probe_load_flag(&tf->tp); - if (trace_probe_test_flag(&tf->tp, TP_FLAG_TRACE)) + if (flags & TP_FLAG_TRACE) fexit_trace_func(tf, entry_ip, ret_ip, fregs, entry_data); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tf->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) fexit_perf_func(tf, entry_ip, ret_ip, fregs, entry_data); #endif } diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c index fa60362a3f31..ee8171b19bee 100644 --- a/kernel/trace/trace_kprobe.c +++ b/kernel/trace/trace_kprobe.c @@ -1815,14 +1815,15 @@ static int kprobe_register(struct trace_event_call *event, static int kprobe_dispatcher(struct kprobe *kp, struct pt_regs *regs) { struct trace_kprobe *tk = container_of(kp, struct trace_kprobe, rp.kp); + unsigned int flags = trace_probe_load_flag(&tk->tp); int ret = 0; raw_cpu_inc(*tk->nhit); - if (trace_probe_test_flag(&tk->tp, TP_FLAG_TRACE)) + if (flags & TP_FLAG_TRACE) kprobe_trace_func(tk, regs); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tk->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) ret = kprobe_perf_func(tk, regs); #endif return ret; @@ -1834,6 +1835,7 @@ kretprobe_dispatcher(struct kretprobe_instance *ri, struct pt_regs *regs) { struct kretprobe *rp = get_kretprobe(ri); struct trace_kprobe *tk; + unsigned int flags; /* * There is a small chance that get_kretprobe(ri) returns NULL when @@ -1846,10 +1848,11 @@ kretprobe_dispatcher(struct kretprobe_instance *ri, struct pt_regs *regs) tk = container_of(rp, struct trace_kprobe, rp); raw_cpu_inc(*tk->nhit); - if (trace_probe_test_flag(&tk->tp, TP_FLAG_TRACE)) + flags = trace_probe_load_flag(&tk->tp); + if (flags & TP_FLAG_TRACE) kretprobe_trace_func(tk, ri, regs); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tk->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) kretprobe_perf_func(tk, ri, regs); #endif return 0; /* We don't tweak kernel, so just return 0 */ diff --git a/kernel/trace/trace_probe.h b/kernel/trace/trace_probe.h index 842383fbc03b..08b5bda24da2 100644 --- a/kernel/trace/trace_probe.h +++ b/kernel/trace/trace_probe.h @@ -271,16 +271,21 @@ struct event_file_link { struct list_head list; }; +static inline unsigned int trace_probe_load_flag(struct trace_probe *tp) +{ + return smp_load_acquire(&tp->event->flags); +} + static inline bool trace_probe_test_flag(struct trace_probe *tp, unsigned int flag) { - return !!(tp->event->flags & flag); + return !!(trace_probe_load_flag(tp) & flag); } static inline void trace_probe_set_flag(struct trace_probe *tp, unsigned int flag) { - tp->event->flags |= flag; + smp_store_release(&tp->event->flags, tp->event->flags | flag); } static inline void trace_probe_clear_flag(struct trace_probe *tp, diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c index 8b0bcc0d8f41..430d09c49462 100644 --- a/kernel/trace/trace_uprobe.c +++ b/kernel/trace/trace_uprobe.c @@ -1547,6 +1547,7 @@ static int uprobe_dispatcher(struct uprobe_consumer *con, struct pt_regs *regs, struct trace_uprobe *tu; struct uprobe_dispatch_data udd; struct uprobe_cpu_buffer *ucb = NULL; + unsigned int flags; int ret = 0; tu = container_of(con, struct trace_uprobe, consumer); @@ -1561,11 +1562,12 @@ static int uprobe_dispatcher(struct uprobe_consumer *con, struct pt_regs *regs, if (WARN_ON_ONCE(!uprobe_cpu_buffer)) return 0; - if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE)) + flags = trace_probe_load_flag(&tu->tp); + if (flags & TP_FLAG_TRACE) ret |= uprobe_trace_func(tu, regs, &ucb); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) ret |= uprobe_perf_func(tu, regs, &ucb); #endif uprobe_buffer_put(ucb); @@ -1579,6 +1581,7 @@ static int uretprobe_dispatcher(struct uprobe_consumer *con, struct trace_uprobe *tu; struct uprobe_dispatch_data udd; struct uprobe_cpu_buffer *ucb = NULL; + unsigned int flags; tu = container_of(con, struct trace_uprobe, consumer); @@ -1590,11 +1593,12 @@ static int uretprobe_dispatcher(struct uprobe_consumer *con, if (WARN_ON_ONCE(!uprobe_cpu_buffer)) return 0; - if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE)) + flags = trace_probe_load_flag(&tu->tp); + if (flags & TP_FLAG_TRACE) uretprobe_trace_func(tu, func, regs, &ucb); #ifdef CONFIG_PERF_EVENTS - if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE)) + if (flags & TP_FLAG_PROFILE) uretprobe_perf_func(tu, func, regs, &ucb); #endif uprobe_buffer_put(ucb);

3 weeks, 1 day

2
1
0 0

FAILED: patch "[PATCH] ksmbd: fix error code overwriting in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 88daf2f448aad05a2e6df738d66fe8b0cf85cee0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101324-echo-cardinal-3043@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 88daf2f448aad05a2e6df738d66fe8b0cf85cee0 Mon Sep 17 00:00:00 2001 From: Matvey Kovalev <matvey.kovalev(a)ispras.ru> Date: Thu, 25 Sep 2025 15:12:34 +0300 Subject: [PATCH] ksmbd: fix error code overwriting in smb2_get_info_filesystem() If client doesn't negotiate with SMB3.1.1 POSIX Extensions, then proper error code won't be returned due to overwriting. Return error immediately. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e2f34481b24db ("cifsd: add server-side procedures for SMB3") Cc: stable(a)vger.kernel.org Signed-off-by: Matvey Kovalev <matvey.kovalev(a)ispras.ru> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 0c069eff80b7..133ca5beb7cf 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -5629,7 +5629,8 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work, if (!work->tcon->posix_extensions) { pr_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n"); - rc = -EOPNOTSUPP; + path_put(&path); + return -EOPNOTSUPP; } else { info = (struct filesystem_posix_info *)(rsp->Buffer); info->OptimalTransferSize = cpu_to_le32(stfs.f_bsize);

3 weeks, 1 day

2
1
0 0

[PATCH v1] vmw_balloon: indicate success when effectively deflating during migration

by David Hildenbrand

When migrating a balloon page, we first deflate the old page to then inflate the new page. However, if inflating the new page succeeded, we effectively deflated the old page, reducing the balloon size. In that case, the migration actually worked: similar to migrating+ immediately deflating the new page. The old page will be freed back to the buddy. Right now, the core will leave the page be marked as isolated (as we returned an error). When later trying to putback that page, we will run into the WARN_ON_ONCE() in balloon_page_putback(). That handling was changed in commit 3544c4faccb8 ("mm/balloon_compaction: stop using __ClearPageMovable()"); before that change, we would have tolerated that way of handling it. To fix it, let's just return 0 in that case, making the core effectively just clear the "isolated" flag + freeing it back to the buddy as if the migration succeeded. Note that the new page will also get freed when the core puts the last reference. Note that this also makes it all be more consistent: we will no longer unisolate the page in the balloon driver while keeping it marked as being isolated in migration core. This was found by code inspection. Fixes: 3544c4faccb8 ("mm/balloon_compaction: stop using __ClearPageMovable()") Cc: <stable(a)vger.kernel.org> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Jerrin Shaji George <jerrin.shaji-george(a)broadcom.com> Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: David Hildenbrand <david(a)redhat.com> --- I have no easy way to test this, and I assume it happens very very rarely (inflation during migration failing). I would prefer this to go through the MM-tree, as I have some follow-up balloon_compaction reworks also mess with this code. --- drivers/misc/vmw_balloon.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/misc/vmw_balloon.c b/drivers/misc/vmw_balloon.c index 6df51ee8db621..cc1d18b3df5ca 100644 --- a/drivers/misc/vmw_balloon.c +++ b/drivers/misc/vmw_balloon.c @@ -1737,7 +1737,7 @@ static int vmballoon_migratepage(struct balloon_dev_info *b_dev_info, { unsigned long status, flags; struct vmballoon *b; - int ret; + int ret = 0; b = container_of(b_dev_info, struct vmballoon, b_dev_info); @@ -1796,17 +1796,15 @@ static int vmballoon_migratepage(struct balloon_dev_info *b_dev_info, * A failure happened. While we can deflate the page we just * inflated, this deflation can also encounter an error. Instead * we will decrease the size of the balloon to reflect the - * change and report failure. + * change. */ atomic64_dec(&b->size); - ret = -EBUSY; } else { /* * Success. Take a reference for the page, and we will add it to * the list after acquiring the lock. */ get_page(newpage); - ret = 0; } /* Update the balloon list under the @pages_lock */ @@ -1817,7 +1815,7 @@ static int vmballoon_migratepage(struct balloon_dev_info *b_dev_info, * If we succeed just insert it to the list and update the statistics * under the lock. */ - if (!ret) { + if (status == VMW_BALLOON_SUCCESS) { balloon_page_insert(&b->b_dev_info, newpage); __count_vm_event(BALLOON_MIGRATE); } base-commit: 1c58c31dc83e39f4790ae778626b6b8b59bc0db8 -- 2.51.0

3 weeks, 1 day

1
0
0 0

FAILED: patch "[PATCH] tracing: Have trace_marker use per-cpu data to read user" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 64cf7d058a005c5c31eb8a0b741f35dc12915d18 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025101354-eject-groove-319c@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 64cf7d058a005c5c31eb8a0b741f35dc12915d18 Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Wed, 8 Oct 2025 12:45:10 -0400 Subject: [PATCH] tracing: Have trace_marker use per-cpu data to read user space It was reported that using __copy_from_user_inatomic() can actually schedule. Which is bad when preemption is disabled. Even though there's logic to check in_atomic() is set, but this is a nop when the kernel is configured with PREEMPT_NONE. This is due to page faulting and the code could schedule with preemption disabled. Link: https://lore.kernel.org/all/20250819105152.2766363-1-luogengkun@huaweicloud… The solution was to change the __copy_from_user_inatomic() to copy_from_user_nofault(). But then it was reported that this caused a regression in Android. There's several applications writing into trace_marker() in Android, but now instead of showing the expected data, it is showing: tracing_mark_write: <faulted> After reverting the conversion to copy_from_user_nofault(), Android was able to get the data again. Writes to the trace_marker is a way to efficiently and quickly enter data into the Linux tracing buffer. It takes no locks and was designed to be as non-intrusive as possible. This means it cannot allocate memory, and must use pre-allocated data. A method that is actively being worked on to have faultable system call tracepoints read user space data is to allocate per CPU buffers, and use them in the callback. The method uses a technique similar to seqcount. That is something like this: preempt_disable(); cpu = smp_processor_id(); buffer = this_cpu_ptr(&pre_allocated_cpu_buffers, cpu); do { cnt = nr_context_switches_cpu(cpu); migrate_disable(); preempt_enable(); ret = copy_from_user(buffer, ptr, size); preempt_disable(); migrate_enable(); } while (!ret && cnt != nr_context_switches_cpu(cpu)); if (!ret) ring_buffer_write(buffer); preempt_enable(); It's a little more involved than that, but the above is the basic logic. The idea is to acquire the current CPU buffer, disable migration, and then enable preemption. At this moment, it can safely use copy_from_user(). After reading the data from user space, it disables preemption again. It then checks to see if there was any new scheduling on this CPU. If there was, it must assume that the buffer was corrupted by another task. If there wasn't, then the buffer is still valid as only tasks in preemptable context can write to this buffer and only those that are running on the CPU. By using this method, where trace_marker open allocates the per CPU buffers, trace_marker writes can access user space and even fault it in, without having to allocate or take any locks of its own. Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Luo Gengkun <luogengkun(a)huaweicloud.com> Cc: Wattson CI <wattson-external(a)google.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Link: https://lore.kernel.org/20251008124510.6dba541a@gandalf.local.home Fixes: 3d62ab32df065 ("tracing: Fix tracing_marker may trigger page fault during preempt_disable") Reported-by: Runping Lai <runpinglai(a)google.com> Tested-by: Runping Lai <runpinglai(a)google.com> Closes: https://lore.kernel.org/linux-trace-kernel/20251007003417.3470979-2-runping… Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index b3c94fbaf002..0fd582651293 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -4791,12 +4791,6 @@ int tracing_single_release_file_tr(struct inode *inode, struct file *filp) return single_release(inode, filp); } -static int tracing_mark_open(struct inode *inode, struct file *filp) -{ - stream_open(inode, filp); - return tracing_open_generic_tr(inode, filp); -} - static int tracing_release(struct inode *inode, struct file *file) { struct trace_array *tr = inode->i_private; @@ -7163,7 +7157,7 @@ tracing_free_buffer_release(struct inode *inode, struct file *filp) #define TRACE_MARKER_MAX_SIZE 4096 -static ssize_t write_marker_to_buffer(struct trace_array *tr, const char __user *ubuf, +static ssize_t write_marker_to_buffer(struct trace_array *tr, const char *buf, size_t cnt, unsigned long ip) { struct ring_buffer_event *event; @@ -7173,20 +7167,11 @@ static ssize_t write_marker_to_buffer(struct trace_array *tr, const char __user int meta_size; ssize_t written; size_t size; - int len; - -/* Used in tracing_mark_raw_write() as well */ -#define FAULTED_STR "<faulted>" -#define FAULTED_SIZE (sizeof(FAULTED_STR) - 1) /* '\0' is already accounted for */ meta_size = sizeof(*entry) + 2; /* add '\0' and possible '\n' */ again: size = cnt + meta_size; - /* If less than "<faulted>", then make sure we can still add that */ - if (cnt < FAULTED_SIZE) - size += FAULTED_SIZE - cnt; - buffer = tr->array_buffer.buffer; event = __trace_buffer_lock_reserve(buffer, TRACE_PRINT, size, tracing_gen_ctx()); @@ -7196,9 +7181,6 @@ static ssize_t write_marker_to_buffer(struct trace_array *tr, const char __user * make it smaller and try again. */ if (size > ring_buffer_max_event_size(buffer)) { - /* cnt < FAULTED size should never be bigger than max */ - if (WARN_ON_ONCE(cnt < FAULTED_SIZE)) - return -EBADF; cnt = ring_buffer_max_event_size(buffer) - meta_size; /* The above should only happen once */ if (WARN_ON_ONCE(cnt + meta_size == size)) @@ -7212,14 +7194,8 @@ static ssize_t write_marker_to_buffer(struct trace_array *tr, const char __user entry = ring_buffer_event_data(event); entry->ip = ip; - - len = copy_from_user_nofault(&entry->buf, ubuf, cnt); - if (len) { - memcpy(&entry->buf, FAULTED_STR, FAULTED_SIZE); - cnt = FAULTED_SIZE; - written = -EFAULT; - } else - written = cnt; + memcpy(&entry->buf, buf, cnt); + written = cnt; if (tr->trace_marker_file && !list_empty(&tr->trace_marker_file->triggers)) { /* do not add \n before testing triggers, but add \0 */ @@ -7243,6 +7219,169 @@ static ssize_t write_marker_to_buffer(struct trace_array *tr, const char __user return written; } +struct trace_user_buf { + char *buf; +}; + +struct trace_user_buf_info { + struct trace_user_buf __percpu *tbuf; + int ref; +}; + + +static DEFINE_MUTEX(trace_user_buffer_mutex); +static struct trace_user_buf_info *trace_user_buffer; + +static void trace_user_fault_buffer_free(struct trace_user_buf_info *tinfo) +{ + char *buf; + int cpu; + + for_each_possible_cpu(cpu) { + buf = per_cpu_ptr(tinfo->tbuf, cpu)->buf; + kfree(buf); + } + free_percpu(tinfo->tbuf); + kfree(tinfo); +} + +static int trace_user_fault_buffer_enable(void) +{ + struct trace_user_buf_info *tinfo; + char *buf; + int cpu; + + guard(mutex)(&trace_user_buffer_mutex); + + if (trace_user_buffer) { + trace_user_buffer->ref++; + return 0; + } + + tinfo = kmalloc(sizeof(*tinfo), GFP_KERNEL); + if (!tinfo) + return -ENOMEM; + + tinfo->tbuf = alloc_percpu(struct trace_user_buf); + if (!tinfo->tbuf) { + kfree(tinfo); + return -ENOMEM; + } + + tinfo->ref = 1; + + /* Clear each buffer in case of error */ + for_each_possible_cpu(cpu) { + per_cpu_ptr(tinfo->tbuf, cpu)->buf = NULL; + } + + for_each_possible_cpu(cpu) { + buf = kmalloc_node(TRACE_MARKER_MAX_SIZE, GFP_KERNEL, + cpu_to_node(cpu)); + if (!buf) { + trace_user_fault_buffer_free(tinfo); + return -ENOMEM; + } + per_cpu_ptr(tinfo->tbuf, cpu)->buf = buf; + } + + trace_user_buffer = tinfo; + + return 0; +} + +static void trace_user_fault_buffer_disable(void) +{ + struct trace_user_buf_info *tinfo; + + guard(mutex)(&trace_user_buffer_mutex); + + tinfo = trace_user_buffer; + + if (WARN_ON_ONCE(!tinfo)) + return; + + if (--tinfo->ref) + return; + + trace_user_fault_buffer_free(tinfo); + trace_user_buffer = NULL; +} + +/* Must be called with preemption disabled */ +static char *trace_user_fault_read(struct trace_user_buf_info *tinfo, + const char __user *ptr, size_t size, + size_t *read_size) +{ + int cpu = smp_processor_id(); + char *buffer = per_cpu_ptr(tinfo->tbuf, cpu)->buf; + unsigned int cnt; + int trys = 0; + int ret; + + if (size > TRACE_MARKER_MAX_SIZE) + size = TRACE_MARKER_MAX_SIZE; + *read_size = 0; + + /* + * This acts similar to a seqcount. The per CPU context switches are + * recorded, migration is disabled and preemption is enabled. The + * read of the user space memory is copied into the per CPU buffer. + * Preemption is disabled again, and if the per CPU context switches count + * is still the same, it means the buffer has not been corrupted. + * If the count is different, it is assumed the buffer is corrupted + * and reading must be tried again. + */ + + do { + /* + * If for some reason, copy_from_user() always causes a context + * switch, this would then cause an infinite loop. + * If this task is preempted by another user space task, it + * will cause this task to try again. But just in case something + * changes where the copying from user space causes another task + * to run, prevent this from going into an infinite loop. + * 100 tries should be plenty. + */ + if (WARN_ONCE(trys++ > 100, "Error: Too many tries to read user space")) + return NULL; + + /* Read the current CPU context switch counter */ + cnt = nr_context_switches_cpu(cpu); + + /* + * Preemption is going to be enabled, but this task must + * remain on this CPU. + */ + migrate_disable(); + + /* + * Now preemption is being enabed and another task can come in + * and use the same buffer and corrupt our data. + */ + preempt_enable_notrace(); + + ret = __copy_from_user(buffer, ptr, size); + + preempt_disable_notrace(); + migrate_enable(); + + /* if it faulted, no need to test if the buffer was corrupted */ + if (ret) + return NULL; + + /* + * Preemption is disabled again, now check the per CPU context + * switch counter. If it doesn't match, then another user space + * process may have schedule in and corrupted our buffer. In that + * case the copying must be retried. + */ + } while (nr_context_switches_cpu(cpu) != cnt); + + *read_size = size; + return buffer; +} + static ssize_t tracing_mark_write(struct file *filp, const char __user *ubuf, size_t cnt, loff_t *fpos) @@ -7250,6 +7389,8 @@ tracing_mark_write(struct file *filp, const char __user *ubuf, struct trace_array *tr = filp->private_data; ssize_t written = -ENODEV; unsigned long ip; + size_t size; + char *buf; if (tracing_disabled) return -EINVAL; @@ -7263,6 +7404,16 @@ tracing_mark_write(struct file *filp, const char __user *ubuf, if (cnt > TRACE_MARKER_MAX_SIZE) cnt = TRACE_MARKER_MAX_SIZE; + /* Must have preemption disabled while having access to the buffer */ + guard(preempt_notrace)(); + + buf = trace_user_fault_read(trace_user_buffer, ubuf, cnt, &size); + if (!buf) + return -EFAULT; + + if (cnt > size) + cnt = size; + /* The selftests expect this function to be the IP address */ ip = _THIS_IP_; @@ -7270,32 +7421,27 @@ tracing_mark_write(struct file *filp, const char __user *ubuf, if (tr == &global_trace) { guard(rcu)(); list_for_each_entry_rcu(tr, &marker_copies, marker_list) { - written = write_marker_to_buffer(tr, ubuf, cnt, ip); + written = write_marker_to_buffer(tr, buf, cnt, ip); if (written < 0) break; } } else { - written = write_marker_to_buffer(tr, ubuf, cnt, ip); + written = write_marker_to_buffer(tr, buf, cnt, ip); } return written; } static ssize_t write_raw_marker_to_buffer(struct trace_array *tr, - const char __user *ubuf, size_t cnt) + const char *buf, size_t cnt) { struct ring_buffer_event *event; struct trace_buffer *buffer; struct raw_data_entry *entry; ssize_t written; - int size; - int len; - -#define FAULT_SIZE_ID (FAULTED_SIZE + sizeof(int)) + size_t size; size = sizeof(*entry) + cnt; - if (cnt < FAULT_SIZE_ID) - size += FAULT_SIZE_ID - cnt; buffer = tr->array_buffer.buffer; @@ -7309,14 +7455,8 @@ static ssize_t write_raw_marker_to_buffer(struct trace_array *tr, return -EBADF; entry = ring_buffer_event_data(event); - - len = copy_from_user_nofault(&entry->id, ubuf, cnt); - if (len) { - entry->id = -1; - memcpy(&entry->buf, FAULTED_STR, FAULTED_SIZE); - written = -EFAULT; - } else - written = cnt; + memcpy(&entry->id, buf, cnt); + written = cnt; __buffer_unlock_commit(buffer, event); @@ -7329,8 +7469,8 @@ tracing_mark_raw_write(struct file *filp, const char __user *ubuf, { struct trace_array *tr = filp->private_data; ssize_t written = -ENODEV; - -#define FAULT_SIZE_ID (FAULTED_SIZE + sizeof(int)) + size_t size; + char *buf; if (tracing_disabled) return -EINVAL; @@ -7342,6 +7482,17 @@ tracing_mark_raw_write(struct file *filp, const char __user *ubuf, if (cnt < sizeof(unsigned int)) return -EINVAL; + /* Must have preemption disabled while having access to the buffer */ + guard(preempt_notrace)(); + + buf = trace_user_fault_read(trace_user_buffer, ubuf, cnt, &size); + if (!buf) + return -EFAULT; + + /* raw write is all or nothing */ + if (cnt > size) + return -EINVAL; + /* The global trace_marker_raw can go to multiple instances */ if (tr == &global_trace) { guard(rcu)(); @@ -7357,6 +7508,27 @@ tracing_mark_raw_write(struct file *filp, const char __user *ubuf, return written; } +static int tracing_mark_open(struct inode *inode, struct file *filp) +{ + int ret; + + ret = trace_user_fault_buffer_enable(); + if (ret < 0) + return ret; + + stream_open(inode, filp); + ret = tracing_open_generic_tr(inode, filp); + if (ret < 0) + trace_user_fault_buffer_disable(); + return ret; +} + +static int tracing_mark_release(struct inode *inode, struct file *file) +{ + trace_user_fault_buffer_disable(); + return tracing_release_generic_tr(inode, file); +} + static int tracing_clock_show(struct seq_file *m, void *v) { struct trace_array *tr = m->private; @@ -7764,13 +7936,13 @@ static const struct file_operations tracing_free_buffer_fops = { static const struct file_operations tracing_mark_fops = { .open = tracing_mark_open, .write = tracing_mark_write, - .release = tracing_release_generic_tr, + .release = tracing_mark_release, }; static const struct file_operations tracing_mark_raw_fops = { .open = tracing_mark_open, .write = tracing_mark_raw_write, - .release = tracing_release_generic_tr, + .release = tracing_mark_release, }; static const struct file_operations trace_clock_fops = {

3 weeks, 1 day

4
3
0 0

[PATCH v5 1/1] mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled mTHP subpage to shared zeropage

by Lance Yang

From: Lance Yang <lance.yang(a)linux.dev> When splitting an mTHP and replacing a zero-filled subpage with the shared zeropage, try_to_map_unused_to_zeropage() currently drops several important PTE bits. For userspace tools like CRIU, which rely on the soft-dirty mechanism for incremental snapshots, losing the soft-dirty bit means modified pages are missed, leading to inconsistent memory state after restore. As pointed out by David, the more critical uffd-wp bit is also dropped. This breaks the userfaultfd write-protection mechanism, causing writes to be silently missed by monitoring applications, which can lead to data corruption. Preserve both the soft-dirty and uffd-wp bits from the old PTE when creating the new zeropage mapping to ensure they are correctly tracked. Cc: <stable(a)vger.kernel.org> Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") Suggested-by: David Hildenbrand <david(a)redhat.com> Suggested-by: Dev Jain <dev.jain(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Dev Jain <dev.jain(a)arm.com> Signed-off-by: Lance Yang <lance.yang(a)linux.dev> --- v4 -> v5: - Move ptep_get() call after the !pvmw.pte check, which handles PMD-mapped THP migration entries. - https://lore.kernel.org/linux-mm/20250930071053.36158-1-lance.yang@linux.de… v3 -> v4: - Minor formatting tweak in try_to_map_unused_to_zeropage() function signature (per David and Dev) - Collect Reviewed-by from Dev - thanks! - https://lore.kernel.org/linux-mm/20250930060557.85133-1-lance.yang@linux.de… v2 -> v3: - ptep_get() gets called only once per iteration (per Dev) - https://lore.kernel.org/linux-mm/20250930043351.34927-1-lance.yang@linux.de… v1 -> v2: - Avoid calling ptep_get() multiple times (per Dev) - Double-check the uffd-wp bit (per David) - Collect Acked-by from David - thanks! - https://lore.kernel.org/linux-mm/20250928044855.76359-1-lance.yang@linux.de… mm/migrate.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/mm/migrate.c b/mm/migrate.c index ce83c2c3c287..e3065c9edb55 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -296,8 +296,7 @@ bool isolate_folio_to_list(struct folio *folio, struct list_head *list) } static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, - struct folio *folio, - unsigned long idx) + struct folio *folio, pte_t old_pte, unsigned long idx) { struct page *page = folio_page(folio, idx); pte_t newpte; @@ -306,7 +305,7 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, return false; VM_BUG_ON_PAGE(!PageAnon(page), page); VM_BUG_ON_PAGE(!PageLocked(page), page); - VM_BUG_ON_PAGE(pte_present(ptep_get(pvmw->pte)), page); + VM_BUG_ON_PAGE(pte_present(old_pte), page); if (folio_test_mlocked(folio) || (pvmw->vma->vm_flags & VM_LOCKED) || mm_forbids_zeropage(pvmw->vma->vm_mm)) @@ -322,6 +321,12 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address), pvmw->vma->vm_page_prot)); + + if (pte_swp_soft_dirty(old_pte)) + newpte = pte_mksoft_dirty(newpte); + if (pte_swp_uffd_wp(old_pte)) + newpte = pte_mkuffd_wp(newpte); + set_pte_at(pvmw->vma->vm_mm, pvmw->address, pvmw->pte, newpte); dec_mm_counter(pvmw->vma->vm_mm, mm_counter(folio)); @@ -364,13 +369,13 @@ static bool remove_migration_pte(struct folio *folio, continue; } #endif + old_pte = ptep_get(pvmw.pte); if (rmap_walk_arg->map_unused_to_zeropage && - try_to_map_unused_to_zeropage(&pvmw, folio, idx)) + try_to_map_unused_to_zeropage(&pvmw, folio, old_pte, idx)) continue; folio_get(folio); pte = mk_pte(new, READ_ONCE(vma->vm_page_prot)); - old_pte = ptep_get(pvmw.pte); entry = pte_to_swp_entry(old_pte); if (!is_migration_entry_young(entry)) -- 2.49.0

3 weeks, 1 day

5
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror