- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081215-variable-implicit-aa4c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:09 -0700 Subject: [PATCH] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs Introduce vmx_guest_debugctl_{read,write}() to handle all accesses to vmcs.GUEST_IA32_DEBUGCTL. This will allow stuffing FREEZE_IN_SMM into GUEST_IA32_DEBUGCTL based on the host setting without bleeding the state into the guest, and without needing to copy+paste the FREEZE_IN_SMM logic into every patch that accesses GUEST_IA32_DEBUGCTL. No functional change intended. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> [sean: massage changelog, make inline, use in all prepare_vmcs02() cases] Reviewed-by: Dapeng Mi <dapeng1.mi(a)linux.intel.com> Link: https://lore.kernel.org/r/20250610232010.162191-8-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 1b8b0642fc2d..ef20184b8b11 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2663,11 +2663,11 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl & - vmx_get_supported_debugctl(vcpu, false)); + vmx_guest_debugctl_write(vcpu, vmcs12->guest_ia32_debugctl & + vmx_get_supported_debugctl(vcpu, false)); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); + vmx_guest_debugctl_write(vcpu, vmx->nested.pre_vmenter_debugctl); } if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) @@ -3532,7 +3532,7 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu, if (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) - vmx->nested.pre_vmenter_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL); + vmx->nested.pre_vmenter_debugctl = vmx_guest_debugctl_read(); if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) @@ -4806,7 +4806,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu, __vmx_set_segment(vcpu, &seg, VCPU_SREG_LDTR); kvm_set_dr(vcpu, 7, 0x400); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + vmx_guest_debugctl_write(vcpu, 0); if (nested_vmx_load_msr(vcpu, vmcs12->vm_exit_msr_load_addr, vmcs12->vm_exit_msr_load_count)) diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c index bbf4509f32d0..0b173602821b 100644 --- a/arch/x86/kvm/vmx/pmu_intel.c +++ b/arch/x86/kvm/vmx/pmu_intel.c @@ -653,11 +653,11 @@ static void intel_pmu_reset(struct kvm_vcpu *vcpu) */ static void intel_pmu_legacy_freezing_lbrs_on_pmi(struct kvm_vcpu *vcpu) { - u64 data = vmcs_read64(GUEST_IA32_DEBUGCTL); + u64 data = vmx_guest_debugctl_read(); if (data & DEBUGCTLMSR_FREEZE_LBRS_ON_PMI) { data &= ~DEBUGCTLMSR_LBR; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); } } @@ -730,7 +730,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) if (!lbr_desc->event) { vmx_disable_lbr_msrs_passthrough(vcpu); - if (vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR) + if (vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR) goto warn; if (test_bit(INTEL_PMC_IDX_FIXED_VLBR, pmu->pmc_in_use)) goto warn; @@ -752,7 +752,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) static void intel_pmu_cleanup(struct kvm_vcpu *vcpu) { - if (!(vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR)) + if (!(vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR)) intel_pmu_release_guest_lbr_event(vcpu); } diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 6a8b78e954cd..a77d325fe78b 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2149,7 +2149,7 @@ int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) msr_info->data = vmx->pt_desc.guest.addr_a[index / 2]; break; case MSR_IA32_DEBUGCTLMSR: - msr_info->data = vmcs_read64(GUEST_IA32_DEBUGCTL); + msr_info->data = vmx_guest_debugctl_read(); break; default: find_uret_msr: @@ -2283,7 +2283,8 @@ int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) VM_EXIT_SAVE_DEBUG_CONTROLS) get_vmcs12(vcpu)->guest_ia32_debugctl = data; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); + if (intel_pmu_lbr_is_enabled(vcpu) && !to_vmx(vcpu)->lbr_desc.event && (data & DEBUGCTLMSR_LBR)) intel_pmu_create_guest_lbr_event(vcpu); @@ -4798,7 +4799,8 @@ static void init_vmcs(struct vcpu_vmx *vmx) vmcs_write32(GUEST_SYSENTER_CS, 0); vmcs_writel(GUEST_SYSENTER_ESP, 0); vmcs_writel(GUEST_SYSENTER_EIP, 0); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + + vmx_guest_debugctl_write(&vmx->vcpu, 0); if (cpu_has_vmx_tpr_shadow()) { vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, 0); diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 392e66c7e5fe..c20a4185d10a 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -417,6 +417,16 @@ void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated); +static inline void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val) +{ + vmcs_write64(GUEST_IA32_DEBUGCTL, val); +} + +static inline u64 vmx_guest_debugctl_read(void) +{ + return vmcs_read64(GUEST_IA32_DEBUGCTL); +} + /* * Note, early Intel manuals have the write-low and read-high bitmap offsets * the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and

1 month, 1 week

3
9
0 0

FAILED: patch "[PATCH] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081208-commerce-sports-ea01@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Tue, 10 Jun 2025 16:20:06 -0700 Subject: [PATCH] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported Let the guest set DEBUGCTL.RTM_DEBUG if RTM is supported according to the guest CPUID model, as debug support is supposed to be available if RTM is supported, and there are no known downsides to letting the guest debug RTM aborts. Note, there are no known bug reports related to RTM_DEBUG, the primary motivation is to reduce the probability of breaking existing guests when a future change adds a missing consistency check on vmcs12.GUEST_DEBUGCTL (KVM currently lets L2 run with whatever hardware supports; whoops). Note #2, KVM already emulates DR6.RTM, and doesn't restrict access to DR7.RTM. Fixes: 83c529151ab0 ("KVM: x86: expose Intel cpu new features (HLE, RTM) to guest") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250610232010.162191-5-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h index b7dded3c8113..fa878b136eba 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -419,6 +419,7 @@ #define DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI (1UL << 12) #define DEBUGCTLMSR_FREEZE_IN_SMM_BIT 14 #define DEBUGCTLMSR_FREEZE_IN_SMM (1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT) +#define DEBUGCTLMSR_RTM_DEBUG BIT(15) #define MSR_PEBS_FRONTEND 0x000003f7 diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4ee6cc796855..311f6fa53b67 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2186,6 +2186,10 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated (host_initiated || intel_pmu_lbr_is_enabled(vcpu))) debugctl |= DEBUGCTLMSR_LBR | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI; + if (boot_cpu_has(X86_FEATURE_RTM) && + (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM))) + debugctl |= DEBUGCTLMSR_RTM_DEBUG; + return debugctl; }

1 month, 1 week

3
2
0 0

FAILED: patch "[PATCH] KVM: VMX: Flush shadow VMCS on emergency reboot" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x a0ee1d5faff135e28810f29e0f06328c66f89852 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062034-chastise-wrecking-9a12@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a0ee1d5faff135e28810f29e0f06328c66f89852 Mon Sep 17 00:00:00 2001 From: Chao Gao <chao.gao(a)intel.com> Date: Mon, 24 Mar 2025 22:08:48 +0800 Subject: [PATCH] KVM: VMX: Flush shadow VMCS on emergency reboot Ensure the shadow VMCS cache is evicted during an emergency reboot to prevent potential memory corruption if the cache is evicted after reboot. This issue was identified through code inspection, as __loaded_vmcs_clear() flushes both the normal VMCS and the shadow VMCS. Avoid checking the "launched" state during an emergency reboot, unlike the behavior in __loaded_vmcs_clear(). This is important because reboot NMIs can interfere with operations like copy_shadow_to_vmcs12(), where shadow VMCSes are loaded directly using VMPTRLD. In such cases, if NMIs occur right after the VMCS load, the shadow VMCSes will be active but the "launched" state may not be set. Fixes: 16f5b9034b69 ("KVM: nVMX: Copy processor-specific shadow-vmcs to VMCS12") Cc: stable(a)vger.kernel.org Signed-off-by: Chao Gao <chao.gao(a)intel.com> Reviewed-by: Kai Huang <kai.huang(a)intel.com> Link: https://lore.kernel.org/r/20250324140849.2099723-1-chao.gao@intel.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index ef2d7208dd20..848c4963bdb8 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -770,8 +770,11 @@ void vmx_emergency_disable_virtualization_cpu(void) return; list_for_each_entry(v, &per_cpu(loaded_vmcss_on_cpu, cpu), - loaded_vmcss_on_cpu_link) + loaded_vmcss_on_cpu_link) { vmcs_clear(v->vmcs); + if (v->shadow_vmcs) + vmcs_clear(v->shadow_vmcs); + } kvm_cpu_vmxoff(); }

1 month, 1 week

3
6
0 0

FAILED: patch "[PATCH] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081214-bonanza-germproof-173f@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:09 -0700 Subject: [PATCH] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs Introduce vmx_guest_debugctl_{read,write}() to handle all accesses to vmcs.GUEST_IA32_DEBUGCTL. This will allow stuffing FREEZE_IN_SMM into GUEST_IA32_DEBUGCTL based on the host setting without bleeding the state into the guest, and without needing to copy+paste the FREEZE_IN_SMM logic into every patch that accesses GUEST_IA32_DEBUGCTL. No functional change intended. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> [sean: massage changelog, make inline, use in all prepare_vmcs02() cases] Reviewed-by: Dapeng Mi <dapeng1.mi(a)linux.intel.com> Link: https://lore.kernel.org/r/20250610232010.162191-8-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 1b8b0642fc2d..ef20184b8b11 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2663,11 +2663,11 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl & - vmx_get_supported_debugctl(vcpu, false)); + vmx_guest_debugctl_write(vcpu, vmcs12->guest_ia32_debugctl & + vmx_get_supported_debugctl(vcpu, false)); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); + vmx_guest_debugctl_write(vcpu, vmx->nested.pre_vmenter_debugctl); } if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) @@ -3532,7 +3532,7 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu, if (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) - vmx->nested.pre_vmenter_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL); + vmx->nested.pre_vmenter_debugctl = vmx_guest_debugctl_read(); if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) @@ -4806,7 +4806,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu, __vmx_set_segment(vcpu, &seg, VCPU_SREG_LDTR); kvm_set_dr(vcpu, 7, 0x400); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + vmx_guest_debugctl_write(vcpu, 0); if (nested_vmx_load_msr(vcpu, vmcs12->vm_exit_msr_load_addr, vmcs12->vm_exit_msr_load_count)) diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c index bbf4509f32d0..0b173602821b 100644 --- a/arch/x86/kvm/vmx/pmu_intel.c +++ b/arch/x86/kvm/vmx/pmu_intel.c @@ -653,11 +653,11 @@ static void intel_pmu_reset(struct kvm_vcpu *vcpu) */ static void intel_pmu_legacy_freezing_lbrs_on_pmi(struct kvm_vcpu *vcpu) { - u64 data = vmcs_read64(GUEST_IA32_DEBUGCTL); + u64 data = vmx_guest_debugctl_read(); if (data & DEBUGCTLMSR_FREEZE_LBRS_ON_PMI) { data &= ~DEBUGCTLMSR_LBR; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); } } @@ -730,7 +730,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) if (!lbr_desc->event) { vmx_disable_lbr_msrs_passthrough(vcpu); - if (vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR) + if (vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR) goto warn; if (test_bit(INTEL_PMC_IDX_FIXED_VLBR, pmu->pmc_in_use)) goto warn; @@ -752,7 +752,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) static void intel_pmu_cleanup(struct kvm_vcpu *vcpu) { - if (!(vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR)) + if (!(vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR)) intel_pmu_release_guest_lbr_event(vcpu); } diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 6a8b78e954cd..a77d325fe78b 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2149,7 +2149,7 @@ int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) msr_info->data = vmx->pt_desc.guest.addr_a[index / 2]; break; case MSR_IA32_DEBUGCTLMSR: - msr_info->data = vmcs_read64(GUEST_IA32_DEBUGCTL); + msr_info->data = vmx_guest_debugctl_read(); break; default: find_uret_msr: @@ -2283,7 +2283,8 @@ int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) VM_EXIT_SAVE_DEBUG_CONTROLS) get_vmcs12(vcpu)->guest_ia32_debugctl = data; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); + if (intel_pmu_lbr_is_enabled(vcpu) && !to_vmx(vcpu)->lbr_desc.event && (data & DEBUGCTLMSR_LBR)) intel_pmu_create_guest_lbr_event(vcpu); @@ -4798,7 +4799,8 @@ static void init_vmcs(struct vcpu_vmx *vmx) vmcs_write32(GUEST_SYSENTER_CS, 0); vmcs_writel(GUEST_SYSENTER_ESP, 0); vmcs_writel(GUEST_SYSENTER_EIP, 0); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + + vmx_guest_debugctl_write(&vmx->vcpu, 0); if (cpu_has_vmx_tpr_shadow()) { vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, 0); diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 392e66c7e5fe..c20a4185d10a 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -417,6 +417,16 @@ void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated); +static inline void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val) +{ + vmcs_write64(GUEST_IA32_DEBUGCTL, val); +} + +static inline u64 vmx_guest_debugctl_read(void) +{ + return vmcs_read64(GUEST_IA32_DEBUGCTL); +} + /* * Note, early Intel manuals have the write-low and read-high bitmap offsets * the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and

1 month, 1 week

3
6
0 0

FAILED: patch "[PATCH] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081209-porcupine-shut-1d95@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Tue, 10 Jun 2025 16:20:06 -0700 Subject: [PATCH] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported Let the guest set DEBUGCTL.RTM_DEBUG if RTM is supported according to the guest CPUID model, as debug support is supposed to be available if RTM is supported, and there are no known downsides to letting the guest debug RTM aborts. Note, there are no known bug reports related to RTM_DEBUG, the primary motivation is to reduce the probability of breaking existing guests when a future change adds a missing consistency check on vmcs12.GUEST_DEBUGCTL (KVM currently lets L2 run with whatever hardware supports; whoops). Note #2, KVM already emulates DR6.RTM, and doesn't restrict access to DR7.RTM. Fixes: 83c529151ab0 ("KVM: x86: expose Intel cpu new features (HLE, RTM) to guest") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250610232010.162191-5-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h index b7dded3c8113..fa878b136eba 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -419,6 +419,7 @@ #define DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI (1UL << 12) #define DEBUGCTLMSR_FREEZE_IN_SMM_BIT 14 #define DEBUGCTLMSR_FREEZE_IN_SMM (1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT) +#define DEBUGCTLMSR_RTM_DEBUG BIT(15) #define MSR_PEBS_FRONTEND 0x000003f7 diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4ee6cc796855..311f6fa53b67 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2186,6 +2186,10 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated (host_initiated || intel_pmu_lbr_is_enabled(vcpu))) debugctl |= DEBUGCTLMSR_LBR | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI; + if (boot_cpu_has(X86_FEATURE_RTM) && + (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM))) + debugctl |= DEBUGCTLMSR_RTM_DEBUG; + return debugctl; }

1 month, 1 week

3
2
0 0

FAILED: patch "[PATCH] KVM: VMX: Preserve host's DEBUGCTLMSR_FREEZE_IN_SMM while" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 6b1dd26544d045f6a79e8c73572c0c0db3ef3c1a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081231-vengeful-creasing-d789@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6b1dd26544d045f6a79e8c73572c0c0db3ef3c1a Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:10 -0700 Subject: [PATCH] KVM: VMX: Preserve host's DEBUGCTLMSR_FREEZE_IN_SMM while running the guest Set/clear DEBUGCTLMSR_FREEZE_IN_SMM in GUEST_IA32_DEBUGCTL based on the host's pre-VM-Enter value, i.e. preserve the host's FREEZE_IN_SMM setting while running the guest. When running with the "default treatment of SMIs" in effect (the only mode KVM supports), SMIs do not generate a VM-Exit that is visible to host (non-SMM) software, and instead transitions directly from VMX non-root to SMM. And critically, DEBUGCTL isn't context switched by hardware on SMI or RSM, i.e. SMM will run with whatever value was resident in hardware at the time of the SMI. Failure to preserve FREEZE_IN_SMM results in the PMU unexpectedly counting events while the CPU is executing in SMM, which can pollute profiling and potentially leak information into the guest. Check for changes in FREEZE_IN_SMM prior to every entry into KVM's inner run loop, as the bit can be toggled in IRQ context via IPI callback (SMP function call), by way of /sys/devices/cpu/freeze_on_smi. Add a field in kvm_x86_ops to communicate which DEBUGCTL bits need to be preserved, as FREEZE_IN_SMM is only supported and defined for Intel CPUs, i.e. explicitly checking FREEZE_IN_SMM in common x86 is at best weird, and at worst could lead to undesirable behavior in the future if AMD CPUs ever happened to pick up a collision with the bit. Exempt TDX vCPUs, i.e. protected guests, from the check, as the TDX Module owns and controls GUEST_IA32_DEBUGCTL. WARN in SVM if KVM_RUN_LOAD_DEBUGCTL is set, mostly to document that the lack of handling isn't a KVM bug (TDX already WARNs on any run_flag). Lastly, explicitly reload GUEST_IA32_DEBUGCTL on a VM-Fail that is missed by KVM but detected by hardware, i.e. in nested_vmx_restore_host_state(). Doing so avoids the need to track host_debugctl on a per-VMCS basis, as GUEST_IA32_DEBUGCTL is unconditionally written by prepare_vmcs02() and load_vmcs12_host_state(). For the VM-Fail case, even though KVM won't have actually entered the guest, vcpu_enter_guest() will have run with vmcs02 active and thus could result in vmcs01 being run with a stale value. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> Co-developed-by: Sean Christopherson <seanjc(a)google.com> Link: https://lore.kernel.org/r/20250610232010.162191-9-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 4f7ee2dbf10e..5e0415a8ee3f 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1677,6 +1677,7 @@ static inline u16 kvm_lapic_irq_dest_mode(bool dest_mode_logical) enum kvm_x86_run_flags { KVM_RUN_FORCE_IMMEDIATE_EXIT = BIT(0), KVM_RUN_LOAD_GUEST_DR6 = BIT(1), + KVM_RUN_LOAD_DEBUGCTL = BIT(2), }; struct kvm_x86_ops { @@ -1707,6 +1708,12 @@ struct kvm_x86_ops { void (*vcpu_load)(struct kvm_vcpu *vcpu, int cpu); void (*vcpu_put)(struct kvm_vcpu *vcpu); + /* + * Mask of DEBUGCTL bits that are owned by the host, i.e. that need to + * match the host's value even while the guest is active. + */ + const u64 HOST_OWNED_DEBUGCTL; + void (*update_exception_bitmap)(struct kvm_vcpu *vcpu); int (*get_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr); int (*set_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr); diff --git a/arch/x86/kvm/vmx/main.c b/arch/x86/kvm/vmx/main.c index c85cbce6d2f6..4a6d4460f947 100644 --- a/arch/x86/kvm/vmx/main.c +++ b/arch/x86/kvm/vmx/main.c @@ -915,6 +915,8 @@ struct kvm_x86_ops vt_x86_ops __initdata = { .vcpu_load = vt_op(vcpu_load), .vcpu_put = vt_op(vcpu_put), + .HOST_OWNED_DEBUGCTL = DEBUGCTLMSR_FREEZE_IN_SMM, + .update_exception_bitmap = vt_op(update_exception_bitmap), .get_feature_msr = vmx_get_feature_msr, .get_msr = vt_op(get_msr), diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index ef20184b8b11..c69df3aba8d1 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -4861,6 +4861,9 @@ static void nested_vmx_restore_host_state(struct kvm_vcpu *vcpu) WARN_ON(kvm_set_dr(vcpu, 7, vmcs_readl(GUEST_DR7))); } + /* Reload DEBUGCTL to ensure vmcs01 has a fresh FREEZE_IN_SMM value. */ + vmx_reload_guest_debugctl(vcpu); + /* * Note that calling vmx_set_{efer,cr0,cr4} is important as they * handle a variety of side effects to KVM's software model. diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index a77d325fe78b..0db1bd383302 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -7377,6 +7377,9 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) if (run_flags & KVM_RUN_LOAD_GUEST_DR6) set_debugreg(vcpu->arch.dr6, 6); + if (run_flags & KVM_RUN_LOAD_DEBUGCTL) + vmx_reload_guest_debugctl(vcpu); + /* * Refresh vmcs.HOST_CR3 if necessary. This must be done immediately * prior to VM-Enter, as the kernel may load a new ASID (PCID) any time diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index c20a4185d10a..076af78af151 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -419,12 +419,25 @@ bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated) static inline void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val) { + WARN_ON_ONCE(val & DEBUGCTLMSR_FREEZE_IN_SMM); + + val |= vcpu->arch.host_debugctl & DEBUGCTLMSR_FREEZE_IN_SMM; vmcs_write64(GUEST_IA32_DEBUGCTL, val); } static inline u64 vmx_guest_debugctl_read(void) { - return vmcs_read64(GUEST_IA32_DEBUGCTL); + return vmcs_read64(GUEST_IA32_DEBUGCTL) & ~DEBUGCTLMSR_FREEZE_IN_SMM; +} + +static inline void vmx_reload_guest_debugctl(struct kvm_vcpu *vcpu) +{ + u64 val = vmcs_read64(GUEST_IA32_DEBUGCTL); + + if (!((val ^ vcpu->arch.host_debugctl) & DEBUGCTLMSR_FREEZE_IN_SMM)) + return; + + vmx_guest_debugctl_write(vcpu, val & ~DEBUGCTLMSR_FREEZE_IN_SMM); } /* diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 7fe3549bbd93..179c2c550c8d 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10779,7 +10779,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) dm_request_for_irq_injection(vcpu) && kvm_cpu_accept_dm_intr(vcpu); fastpath_t exit_fastpath; - u64 run_flags; + u64 run_flags, debug_ctl; bool req_immediate_exit = false; @@ -11051,7 +11051,17 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) set_debugreg(0, 7); } - vcpu->arch.host_debugctl = get_debugctlmsr(); + /* + * Refresh the host DEBUGCTL snapshot after disabling IRQs, as DEBUGCTL + * can be modified in IRQ context, e.g. via SMP function calls. Inform + * vendor code if any host-owned bits were changed, e.g. so that the + * value loaded into hardware while running the guest can be updated. + */ + debug_ctl = get_debugctlmsr(); + if ((debug_ctl ^ vcpu->arch.host_debugctl) & kvm_x86_ops.HOST_OWNED_DEBUGCTL && + !vcpu->arch.guest_state_protected) + run_flags |= KVM_RUN_LOAD_DEBUGCTL; + vcpu->arch.host_debugctl = debug_ctl; guest_timing_enter_irqoff();

1 month, 1 week

3
12
0 0

[PATCH] USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles

by Zenm Chen

Many Realtek USB Wi-Fi dongles released in recent years have two modes: one is driver CD mode which has Windows driver onboard, another one is Wi-Fi mode. Add the US_FL_IGNORE_DEVICE quirk for these multi-mode devices. Otherwise, usb_modeswitch may fail to switch them to Wi-Fi mode. Currently there are only two USB IDs known to be used by these multi-mode Wi-Fi dongles: 0bda:1a2b and 0bda:a192. Information about Mercury MW310UH in /sys/kernel/debug/usb/devices. T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 12 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=0bda ProdID=a192 Rev= 2.00 S: Manufacturer=Realtek S: Product=DISK C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none) E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Information about D-Link AX9U rev. A1 in /sys/kernel/debug/usb/devices. T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 55 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=0bda ProdID=1a2b Rev= 0.00 S: Manufacturer=Realtek S: Product=DISK C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none) E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Cc: stable(a)vger.kernel.org # 5.4.x Signed-off-by: Zenm Chen <zenmchen(a)gmail.com> --- drivers/usb/storage/unusual_devs.h | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h index 54f0b1c83..5a6577a57 100644 --- a/drivers/usb/storage/unusual_devs.h +++ b/drivers/usb/storage/unusual_devs.h @@ -1494,6 +1494,28 @@ UNUSUAL_DEV( 0x0bc2, 0x3332, 0x0000, 0x9999, USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_NO_WP_DETECT ), +/* + * Reported by Zenm Chen <zenmchen(a)gmail.com> + * Ignore driver CD mode, otherwise usb_modeswitch may fail to switch + * the device into Wi-Fi mode. + */ +UNUSUAL_DEV( 0x0bda, 0x1a2b, 0x0000, 0xffff, + "Realtek", + "DISK", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_IGNORE_DEVICE ), + +/* + * Reported by Zenm Chen <zenmchen(a)gmail.com> + * Ignore driver CD mode, otherwise usb_modeswitch may fail to switch + * the device into Wi-Fi mode. + */ +UNUSUAL_DEV( 0x0bda, 0xa192, 0x0000, 0xffff, + "Realtek", + "DISK", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_IGNORE_DEVICE ), + UNUSUAL_DEV( 0x0d49, 0x7310, 0x0000, 0x9999, "Maxtor", "USB to SATA", -- 2.50.1

1 month, 1 week

4
11
0 0

FAILED: patch "[PATCH] mm/hmm: move pmd_to_hmm_pfn_flags() to the respective" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 188cb385bbf04d486df3e52f28c47b3961f5f0c0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081229-useable-overhung-5a62@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 188cb385bbf04d486df3e52f28c47b3961f5f0c0 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Date: Thu, 10 Jul 2025 11:23:53 +0300 Subject: [PATCH] mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery When pmd_to_hmm_pfn_flags() is unused, it prevents kernel builds with clang, `make W=1` and CONFIG_TRANSPARENT_HUGEPAGE=n: mm/hmm.c:186:29: warning: unused function 'pmd_to_hmm_pfn_flags' [-Wunused-function] Fix this by moving the function to the respective existing ifdeffery for its the only user. See also: 6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build") Link: https://lkml.kernel.org/r/20250710082403.664093-1-andriy.shevchenko@linux.i… Fixes: 992de9a8b751 ("mm/hmm: allow to mirror vma of a file on a DAX backed filesystem") Signed-off-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Reviewed-by: Leon Romanovsky <leonro(a)nvidia.com> Reviewed-by: Alistair Popple <apopple(a)nvidia.com> Cc: Andriy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Bill Wendling <morbo(a)google.com> Cc: Jerome Glisse <jglisse(a)redhat.com> Cc: Justin Stitt <justinstitt(a)google.com> Cc: Nathan Chancellor <nathan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/hmm.c b/mm/hmm.c index f2415b4b2cdd..d545e2494994 100644 --- a/mm/hmm.c +++ b/mm/hmm.c @@ -183,6 +183,7 @@ static inline unsigned long hmm_pfn_flags_order(unsigned long order) return order << HMM_PFN_ORDER_SHIFT; } +#ifdef CONFIG_TRANSPARENT_HUGEPAGE static inline unsigned long pmd_to_hmm_pfn_flags(struct hmm_range *range, pmd_t pmd) { @@ -193,7 +194,6 @@ static inline unsigned long pmd_to_hmm_pfn_flags(struct hmm_range *range, hmm_pfn_flags_order(PMD_SHIFT - PAGE_SHIFT); } -#ifdef CONFIG_TRANSPARENT_HUGEPAGE static int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr, unsigned long end, unsigned long hmm_pfns[], pmd_t pmd)

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081209-sworn-unholy-36ad@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:09 -0700 Subject: [PATCH] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs Introduce vmx_guest_debugctl_{read,write}() to handle all accesses to vmcs.GUEST_IA32_DEBUGCTL. This will allow stuffing FREEZE_IN_SMM into GUEST_IA32_DEBUGCTL based on the host setting without bleeding the state into the guest, and without needing to copy+paste the FREEZE_IN_SMM logic into every patch that accesses GUEST_IA32_DEBUGCTL. No functional change intended. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> [sean: massage changelog, make inline, use in all prepare_vmcs02() cases] Reviewed-by: Dapeng Mi <dapeng1.mi(a)linux.intel.com> Link: https://lore.kernel.org/r/20250610232010.162191-8-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 1b8b0642fc2d..ef20184b8b11 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2663,11 +2663,11 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl & - vmx_get_supported_debugctl(vcpu, false)); + vmx_guest_debugctl_write(vcpu, vmcs12->guest_ia32_debugctl & + vmx_get_supported_debugctl(vcpu, false)); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); + vmx_guest_debugctl_write(vcpu, vmx->nested.pre_vmenter_debugctl); } if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) @@ -3532,7 +3532,7 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu, if (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) - vmx->nested.pre_vmenter_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL); + vmx->nested.pre_vmenter_debugctl = vmx_guest_debugctl_read(); if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) @@ -4806,7 +4806,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu, __vmx_set_segment(vcpu, &seg, VCPU_SREG_LDTR); kvm_set_dr(vcpu, 7, 0x400); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + vmx_guest_debugctl_write(vcpu, 0); if (nested_vmx_load_msr(vcpu, vmcs12->vm_exit_msr_load_addr, vmcs12->vm_exit_msr_load_count)) diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c index bbf4509f32d0..0b173602821b 100644 --- a/arch/x86/kvm/vmx/pmu_intel.c +++ b/arch/x86/kvm/vmx/pmu_intel.c @@ -653,11 +653,11 @@ static void intel_pmu_reset(struct kvm_vcpu *vcpu) */ static void intel_pmu_legacy_freezing_lbrs_on_pmi(struct kvm_vcpu *vcpu) { - u64 data = vmcs_read64(GUEST_IA32_DEBUGCTL); + u64 data = vmx_guest_debugctl_read(); if (data & DEBUGCTLMSR_FREEZE_LBRS_ON_PMI) { data &= ~DEBUGCTLMSR_LBR; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); } } @@ -730,7 +730,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) if (!lbr_desc->event) { vmx_disable_lbr_msrs_passthrough(vcpu); - if (vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR) + if (vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR) goto warn; if (test_bit(INTEL_PMC_IDX_FIXED_VLBR, pmu->pmc_in_use)) goto warn; @@ -752,7 +752,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) static void intel_pmu_cleanup(struct kvm_vcpu *vcpu) { - if (!(vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR)) + if (!(vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR)) intel_pmu_release_guest_lbr_event(vcpu); } diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 6a8b78e954cd..a77d325fe78b 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2149,7 +2149,7 @@ int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) msr_info->data = vmx->pt_desc.guest.addr_a[index / 2]; break; case MSR_IA32_DEBUGCTLMSR: - msr_info->data = vmcs_read64(GUEST_IA32_DEBUGCTL); + msr_info->data = vmx_guest_debugctl_read(); break; default: find_uret_msr: @@ -2283,7 +2283,8 @@ int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) VM_EXIT_SAVE_DEBUG_CONTROLS) get_vmcs12(vcpu)->guest_ia32_debugctl = data; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); + if (intel_pmu_lbr_is_enabled(vcpu) && !to_vmx(vcpu)->lbr_desc.event && (data & DEBUGCTLMSR_LBR)) intel_pmu_create_guest_lbr_event(vcpu); @@ -4798,7 +4799,8 @@ static void init_vmcs(struct vcpu_vmx *vmx) vmcs_write32(GUEST_SYSENTER_CS, 0); vmcs_writel(GUEST_SYSENTER_ESP, 0); vmcs_writel(GUEST_SYSENTER_EIP, 0); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + + vmx_guest_debugctl_write(&vmx->vcpu, 0); if (cpu_has_vmx_tpr_shadow()) { vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, 0); diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 392e66c7e5fe..c20a4185d10a 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -417,6 +417,16 @@ void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated); +static inline void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val) +{ + vmcs_write64(GUEST_IA32_DEBUGCTL, val); +} + +static inline u64 vmx_guest_debugctl_read(void) +{ + return vmcs_read64(GUEST_IA32_DEBUGCTL); +} + /* * Note, early Intel manuals have the write-low and read-high bitmap offsets * the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and

1 month, 1 week

3
6
0 0

FAILED: patch "[PATCH] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081210-overhand-panhandle-a07f@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Tue, 10 Jun 2025 16:20:06 -0700 Subject: [PATCH] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported Let the guest set DEBUGCTL.RTM_DEBUG if RTM is supported according to the guest CPUID model, as debug support is supposed to be available if RTM is supported, and there are no known downsides to letting the guest debug RTM aborts. Note, there are no known bug reports related to RTM_DEBUG, the primary motivation is to reduce the probability of breaking existing guests when a future change adds a missing consistency check on vmcs12.GUEST_DEBUGCTL (KVM currently lets L2 run with whatever hardware supports; whoops). Note #2, KVM already emulates DR6.RTM, and doesn't restrict access to DR7.RTM. Fixes: 83c529151ab0 ("KVM: x86: expose Intel cpu new features (HLE, RTM) to guest") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250610232010.162191-5-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h index b7dded3c8113..fa878b136eba 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -419,6 +419,7 @@ #define DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI (1UL << 12) #define DEBUGCTLMSR_FREEZE_IN_SMM_BIT 14 #define DEBUGCTLMSR_FREEZE_IN_SMM (1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT) +#define DEBUGCTLMSR_RTM_DEBUG BIT(15) #define MSR_PEBS_FRONTEND 0x000003f7 diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4ee6cc796855..311f6fa53b67 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2186,6 +2186,10 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated (host_initiated || intel_pmu_lbr_is_enabled(vcpu))) debugctl |= DEBUGCTLMSR_LBR | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI; + if (boot_cpu_has(X86_FEATURE_RTM) && + (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM))) + debugctl |= DEBUGCTLMSR_RTM_DEBUG; + return debugctl; }

1 month, 1 week

3
2
0 0

[PATCH] proc: proc_maps_open allow proc_mem_open to return NULL

by Dennis Beier

From: Jialin Wang <wjl.linux(a)gmail.com> The commit 65c66047259f ("proc: fix the issue of proc_mem_open returning NULL") caused proc_maps_open() to return -ESRCH when proc_mem_open() returns NULL. This breaks legitimate /proc/<pid>/maps access for kernel threads since kernel threads have NULL mm_struct. The regression causes perf to fail and exit when profiling a kernel thread: # perf record -v -g -p $(pgrep kswapd0) ... couldn't open /proc/65/task/65/maps This patch partially reverts the commit to fix it. Link: https://lkml.kernel.org/r/20250807165455.73656-1-wjl.linux@gmail.com Fixes: 65c66047259f ("proc: fix the issue of proc_mem_open returning NULL") Signed-off-by: Jialin Wang <wjl.linux(a)gmail.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index ee1e4ccd33bd..29cca0e6d0ff 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -340,8 +340,8 @@ static int proc_maps_open(struct inode *inode, struct file *file, priv->inode = inode; priv->mm = proc_mem_open(inode, PTRACE_MODE_READ); - if (IS_ERR_OR_NULL(priv->mm)) { - int err = priv->mm ? PTR_ERR(priv->mm) : -ESRCH; + if (IS_ERR(priv->mm)) { + int err = PTR_ERR(priv->mm); seq_release_private(inode, file); return err; -- 2.50.1

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] KVM: x86: Convert vcpu_run()'s immediate exit param into a" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 2478b1b220c49d25cb1c3f061ec4f9b351d9a131 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081228-outthink-finisher-2a2a@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2478b1b220c49d25cb1c3f061ec4f9b351d9a131 Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Tue, 10 Jun 2025 16:20:04 -0700 Subject: [PATCH] KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap Convert kvm_x86_ops.vcpu_run()'s "force_immediate_exit" boolean parameter into an a generic bitmap so that similar "take action" information can be passed to vendor code without creating a pile of boolean parameters. This will allow dropping kvm_x86_ops.set_dr6() in favor of a new flag, and will also allow for adding similar functionality for re-loading debugctl in the active VMCS. Opportunistically massage the TDX WARN and comment to prepare for adding more run_flags, all of which are expected to be mutually exclusive with TDX, i.e. should be WARNed on. No functional change intended. Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250610232010.162191-3-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index b4a391929cdb..8d81684fa15d 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1674,6 +1674,10 @@ static inline u16 kvm_lapic_irq_dest_mode(bool dest_mode_logical) return dest_mode_logical ? APIC_DEST_LOGICAL : APIC_DEST_PHYSICAL; } +enum kvm_x86_run_flags { + KVM_RUN_FORCE_IMMEDIATE_EXIT = BIT(0), +}; + struct kvm_x86_ops { const char *name; @@ -1755,7 +1759,7 @@ struct kvm_x86_ops { int (*vcpu_pre_run)(struct kvm_vcpu *vcpu); enum exit_fastpath_completion (*vcpu_run)(struct kvm_vcpu *vcpu, - bool force_immediate_exit); + u64 run_flags); int (*handle_exit)(struct kvm_vcpu *vcpu, enum exit_fastpath_completion exit_fastpath); int (*skip_emulated_instruction)(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index ab9b947dbf4f..83d1b62130b1 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -4389,9 +4389,9 @@ static noinstr void svm_vcpu_enter_exit(struct kvm_vcpu *vcpu, bool spec_ctrl_in guest_state_exit_irqoff(); } -static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, - bool force_immediate_exit) +static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) { + bool force_immediate_exit = run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT; struct vcpu_svm *svm = to_svm(vcpu); bool spec_ctrl_intercepted = msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL); diff --git a/arch/x86/kvm/vmx/main.c b/arch/x86/kvm/vmx/main.c index d1e02e567b57..fef3e3803707 100644 --- a/arch/x86/kvm/vmx/main.c +++ b/arch/x86/kvm/vmx/main.c @@ -175,12 +175,12 @@ static int vt_vcpu_pre_run(struct kvm_vcpu *vcpu) return vmx_vcpu_pre_run(vcpu); } -static fastpath_t vt_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) +static fastpath_t vt_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) { if (is_td_vcpu(vcpu)) - return tdx_vcpu_run(vcpu, force_immediate_exit); + return tdx_vcpu_run(vcpu, run_flags); - return vmx_vcpu_run(vcpu, force_immediate_exit); + return vmx_vcpu_run(vcpu, run_flags); } static int vt_handle_exit(struct kvm_vcpu *vcpu, diff --git a/arch/x86/kvm/vmx/tdx.c b/arch/x86/kvm/vmx/tdx.c index 4d2426ab6747..1c4b4d9a1acb 100644 --- a/arch/x86/kvm/vmx/tdx.c +++ b/arch/x86/kvm/vmx/tdx.c @@ -1025,20 +1025,20 @@ static void tdx_load_host_xsave_state(struct kvm_vcpu *vcpu) DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI | \ DEBUGCTLMSR_FREEZE_IN_SMM) -fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) +fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) { struct vcpu_tdx *tdx = to_tdx(vcpu); struct vcpu_vt *vt = to_vt(vcpu); /* - * force_immediate_exit requires vCPU entering for events injection with - * an immediately exit followed. But The TDX module doesn't guarantee - * entry, it's already possible for KVM to _think_ it completely entry - * to the guest without actually having done so. - * Since KVM never needs to force an immediate exit for TDX, and can't - * do direct injection, just warn on force_immediate_exit. + * WARN if KVM wants to force an immediate exit, as the TDX module does + * not guarantee entry into the guest, i.e. it's possible for KVM to + * _think_ it completed entry to the guest and forced an immediate exit + * without actually having done so. Luckily, KVM never needs to force + * an immediate exit for TDX (KVM can't do direct event injection, so + * just WARN and continue on. */ - WARN_ON_ONCE(force_immediate_exit); + WARN_ON_ONCE(run_flags); /* * Wait until retry of SEPT-zap-related SEAMCALL completes before @@ -1048,7 +1048,7 @@ fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) if (unlikely(READ_ONCE(to_kvm_tdx(vcpu->kvm)->wait_for_sept_zap))) return EXIT_FASTPATH_EXIT_HANDLED; - trace_kvm_entry(vcpu, force_immediate_exit); + trace_kvm_entry(vcpu, run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT); if (pi_test_on(&vt->pi_desc)) { apic->send_IPI_self(POSTED_INTR_VECTOR); diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4953846cb30d..a61a28944de6 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -7323,8 +7323,9 @@ static noinstr void vmx_vcpu_enter_exit(struct kvm_vcpu *vcpu, guest_state_exit_irqoff(); } -fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit) +fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags) { + bool force_immediate_exit = run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT; struct vcpu_vmx *vmx = to_vmx(vcpu); unsigned long cr3, cr4; diff --git a/arch/x86/kvm/vmx/x86_ops.h b/arch/x86/kvm/vmx/x86_ops.h index b4596f651232..0b4f5c5558d0 100644 --- a/arch/x86/kvm/vmx/x86_ops.h +++ b/arch/x86/kvm/vmx/x86_ops.h @@ -21,7 +21,7 @@ void vmx_vm_destroy(struct kvm *kvm); int vmx_vcpu_precreate(struct kvm *kvm); int vmx_vcpu_create(struct kvm_vcpu *vcpu); int vmx_vcpu_pre_run(struct kvm_vcpu *vcpu); -fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit); +fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags); void vmx_vcpu_free(struct kvm_vcpu *vcpu); void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event); void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu); @@ -133,7 +133,7 @@ void tdx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event); void tdx_vcpu_free(struct kvm_vcpu *vcpu); void tdx_vcpu_load(struct kvm_vcpu *vcpu, int cpu); int tdx_vcpu_pre_run(struct kvm_vcpu *vcpu); -fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit); +fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags); void tdx_prepare_switch_to_guest(struct kvm_vcpu *vcpu); void tdx_vcpu_put(struct kvm_vcpu *vcpu); bool tdx_protected_apic_has_interrupt(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index b58a74c1722d..07ff02eed399 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10779,6 +10779,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) dm_request_for_irq_injection(vcpu) && kvm_cpu_accept_dm_intr(vcpu); fastpath_t exit_fastpath; + u64 run_flags; bool req_immediate_exit = false; @@ -11023,8 +11024,11 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) goto cancel_injection; } - if (req_immediate_exit) + run_flags = 0; + if (req_immediate_exit) { + run_flags |= KVM_RUN_FORCE_IMMEDIATE_EXIT; kvm_make_request(KVM_REQ_EVENT, vcpu); + } fpregs_assert_state_consistent(); if (test_thread_flag(TIF_NEED_FPU_LOAD)) @@ -11061,8 +11065,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) WARN_ON_ONCE((kvm_vcpu_apicv_activated(vcpu) != kvm_vcpu_apicv_active(vcpu)) && (kvm_get_apic_mode(vcpu) != LAPIC_MODE_DISABLED)); - exit_fastpath = kvm_x86_call(vcpu_run)(vcpu, - req_immediate_exit); + exit_fastpath = kvm_x86_call(vcpu_run)(vcpu, run_flags); if (likely(exit_fastpath != EXIT_FASTPATH_REENTER_GUEST)) break; @@ -11074,6 +11077,8 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) break; } + run_flags = 0; + /* Note, VM-Exits that go down the "slow" path are accounted below. */ ++vcpu->stat.exits; }

1 month, 1 week

3
2
0 0

FAILED: patch "[PATCH] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081208-petition-barcode-1e2a@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:09 -0700 Subject: [PATCH] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs Introduce vmx_guest_debugctl_{read,write}() to handle all accesses to vmcs.GUEST_IA32_DEBUGCTL. This will allow stuffing FREEZE_IN_SMM into GUEST_IA32_DEBUGCTL based on the host setting without bleeding the state into the guest, and without needing to copy+paste the FREEZE_IN_SMM logic into every patch that accesses GUEST_IA32_DEBUGCTL. No functional change intended. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> [sean: massage changelog, make inline, use in all prepare_vmcs02() cases] Reviewed-by: Dapeng Mi <dapeng1.mi(a)linux.intel.com> Link: https://lore.kernel.org/r/20250610232010.162191-8-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 1b8b0642fc2d..ef20184b8b11 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2663,11 +2663,11 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl & - vmx_get_supported_debugctl(vcpu, false)); + vmx_guest_debugctl_write(vcpu, vmcs12->guest_ia32_debugctl & + vmx_get_supported_debugctl(vcpu, false)); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); + vmx_guest_debugctl_write(vcpu, vmx->nested.pre_vmenter_debugctl); } if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) @@ -3532,7 +3532,7 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu, if (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) - vmx->nested.pre_vmenter_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL); + vmx->nested.pre_vmenter_debugctl = vmx_guest_debugctl_read(); if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) @@ -4806,7 +4806,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu, __vmx_set_segment(vcpu, &seg, VCPU_SREG_LDTR); kvm_set_dr(vcpu, 7, 0x400); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + vmx_guest_debugctl_write(vcpu, 0); if (nested_vmx_load_msr(vcpu, vmcs12->vm_exit_msr_load_addr, vmcs12->vm_exit_msr_load_count)) diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c index bbf4509f32d0..0b173602821b 100644 --- a/arch/x86/kvm/vmx/pmu_intel.c +++ b/arch/x86/kvm/vmx/pmu_intel.c @@ -653,11 +653,11 @@ static void intel_pmu_reset(struct kvm_vcpu *vcpu) */ static void intel_pmu_legacy_freezing_lbrs_on_pmi(struct kvm_vcpu *vcpu) { - u64 data = vmcs_read64(GUEST_IA32_DEBUGCTL); + u64 data = vmx_guest_debugctl_read(); if (data & DEBUGCTLMSR_FREEZE_LBRS_ON_PMI) { data &= ~DEBUGCTLMSR_LBR; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); } } @@ -730,7 +730,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) if (!lbr_desc->event) { vmx_disable_lbr_msrs_passthrough(vcpu); - if (vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR) + if (vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR) goto warn; if (test_bit(INTEL_PMC_IDX_FIXED_VLBR, pmu->pmc_in_use)) goto warn; @@ -752,7 +752,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) static void intel_pmu_cleanup(struct kvm_vcpu *vcpu) { - if (!(vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR)) + if (!(vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR)) intel_pmu_release_guest_lbr_event(vcpu); } diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 6a8b78e954cd..a77d325fe78b 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2149,7 +2149,7 @@ int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) msr_info->data = vmx->pt_desc.guest.addr_a[index / 2]; break; case MSR_IA32_DEBUGCTLMSR: - msr_info->data = vmcs_read64(GUEST_IA32_DEBUGCTL); + msr_info->data = vmx_guest_debugctl_read(); break; default: find_uret_msr: @@ -2283,7 +2283,8 @@ int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) VM_EXIT_SAVE_DEBUG_CONTROLS) get_vmcs12(vcpu)->guest_ia32_debugctl = data; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); + if (intel_pmu_lbr_is_enabled(vcpu) && !to_vmx(vcpu)->lbr_desc.event && (data & DEBUGCTLMSR_LBR)) intel_pmu_create_guest_lbr_event(vcpu); @@ -4798,7 +4799,8 @@ static void init_vmcs(struct vcpu_vmx *vmx) vmcs_write32(GUEST_SYSENTER_CS, 0); vmcs_writel(GUEST_SYSENTER_ESP, 0); vmcs_writel(GUEST_SYSENTER_EIP, 0); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + + vmx_guest_debugctl_write(&vmx->vcpu, 0); if (cpu_has_vmx_tpr_shadow()) { vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, 0); diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 392e66c7e5fe..c20a4185d10a 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -417,6 +417,16 @@ void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated); +static inline void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val) +{ + vmcs_write64(GUEST_IA32_DEBUGCTL, val); +} + +static inline u64 vmx_guest_debugctl_read(void) +{ + return vmcs_read64(GUEST_IA32_DEBUGCTL); +} + /* * Note, early Intel manuals have the write-low and read-high bitmap offsets * the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and

1 month, 1 week

3
6
0 0

[PATCH 6.15 000/480] 6.15.10-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.15.10 release. There are 480 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 14 Aug 2025 17:42:20 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.15.10-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.15.10-rc1 Suren Baghdasaryan <surenb(a)google.com> mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped Tao Xue <xuetao09(a)huawei.com> usb: gadget : fix use-after-free in composite_dev_cleanup() Aditya Garg <gargaditya08(a)live.com> HID: apple: avoid setting up battery timer for devices without battery Alan Stern <stern(a)rowland.harvard.edu> HID: core: Harden s32ton() against conversion to 0 bits Yuhao Jiang <danisjiang(a)gmail.com> USB: gadget: f_hid: Fix memory leak in hidg_bind error path Qasim Ijaz <qasdev00(a)gmail.com> HID: apple: validate feature-report field count to prevent NULL pointer dereference Julien Massot <julien.massot(a)collabora.com> media: ti: j721e-csi2rx: fix list_del corruption Robin Murphy <robin.murphy(a)arm.com> perf/arm-ni: Set initial IRQ affinity Akash Kumar <quic_akakum(a)quicinc.com> usb: gadget: uvc: Initialize frame-based format color matching descriptor Baolin Wang <baolin.wang(a)linux.alibaba.com> mm: shmem: fix the shmem large folio allocation for the i915 driver Kemeng Shi <shikemeng(a)huaweicloud.com> mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc() Kemeng Shi <shikemeng(a)huaweicloud.com> mm: swap: fix potential buffer overflow in setup_clusters() Kemeng Shi <shikemeng(a)huaweicloud.com> mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: mm: tlb-r4k: Uniquify TLB entries on init Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> s390/mm: Remove possible false-positive warning in pte_free_defer() Sean Christopherson <seanjc(a)google.com> KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported Dave Hansen <dave.hansen(a)linux.intel.com> x86/fpu: Delay instruction pointer fixup until after warning Michael J. Ruhl <michael.j.ruhl(a)intel.com> platform/x86/intel/pmt: fix a crashlog NULL pointer access Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Fix mute LED for HP Victus 16-d1xxx (MB 8A26) Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Fix mute LED for HP Victus 16-s0xxx Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Fix mute LED for HP Victus 16-r1xxx Geoffrey D. Bennett <g(a)b4.vu> ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() Thorsten Blum <thorsten.blum(a)linux.dev> ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() Tom Lendacky <thomas.lendacky(a)amd.com> x86/sev: Evict cache lines during SNP memory validation Ammar Faizi <ammarfaizi2(a)gnuweeb.org> net: usbnet: Fix the wrong netif_carrier_on() call John Ernberg <john.ernberg(a)actia.se> net: usbnet: Avoid potential RCU stall on LINK_CHANGE event Zenm Chen <zenmchen(a)gmail.com> Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add Foxconn T99W709 Thorsten Blum <thorsten.blum(a)linux.dev> smb: server: Fix extension string in ksmbd_extract_shortname() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: limit repeated connections from clients with the same IP Paulo Alcantara <pc(a)manguebit.org> smb: client: default to nonativesocket under POSIX mounts Paulo Alcantara <pc(a)manguebit.org> smb: client: set symlink type as native for POSIX mounts Wang Zhaolong <wangzhaolong(a)huaweicloud.com> smb: client: fix netns refcount leak after net_passive changes Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix corrupted mtime and ctime in smb2_open Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix Preauh_HashValue race condition Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix null pointer dereference error in generate_encryptionkey Budimir Markovic <markovicbudimir(a)gmail.com> vsock: Do not allow binding to VMADDR_PORT_ANY Quang Le <quanglex97(a)gmail.com> net/packet: fix a race in packet_set_ring() and packet_notifier() Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> selftests/perf_events: Add a mmap() correctness test Thomas Gleixner <tglx(a)linutronix.de> perf/core: Prevent VMA split of buffer mappings Thomas Gleixner <tglx(a)linutronix.de> perf/core: Handle buffer mapping fail correctly in perf_mmap() Thomas Gleixner <tglx(a)linutronix.de> perf/core: Exit early on perf_mmap() fail Thomas Gleixner <tglx(a)linutronix.de> perf/core: Don't leak AUX buffer refcount on allocation failure Thomas Gleixner <tglx(a)linutronix.de> perf/core: Preserve AUX buffer allocation failure result Olga Kornievskaia <okorniev(a)redhat.com> sunrpc: fix handling of server side tls alerts NeilBrown <neil(a)brown.name> nfsd: avoid ref leak in nfsd_open_local_fh() Jeff Layton <jlayton(a)kernel.org> nfsd: don't set the ctime on delegated atime updates Zhang Rui <rui.zhang(a)intel.com> tools/power turbostat: Fix bogus SysWatt for forked program Stefan Metzmacher <metze(a)samba.org> smb: client: return an error if rdma_connect does not return within 5 seconds Eric Dumazet <edumazet(a)google.com> pptp: fix pptp_xmit() error path Mohamed Khalfella <mkhalfella(a)purestorage.com> nvmet: exit debugfs after discovery subsystem exits Stefan Metzmacher <metze(a)samba.org> smb: client: let recv_done() avoid touching data_transfer after cleanup/move Stefan Metzmacher <metze(a)samba.org> smb: client: let recv_done() cleanup before notifying the callers. Stefan Metzmacher <metze(a)samba.org> smb: client: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already Stefan Metzmacher <metze(a)samba.org> smb: client: remove separate empty_packet_queue Stefan Metzmacher <metze(a)samba.org> smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection() Stefan Metzmacher <metze(a)samba.org> smb: server: let recv_done() avoid touching data_transfer after cleanup/move Stefan Metzmacher <metze(a)samba.org> smb: server: let recv_done() consistently call put_recvmsg/smb_direct_disconnect_rdma_connection Stefan Metzmacher <metze(a)samba.org> smb: server: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already Stefan Metzmacher <metze(a)samba.org> smb: server: remove separate empty_recvmsg_queue Mikhail Zaslonko <zaslonko(a)linux.ibm.com> s390/boot: Fix startup debugging log Takashi Iwai <tiwai(a)suse.de> ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() Arnd Bergmann <arnd(a)arndb.de> ASoC: SOF: Intel: hda-sdw-bpt: fix SND_SOF_SOF_HDA_SDW_BPT dependencies Arnd Bergmann <arnd(a)arndb.de> irqchip: Build IMX_MU_MSI only on ARM Meghana Malladi <m-malladi(a)ti.com> net: ti: icssg-prueth: Fix skb handling for XDP_PASS Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS/localio: nfs_uuid_put() fix the wake up after unlinking the file Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS/localio: nfs_uuid_put() fix races with nfs_open/close_local_fh() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS/localio: nfs_close_local_fh() fix check for file closed Jakub Kicinski <kuba(a)kernel.org> eth: fbnic: remove the debugging trick of super high page bias Sumanth Korikkar <sumanthk(a)linux.ibm.com> s390/mm: Allocate page table with PAGE_SIZE granularity Maher Azzouzi <maherazz04(a)gmail.com> net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing Michal Schmidt <mschmidt(a)redhat.com> benet: fix BUG when creating VFs Lorenzo Bianconi <lorenzo(a)kernel.org> net: airoha: npu: Add missing MODULE_FIRMWARE macros Jakub Kicinski <kuba(a)kernel.org> eth: fbnic: unlink NAPIs from queues on error to open Thomas Gleixner <tglx(a)linutronix.de> x86/irq: Plug vector setup race Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Disable PF restart worker on device removal Olga Kornievskaia <okorniev(a)redhat.com> sunrpc: fix client side handling of tls alerts Takamitsu Iwai <takamitz(a)amazon.co.jp> net/sched: taprio: enforce minimum value for picos_per_byte Wang Liang <wangliang74(a)huawei.com> net: drop UFO packets in udp_rcv_segment() Florian Fainelli <florian.fainelli(a)broadcom.com> net: mdio: mdio-bcm-unimac: Correct rate fallback logic Eric Dumazet <edumazet(a)google.com> ipv6: reject malicious packets in ipv6_gso_segment() Christoph Paasch <cpaasch(a)openai.com> net/mlx5: Correctly set gso_segs when LRO is used Simon Trimmer <simont(a)opensource.cirrus.com> spi: cs42l43: Property entry should be a null-terminated array Baojun Xu <baojun.xu(a)ti.com> ASoC: tas2781: Fix the wrong step for TLV on tas2781 Christoph Hellwig <hch(a)lst.de> block: ensure discard_granularity is zero when discard is not supported Guenter Roeck <linux(a)roeck-us.net> block: Fix default IO priority if there is no IO context Jakub Kicinski <kuba(a)kernel.org> netlink: specs: ethtool: fix module EEPROM input/output arguments Alexander Gordeev <agordeev(a)linux.ibm.com> s390/mm: Set high_memory at the end of the identity mapping Harald Freudenberger <freude(a)linux.ibm.com> s390/ap: Unmask SLCF bit in card and queue ap functions sysfs Mohamed Khalfella <mkhalfella(a)purestorage.com> nvmet: initialize discovery subsys after debugfs is initialized Eric Dumazet <edumazet(a)google.com> pptp: ensure minimal skb length in pptp_xmit() Luca Weiss <luca.weiss(a)fairphone.com> net: ipa: add IPA v5.1 and v5.5 to ipa_version_string() Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Fix parsing of unicast frames Jakub Kicinski <kuba(a)kernel.org> netpoll: prevent hanging NAPI when netcons gets enabled Heming Zhao <heming.zhao(a)suse.com> md/md-cluster: handle REMOVE message earlier Benjamin Coddington <bcodding(a)redhat.com> NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: another fix for listxattr Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> pNFS/flexfiles: don't attempt pnfs on fatal DS errors Len Brown <len.brown(a)intel.com> tools/power turbostat: regression fix: --show C1E% Timothy Pearson <tpearson(a)raptorengineering.com> PCI: pnv_php: Fix surprise plug detection and recovery Timothy Pearson <tpearson(a)raptorengineering.com> powerpc/eeh: Make EEH driver device hotplug safe Timothy Pearson <tpearson(a)raptorengineering.com> powerpc/eeh: Export eeh_unfreeze_pe() Timothy Pearson <tpearson(a)raptorengineering.com> PCI: pnv_php: Work around switches with broken presence detection Timothy Pearson <tpearson(a)raptorengineering.com> PCI: pnv_php: Clean up allocated IRQs on unplug Herbert Xu <herbert(a)gondor.apana.org.au> padata: Remove comment for reorder_work Peter Zijlstra <peterz(a)infradead.org> sched/psi: Fix psi_seq initialization Jason Gunthorpe <jgg(a)ziepe.ca> vfio/pci: Do vf_token checks for VFIO_DEVICE_BIND_IOMMUFD Masahiro Yamada <masahiroy(a)kernel.org> kconfig: qconf: fix ConfigList::updateListAllforAll() Salomon Dushimirimana <salomondush(a)google.com> scsi: sd: Make sd shutdown issue START STOP UNIT appropriately Seunghui Lee <sh043.lee(a)samsung.com> scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume Li Lingfeng <lilingfeng3(a)huawei.com> scsi: Revert "scsi: iscsi: Fix HW conn removal use after free" Tomas Henzl <thenzl(a)redhat.com> scsi: mpt3sas: Fix a fw_event memory leak Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Separate SR-IOV VF dev_set Brett Creeley <brett.creeley(a)amd.com> vfio/pds: Fix missing detach_ioas op Jacob Pan <jacob.pan(a)linux.microsoft.com> vfio: Prevent open_count decrement to negative Jacob Pan <jacob.pan(a)linux.microsoft.com> vfio: Fix unbalanced vfio_df_close call in no-iommu mode Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: muxes: mule: Fix an error handling path in mule_i2c_mux_probe() Zhengxu Zhang <zhengxu.zhang(a)unisoc.com> exfat: fdatasync flag should be same like generic_write_sync() Chao Yu <chao(a)kernel.org> f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode Chao Yu <chao(a)kernel.org> f2fs: fix to calculate dirty data during has_not_enough_free_secs() Chao Yu <chao(a)kernel.org> f2fs: fix to update upper_p in __get_secs_required() correctly Jan Prusakowski <jprusakowski(a)google.com> f2fs: vm_unmap_ram() may be called from an invalid context Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-boundary access in devs.path Chao Yu <chao(a)kernel.org> f2fs: fix to avoid panic in f2fs_evict_inode Chao Yu <chao(a)kernel.org> f2fs: fix to avoid UAF in f2fs_sync_inode_meta() Chao Yu <chao(a)kernel.org> f2fs: doc: fix wrong quota mount option description Chao Yu <chao(a)kernel.org> f2fs: fix to check upper boundary for gc_no_zoned_gc_percent Chao Yu <chao(a)kernel.org> f2fs: fix to check upper boundary for gc_valid_thresh_ratio yohan.joung <yohan.joung(a)sk.com> f2fs: fix to check upper boundary for value of gc_boost_zoned_gc_percent Abinash Singh <abinashlalotra(a)gmail.com> f2fs: fix KMSAN uninit-value in extent_info usage Chao Yu <chao(a)kernel.org> f2fs: fix to avoid invalid wait context issue Sheng Yong <shengyong1(a)xiaomi.com> f2fs: fix bio memleak when committing super block Daeho Jeong <daehojeong(a)google.com> f2fs: turn off one_time when forcibly set to foreground GC Brian Masney <bmasney(a)redhat.com> rtc: rv3028: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: pcf8563: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: pcf85063: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: nct3018y: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: hym8563: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: ds1307: fix incorrect maximum clock rate handling Uros Bizjak <ubizjak(a)gmail.com> ucount: fix atomic_long_inc_below() argument type Petr Pavlu <petr.pavlu(a)suse.com> module: Restore the moduleparam prefix length check Stanley Chu <yschu(a)nuvoton.com> i3c: master: svc: Fix npcm845 FIFO_EMPTY quirk Helge Deller <deller(a)gmx.de> apparmor: Fix unaligned memory accesses in KUnit test Johannes Berg <johannes.berg(a)intel.com> scripts: gdb: move MNT_* constants to gdb-parsed Ryan Lee <ryan.lee(a)canonical.com> apparmor: fix loop detection used in conflicting attachment resolution Ryan Lee <ryan.lee(a)canonical.com> apparmor: ensure WB_HISTORY_SIZE value is a power of 2 Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Check netfilter ctx accesses are aligned Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Check flow_dissector ctx accesses are aligned Cindy Lu <lulu(a)redhat.com> vhost: Reintroduce kthread API and add mode selection Anders Roxell <anders.roxell(a)linaro.org> vdpa: Fix IDR memory leak in VDUSE module exit Dragos Tatulea <dtatulea(a)nvidia.com> vdpa/mlx5: Fix release of uninitialized resources on error path Alok Tiwari <alok.a.tiwari(a)oracle.com> vhost-scsi: Fix check for inline_sg_cnt exceeding preallocated limit Mike Christie <michael.christie(a)oracle.com> vhost-scsi: Fix log flooding with target does not exist errors Dragos Tatulea <dtatulea(a)nvidia.com> vdpa/mlx5: Fix needs_teardown flag calculation Namhyung Kim <namhyung(a)kernel.org> perf record: Cache build-ID of hit DSOs only Takashi Iwai <tiwai(a)suse.de> ALSA: usb: scarlett2: Fix missing NULL check WangYuli <wangyuli(a)uniontech.com> selftests: ALSA: fix memory leak in utimer test Lukasz Laguna <lukasz.laguna(a)intel.com> drm/xe/vf: Disable CSC support on VF Balamanikandan Gunasundar <balamanikandan.gunasundar(a)microchip.com> mtd: rawnand: atmel: set pmecc data setup time Thomas Fourier <fourier.thomas(a)gmail.com> mtd: rawnand: rockchip: Add missing check after DMA map Thomas Fourier <fourier.thomas(a)gmail.com> mtd: rawnand: atmel: Fix dma_mapping_error() address Zheng Yu <zheng.yu(a)northwestern.edu> jfs: fix metapage reference count leak in dbAllocCtl Paulo Alcantara <pc(a)manguebit.org> smb: client: allow parsing zero-length AV pairs Chenyuan Yang <chenyuan0y(a)gmail.com> fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - fix seq_file position update in adf_ring_next() Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - fix DMA direction for compression on GEN2 devices Shubhrajyoti Datta <shubhrajyoti.datta(a)amd.com> clk: clocking-wizard: Fix the round rate handling for versal Chen Pei <cp0613(a)linux.alibaba.com> perf tools: Remove libtraceevent in .gitignore Ben Hutchings <benh(a)debian.org> sh: Do not use hyphen in exported variable name Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_xcvr: get channel status data with firmware exists Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_xcvr: get channel status data when PHY is not exists Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: SDCA: Fix some holes in the regmap readable/writeable helpers Shree Ramamoorthy <s-ramamoorthy(a)ti.com> mfd: tps65219: Update TPS65214 MFD cell's GPIO compatible string Thomas Fourier <fourier.thomas(a)gmail.com> dmaengine: nbpfaxi: Add missing check after DMA map Thomas Fourier <fourier.thomas(a)gmail.com> dmaengine: mv_xor: Fix missing check after DMA map and missing unmap Ian Rogers <irogers(a)google.com> tools subcmd: Tighten the filename size in check_if_command_finished Dan Carpenter <dan.carpenter(a)linaro.org> fs/orangefs: Allow 2 more characters in do_c_string() Tanmay Shah <tanmay.shah(a)amd.com> remoteproc: xlnx: Disable unsupported features Laurentiu Palcu <laurentiu.palcu(a)oss.nxp.com> clk: imx95-blk-ctl: Fix synchronous abort Manivannan Sadhasivam <mani(a)kernel.org> PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute Bard Liao <yung-chuan.liao(a)linux.intel.com> soundwire: stream: restore params when prepare ports fail Eric Biggers <ebiggers(a)kernel.org> crypto: krb5 - Fix memory leak in krb5_test_one_prf() Bairavi Alagappan <bairavix.alagappan(a)intel.com> crypto: qat - disable ZUC-256 capability for QAT GEN5 Thomas Fourier <fourier.thomas(a)gmail.com> crypto: img-hash - Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> crypto: keembay - Fix dma_unmap_sg() nents value Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> hwrng: mtk - handle devm_pm_runtime_enable errors Varshini Rajendran <varshini.rajendran(a)microchip.com> clk: at91: sam9x7: update pll clk ranges Jan Kara <jack(a)suse.cz> ext4: Make sure BH_New bit is cleared in ->write_end handler Baokun Li <libaokun1(a)huawei.com> ext4: fix inode use after free in ext4_end_io_rsv_work() Dan Carpenter <dan.carpenter(a)linaro.org> watchdog: ziirave_wdt: check record length in ziirave_firm_verify() Robin Murphy <robin.murphy(a)arm.com> PCI: Fix driver_managed_dma check Thomas Fourier <fourier.thomas(a)gmail.com> scsi: isci: Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> scsi: mvsas: Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> scsi: elx: efct: Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value Paul Kocialkowski <paulk(a)sys-base.io> clk: sunxi-ng: v3s: Fix de clock definition Yao Zi <ziyao(a)disroot.org> clk: thead: th1520-ap: Correctly refer the parent of osc_12m Shiraz Saleem <shirazsaleem(a)microsoft.com> RDMA/mana_ib: Fix DSCP value in modify QP Ian Rogers <irogers(a)google.com> perf hwmon_pmu: Avoid shortening hwmon PMU name Leo Yan <leo.yan(a)arm.com> perf tests bp_account: Fix leaked file descriptor Mukesh Ojha <mukesh.ojha(a)oss.qualcomm.com> pinmux: fix race causing mux_owner NULL with active mux_usecount wangzijie <wangzijie1(a)honor.com> proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Arnd Bergmann <arnd(a)arndb.de> kernel: trace: preemptirq_delay_test: use offstack cpu mask Steven Rostedt <rostedt(a)goodmis.org> tracing: Use queue_rcu_work() to free filters Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix -Wframe-larger-than issue Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Drop GFP_NOWARN Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix accessing uninitialized resources Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Get message length of ack_req from FW Mengbiao Xiong <xisme1998(a)gmail.com> crypto: ccp - Fix crash when rebind ccp device for ccp.ko Thomas Fourier <fourier.thomas(a)gmail.com> crypto: inside-secure - Fix `dma_unmap_sg()` nents value Alexey Kardashevskiy <aik(a)amd.com> crypto: ccp - Fix locking on alloc failure handling wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix HW configurations not cleared in error flow wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix double destruction of rsv_qp Namhyung Kim <namhyung(a)kernel.org> perf sched: Fix memory leaks in 'perf sched latency' Namhyung Kim <namhyung(a)kernel.org> perf sched: Use RC_CHK_EQUAL() to compare pointers Namhyung Kim <namhyung(a)kernel.org> perf sched: Fix memory leaks for evsel->priv in timehist Namhyung Kim <namhyung(a)kernel.org> perf sched: Fix thread leaks in 'perf sched timehist' Namhyung Kim <namhyung(a)kernel.org> perf sched: Fix memory leaks in 'perf sched map' Namhyung Kim <namhyung(a)kernel.org> perf sched: Free thread->priv using priv_destructor Namhyung Kim <namhyung(a)kernel.org> perf sched: Make sure it frees the usage string Takahiro Kuwano <Takahiro.Kuwano(a)infineon.com> mtd: spi-nor: spansion: Fixup params->set_4byte_addr_mode for SEMPER Ian Rogers <irogers(a)google.com> perf dso: Add missed dso__put to dso__load_kcore Namhyung Kim <namhyung(a)kernel.org> perf tools: Fix use-after-free in help_unknown_cmd() Thomas Fourier <fourier.thomas(a)gmail.com> Fix dma_unmap_sg() nents value Nuno Sá <nuno.sa(a)analog.com> clk: clk-axi-clkgen: fix fpfd_max frequency for zynq Amir Goldstein <amir73il(a)gmail.com> fanotify: sanitize handle_type values when reporting fid Luca Weiss <luca.weiss(a)fairphone.com> phy: qualcomm: phy-qcom-eusb2-repeater: Don't zero-out registers Rodrigo Gobbi <rodrigo.gobbi.7(a)gmail.com> soundwire: debugfs: move debug statement outside of error handling Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dmaengine: mmp: Fix again Wvoid-pointer-to-enum-cast warning Charles Keepax <ckeepax(a)opensource.cirrus.com> soundwire: Correct some property names Jiwei Sun <sunjw10(a)lenovo.com> PCI: Adjust the position of reading the Link Control 2 register Ze Huang <huangze(a)whut.edu.cn> pinctrl: canaan: k230: Fix order of DT parse and pinctrl register Ze Huang <huangze(a)whut.edu.cn> pinctrl: canaan: k230: add NULL check in DT parse Yuan Chen <chenyuan(a)kylinos.cn> pinctrl: berlin: fix memory leak in berlin_pinctrl_build_state() Yuan Chen <chenyuan(a)kylinos.cn> pinctrl: sunxi: Fix memory leak on krealloc failure Jerome Brunet <jbrunet(a)baylibre.com> PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails Arnd Bergmann <arnd(a)arndb.de> crypto: arm/aes-neonbs - work around gcc-15 warning Thomas Antoine <t.antoine(a)uclouvain.be> power: supply: max1720x correct capacity computation Casey Connolly <casey.connolly(a)linaro.org> power: supply: qcom_pmi8998_charger: fix wakeirq Charles Han <hanchunchao(a)inspur.com> power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set Charles Han <hanchunchao(a)inspur.com> power: supply: cpcap-charger: Fix null check for power_supply_get_by_name Rohit Visavalia <rohit.visavalia(a)amd.com> clk: xilinx: vcu: unregister pll_post only if registered correctly Namhyung Kim <namhyung(a)kernel.org> perf parse-events: Set default GH modifier properly James Cowgill <james.cowgill(a)blaize.com> media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check Henry Martin <bsdhenrymartin(a)gmail.com> clk: davinci: Add NULL check in davinci_lpsc_clk_register() Ivan Stepchenko <sid(a)itb.spb.ru> mtd: fix possible integer overflow in erase_xfer() Svyatoslav Pankratov <svyatoslav.pankratov(a)intel.com> crypto: qat - fix state restore for banks with exceptions Ahsan Atta <ahsan.atta(a)intel.com> crypto: qat - allow enabling VFs in the absence of IOMMU Herbert Xu <herbert(a)gondor.apana.org.au> padata: Fix pd UAF once and for all Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Fix engine load inaccuracy Suman Kumar Chakraborty <suman.kumar.chakraborty(a)intel.com> crypto: qat - use unmanaged allocation for dc_data Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> crypto: sun8i-ce - fix nents passed to dma_unmap_sg() Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> clk: renesas: rzv2h: Fix missing CLK_SET_RATE_PARENT flag for ddiv clocks Hans Zhang <18255117159(a)163.com> PCI: rockchip-host: Fix "Unexpected Completion" log message Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> remoteproc: qcom: pas: Conclude the rename from adsp Kees Cook <kees(a)kernel.org> fortify: Fix incorrect reporting of read buffer size Kees Cook <kees(a)kernel.org> staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() Gabriele Monaco <gmonaco(a)redhat.com> rv: Adjust monitor dependencies Samuel Holland <samuel.holland(a)sifive.com> RISC-V: KVM: Fix inclusion of Smnpm in the guest ISA bitmap Puranjay Mohan <puranjay(a)kernel.org> bpf, arm64: Fix fp initialization for exception boundary Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> bpf/preload: Don't select USERMODE_DRIVER Eric Dumazet <edumazet(a)google.com> ipv6: annotate data-races around rt->fib6_nsiblings Eric Dumazet <edumazet(a)google.com> ipv6: fix possible infinite loop in fib6_info_uses_dev() Eric Dumazet <edumazet(a)google.com> ipv6: prevent infinite loop in rt6_nlmsg_size() Stanislav Fomichev <sdf(a)fomichev.me> vrf: Drop existing dst reference in vrf_ip6_input_dst Xiumei Mu <xmu(a)redhat.com> selftests: rtnetlink.sh: remove esp4_offload after test Jason Xing <kernelxing(a)tencent.com> igb: xsk: solve negative overflow of nb_pkts in zerocopy mode Jason Xing <kernelxing(a)tencent.com> stmmac: xsk: fix negative overflow of budget in zerocopy mode Kuniyuki Iwashima <kuniyu(a)google.com> neighbour: Fix null-ptr-deref in neigh_flush_dev(). Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: Fix wrong rx drop MIB counter for KSZ8863 Stanislav Fomichev <sdf(a)fomichev.me> macsec: set IFF_UNICAST_FLT priv flag Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Remove skb secpath if xfrm state is not found Alexei Lazar <alazar(a)nvidia.com> net/mlx5e: Clear Read-Only port buffer size in PBMC before update Florian Westphal <fw(a)strlen.de> netfilter: xt_nfacct: don't assume acct name is null-terminated Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: Assign netdev.dev_port based on device channel index Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_pciefd: Store device channel index Stephane Grosjean <stephane.grosjean(a)hms-networks.com> can: peak_usb: fix USB FD devices potential malfunction Daniel Zahka <daniel.zahka(a)gmail.com> selftests: drv-net: tso: fix non-tunneled tso6 test case name Daniel Zahka <daniel.zahka(a)gmail.com> selftests: drv-net: tso: fix vxlan tunnel flags to get correct gso_type Daniel Zahka <daniel.zahka(a)gmail.com> selftests: drv-net: tso: enable test cases based on hw_features Gal Pressman <gal(a)nvidia.com> selftests: drv-net: Fix remote command checking in require_cmd() Gabriele Monaco <gmonaco(a)redhat.com> tools/rv: Do not skip idle in trace Kuniyuki Iwashima <kuniyu(a)google.com> bpf: Disable migration in nf_hook_run_bpf(). Chris Down <chris(a)chrisdown.name> Bluetooth: hci_event: Mask data status from LE ext adv reports Ivan Pravdin <ipravdin.official(a)gmail.com> Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' Benjamin Berg <benjamin.berg(a)intel.com> wifi: iwlwifi: mld: decode EOF bit for AMPDUs Jeremy Linton <jeremy.linton(a)arm.com> arm64/gcs: task_gcs_el0_enable() should use passed task Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix WARN_ON for monitor mode on some devices Matthew Wilcox (Oracle) <willy(a)infradead.org> memcg_slabinfo: Fix use of PG_slab Marco Elver <elver(a)google.com> kcsan: test: Initialize dummy variable Steven Rostedt <rostedt(a)goodmis.org> ring-buffer: Remove ring_buffer_read_prepare_sync() Kees Cook <kees(a)kernel.org> wifi: nl80211: Set num_sub_specs before looping through sub_specs Kees Cook <kees(a)kernel.org> wifi: mac80211: Write cnt before copying in ieee80211_copy_rnr_beacon() Steven Rostedt <rostedt(a)goodmis.org> PM: cpufreq: powernv/tracing: Move powernv_throttle trace event Gokul Sivakumar <gokulkumar.sivakumar(a)infineon.com> wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE Tamizh Chelvam Raja <tamizh.raja(a)oss.qualcomm.com> wifi: ath12k: fix endianness handling while accessing wmi service bit Remi Pommarel <repk(a)triplefau.lt> Reapply "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() Alexander Wetzel <Alexander(a)wetzel-home.de> wifi: mac80211: Don't call fq_flow_idx() for management frames Alexander Wetzel <Alexander(a)wetzel-home.de> wifi: mac80211: Do not schedule stopped TXQs Alexander Wetzel <Alexander(a)wetzel-home.de> wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Murad Masimov <m.masimov(a)mt-integration.ru> wifi: plfxlc: Fix error handling in usb driver probe Moon Hee Lee <moonhee.lee.ca(a)gmail.com> wifi: mac80211: reject TDLS operations when station is not associated Tze-nan Wu <Tze-nan.Wu(a)mediatek.com> rcu: Fix delayed execution of hurry callbacks Jason Gunthorpe <jgg(a)ziepe.ca> iommu/amd: Fix geometry.aperture_end for V2 tables Puranjay Mohan <puranjay(a)kernel.org> selftests/bpf: fix implementation of smp_mb() Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx10: fix kiq locking in KCQ reset Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9.4.3: fix kiq locking in KCQ reset Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: fix kiq locking in KCQ reset Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() Aaradhana Sahu <aaradhana.sahu(a)oss.qualcomm.com> wifi: ath12k: Use HTT_TCL_METADATA_VER_V1 in FTM mode Thomas Fourier <fourier.thomas(a)gmail.com> mwl8k: Add missing check after DMA map Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: Fix macid assigned to TDLS station Martin Kaistra <martin.kaistra(a)linutronix.de> wifi: rtl8xxxu: Fix RX skb size for aggregation disabled Eric Dumazet <edumazet(a)google.com> tcp: call tcp_measure_rcv_mss() for ooo packets Juergen Gross <jgross(a)suse.com> xen/gntdev: remove struct gntdev_copy_batch from stack Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> iommu/arm-smmu: disable PRR on SM8250 Jason Gunthorpe <jgg(a)ziepe.ca> iommu/vt-d: Do not wipe out the page table NID when devices detach Juri Lelli <juri.lelli(a)redhat.com> sched/deadline: Reset extra_bw to max_bw when clearing root domains Juri Lelli <juri.lelli(a)redhat.com> sched/deadline: Initialize dl_servers after SMP Al Viro <viro(a)zeniv.linux.org.uk> xen: fix UAF in dmabuf_exp_from_pages() Edward Srouji <edwards(a)nvidia.com> RDMA/mlx5: Fix UMR modifying of mkey page size Eric Dumazet <edumazet(a)google.com> net_sched: act_ctinfo: use atomic64_t for three counters William Liu <will(a)willsroot.io> net/sched: Restrict conditions for adding duplicating netems to qdisc tree Easwar Hariharan <eahariha(a)linux.microsoft.com> iommu/amd: Enable PASID and ATS capabilities in the correct order Tiwei Bie <tiwei.btw(a)antgroup.com> um: rtc: Avoid shadowing err in uml_rtc_start() Johan Korsnes <johan.korsnes(a)gmail.com> arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX Fedor Pchelkin <pchelkin(a)ispras.ru> netfilter: nf_tables: adjust lockdep assertions handling Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Drop dead code from fill_*_info routines Shixiong Ou <oushixiong(a)kylinos.cn> fbcon: Fix outdated registered_fb reference in comment Peter Zijlstra <peterz(a)infradead.org> sched/deadline: Less agressive dl_server handling Peter Zijlstra <peterz(a)infradead.org> sched/psi: Optimize psi_group_change() cpu_clock() usage Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: vop2: Fix the update of LAYER/PORT select registers when there are multi display output on rk3588/rk3568 Heiko Stuebner <heiko(a)sntech.de> drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port Aaradhana Sahu <aaradhana.sahu(a)oss.qualcomm.com> wifi: ath12k: Block radio bring-up in FTM mode Fedor Pchelkin <pchelkin(a)ispras.ru> drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: mt7996: Fix valid_links bitmask in mt7996_mac_sta_{add,remove} Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: mt7996: Fix possible OOB access in mt7996_tx() Lorenzo Bianconi <lorenzo(a)kernel.org> wifi: mt76: mt7996: Fix secondary link lookup in mt7996_mcu_sta_mld_setup_tlv() Artem Sadovnikov <a.sadovnikov(a)ispras.ru> refscale: Check that nreaders and loops multiplication doesn't overflow Finn Thain <fthain(a)linux-m68k.org> m68k: Don't unregister boot console needlessly Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> drm/msm/dpu: Fill in min_prefill_lines for SC8180X Kumar Kartikeya Dwivedi <memxor(a)gmail.com> bpf: Ensure RCU lock is held around bpf_prog_ksym_find Mark Brown <broonie(a)kernel.org> kselftest/arm64: Fix check for setting new VLs in sve-ptrace Dan Carpenter <dan.carpenter(a)linaro.org> wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() Eric Dumazet <edumazet(a)google.com> net: dst: add four helpers to annotate data-races around dst->dev Eric Dumazet <edumazet(a)google.com> net: dst: annotate data-races around dst->output Eric Dumazet <edumazet(a)google.com> net: dst: annotate data-races around dst->input Stav Aviram <saviram(a)nvidia.com> net/mlx5: Check device memory pointer before usage xin.guo <guoxin0309(a)gmail.com> tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range Thiraviyam Mariyappan <thiraviyam.mariyappan(a)oss.qualcomm.com> wifi: ath12k: Clear auth flag only for actual association in security mode Sergey Senozhatsky <senozhatsky(a)chromium.org> wifi: ath11k: clear initialized flag for deinit-ed srng lists Stanislav Fomichev <sdf(a)fomichev.me> team: replace team lock with rtnl lock Jiasheng Jiang <jiasheng(a)iscas.ac.cn> iwlwifi: Add missing check for alloc_ordered_workqueue Xiu Jianfeng <xiujianfeng(a)huawei.com> wifi: iwlwifi: Fix memory leak in iwl_mvm_init() Daniil Dulov <d.dulov(a)aladdin.ru> wifi: rtl818x: Kill URBs before clearing tx status queue Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band Arnd Bergmann <arnd(a)arndb.de> caif: reduce stack size, again Tamizh Chelvam Raja <tamizh.raja(a)oss.qualcomm.com> wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type() P Praneesh <praneesh.p(a)oss.qualcomm.com> wifi: ath12k: Fix double budget decrement while reaping monitor ring Rameshkumar Sundaram <rameshkumar.sundaram(a)oss.qualcomm.com> wifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss Haren Myneni <haren(a)linux.ibm.com> powerpc/pseries/dlpar: Search DRC index from ibm,drc-indexes for IO add Yuan Chen <chenyuan(a)kylinos.cn> bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Remove nbiov7.9 replay count reporting Jonathan Corbet <corbet(a)lwn.net> slub: Fix a documentation build error for krealloc() Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel Petr Machata <petrm(a)nvidia.com> net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain Mykyta Yatsenko <yatsenko(a)meta.com> selftests/bpf: Fix unintentional switch case fall through Eduard Zingerman <eddyz87(a)gmail.com> bpf: handle jset (if a & b ...) as a jump in CFG computation Fushuai Wang <wangfushuai(a)baidu.com> selftests/bpf: fix signedness bug in redir_partial() Jiayuan Chen <jiayuan.chen(a)linux.dev> bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls Breno Leitao <leitao(a)debian.org> netconsole: Only register console drivers when targets are configured Jiayuan Chen <jiayuan.chen(a)linux.dev> bpf, sockmap: Fix psock incorrectly pointing to sk Kuan-Chung Chen <damon.chen(a)realtek.com> wifi: rtw89: fix EHT 20MHz TX rate for non-AP STA Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Add missing explicit padding in drm_panthor_gpu_info Adrián Larumbe <adrian.larumbe(a)collabora.com> drm/panfrost: Fix panfrost device variable name in devfreq Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> drm/connector: hdmi: Evaluate limited range after computing format Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed Steven Rostedt <rostedt(a)goodmis.org> selftests/tracing: Fix false failure of subsystem event test Alok Tiwari <alok.a.tiwari(a)oracle.com> staging: nvec: Fix incorrect null termination of battery manufacturer Michael J. Ruhl <michael.j.ruhl(a)intel.com> drm/xe: Correct BMG VSEC header sizing Michael J. Ruhl <michael.j.ruhl(a)intel.com> drm/xe: Correct the rev value for the DVSEC entries Slark Xiao <slark_xiao(a)163.com> bus: mhi: host: pci_generic: Fix the modem name of Foxconn T99W640 Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> interconnect: qcom: qcs615: Drop IP0 interconnects Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> interconnect: qcom: sc8180x: specify num_nodes Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> interconnect: qcom: sc8280xp: specify num_links for qnm_a1noc_cfg Johan Hovold <johan(a)kernel.org> soc: qcom: pmic_glink: fix OF node leak Brahmajit Das <listout(a)listout.xyz> samples: mei: Fix building on musl libc Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> staging: greybus: gbphy: fix up const issue with the match callback Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: SDCA: Allow read-only controls to be deferrable Lifeng Zheng <zhenglifeng1(a)huawei.com> cpufreq: Init policy->rwsem before it may be possibly used Lifeng Zheng <zhenglifeng1(a)huawei.com> cpufreq: Initialize cpufreq-based frequency-invariance later Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode Chanwoo Choi <cw00.choi(a)samsung.com> PM / devfreq: Fix a index typo in trans_stat Lifeng Zheng <zhenglifeng1(a)huawei.com> PM / devfreq: Check governor before using governor->name Jonas Karlman <jonas(a)kwiboo.se> arm64: dts: rockchip: Fix pinctrl node names for RK3528 Adam Ford <aford173(a)gmail.com> arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed Adam Ford <aford173(a)gmail.com> arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed Annette Kobou <annette.kobou(a)kontron.de> ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface Moon Hee Lee <moonhee.lee.ca(a)gmail.com> selftests: breakpoints: use suspend_stats to reliably check suspend success Patrick Delaunay <patrick.delaunay(a)foss.st.com> arm64: dts: st: fix timer used for ticks Sebastian Reichel <sebastian.reichel(a)collabora.com> arm64: dts: rockchip: fix PHY handling for ROCK 4D Sumit Gupta <sumitg(a)nvidia.com> soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> staging: gpib: Fix error handling paths in cb_gpib_probe() Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> staging: gpib: Fix error code in board_type_ioctl() Albin Törnqvist <albin.tornqvist(a)codiax.se> arm: dts: ti: omap: Fixup pinheader typo Lucas De Marchi <lucas.demarchi(a)intel.com> usb: early: xhci-dbc: Fix early_ioremap leak Sivan Zohar-Kotzer <sivany32(a)gmail.com> powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "vmci: Prevent the dispatching of uninitialized payloads" Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> selftests: vDSO: chacha: Correctly skip test if necessary Tim Harvey <tharvey(a)gateworks.com> arm64: dts: imx8mp-venice-gw74xx: update name of M2SKT_WDIS2# gpio Denis OSTERLAND-HEIM <denis.osterland(a)diehl.com> pps: fix poll support Lizhi Xu <lizhi.xu(a)windriver.com> vmci: Prevent the dispatching of uninitialized payloads Shankari Anand <shankari.ak0208(a)gmail.com> rust: miscdevice: clarify invariant for `MiscDeviceRegistration` Abdun Nihaal <abdun.nihaal(a)gmail.com> staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() Jonas Karlman <jonas(a)kwiboo.se> arm64: dts: rockchip: Enable eMMC HS200 mode on Radxa E20C Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> power: sequencing: qcom-wcn: fix bluetooth-wifi copypasta for WCN6855 Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> drivers: misc: sram: fix up some const issues with recent attribute changes Clément Le Goffic <clement.legoffic(a)foss.st.com> spi: stm32: Check for cfg availability in stm32_spi_probe Hans de Goede <hansg(a)kernel.org> mei: vsc: Unset the event callback on remove and probe errors Hans de Goede <hansg(a)kernel.org> mei: vsc: Event notifier fixes Hans de Goede <hansg(a)kernel.org> mei: vsc: Destroy mutex after freeing the IRQ Hans de Goede <hansg(a)kernel.org> mei: vsc: Don't re-init VSC from mei_vsc_hw_reset() on stop Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> usb: typec: ucsi: yoga-c630: fix error and remove paths Sibi Sankar <quic_sibis(a)quicinc.com> firmware: arm_scmi: Fix up turbo frequencies selection Arnd Bergmann <arnd(a)arndb.de> cpufreq: armada-8k: make both cpu masks static Ryan Wanner <Ryan.Wanner(a)microchip.com> ARM: dts: microchip: sam9x7: Add clock name property Ryan Wanner <Ryan.Wanner(a)microchip.com> ARM: dts: microchip: sama7d65: Add clock name property Michael Walle <mwalle(a)kernel.org> arm64: dts: ti: k3-am62p-j722s: fix pinctrl-single size Wadim Egorov <w.egorov(a)phytec.de> arm64: dts: ti: k3-am642-phyboard-electra: Fix PRU-ICSSG Ethernet ports Charalampos Mitrodimas <charmitro(a)posteo.net> usb: misc: apple-mfi-fastcharge: Make power supply names unique Seungjin Bae <eeodqql09(a)gmail.com> usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: vfxxx: Correctly use two tuples for timer address Gautham R. Shenoy <gautham.shenoy(a)amd.com> pm: cpupower: Fix printing of CORE, CPU fields in cpupower-monitor André Apitzsch <git(a)apitzsch.eu> arm64: dts: qcom: msm8976: Make blsp_dma controlled-remotely Lijuan Gao <lijuan.gao(a)oss.qualcomm.com> arm64: dts: qcom: sa8775p: Correct the interrupt for remoteproc Will Deacon <willdeacon(a)google.com> arm64: dts: exynos: gs101: Add 'local-timer-stop' to cpuidle nodes Jie Gan <jie.gan(a)oss.qualcomm.com> arm64: dts: qcom: qcs615: disable the CTI device of the camera block Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: sc7180: Expand IMEM region Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: sdm845: Expand IMEM region Jie Gan <jie.gan(a)oss.qualcomm.com> arm64: dts: qcom: qcs615: fix a crash issue caused by infinite loop for Coresight Alexander Wilhelm <alexander.wilhelm(a)westermo.com> soc: qcom: QMI encoding/decoding for big endian Dmitry Vyukov <dvyukov(a)google.com> selftests: Fix errno checking in syscall_user_dispatch test Alexander Stein <alexander.stein(a)ew.tq-group.com> arm64: dts: freescale: imx93-tqma9352: Limit BUCK2 to 600mV Chen-Yu Tsai <wenst(a)chromium.org> ASoC: mediatek: use reserved memory or enable buffer pre-allocation Arnd Bergmann <arnd(a)arndb.de> ASoC: ops: dynamically allocate struct snd_ctl_elem_value Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com> ASoC: amd: acp: Fix pointer assignments for snd_soc_acpi_mach structures Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() Sun YangKai <sunk67188(a)gmail.com> btrfs: remove partial support for lowest level from btrfs_search_forward() Randy Dunlap <rdunlap(a)infradead.org> io_uring: fix breakage in EXPERT menu John Garry <john.g.garry(a)oracle.com> block: sanitize chunk_sectors for atomic write limits Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: No more self recovery Kees Cook <kees(a)kernel.org> kunit/fortify: Add back "volatile" for sizeof() constants Zheng Qixing <zhengqixing(a)huawei.com> md: allow removing faulty rdev during resync Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Minor do_xmote cancelation fix Thomas Fourier <fourier.thomas(a)gmail.com> block: mtip32xx: Fix usage of dma_map_sg() Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Revert "fs/ntfs3: Replace inode_trylock with inode_lock" Yangtao Li <frank.li(a)vivo.com> hfsplus: remove mutex_lock check in hfsplus_free_extents Yangtao Li <frank.li(a)vivo.com> hfs: make splice write available again Yangtao Li <frank.li(a)vivo.com> hfsplus: make splice write available again Caleb Sander Mateos <csander(a)purestorage.com> ublk: use vmalloc for ublk_device's __queues Tingmao Wang <m(a)maowtm.org> landlock: Fix warning from KUnit tests Edward Adam Davis <eadavis(a)qq.com> fs/ntfs3: cancle set bad inode after removing name fails Song Liu <song(a)kernel.org> selftests/landlock: Fix build of audit_test Mickaël Salaün <mic(a)digikod.net> selftests/landlock: Fix readlink check RubenKelevra <rubenkelevra(a)gmail.com> fs_context: fix parameter name in infofc() macro Al Viro <viro(a)zeniv.linux.org.uk> parse_longname(): strrchr() expects NUL-terminated string Richard Guy Briggs <rgb(a)redhat.com> audit,module: restore audit logging in load failure case Alexandru Andries <alex.andries.aa(a)gmail.com> ASoC: amd: yc: add DMI quirk for ASUS M6501RM Arnd Bergmann <arnd(a)arndb.de> ASoC: Intel: fix SND_SOC_SOF dependencies Jackie Dong <xy-jackie(a)139.com> ALSA: hda/realtek: Support mute LED for Yoga with ALC287 Richard Fitzgerald <rf(a)opensource.cirrus.com> ALSA: hda/cs35l56: Workaround bad dev-index on Lenovo Yoga Book 9i GenX Adam Queler <queler(a)gmail.com> ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx Arnd Bergmann <arnd(a)arndb.de> ethernet: intel: fix building with large NR_CPUS Lane Odenbach <laodenbach(a)gmail.com> ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx Thomas Zimmermann <tzimmermann(a)suse.de> drm/radeon: Do not hold console lock while suspending clients ------------- Diffstat: Documentation/filesystems/f2fs.rst | 6 +- Documentation/netlink/specs/ethtool.yaml | 6 +- Makefile | 4 +- arch/arm/boot/dts/microchip/sam9x7.dtsi | 2 + arch/arm/boot/dts/microchip/sama7d65.dtsi | 2 + .../boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi | 1 - arch/arm/boot/dts/nxp/vf/vfxxx.dtsi | 2 +- arch/arm/boot/dts/ti/omap/am335x-boneblack.dts | 2 +- arch/arm/crypto/aes-neonbs-glue.c | 2 +- arch/arm64/boot/dts/exynos/google/gs101.dtsi | 3 + .../boot/dts/freescale/imx8mm-beacon-som.dtsi | 2 + .../boot/dts/freescale/imx8mn-beacon-som.dtsi | 2 + .../boot/dts/freescale/imx8mp-venice-gw74xx.dts | 8 +- arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi | 6 +- arch/arm64/boot/dts/qcom/msm8976.dtsi | 2 + arch/arm64/boot/dts/qcom/qcs615.dtsi | 4 + arch/arm64/boot/dts/qcom/sa8775p.dtsi | 10 +- arch/arm64/boot/dts/qcom/sc7180.dtsi | 10 +- arch/arm64/boot/dts/qcom/sdm845.dtsi | 10 +- arch/arm64/boot/dts/rockchip/rk3528-pinctrl.dtsi | 20 +- arch/arm64/boot/dts/rockchip/rk3528-radxa-e20c.dts | 1 + arch/arm64/boot/dts/rockchip/rk3576-rock-4d.dts | 6 +- arch/arm64/boot/dts/st/stm32mp251.dtsi | 2 +- .../boot/dts/ti/k3-am62p-j722s-common-main.dtsi | 2 +- .../boot/dts/ti/k3-am642-phyboard-electra-rdk.dts | 2 + arch/arm64/include/asm/gcs.h | 2 +- arch/arm64/kernel/process.c | 6 +- arch/arm64/net/bpf_jit_comp.c | 1 + arch/m68k/Kconfig.debug | 2 +- arch/m68k/kernel/early_printk.c | 42 +- arch/m68k/kernel/head.S | 8 +- arch/mips/mm/tlb-r4k.c | 56 +- arch/powerpc/configs/ppc6xx_defconfig | 1 - arch/powerpc/kernel/eeh.c | 1 + arch/powerpc/kernel/eeh_driver.c | 48 +- arch/powerpc/kernel/eeh_pe.c | 10 +- arch/powerpc/kernel/pci-hotplug.c | 3 + arch/powerpc/platforms/pseries/dlpar.c | 52 +- arch/riscv/kvm/vcpu_onereg.c | 83 ++- arch/s390/boot/startup.c | 2 +- arch/s390/include/asm/ap.h | 2 +- arch/s390/kernel/setup.c | 6 + arch/s390/mm/pgalloc.c | 5 - arch/s390/mm/vmem.c | 5 +- arch/sh/Makefile | 10 +- arch/sh/boot/compressed/Makefile | 4 +- arch/sh/boot/romimage/Makefile | 4 +- arch/um/drivers/rtc_user.c | 2 +- arch/x86/boot/cpuflags.c | 13 + arch/x86/coco/sev/shared.c | 46 ++ arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/hw_irq.h | 12 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/irq.c | 63 ++- arch/x86/kvm/vmx/vmx.c | 4 + arch/x86/mm/extable.c | 5 +- block/blk-settings.c | 19 +- crypto/krb5/selftest.c | 1 + drivers/block/mtip32xx/mtip32xx.c | 27 +- drivers/block/ublk_drv.c | 4 +- drivers/bluetooth/btusb.c | 4 + drivers/bus/mhi/host/pci_generic.c | 8 +- drivers/char/hw_random/mtk-rng.c | 4 +- drivers/clk/at91/sam9x7.c | 20 +- drivers/clk/clk-axi-clkgen.c | 2 +- drivers/clk/davinci/psc.c | 5 + drivers/clk/imx/clk-imx95-blk-ctl.c | 13 +- drivers/clk/renesas/rzv2h-cpg.c | 1 + drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 +- drivers/clk/thead/clk-th1520-ap.c | 9 +- drivers/clk/xilinx/clk-xlnx-clock-wizard.c | 2 +- drivers/clk/xilinx/xlnx_vcu.c | 4 +- drivers/cpufreq/Makefile | 1 + drivers/cpufreq/armada-8k-cpufreq.c | 3 +- drivers/cpufreq/cpufreq.c | 21 +- drivers/cpufreq/intel_pstate.c | 4 +- drivers/cpufreq/powernv-cpufreq.c | 4 +- drivers/cpufreq/powernv-trace.h | 44 ++ .../crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 4 +- drivers/crypto/ccp/ccp-debugfs.c | 3 + drivers/crypto/ccp/sev-dev.c | 8 +- drivers/crypto/img-hash.c | 2 +- drivers/crypto/inside-secure/safexcel_hash.c | 8 +- .../crypto/intel/keembay/keembay-ocs-hcu-core.c | 8 +- .../crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c | 9 +- .../crypto/intel/qat/qat_common/adf_gen4_hw_data.c | 29 +- drivers/crypto/intel/qat/qat_common/adf_sriov.c | 1 - .../intel/qat/qat_common/adf_transport_debug.c | 4 +- drivers/crypto/intel/qat/qat_common/qat_bl.c | 6 +- .../crypto/intel/qat/qat_common/qat_compression.c | 8 +- drivers/crypto/marvell/cesa/cipher.c | 4 +- drivers/crypto/marvell/cesa/hash.c | 5 +- drivers/devfreq/devfreq.c | 12 +- drivers/dma/mmp_tdma.c | 2 +- drivers/dma/mv_xor.c | 21 +- drivers/dma/nbpfaxi.c | 13 + drivers/firmware/arm_scmi/perf.c | 2 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 6 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 3 +- drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c | 20 - .../gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c | 2 +- drivers/gpu/drm/display/drm_hdmi_state_helper.c | 4 +- .../drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h | 1 + drivers/gpu/drm/panfrost/panfrost_devfreq.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 8 +- drivers/gpu/drm/rockchip/rockchip_drm_fb.c | 9 +- drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 29 +- drivers/gpu/drm/rockchip/rockchip_drm_vop2.h | 33 ++ drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 89 ++- drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 2 +- drivers/gpu/drm/xe/xe_device.c | 1 + drivers/gpu/drm/xe/xe_gt_sriov_pf.c | 32 +- drivers/gpu/drm/xe/xe_vsec.c | 20 +- drivers/hid/hid-apple.c | 20 +- drivers/hid/hid-core.c | 6 +- drivers/i2c/muxes/i2c-mux-mule.c | 3 +- drivers/i3c/master/svc-i3c-master.c | 20 +- drivers/infiniband/hw/erdma/erdma_verbs.c | 3 +- drivers/infiniband/hw/hns/hns_roce_device.h | 1 + drivers/infiniband/hw/hns/hns_roce_hem.c | 18 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 87 ++- drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 8 +- drivers/infiniband/hw/hns/hns_roce_main.c | 22 +- drivers/infiniband/hw/mana/qp.c | 2 +- drivers/infiniband/hw/mlx5/dm.c | 2 +- drivers/infiniband/hw/mlx5/umr.c | 6 +- drivers/interconnect/qcom/qcs615.c | 42 -- drivers/interconnect/qcom/sc8180x.c | 6 + drivers/interconnect/qcom/sc8280xp.c | 1 + drivers/iommu/amd/iommu.c | 19 +- drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 3 +- drivers/iommu/intel/iommu.c | 1 - drivers/irqchip/Kconfig | 1 + drivers/md/md.c | 33 +- .../media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 1 + drivers/media/v4l2-core/v4l2-ctrls-core.c | 8 +- drivers/mfd/tps65219.c | 2 +- drivers/misc/mei/platform-vsc.c | 8 + drivers/misc/mei/vsc-tp.c | 20 +- drivers/misc/sram.c | 10 +- drivers/mtd/ftl.c | 2 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +- drivers/mtd/nand/raw/atmel/pmecc.c | 6 + drivers/mtd/nand/raw/rockchip-nand-controller.c | 15 + drivers/mtd/spi-nor/spansion.c | 31 ++ drivers/net/can/kvaser_pciefd.c | 1 + drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 17 +- drivers/net/dsa/microchip/ksz8.c | 3 + drivers/net/dsa/microchip/ksz8_reg.h | 4 +- drivers/net/ethernet/airoha/airoha_npu.c | 2 + drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- drivers/net/ethernet/intel/fm10k/fm10k.h | 3 +- drivers/net/ethernet/intel/i40e/i40e.h | 2 +- drivers/net/ethernet/intel/igb/igb_xsk.c | 3 +- drivers/net/ethernet/intel/ixgbe/ixgbe.h | 3 +- .../ethernet/mellanox/mlx5/core/en/port_buffer.c | 3 + .../mellanox/mlx5/core/en_accel/ipsec_rxtx.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 - drivers/net/ethernet/meta/fbnic/fbnic_netdev.c | 4 +- drivers/net/ethernet/meta/fbnic/fbnic_txrx.c | 4 +- drivers/net/ethernet/meta/fbnic/fbnic_txrx.h | 6 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/ethernet/ti/icssg/icssg_common.c | 15 +- drivers/net/ipa/ipa_sysfs.c | 6 +- drivers/net/macsec.c | 2 +- drivers/net/mdio/mdio-bcm-unimac.c | 5 +- drivers/net/netconsole.c | 30 +- drivers/net/phy/mscc/mscc_ptp.c | 1 + drivers/net/phy/mscc/mscc_ptp.h | 1 + drivers/net/ppp/pptp.c | 18 +- drivers/net/team/team_core.c | 96 ++-- drivers/net/team/team_mode_activebackup.c | 3 +- drivers/net/team/team_mode_loadbalance.c | 13 +- drivers/net/usb/usbnet.c | 11 +- drivers/net/vrf.c | 2 + drivers/net/wireless/ath/ath11k/hal.c | 4 + drivers/net/wireless/ath/ath11k/mac.c | 12 +- drivers/net/wireless/ath/ath12k/dp.h | 1 + drivers/net/wireless/ath/ath12k/dp_mon.c | 1 - drivers/net/wireless/ath/ath12k/dp_tx.c | 10 +- drivers/net/wireless/ath/ath12k/mac.c | 29 +- drivers/net/wireless/ath/ath12k/p2p.c | 3 +- drivers/net/wireless/ath/ath12k/wmi.c | 14 +- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 8 +- drivers/net/wireless/intel/iwlwifi/dvm/main.c | 12 +- drivers/net/wireless/intel/iwlwifi/mld/rx.c | 9 + drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 +- drivers/net/wireless/marvell/mwl8k.c | 4 + drivers/net/wireless/mediatek/mt76/mt7996/main.c | 21 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 3 +- drivers/net/wireless/purelifi/plfxlc/mac.c | 11 +- drivers/net/wireless/purelifi/plfxlc/mac.h | 2 +- drivers/net/wireless/purelifi/plfxlc/usb.c | 29 +- drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 +- drivers/net/wireless/realtek/rtl8xxxu/core.c | 2 +- drivers/net/wireless/realtek/rtw88/main.c | 4 +- drivers/net/wireless/realtek/rtw89/core.c | 5 + drivers/net/wireless/realtek/rtw89/phy.c | 12 +- drivers/nvme/target/core.c | 18 +- drivers/pci/controller/pcie-rockchip-host.c | 2 +- drivers/pci/endpoint/functions/pci-epf-vntb.c | 4 +- drivers/pci/hotplug/pnv_php.c | 235 +++++++- drivers/pci/pci-driver.c | 6 +- drivers/pci/quirks.c | 6 +- drivers/perf/arm-ni.c | 2 + drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 83 +-- drivers/pinctrl/berlin/berlin.c | 8 +- drivers/pinctrl/pinctrl-k230.c | 13 +- drivers/pinctrl/pinmux.c | 20 +- drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 +- drivers/platform/x86/intel/pmt/class.c | 3 +- drivers/platform/x86/intel/pmt/class.h | 1 + drivers/power/sequencing/pwrseq-qcom-wcn.c | 2 +- drivers/power/supply/cpcap-charger.c | 5 +- drivers/power/supply/max14577_charger.c | 4 +- drivers/power/supply/max1720x_battery.c | 11 +- drivers/power/supply/qcom_pmi8998_charger.c | 4 +- drivers/powercap/dtpm_cpu.c | 2 + drivers/pps/pps.c | 11 +- drivers/remoteproc/Kconfig | 11 +- drivers/remoteproc/qcom_q6v5_pas.c | 615 ++++++++++----------- drivers/remoteproc/xlnx_r5_remoteproc.c | 2 + drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-hym8563.c | 2 +- drivers/rtc/rtc-nct3018y.c | 2 +- drivers/rtc/rtc-pcf85063.c | 2 +- drivers/rtc/rtc-pcf8563.c | 2 +- drivers/rtc/rtc-rv3028.c | 2 +- drivers/s390/crypto/ap_bus.h | 2 +- drivers/scsi/elx/efct/efct_lio.c | 2 +- drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 +- drivers/scsi/isci/request.c | 2 +- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +- drivers/scsi/mvsas/mv_sas.c | 4 +- drivers/scsi/scsi_transport_iscsi.c | 2 + drivers/scsi/sd.c | 4 +- drivers/soc/qcom/pmic_glink.c | 9 +- drivers/soc/qcom/qmi_encdec.c | 46 +- drivers/soc/tegra/cbb/tegra234-cbb.c | 2 + drivers/soundwire/debugfs.c | 6 +- drivers/soundwire/mipi_disco.c | 4 +- drivers/soundwire/stream.c | 2 +- drivers/spi/spi-cs42l43.c | 2 +- drivers/spi/spi-stm32.c | 8 +- drivers/staging/fbtft/fbtft-core.c | 1 + drivers/staging/gpib/cb7210/cb7210.c | 15 +- drivers/staging/gpib/common/gpib_os.c | 2 +- drivers/staging/greybus/gbphy.c | 6 +- .../media/atomisp/pci/atomisp_gmin_platform.c | 9 +- drivers/staging/nvec/nvec_power.c | 2 +- drivers/ufs/core/ufshcd.c | 10 +- drivers/usb/early/xhci-dbc.c | 4 + drivers/usb/gadget/composite.c | 5 + drivers/usb/gadget/function/f_hid.c | 7 +- drivers/usb/gadget/function/uvc_configfs.c | 10 + drivers/usb/host/xhci-plat.c | 2 +- drivers/usb/misc/apple-mfi-fastcharge.c | 24 +- drivers/usb/serial/option.c | 2 + drivers/usb/typec/ucsi/ucsi_yoga_c630.c | 19 +- drivers/vdpa/mlx5/core/mr.c | 3 + drivers/vdpa/mlx5/net/mlx5_vnet.c | 12 +- drivers/vdpa/vdpa_user/vduse_dev.c | 1 + drivers/vfio/device_cdev.c | 38 +- drivers/vfio/group.c | 7 +- drivers/vfio/iommufd.c | 4 + drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 1 + drivers/vfio/pci/mlx5/main.c | 1 + drivers/vfio/pci/nvgrace-gpu/main.c | 2 + drivers/vfio/pci/pds/vfio_dev.c | 2 + drivers/vfio/pci/qat/main.c | 1 + drivers/vfio/pci/vfio_pci.c | 1 + drivers/vfio/pci/vfio_pci_core.c | 24 +- drivers/vfio/pci/virtio/main.c | 3 + drivers/vfio/vfio_main.c | 3 +- drivers/vhost/Kconfig | 18 + drivers/vhost/scsi.c | 6 +- drivers/vhost/vhost.c | 244 +++++++- drivers/vhost/vhost.h | 22 + drivers/video/fbdev/core/fbcon.c | 4 +- drivers/video/fbdev/imxfb.c | 9 +- drivers/watchdog/ziirave_wdt.c | 3 + drivers/xen/gntdev-common.h | 4 + drivers/xen/gntdev-dmabuf.c | 28 +- drivers/xen/gntdev.c | 71 ++- fs/btrfs/ctree.c | 18 +- fs/ceph/crypto.c | 31 +- fs/exfat/file.c | 5 +- fs/ext4/inline.c | 2 + fs/ext4/inode.c | 3 +- fs/ext4/page-io.c | 16 +- fs/f2fs/data.c | 7 +- fs/f2fs/debug.c | 17 +- fs/f2fs/extent_cache.c | 2 +- fs/f2fs/f2fs.h | 2 +- fs/f2fs/gc.c | 1 + fs/f2fs/inode.c | 21 +- fs/f2fs/segment.h | 5 +- fs/f2fs/super.c | 1 + fs/f2fs/sysfs.c | 21 + fs/gfs2/glock.c | 3 +- fs/gfs2/util.c | 37 +- fs/hfs/inode.c | 1 + fs/hfsplus/extents.c | 3 - fs/hfsplus/inode.c | 1 + fs/jfs/jfs_dmap.c | 4 +- fs/nfs/dir.c | 4 +- fs/nfs/export.c | 11 +- fs/nfs/flexfilelayout/flexfilelayout.c | 26 +- fs/nfs/flexfilelayout/flexfilelayoutdev.c | 6 +- fs/nfs/internal.h | 9 +- fs/nfs/nfs4proc.c | 10 +- fs/nfs_common/nfslocalio.c | 28 +- fs/nfsd/localio.c | 5 +- fs/nfsd/vfs.c | 10 +- fs/notify/fanotify/fanotify.c | 8 +- fs/ntfs3/file.c | 5 +- fs/ntfs3/frecord.c | 7 +- fs/ntfs3/namei.c | 10 +- fs/ntfs3/ntfs_fs.h | 3 +- fs/orangefs/orangefs-debugfs.c | 6 +- fs/proc/generic.c | 2 + fs/proc/inode.c | 2 +- fs/proc/internal.h | 5 + fs/smb/client/cifs_debug.c | 6 +- fs/smb/client/cifsencrypt.c | 4 +- fs/smb/client/cifsfs.c | 2 +- fs/smb/client/connect.c | 9 +- fs/smb/client/fs_context.c | 19 +- fs/smb/client/fs_context.h | 18 +- fs/smb/client/link.c | 11 +- fs/smb/client/reparse.c | 2 +- fs/smb/client/smbdirect.c | 130 ++--- fs/smb/client/smbdirect.h | 4 - fs/smb/server/connection.h | 1 + fs/smb/server/smb2pdu.c | 22 +- fs/smb/server/smb_common.c | 2 +- fs/smb/server/transport_rdma.c | 97 ++-- fs/smb/server/transport_tcp.c | 17 + fs/smb/server/vfs.c | 3 +- include/linux/audit.h | 9 +- include/linux/fortify-string.h | 2 +- include/linux/fs_context.h | 2 +- include/linux/if_team.h | 3 - include/linux/ioprio.h | 3 +- include/linux/mlx5/device.h | 1 + include/linux/mm.h | 30 + include/linux/moduleparam.h | 5 +- include/linux/padata.h | 4 - include/linux/pps_kernel.h | 1 + include/linux/proc_fs.h | 1 + include/linux/psi_types.h | 6 +- include/linux/ring_buffer.h | 4 +- include/linux/sched.h | 1 + include/linux/skbuff.h | 23 + include/linux/usb/usbnet.h | 1 + include/linux/vfio.h | 4 + include/linux/vfio_pci_core.h | 2 + include/net/bluetooth/hci.h | 1 + include/net/bluetooth/hci_core.h | 6 + include/net/dst.h | 24 +- include/net/lwtunnel.h | 8 +- include/net/tc_act/tc_ctinfo.h | 6 +- include/net/udp.h | 24 +- include/sound/tas2781-tlv.h | 2 +- include/trace/events/power.h | 22 - include/uapi/drm/panthor_drm.h | 3 + include/uapi/linux/vfio.h | 12 +- include/uapi/linux/vhost.h | 29 + init/Kconfig | 2 +- kernel/audit.h | 2 +- kernel/auditsc.c | 2 +- kernel/bpf/core.c | 5 +- kernel/bpf/helpers.c | 11 +- kernel/bpf/preload/Kconfig | 1 - kernel/bpf/verifier.c | 1 + kernel/events/core.c | 38 +- kernel/kcsan/kcsan_test.c | 2 +- kernel/module/main.c | 6 +- kernel/padata.c | 132 ++--- kernel/rcu/refscale.c | 10 +- kernel/rcu/tree_nocb.h | 2 +- kernel/sched/core.c | 2 + kernel/sched/deadline.c | 78 ++- kernel/sched/fair.c | 9 - kernel/sched/psi.c | 123 +++-- kernel/sched/sched.h | 1 + kernel/trace/power-traces.c | 1 - kernel/trace/preemptirq_delay_test.c | 13 +- kernel/trace/ring_buffer.c | 63 +-- kernel/trace/rv/monitors/scpd/Kconfig | 2 +- kernel/trace/rv/monitors/sncid/Kconfig | 2 +- kernel/trace/rv/monitors/snep/Kconfig | 2 +- kernel/trace/rv/monitors/wip/Kconfig | 2 +- kernel/trace/trace.c | 14 +- kernel/trace/trace_events_filter.c | 28 +- kernel/trace/trace_kdb.c | 8 +- kernel/ucount.c | 2 +- lib/tests/fortify_kunit.c | 4 +- mm/hmm.c | 2 +- mm/memory.c | 3 +- mm/shmem.c | 4 +- mm/slub.c | 10 +- mm/swapfile.c | 65 +-- net/bluetooth/coredump.c | 6 +- net/bluetooth/hci_event.c | 8 +- net/caif/cfctrl.c | 294 +++++----- net/core/dst.c | 8 +- net/core/filter.c | 3 + net/core/neighbour.c | 88 ++- net/core/netpoll.c | 7 + net/core/skmsg.c | 7 + net/core/sock.c | 8 +- net/ipv4/route.c | 4 +- net/ipv4/tcp_input.c | 4 +- net/ipv6/ip6_fib.c | 24 +- net/ipv6/ip6_offload.c | 4 +- net/ipv6/ip6mr.c | 3 +- net/ipv6/route.c | 60 +- net/mac80211/cfg.c | 2 +- net/mac80211/main.c | 13 +- net/mac80211/tdls.c | 2 +- net/mac80211/tx.c | 14 +- net/netfilter/nf_bpf_link.c | 5 +- net/netfilter/nf_tables_api.c | 29 +- net/netfilter/xt_nfacct.c | 4 +- net/packet/af_packet.c | 12 +- net/sched/act_ctinfo.c | 19 +- net/sched/sch_mqprio.c | 2 +- net/sched/sch_netem.c | 40 ++ net/sched/sch_taprio.c | 21 +- net/sunrpc/svcsock.c | 43 +- net/sunrpc/xprtsock.c | 40 +- net/tls/tls_sw.c | 13 + net/vmw_vsock/af_vsock.c | 3 +- net/wireless/nl80211.c | 1 + net/wireless/reg.c | 2 + rust/kernel/miscdevice.rs | 8 +- samples/mei/mei-amt-version.c | 2 +- scripts/gdb/linux/constants.py.in | 12 +- scripts/kconfig/qconf.cc | 2 +- security/apparmor/include/match.h | 8 +- security/apparmor/match.c | 23 +- security/apparmor/policy_unpack_test.c | 6 +- security/landlock/id.c | 69 ++- sound/pci/hda/cs35l56_hda.c | 114 +++- sound/pci/hda/patch_ca0132.c | 5 +- sound/pci/hda/patch_realtek.c | 6 + sound/soc/amd/acp/acp-pci.c | 8 +- sound/soc/amd/acp/amd-acpi-mach.c | 4 +- sound/soc/amd/acp/amd.h | 8 +- sound/soc/amd/yc/acp6x-mach.c | 21 + sound/soc/fsl/fsl_xcvr.c | 25 +- sound/soc/intel/boards/Kconfig | 2 +- .../soc/mediatek/common/mtk-afe-platform-driver.c | 4 +- sound/soc/mediatek/common/mtk-base-afe.h | 1 + sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 7 + sound/soc/mediatek/mt8183/mt8183-afe-pcm.c | 7 + sound/soc/mediatek/mt8186/mt8186-afe-pcm.c | 7 + sound/soc/mediatek/mt8192/mt8192-afe-pcm.c | 7 + sound/soc/sdca/sdca_functions.c | 3 +- sound/soc/sdca/sdca_regmap.c | 16 +- sound/soc/soc-dai.c | 16 +- sound/soc/soc-ops.c | 28 +- sound/soc/sof/intel/Kconfig | 3 +- sound/usb/mixer_scarlett2.c | 14 +- sound/x86/intel_hdmi_audio.c | 2 +- tools/bpf/bpftool/net.c | 15 +- tools/cgroup/memcg_slabinfo.py | 4 +- tools/lib/subcmd/help.c | 12 +- tools/lib/subcmd/run-command.c | 15 +- tools/perf/.gitignore | 2 - tools/perf/builtin-sched.c | 147 +++-- tools/perf/tests/bp_account.c | 1 + tools/perf/util/build-id.c | 2 +- tools/perf/util/evsel.c | 11 + tools/perf/util/evsel.h | 2 + tools/perf/util/hwmon_pmu.c | 2 +- tools/perf/util/parse-events.c | 11 +- tools/perf/util/symbol.c | 1 + .../cpupower/utils/idle_monitor/cpupower-monitor.c | 4 - tools/power/x86/turbostat/turbostat.c | 5 +- tools/testing/selftests/alsa/utimer-test.c | 1 + tools/testing/selftests/arm64/fp/sve-ptrace.c | 2 +- tools/testing/selftests/bpf/bpf_atomic.h | 2 +- .../selftests/bpf/prog_tests/sockmap_listen.c | 2 + tools/testing/selftests/bpf/veristat.c | 1 + .../breakpoints/step_after_suspend_test.c | 41 +- tools/testing/selftests/drivers/net/hw/tso.py | 99 ++-- tools/testing/selftests/drivers/net/lib/py/env.py | 2 +- .../ftrace/test.d/event/subsystem-enable.tc | 28 +- tools/testing/selftests/landlock/audit.h | 7 +- tools/testing/selftests/landlock/audit_test.c | 1 + tools/testing/selftests/net/rtnetlink.sh | 6 + tools/testing/selftests/perf_events/.gitignore | 1 + tools/testing/selftests/perf_events/Makefile | 2 +- tools/testing/selftests/perf_events/mmap.c | 236 ++++++++ .../selftests/syscall_user_dispatch/sud_test.c | 50 +- tools/testing/selftests/vDSO/vdso_test_chacha.c | 3 +- tools/verification/rv/src/in_kernel.c | 4 +- 504 files changed, 4855 insertions(+), 2641 deletions(-)

1 month, 1 week

14
493
0 0

[PATCH] ext4: check fast symlink for ea_inode correctly

by Andreas Dilger

The check for a fast symlink in the presence of only an external xattr inode is incorrect. If a fast symlink does not have an xattr block (i_file_acl == 0), but does have an external xattr inode that increases inode i_blocks, then the check for a fast symlink will incorrectly fail and __ext4_iget()->ext4_ind_check_inode() will report the inode is corrupt when it "validates" i_data[] on the next read: # ln -s foo /mnt/tmp/bar # setfattr -h -n trusted.test \ -v "$(yes | head -n 4000)" /mnt/tmp/bar # umount /mnt/tmp # mount /mnt/tmp # ls -l /mnt/tmp ls: cannot access '/mnt/tmp/bar': Structure needs cleaning total 4 ? l?????????? ? ? ? ? ? bar # dmesg | tail -1 EXT4-fs error (device dm-8): __ext4_iget:5098: inode #24578: block 7303014: comm ls: invalid block (note that "block 7303014" = 0x6f6f66 = "foo" in LE order). ext4_inode_is_fast_symlink() should check the superblock EXT4_FEATURE_INCOMPAT_EA_INODE feature flag, not the inode EXT4_EA_INODE_FL, since the latter is only set on the xattr inode itself, and not on the inode that uses this xattr. Cc: stable(a)vger.kernel.org Fixes: fc82228a5e38 ("ext4: support fast symlinks from ext3 file systems") Signed-off-by: Andreas Dilger <adilger(a)whamcloud.com> Reviewed-by: Li Dongyang <dongyangli(a)ddn.com> Reviewed-by: Alex Zhuravlev <bzzz(a)whamcloud.com> Reviewed-by: Oleg Drokin <green(a)whamcloud.com> Reviewed-on: https://review.whamcloud.com/59879 Lustre-bug-id: https://jira.whamcloud.com/browse/LU-19121 --- fs/ext4/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index be9a4cba35fd..caca88521c75 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -146,7 +146,7 @@ static inline int ext4_begin_ordered_truncate(struct inode *inode, */ int ext4_inode_is_fast_symlink(struct inode *inode) { - if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) { + if (!ext4_has_feature_ea_inode(inode->i_sb)) { int ea_blocks = EXT4_I(inode)->i_file_acl ? EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0; -- 2.43.5

1 month, 1 week

2
1
0 0

[PATCH 6.6 000/262] 6.6.102-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.102 release. There are 262 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 14 Aug 2025 17:27:08 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.102-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.102-rc1 Tao Xue <xuetao09(a)huawei.com> usb: gadget : fix use-after-free in composite_dev_cleanup() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: mm: tlb-r4k: Uniquify TLB entries on init Dave Hansen <dave.hansen(a)linux.intel.com> x86/fpu: Delay instruction pointer fixup until after warning Geoffrey D. Bennett <g(a)b4.vu> ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() Thorsten Blum <thorsten.blum(a)linux.dev> ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() Tom Lendacky <thomas.lendacky(a)amd.com> x86/sev: Evict cache lines during SNP memory validation Ammar Faizi <ammarfaizi2(a)gnuweeb.org> net: usbnet: Fix the wrong netif_carrier_on() call John Ernberg <john.ernberg(a)actia.se> net: usbnet: Avoid potential RCU stall on LINK_CHANGE event Zenm Chen <zenmchen(a)gmail.com> Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano Chen Ridong <chenridong(a)huawei.com> sched,freezer: Remove unnecessary warning in __thaw_task Elliot Berman <quic_eberman(a)quicinc.com> freezer,sched: Clean saved_state when restoring it during thaw Elliot Berman <quic_eberman(a)quicinc.com> freezer,sched: Do not restore saved_state of a thawed task Elliot Berman <quic_eberman(a)quicinc.com> freezer,sched: Use saved_state to reduce some spurious wakeups Elliot Berman <quic_eberman(a)quicinc.com> sched/core: Remove ifdeffery for saved_state Clément Le Goffic <clement.legoffic(a)foss.st.com> i2c: stm32f7: unmap DMA mapped buffer Alain Volmat <alain.volmat(a)foss.st.com> i2c: stm32f7: simplify status messages in case of errors Alain Volmat <alain.volmat(a)foss.st.com> i2c: stm32f7: perform most of irq job in threaded handler Alain Volmat <alain.volmat(a)foss.st.com> i2c: stm32f7: use dev_err_probe upon calls of devm_request_irq Andi Shyti <andi.shyti(a)kernel.org> i2c: stm32f7: Use devm_clk_get_enabled() Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add Foxconn T99W709 Thorsten Blum <thorsten.blum(a)linux.dev> smb: server: Fix extension string in ksmbd_extract_shortname() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: limit repeated connections from clients with the same IP Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix corrupted mtime and ctime in smb2_open Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix Preauh_HashValue race condition Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix null pointer dereference error in generate_encryptionkey Budimir Markovic <markovicbudimir(a)gmail.com> vsock: Do not allow binding to VMADDR_PORT_ANY Quang Le <quanglex97(a)gmail.com> net/packet: fix a race in packet_set_ring() and packet_notifier() Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> selftests/perf_events: Add a mmap() correctness test Thomas Gleixner <tglx(a)linutronix.de> perf/core: Prevent VMA split of buffer mappings Thomas Gleixner <tglx(a)linutronix.de> perf/core: Exit early on perf_mmap() fail Thomas Gleixner <tglx(a)linutronix.de> perf/core: Don't leak AUX buffer refcount on allocation failure Olga Kornievskaia <okorniev(a)redhat.com> sunrpc: fix handling of server side tls alerts Stefan Metzmacher <metze(a)samba.org> smb: client: return an error if rdma_connect does not return within 5 seconds Eric Dumazet <edumazet(a)google.com> pptp: fix pptp_xmit() error path Stefan Metzmacher <metze(a)samba.org> smb: client: let recv_done() cleanup before notifying the callers. Stefan Metzmacher <metze(a)samba.org> smb: client: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already Stefan Metzmacher <metze(a)samba.org> smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection() Stefan Metzmacher <metze(a)samba.org> smb: client: make use of common smbdirect_socket Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: add smbdirect_socket.h Shen Lichuan <shenlichuan(a)vivo.com> smb: client: Correct typos in multiple comments across various files Shen Lichuan <shenlichuan(a)vivo.com> smb: client: Use min() macro Stefan Metzmacher <metze(a)samba.org> smb: server: let recv_done() avoid touching data_transfer after cleanup/move Stefan Metzmacher <metze(a)samba.org> smb: server: let recv_done() consistently call put_recvmsg/smb_direct_disconnect_rdma_connection Stefan Metzmacher <metze(a)samba.org> smb: server: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already Stefan Metzmacher <metze(a)samba.org> smb: server: remove separate empty_recvmsg_queue Takashi Iwai <tiwai(a)suse.de> ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() Arnd Bergmann <arnd(a)arndb.de> irqchip: Build IMX_MU_MSI only on ARM Maher Azzouzi <maherazz04(a)gmail.com> net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing Michal Schmidt <mschmidt(a)redhat.com> benet: fix BUG when creating VFs Olga Kornievskaia <okorniev(a)redhat.com> sunrpc: fix client side handling of tls alerts Takamitsu Iwai <takamitz(a)amazon.co.jp> net/sched: taprio: enforce minimum value for picos_per_byte Wang Liang <wangliang74(a)huawei.com> net: drop UFO packets in udp_rcv_segment() Eric Dumazet <edumazet(a)google.com> ipv6: reject malicious packets in ipv6_gso_segment() Christoph Paasch <cpaasch(a)openai.com> net/mlx5: Correctly set gso_segs when LRO is used Jakub Kicinski <kuba(a)kernel.org> netlink: specs: ethtool: fix module EEPROM input/output arguments Eric Dumazet <edumazet(a)google.com> pptp: ensure minimal skb length in pptp_xmit() Luca Weiss <luca.weiss(a)fairphone.com> net: ipa: add IPA v5.1 and v5.5 to ipa_version_string() Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Fix parsing of unicast frames Jakub Kicinski <kuba(a)kernel.org> netpoll: prevent hanging NAPI when netcons gets enabled Heming Zhao <heming.zhao(a)suse.com> md/md-cluster: handle REMOVE message earlier Benjamin Coddington <bcodding(a)redhat.com> NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: another fix for listxattr Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() NeilBrown <neilb(a)suse.de> sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> pNFS/flexfiles: don't attempt pnfs on fatal DS errors Timothy Pearson <tpearson(a)raptorengineering.com> PCI: pnv_php: Fix surprise plug detection and recovery Timothy Pearson <tpearson(a)raptorengineering.com> powerpc/eeh: Make EEH driver device hotplug safe Timothy Pearson <tpearson(a)raptorengineering.com> powerpc/eeh: Export eeh_unfreeze_pe() Timothy Pearson <tpearson(a)raptorengineering.com> PCI: pnv_php: Work around switches with broken presence detection Timothy Pearson <tpearson(a)raptorengineering.com> PCI: pnv_php: Clean up allocated IRQs on unplug Peter Zijlstra <peterz(a)infradead.org> sched/psi: Fix psi_seq initialization Masahiro Yamada <masahiroy(a)kernel.org> kconfig: qconf: fix ConfigList::updateListAllforAll() Salomon Dushimirimana <salomondush(a)google.com> scsi: sd: Make sd shutdown issue START STOP UNIT appropriately Seunghui Lee <sh043.lee(a)samsung.com> scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume Li Lingfeng <lilingfeng3(a)huawei.com> scsi: Revert "scsi: iscsi: Fix HW conn removal use after free" Tomas Henzl <thenzl(a)redhat.com> scsi: mpt3sas: Fix a fw_event memory leak Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Separate SR-IOV VF dev_set Brett Creeley <brett.creeley(a)amd.com> vfio/pds: Fix missing detach_ioas op Jacob Pan <jacob.pan(a)linux.microsoft.com> vfio: Prevent open_count decrement to negative Jacob Pan <jacob.pan(a)linux.microsoft.com> vfio: Fix unbalanced vfio_df_close call in no-iommu mode Chao Yu <chao(a)kernel.org> f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode Chao Yu <chao(a)kernel.org> f2fs: fix to calculate dirty data during has_not_enough_free_secs() Chao Yu <chao(a)kernel.org> f2fs: fix to update upper_p in __get_secs_required() correctly Jan Prusakowski <jprusakowski(a)google.com> f2fs: vm_unmap_ram() may be called from an invalid context Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-boundary access in devs.path Chao Yu <chao(a)kernel.org> f2fs: fix to avoid panic in f2fs_evict_inode Chao Yu <chao(a)kernel.org> f2fs: fix to avoid UAF in f2fs_sync_inode_meta() Chao Yu <chao(a)kernel.org> f2fs: doc: fix wrong quota mount option description Abinash Singh <abinashlalotra(a)gmail.com> f2fs: fix KMSAN uninit-value in extent_info usage Brian Masney <bmasney(a)redhat.com> rtc: rv3028: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: pcf8563: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: pcf85063: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: nct3018y: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: hym8563: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: ds1307: fix incorrect maximum clock rate handling Uros Bizjak <ubizjak(a)gmail.com> ucount: fix atomic_long_inc_below() argument type Petr Pavlu <petr.pavlu(a)suse.com> module: Restore the moduleparam prefix length check Ryan Lee <ryan.lee(a)canonical.com> apparmor: fix loop detection used in conflicting attachment resolution Ryan Lee <ryan.lee(a)canonical.com> apparmor: ensure WB_HISTORY_SIZE value is a power of 2 Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Check netfilter ctx accesses are aligned Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Check flow_dissector ctx accesses are aligned Mike Christie <michael.christie(a)oracle.com> vhost-scsi: Fix log flooding with target does not exist errors Balamanikandan Gunasundar <balamanikandan.gunasundar(a)microchip.com> mtd: rawnand: atmel: set pmecc data setup time Thomas Fourier <fourier.thomas(a)gmail.com> mtd: rawnand: rockchip: Add missing check after DMA map Thomas Fourier <fourier.thomas(a)gmail.com> mtd: rawnand: atmel: Fix dma_mapping_error() address Zheng Yu <zheng.yu(a)northwestern.edu> jfs: fix metapage reference count leak in dbAllocCtl Chenyuan Yang <chenyuan0y(a)gmail.com> fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - fix seq_file position update in adf_ring_next() Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - fix DMA direction for compression on GEN2 devices Chen Pei <cp0613(a)linux.alibaba.com> perf tools: Remove libtraceevent in .gitignore Ben Hutchings <benh(a)debian.org> sh: Do not use hyphen in exported variable name Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_xcvr: get channel status data when PHY is not exists Thomas Fourier <fourier.thomas(a)gmail.com> dmaengine: nbpfaxi: Add missing check after DMA map Thomas Fourier <fourier.thomas(a)gmail.com> dmaengine: mv_xor: Fix missing check after DMA map and missing unmap Dan Carpenter <dan.carpenter(a)linaro.org> fs/orangefs: Allow 2 more characters in do_c_string() Manivannan Sadhasivam <mani(a)kernel.org> PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute Bard Liao <yung-chuan.liao(a)linux.intel.com> soundwire: stream: restore params when prepare ports fail Thomas Fourier <fourier.thomas(a)gmail.com> crypto: img-hash - Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> crypto: keembay - Fix dma_unmap_sg() nents value Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> hwrng: mtk - handle devm_pm_runtime_enable errors Dan Carpenter <dan.carpenter(a)linaro.org> watchdog: ziirave_wdt: check record length in ziirave_firm_verify() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: isci: Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> scsi: mvsas: Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> scsi: elx: efct: Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value Paul Kocialkowski <paulk(a)sys-base.io> clk: sunxi-ng: v3s: Fix de clock definition Leo Yan <leo.yan(a)arm.com> perf tests bp_account: Fix leaked file descriptor Mukesh Ojha <mukesh.ojha(a)oss.qualcomm.com> pinmux: fix race causing mux_owner NULL with active mux_usecount wangzijie <wangzijie1(a)honor.com> proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Arnd Bergmann <arnd(a)arndb.de> kernel: trace: preemptirq_delay_test: use offstack cpu mask Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix -Wframe-larger-than issue Mengbiao Xiong <xisme1998(a)gmail.com> crypto: ccp - Fix crash when rebind ccp device for ccp.ko Thomas Fourier <fourier.thomas(a)gmail.com> crypto: inside-secure - Fix `dma_unmap_sg()` nents value Namhyung Kim <namhyung(a)kernel.org> perf sched: Fix memory leaks in 'perf sched latency' Namhyung Kim <namhyung(a)kernel.org> perf sched: Fix memory leaks for evsel->priv in timehist Namhyung Kim <namhyung(a)kernel.org> perf sched: Free thread->priv using priv_destructor Ian Rogers <irogers(a)google.com> perf dso: Add missed dso__put to dso__load_kcore Namhyung Kim <namhyung(a)kernel.org> perf tools: Fix use-after-free in help_unknown_cmd() Thomas Fourier <fourier.thomas(a)gmail.com> Fix dma_unmap_sg() nents value Nuno Sá <nuno.sa(a)analog.com> clk: clk-axi-clkgen: fix fpfd_max frequency for zynq Amir Goldstein <amir73il(a)gmail.com> fanotify: sanitize handle_type values when reporting fid Yuan Chen <chenyuan(a)kylinos.cn> pinctrl: sunxi: Fix memory leak on krealloc failure Jerome Brunet <jbrunet(a)baylibre.com> PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails Arnd Bergmann <arnd(a)arndb.de> crypto: arm/aes-neonbs - work around gcc-15 warning Charles Han <hanchunchao(a)inspur.com> power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set Charles Han <hanchunchao(a)inspur.com> power: supply: cpcap-charger: Fix null check for power_supply_get_by_name Rohit Visavalia <rohit.visavalia(a)amd.com> clk: xilinx: vcu: unregister pll_post only if registered correctly James Cowgill <james.cowgill(a)blaize.com> media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check Henry Martin <bsdhenrymartin(a)gmail.com> clk: davinci: Add NULL check in davinci_lpsc_clk_register() Ivan Stepchenko <sid(a)itb.spb.ru> mtd: fix possible integer overflow in erase_xfer() Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Fix engine load inaccuracy Suman Kumar Chakraborty <suman.kumar.chakraborty(a)intel.com> crypto: qat - use unmanaged allocation for dc_data Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> crypto: sun8i-ce - fix nents passed to dma_unmap_sg() Hans Zhang <18255117159(a)163.com> PCI: rockchip-host: Fix "Unexpected Completion" log message Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> bpf/preload: Don't select USERMODE_DRIVER Eric Dumazet <edumazet(a)google.com> ipv6: annotate data-races around rt->fib6_nsiblings Eric Dumazet <edumazet(a)google.com> ipv6: fix possible infinite loop in fib6_info_uses_dev() Eric Dumazet <edumazet(a)google.com> ipv6: prevent infinite loop in rt6_nlmsg_size() Stanislav Fomichev <sdf(a)fomichev.me> vrf: Drop existing dst reference in vrf_ip6_input_dst Xiumei Mu <xmu(a)redhat.com> selftests: rtnetlink.sh: remove esp4_offload after test Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Remove skb secpath if xfrm state is not found Alexei Lazar <alazar(a)nvidia.com> net/mlx5e: Clear Read-Only port buffer size in PBMC before update Florian Westphal <fw(a)strlen.de> netfilter: xt_nfacct: don't assume acct name is null-terminated Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: Assign netdev.dev_port based on device channel index Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_pciefd: Store device channel index Stephane Grosjean <stephane.grosjean(a)hms-networks.com> can: peak_usb: fix USB FD devices potential malfunction Gabriele Monaco <gmonaco(a)redhat.com> tools/rv: Do not skip idle in trace Kuniyuki Iwashima <kuniyu(a)google.com> bpf: Disable migration in nf_hook_run_bpf(). Chris Down <chris(a)chrisdown.name> Bluetooth: hci_event: Mask data status from LE ext adv reports Marco Elver <elver(a)google.com> kcsan: test: Initialize dummy variable Kees Cook <kees(a)kernel.org> wifi: mac80211: Write cnt before copying in ieee80211_copy_rnr_beacon() Gokul Sivakumar <gokulkumar.sivakumar(a)infineon.com> wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE Tamizh Chelvam Raja <tamizh.raja(a)oss.qualcomm.com> wifi: ath12k: fix endianness handling while accessing wmi service bit Remi Pommarel <repk(a)triplefau.lt> Reapply "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() Alexander Wetzel <Alexander(a)wetzel-home.de> wifi: mac80211: Don't call fq_flow_idx() for management frames Alexander Wetzel <Alexander(a)wetzel-home.de> wifi: mac80211: Do not schedule stopped TXQs Murad Masimov <m.masimov(a)mt-integration.ru> wifi: plfxlc: Fix error handling in usb driver probe Moon Hee Lee <moonhee.lee.ca(a)gmail.com> wifi: mac80211: reject TDLS operations when station is not associated Jason Gunthorpe <jgg(a)ziepe.ca> iommu/amd: Fix geometry.aperture_end for V2 tables Thomas Fourier <fourier.thomas(a)gmail.com> mwl8k: Add missing check after DMA map Martin Kaistra <martin.kaistra(a)linutronix.de> wifi: rtl8xxxu: Fix RX skb size for aggregation disabled Eric Dumazet <edumazet(a)google.com> tcp: call tcp_measure_rcv_mss() for ooo packets Juergen Gross <jgross(a)suse.com> xen/gntdev: remove struct gntdev_copy_batch from stack Eric Dumazet <edumazet(a)google.com> net_sched: act_ctinfo: use atomic64_t for three counters William Liu <will(a)willsroot.io> net/sched: Restrict conditions for adding duplicating netems to qdisc tree Tiwei Bie <tiwei.btw(a)antgroup.com> um: rtc: Avoid shadowing err in uml_rtc_start() Johan Korsnes <johan.korsnes(a)gmail.com> arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX Fedor Pchelkin <pchelkin(a)ispras.ru> netfilter: nf_tables: adjust lockdep assertions handling Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Drop dead code from fill_*_info routines Shixiong Ou <oushixiong(a)kylinos.cn> fbcon: Fix outdated registered_fb reference in comment Peter Zijlstra <peterz(a)infradead.org> sched/psi: Optimize psi_group_change() cpu_clock() usage Fedor Pchelkin <pchelkin(a)ispras.ru> drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value Finn Thain <fthain(a)linux-m68k.org> m68k: Don't unregister boot console needlessly Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> drm/msm/dpu: Fill in min_prefill_lines for SC8180X Mark Brown <broonie(a)kernel.org> kselftest/arm64: Fix check for setting new VLs in sve-ptrace Eric Dumazet <edumazet(a)google.com> net: dst: annotate data-races around dst->output Eric Dumazet <edumazet(a)google.com> net: dst: annotate data-races around dst->input Stav Aviram <saviram(a)nvidia.com> net/mlx5: Check device memory pointer before usage xin.guo <guoxin0309(a)gmail.com> tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range Sergey Senozhatsky <senozhatsky(a)chromium.org> wifi: ath11k: clear initialized flag for deinit-ed srng lists Jiasheng Jiang <jiasheng(a)iscas.ac.cn> iwlwifi: Add missing check for alloc_ordered_workqueue Xiu Jianfeng <xiujianfeng(a)huawei.com> wifi: iwlwifi: Fix memory leak in iwl_mvm_init() Daniil Dulov <d.dulov(a)aladdin.ru> wifi: rtl818x: Kill URBs before clearing tx status queue Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band Arnd Bergmann <arnd(a)arndb.de> caif: reduce stack size, again Yuan Chen <chenyuan(a)kylinos.cn> bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel Petr Machata <petrm(a)nvidia.com> net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain Fushuai Wang <wangfushuai(a)baidu.com> selftests/bpf: fix signedness bug in redir_partial() Jiayuan Chen <jiayuan.chen(a)linux.dev> bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls Jiayuan Chen <jiayuan.chen(a)linux.dev> bpf, sockmap: Fix psock incorrectly pointing to sk Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed Steven Rostedt <rostedt(a)goodmis.org> selftests/tracing: Fix false failure of subsystem event test Alok Tiwari <alok.a.tiwari(a)oracle.com> staging: nvec: Fix incorrect null termination of battery manufacturer Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> interconnect: qcom: sc8180x: specify num_nodes Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> interconnect: qcom: sc8280xp: specify num_links for qnm_a1noc_cfg Johan Hovold <johan(a)kernel.org> soc: qcom: pmic_glink: fix OF node leak Brahmajit Das <listout(a)listout.xyz> samples: mei: Fix building on musl libc Lifeng Zheng <zhenglifeng1(a)huawei.com> cpufreq: Init policy->rwsem before it may be possibly used Lifeng Zheng <zhenglifeng1(a)huawei.com> cpufreq: Initialize cpufreq-based frequency-invariance later Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode Lifeng Zheng <zhenglifeng1(a)huawei.com> PM / devfreq: Check governor before using governor->name Adam Ford <aford173(a)gmail.com> arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed Adam Ford <aford173(a)gmail.com> arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed Annette Kobou <annette.kobou(a)kontron.de> ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface Sumit Gupta <sumitg(a)nvidia.com> soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS Albin Törnqvist <albin.tornqvist(a)codiax.se> arm: dts: ti: omap: Fixup pinheader typo Lucas De Marchi <lucas.demarchi(a)intel.com> usb: early: xhci-dbc: Fix early_ioremap leak Sivan Zohar-Kotzer <sivany32(a)gmail.com> powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "vmci: Prevent the dispatching of uninitialized payloads" Denis OSTERLAND-HEIM <denis.osterland(a)diehl.com> pps: fix poll support Lizhi Xu <lizhi.xu(a)windriver.com> vmci: Prevent the dispatching of uninitialized payloads Abdun Nihaal <abdun.nihaal(a)gmail.com> staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() Clément Le Goffic <clement.legoffic(a)foss.st.com> spi: stm32: Check for cfg availability in stm32_spi_probe Charalampos Mitrodimas <charmitro(a)posteo.net> usb: misc: apple-mfi-fastcharge: Make power supply names unique Seungjin Bae <eeodqql09(a)gmail.com> usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: vfxxx: Correctly use two tuples for timer address André Apitzsch <git(a)apitzsch.eu> arm64: dts: qcom: msm8976: Make blsp_dma controlled-remotely Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: sc7180: Expand IMEM region Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: sdm845: Expand IMEM region Alexander Wilhelm <alexander.wilhelm(a)westermo.com> soc: qcom: QMI encoding/decoding for big endian Dmitry Vyukov <dvyukov(a)google.com> selftests: Fix errno checking in syscall_user_dispatch test Chen-Yu Tsai <wenst(a)chromium.org> ASoC: mediatek: use reserved memory or enable buffer pre-allocation Arnd Bergmann <arnd(a)arndb.de> ASoC: ops: dynamically allocate struct snd_ctl_elem_value Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: No more self recovery Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Revert "fs/ntfs3: Replace inode_trylock with inode_lock" Yangtao Li <frank.li(a)vivo.com> hfsplus: remove mutex_lock check in hfsplus_free_extents Yangtao Li <frank.li(a)vivo.com> hfs: make splice write available again Yangtao Li <frank.li(a)vivo.com> hfsplus: make splice write available again Caleb Sander Mateos <csander(a)purestorage.com> ublk: use vmalloc for ublk_device's __queues Edward Adam Davis <eadavis(a)qq.com> fs/ntfs3: cancle set bad inode after removing name fails RubenKelevra <rubenkelevra(a)gmail.com> fs_context: fix parameter name in infofc() macro Richard Guy Briggs <rgb(a)redhat.com> audit,module: restore audit logging in load failure case Alexandru Andries <alex.andries.aa(a)gmail.com> ASoC: amd: yc: add DMI quirk for ASUS M6501RM Arnd Bergmann <arnd(a)arndb.de> ASoC: Intel: fix SND_SOC_SOF dependencies Adam Queler <queler(a)gmail.com> ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx Arnd Bergmann <arnd(a)arndb.de> ethernet: intel: fix building with large NR_CPUS Lane Odenbach <laodenbach(a)gmail.com> ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx ------------- Diffstat: Documentation/filesystems/f2fs.rst | 6 +- Documentation/netlink/specs/ethtool.yaml | 6 +- Makefile | 4 +- .../boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi | 1 - arch/arm/boot/dts/nxp/vf/vfxxx.dtsi | 2 +- arch/arm/boot/dts/ti/omap/am335x-boneblack.dts | 2 +- arch/arm/crypto/aes-neonbs-glue.c | 2 +- .../boot/dts/freescale/imx8mm-beacon-som.dtsi | 2 + .../boot/dts/freescale/imx8mn-beacon-som.dtsi | 2 + arch/arm64/boot/dts/qcom/msm8976.dtsi | 2 + arch/arm64/boot/dts/qcom/sc7180.dtsi | 10 +- arch/arm64/boot/dts/qcom/sdm845.dtsi | 10 +- arch/m68k/Kconfig.debug | 2 +- arch/m68k/kernel/early_printk.c | 42 +-- arch/m68k/kernel/head.S | 8 +- arch/mips/mm/tlb-r4k.c | 56 +++- arch/powerpc/configs/ppc6xx_defconfig | 1 - arch/powerpc/kernel/eeh.c | 1 + arch/powerpc/kernel/eeh_driver.c | 48 ++-- arch/powerpc/kernel/eeh_pe.c | 10 +- arch/powerpc/kernel/pci-hotplug.c | 3 + arch/sh/Makefile | 10 +- arch/sh/boot/compressed/Makefile | 4 +- arch/sh/boot/romimage/Makefile | 4 +- arch/um/drivers/rtc_user.c | 2 +- arch/x86/boot/compressed/sev.c | 7 + arch/x86/boot/cpuflags.c | 13 + arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/sev-shared.c | 36 +++ arch/x86/kernel/sev.c | 11 +- arch/x86/mm/extable.c | 5 +- drivers/block/ublk_drv.c | 4 +- drivers/bluetooth/btusb.c | 4 + drivers/char/hw_random/mtk-rng.c | 4 +- drivers/clk/clk-axi-clkgen.c | 2 +- drivers/clk/davinci/psc.c | 5 + drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 +- drivers/clk/xilinx/xlnx_vcu.c | 4 +- drivers/cpufreq/cpufreq.c | 21 +- drivers/cpufreq/intel_pstate.c | 4 +- .../crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 4 +- drivers/crypto/ccp/ccp-debugfs.c | 3 + drivers/crypto/img-hash.c | 2 +- drivers/crypto/inside-secure/safexcel_hash.c | 8 +- .../crypto/intel/keembay/keembay-ocs-hcu-core.c | 8 +- .../intel/qat/qat_common/adf_transport_debug.c | 4 +- drivers/crypto/intel/qat/qat_common/qat_bl.c | 6 +- .../crypto/intel/qat/qat_common/qat_compression.c | 8 +- drivers/crypto/marvell/cesa/cipher.c | 4 +- drivers/crypto/marvell/cesa/hash.c | 5 +- drivers/devfreq/devfreq.c | 10 +- drivers/dma/mv_xor.c | 21 +- drivers/dma/nbpfaxi.c | 13 + .../gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c | 2 +- .../drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h | 1 + drivers/gpu/drm/rockchip/rockchip_drm_fb.c | 9 +- drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 2 +- drivers/i2c/busses/i2c-stm32f7.c | 215 ++++++--------- drivers/infiniband/hw/erdma/erdma_verbs.c | 3 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 15 +- drivers/infiniband/hw/mlx5/dm.c | 2 +- drivers/interconnect/qcom/sc8180x.c | 6 + drivers/interconnect/qcom/sc8280xp.c | 1 + drivers/iommu/amd/iommu.c | 17 +- drivers/irqchip/Kconfig | 1 + drivers/md/md.c | 9 +- drivers/media/v4l2-core/v4l2-ctrls-core.c | 8 +- drivers/mtd/ftl.c | 2 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +- drivers/mtd/nand/raw/atmel/pmecc.c | 6 + drivers/mtd/nand/raw/rockchip-nand-controller.c | 15 + drivers/net/can/kvaser_pciefd.c | 1 + drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 17 +- drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- drivers/net/ethernet/intel/fm10k/fm10k.h | 3 +- drivers/net/ethernet/intel/i40e/i40e.h | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe.h | 3 +- .../ethernet/mellanox/mlx5/core/en/port_buffer.c | 3 + .../mellanox/mlx5/core/en_accel/ipsec_rxtx.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 - drivers/net/ipa/ipa_sysfs.c | 6 +- drivers/net/phy/mscc/mscc_ptp.c | 1 + drivers/net/phy/mscc/mscc_ptp.h | 1 + drivers/net/ppp/pptp.c | 18 +- drivers/net/usb/usbnet.c | 11 +- drivers/net/vrf.c | 2 + drivers/net/wireless/ath/ath11k/hal.c | 4 + drivers/net/wireless/ath/ath12k/wmi.c | 12 +- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 8 +- drivers/net/wireless/intel/iwlwifi/dvm/main.c | 11 +- drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 +- drivers/net/wireless/marvell/mwl8k.c | 4 + drivers/net/wireless/purelifi/plfxlc/mac.c | 11 +- drivers/net/wireless/purelifi/plfxlc/mac.h | 2 +- drivers/net/wireless/purelifi/plfxlc/usb.c | 29 +- drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 +- .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +- drivers/net/wireless/realtek/rtw89/core.c | 5 + drivers/pci/controller/pcie-rockchip-host.c | 2 +- drivers/pci/endpoint/functions/pci-epf-vntb.c | 4 +- drivers/pci/hotplug/pnv_php.c | 235 ++++++++++++++-- drivers/pinctrl/pinmux.c | 20 +- drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 +- drivers/power/supply/cpcap-charger.c | 5 +- drivers/power/supply/max14577_charger.c | 4 +- drivers/powercap/dtpm_cpu.c | 2 + drivers/pps/pps.c | 11 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-hym8563.c | 2 +- drivers/rtc/rtc-nct3018y.c | 2 +- drivers/rtc/rtc-pcf85063.c | 2 +- drivers/rtc/rtc-pcf8563.c | 2 +- drivers/rtc/rtc-rv3028.c | 2 +- drivers/scsi/elx/efct/efct_lio.c | 2 +- drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 +- drivers/scsi/isci/request.c | 2 +- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +- drivers/scsi/mvsas/mv_sas.c | 4 +- drivers/scsi/scsi_transport_iscsi.c | 2 + drivers/scsi/sd.c | 4 +- drivers/soc/qcom/pmic_glink.c | 9 +- drivers/soc/qcom/qmi_encdec.c | 46 ++- drivers/soc/tegra/cbb/tegra234-cbb.c | 2 + drivers/soundwire/stream.c | 2 +- drivers/spi/spi-stm32.c | 8 +- drivers/staging/fbtft/fbtft-core.c | 1 + drivers/staging/nvec/nvec_power.c | 2 +- drivers/ufs/core/ufshcd.c | 10 +- drivers/usb/early/xhci-dbc.c | 4 + drivers/usb/gadget/composite.c | 5 + drivers/usb/host/xhci-plat.c | 2 +- drivers/usb/misc/apple-mfi-fastcharge.c | 24 +- drivers/usb/serial/option.c | 2 + drivers/vfio/group.c | 7 +- drivers/vfio/iommufd.c | 4 + drivers/vfio/pci/pds/vfio_dev.c | 1 + drivers/vfio/pci/vfio_pci_core.c | 2 +- drivers/vfio/vfio_main.c | 3 +- drivers/vhost/scsi.c | 4 +- drivers/video/fbdev/core/fbcon.c | 4 +- drivers/video/fbdev/imxfb.c | 9 +- drivers/watchdog/ziirave_wdt.c | 3 + drivers/xen/gntdev-common.h | 4 + drivers/xen/gntdev.c | 71 +++-- fs/f2fs/data.c | 7 +- fs/f2fs/extent_cache.c | 2 +- fs/f2fs/f2fs.h | 2 +- fs/f2fs/inode.c | 21 +- fs/f2fs/segment.h | 5 +- fs/gfs2/util.c | 37 +-- fs/hfs/inode.c | 1 + fs/hfsplus/extents.c | 3 - fs/hfsplus/inode.c | 1 + fs/jfs/jfs_dmap.c | 4 +- fs/nfs/dir.c | 4 +- fs/nfs/export.c | 11 +- fs/nfs/flexfilelayout/flexfilelayout.c | 26 +- fs/nfs/flexfilelayout/flexfilelayoutdev.c | 6 +- fs/nfs/internal.h | 9 +- fs/nfs/nfs4proc.c | 10 +- fs/notify/fanotify/fanotify.c | 8 +- fs/ntfs3/file.c | 5 +- fs/ntfs3/frecord.c | 7 +- fs/ntfs3/namei.c | 10 +- fs/ntfs3/ntfs_fs.h | 3 +- fs/orangefs/orangefs-debugfs.c | 6 +- fs/proc/generic.c | 2 + fs/proc/inode.c | 2 +- fs/proc/internal.h | 5 + fs/smb/client/cifs_debug.c | 2 +- fs/smb/client/cifsacl.c | 2 +- fs/smb/client/cifsacl.h | 2 +- fs/smb/client/cifsencrypt.c | 2 +- fs/smb/client/cifsfs.c | 4 +- fs/smb/client/cifsglob.h | 2 +- fs/smb/client/cifspdu.h | 4 +- fs/smb/client/cifssmb.c | 6 +- fs/smb/client/file.c | 2 +- fs/smb/client/fs_context.h | 2 +- fs/smb/client/misc.c | 2 +- fs/smb/client/netmisc.c | 2 +- fs/smb/client/readdir.c | 4 +- fs/smb/client/smb2ops.c | 4 +- fs/smb/client/smb2pdu.c | 4 +- fs/smb/client/smb2transport.c | 2 +- fs/smb/client/smbdirect.c | 307 ++++++++++++--------- fs/smb/client/smbdirect.h | 12 +- fs/smb/common/smbdirect/smbdirect_socket.h | 41 +++ fs/smb/server/connection.h | 1 + fs/smb/server/smb2pdu.c | 22 +- fs/smb/server/smb_common.c | 2 +- fs/smb/server/transport_rdma.c | 97 +++---- fs/smb/server/transport_tcp.c | 17 ++ fs/smb/server/vfs.c | 3 +- include/linux/audit.h | 9 +- include/linux/fs_context.h | 2 +- include/linux/moduleparam.h | 5 +- include/linux/pps_kernel.h | 1 + include/linux/proc_fs.h | 1 + include/linux/psi_types.h | 6 +- include/linux/sched.h | 2 - include/linux/skbuff.h | 23 ++ include/linux/usb/usbnet.h | 1 + include/linux/wait_bit.h | 60 ++++ include/net/bluetooth/hci.h | 1 + include/net/dst.h | 4 +- include/net/lwtunnel.h | 8 +- include/net/tc_act/tc_ctinfo.h | 6 +- include/net/udp.h | 24 +- kernel/audit.h | 2 +- kernel/auditsc.c | 2 +- kernel/bpf/preload/Kconfig | 1 - kernel/events/core.c | 20 +- kernel/freezer.c | 51 ++-- kernel/kcsan/kcsan_test.c | 2 +- kernel/module/main.c | 6 +- kernel/sched/core.c | 31 +-- kernel/sched/psi.c | 123 +++++---- kernel/trace/preemptirq_delay_test.c | 13 +- kernel/ucount.c | 2 +- mm/hmm.c | 2 +- net/bluetooth/hci_event.c | 8 +- net/caif/cfctrl.c | 294 ++++++++++---------- net/core/dst.c | 4 +- net/core/filter.c | 3 + net/core/netpoll.c | 7 + net/core/skmsg.c | 7 + net/ipv4/route.c | 4 +- net/ipv4/tcp_input.c | 4 +- net/ipv6/ip6_fib.c | 24 +- net/ipv6/ip6_offload.c | 4 +- net/ipv6/ip6mr.c | 3 +- net/ipv6/route.c | 60 ++-- net/mac80211/cfg.c | 2 +- net/mac80211/tdls.c | 2 +- net/mac80211/tx.c | 14 +- net/netfilter/nf_bpf_link.c | 5 +- net/netfilter/nf_tables_api.c | 29 +- net/netfilter/xt_nfacct.c | 4 +- net/packet/af_packet.c | 12 +- net/sched/act_ctinfo.c | 19 +- net/sched/sch_mqprio.c | 2 +- net/sched/sch_netem.c | 40 +++ net/sched/sch_taprio.c | 21 +- net/sunrpc/svcsock.c | 43 ++- net/sunrpc/xprtsock.c | 40 ++- net/tls/tls_sw.c | 13 + net/vmw_vsock/af_vsock.c | 3 +- samples/mei/mei-amt-version.c | 2 +- scripts/kconfig/qconf.cc | 2 +- security/apparmor/include/match.h | 8 +- security/apparmor/match.c | 23 +- sound/pci/hda/patch_ca0132.c | 5 +- sound/soc/amd/yc/acp6x-mach.c | 21 ++ sound/soc/fsl/fsl_xcvr.c | 20 ++ sound/soc/intel/boards/Kconfig | 2 +- .../soc/mediatek/common/mtk-afe-platform-driver.c | 4 +- sound/soc/mediatek/common/mtk-base-afe.h | 1 + sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 7 + sound/soc/mediatek/mt8183/mt8183-afe-pcm.c | 7 + sound/soc/mediatek/mt8186/mt8186-afe-pcm.c | 7 + sound/soc/mediatek/mt8192/mt8192-afe-pcm.c | 7 + sound/soc/soc-dai.c | 16 +- sound/soc/soc-ops.c | 28 +- sound/usb/mixer_scarlett2.c | 7 + sound/x86/intel_hdmi_audio.c | 2 +- tools/bpf/bpftool/net.c | 15 +- tools/lib/subcmd/help.c | 12 +- tools/perf/.gitignore | 2 - tools/perf/builtin-sched.c | 41 ++- tools/perf/tests/bp_account.c | 1 + tools/perf/util/evsel.c | 11 + tools/perf/util/evsel.h | 2 + tools/perf/util/symbol.c | 1 + tools/testing/selftests/arm64/fp/sve-ptrace.c | 2 +- .../selftests/bpf/prog_tests/sockmap_listen.c | 2 + .../ftrace/test.d/event/subsystem-enable.tc | 28 +- tools/testing/selftests/net/rtnetlink.sh | 6 + tools/testing/selftests/perf_events/.gitignore | 1 + tools/testing/selftests/perf_events/Makefile | 2 +- tools/testing/selftests/perf_events/mmap.c | 236 ++++++++++++++++ .../selftests/syscall_user_dispatch/sud_test.c | 50 ++-- tools/verification/rv/src/in_kernel.c | 4 +- 287 files changed, 2632 insertions(+), 1290 deletions(-)

1 month, 1 week

10
271
0 0

[PATCH net] netlink: avoid infinite retry looping in netlink_unicast()

by Fedor Pchelkin

netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has: rmem < READ_ONCE(sk->sk_rcvbuf) to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the memory under: rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf) The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is equal to sk->sk_rcvbuf. Thus the function neither successfully accepts these conditions, nor manages to reschedule the task - and is called in retry loop for indefinite time which is caught as: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212 (t=26000 jiffies g=230833 q=259957) NMI backtrace for cpu 0 CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014 Call Trace: <IRQ> dump_stack lib/dump_stack.c:120 nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105 nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62 rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335 rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590 update_process_times kernel/time/timer.c:1953 tick_sched_handle kernel/time/tick-sched.c:227 tick_sched_timer kernel/time/tick-sched.c:1399 __hrtimer_run_queues kernel/time/hrtimer.c:1652 hrtimer_interrupt kernel/time/hrtimer.c:1717 __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113 asm_call_irq_on_stack arch/x86/entry/entry_64.S:808 </IRQ> netlink_attachskb net/netlink/af_netlink.c:1234 netlink_unicast net/netlink/af_netlink.c:1349 kauditd_send_queue kernel/audit.c:776 kauditd_thread kernel/audit.c:897 kthread kernel/kthread.c:328 ret_from_fork arch/x86/entry/entry_64.S:304 Restore the original behavior of the check which commit in Fixes accidentally missed when restructuring the code. Found by Linux Verification Center (linuxtesting.org). Fixes: ae8f160e7eb2 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- Similar rmem and sk->sk_rcvbuf comparing pattern in netlink_broadcast_deliver() accepts these values being equal, while the netlink_dump() case does not - but it goes all the way down to f9c2288837ba ("netlink: implement memory mapped recvmsg()") and looks like an irrelevant issue without any real consequences. Though might be cleaned up if needed. Updated sk->sk_rmem_alloc vs sk->sk_rcvbuf checks throughout the kernel diverse in treating the corner case of them being equal. net/netlink/af_netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 6332a0e06596..0fc3f045fb65 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1218,7 +1218,7 @@ int netlink_attachskb(struct sock *sk, struct sk_buff *skb, nlk = nlk_sk(sk); rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc); - if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) && + if ((rmem == skb->truesize || rmem <= READ_ONCE(sk->sk_rcvbuf)) && !test_bit(NETLINK_S_CONGESTED, &nlk->state)) { netlink_skb_set_owner_r(skb, sk); return 0; -- 2.50.1

1 month, 1 week

5
6
0 0

[PATCH 6.6.y v2 1/1] block: Fix bounce check logic in blk_queue_may_bounce()

by Hardeep Sharma

Buffer bouncing is needed only when memory exists above the lowmem region, i.e., when max_low_pfn < max_pfn. The previous check (max_low_pfn >= max_pfn) was inverted and prevented bouncing when it could actually be required. Note that bouncing depends on CONFIG_HIGHMEM, which is typically enabled on 32-bit ARM where not all memory is permanently mapped into the kernel’s lowmem region. Branch-Specific Note: This fix is specific to this branch (6.6.y) only. In the upstream “tip” kernel, bounce buffer support for highmem pages was completely removed after kernel version 6.12. Therefore, this modification is not possible or relevant in the tip branch. Fixes: 9bb33f24abbd0 ("block: refactor the bounce buffering code") Cc: stable(a)vger.kernel.org Signed-off-by: Hardeep Sharma <quic_hardshar(a)quicinc.com> --- block/blk.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/blk.h b/block/blk.h index 67915b04b3c1..f8a1d64be5a2 100644 --- a/block/blk.h +++ b/block/blk.h @@ -383,7 +383,7 @@ static inline bool blk_queue_may_bounce(struct request_queue *q) { return IS_ENABLED(CONFIG_BOUNCE) && q->limits.bounce == BLK_BOUNCE_HIGH && - max_low_pfn >= max_pfn; + max_low_pfn < max_pfn; } static inline struct bio *blk_queue_bounce(struct bio *bio, -- 2.25.1

1 month, 1 week

2
6
0 0

FAILED: patch "[PATCH] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 095686e6fcb4150f0a55b1a25987fad3d8af58d6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081224-material-dismay-771d@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 095686e6fcb4150f0a55b1a25987fad3d8af58d6 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:08 -0700 Subject: [PATCH] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter Add a consistency check for L2's guest_ia32_debugctl, as KVM only supports a subset of hardware functionality, i.e. KVM can't rely on hardware to detect illegal/unsupported values. Failure to check the vmcs12 value would allow the guest to load any harware-supported value while running L2. Take care to exempt BTF and LBR from the validity check in order to match KVM's behavior for writes via WRMSR, but without clobbering vmcs12. Even if VM_EXIT_SAVE_DEBUG_CONTROLS is set in vmcs12, L1 can reasonably expect that vmcs12->guest_ia32_debugctl will not be modified if writes to the MSR are being intercepted. Arguably, KVM _should_ update vmcs12 if VM_EXIT_SAVE_DEBUG_CONTROLS is set *and* writes to MSR_IA32_DEBUGCTLMSR are not being intercepted by L1, but that would incur non-trivial complexity and wouldn't change the fact that KVM's handling of DEBUGCTL is blatantly broken. I.e. the extra complexity is not worth carrying. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> Co-developed-by: Sean Christopherson <seanjc(a)google.com> Link: https://lore.kernel.org/r/20250610232010.162191-7-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 7211c71d4241..1b8b0642fc2d 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2663,7 +2663,8 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl); + vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl & + vmx_get_supported_debugctl(vcpu, false)); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); @@ -3156,7 +3157,8 @@ static int nested_vmx_check_guest_state(struct kvm_vcpu *vcpu, return -EINVAL; if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) && - CC(!kvm_dr7_valid(vmcs12->guest_dr7))) + (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) || + CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false)))) return -EINVAL; if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) && @@ -4608,6 +4610,12 @@ static void sync_vmcs02_to_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12) (vmcs12->vm_entry_controls & ~VM_ENTRY_IA32E_MODE) | (vm_entry_controls_get(to_vmx(vcpu)) & VM_ENTRY_IA32E_MODE); + /* + * Note! Save DR7, but intentionally don't grab DEBUGCTL from vmcs02. + * Writes to DEBUGCTL that aren't intercepted by L1 are immediately + * propagated to vmcs12 (see vmx_set_msr()), as the value loaded into + * vmcs02 doesn't strictly track vmcs12. + */ if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_DEBUG_CONTROLS) vmcs12->guest_dr7 = vcpu->arch.dr7; diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4f827a75d980..6a8b78e954cd 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2174,7 +2174,7 @@ static u64 nested_vmx_truncate_sysenter_addr(struct kvm_vcpu *vcpu, return (unsigned long)data; } -static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) { u64 debugctl = 0; @@ -2193,8 +2193,7 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated return debugctl; } -static bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, - bool host_initiated) +bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated) { u64 invalid; diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index b5758c33c60f..392e66c7e5fe 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -414,6 +414,9 @@ static inline void vmx_set_intercept_for_msr(struct kvm_vcpu *vcpu, u32 msr, void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); +bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated); + /* * Note, early Intel manuals have the write-low and read-high bitmap offsets * the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 095686e6fcb4150f0a55b1a25987fad3d8af58d6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081223-sugar-folic-11b0@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 095686e6fcb4150f0a55b1a25987fad3d8af58d6 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:08 -0700 Subject: [PATCH] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter Add a consistency check for L2's guest_ia32_debugctl, as KVM only supports a subset of hardware functionality, i.e. KVM can't rely on hardware to detect illegal/unsupported values. Failure to check the vmcs12 value would allow the guest to load any harware-supported value while running L2. Take care to exempt BTF and LBR from the validity check in order to match KVM's behavior for writes via WRMSR, but without clobbering vmcs12. Even if VM_EXIT_SAVE_DEBUG_CONTROLS is set in vmcs12, L1 can reasonably expect that vmcs12->guest_ia32_debugctl will not be modified if writes to the MSR are being intercepted. Arguably, KVM _should_ update vmcs12 if VM_EXIT_SAVE_DEBUG_CONTROLS is set *and* writes to MSR_IA32_DEBUGCTLMSR are not being intercepted by L1, but that would incur non-trivial complexity and wouldn't change the fact that KVM's handling of DEBUGCTL is blatantly broken. I.e. the extra complexity is not worth carrying. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> Co-developed-by: Sean Christopherson <seanjc(a)google.com> Link: https://lore.kernel.org/r/20250610232010.162191-7-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 7211c71d4241..1b8b0642fc2d 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2663,7 +2663,8 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl); + vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl & + vmx_get_supported_debugctl(vcpu, false)); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); @@ -3156,7 +3157,8 @@ static int nested_vmx_check_guest_state(struct kvm_vcpu *vcpu, return -EINVAL; if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) && - CC(!kvm_dr7_valid(vmcs12->guest_dr7))) + (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) || + CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false)))) return -EINVAL; if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) && @@ -4608,6 +4610,12 @@ static void sync_vmcs02_to_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12) (vmcs12->vm_entry_controls & ~VM_ENTRY_IA32E_MODE) | (vm_entry_controls_get(to_vmx(vcpu)) & VM_ENTRY_IA32E_MODE); + /* + * Note! Save DR7, but intentionally don't grab DEBUGCTL from vmcs02. + * Writes to DEBUGCTL that aren't intercepted by L1 are immediately + * propagated to vmcs12 (see vmx_set_msr()), as the value loaded into + * vmcs02 doesn't strictly track vmcs12. + */ if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_DEBUG_CONTROLS) vmcs12->guest_dr7 = vcpu->arch.dr7; diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4f827a75d980..6a8b78e954cd 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2174,7 +2174,7 @@ static u64 nested_vmx_truncate_sysenter_addr(struct kvm_vcpu *vcpu, return (unsigned long)data; } -static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) { u64 debugctl = 0; @@ -2193,8 +2193,7 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated return debugctl; } -static bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, - bool host_initiated) +bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated) { u64 invalid; diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index b5758c33c60f..392e66c7e5fe 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -414,6 +414,9 @@ static inline void vmx_set_intercept_for_msr(struct kvm_vcpu *vcpu, u32 msr, void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); +bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated); + /* * Note, early Intel manuals have the write-low and read-high bitmap offsets * the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 095686e6fcb4150f0a55b1a25987fad3d8af58d6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081223-parameter-cope-c338@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 095686e6fcb4150f0a55b1a25987fad3d8af58d6 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:08 -0700 Subject: [PATCH] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter Add a consistency check for L2's guest_ia32_debugctl, as KVM only supports a subset of hardware functionality, i.e. KVM can't rely on hardware to detect illegal/unsupported values. Failure to check the vmcs12 value would allow the guest to load any harware-supported value while running L2. Take care to exempt BTF and LBR from the validity check in order to match KVM's behavior for writes via WRMSR, but without clobbering vmcs12. Even if VM_EXIT_SAVE_DEBUG_CONTROLS is set in vmcs12, L1 can reasonably expect that vmcs12->guest_ia32_debugctl will not be modified if writes to the MSR are being intercepted. Arguably, KVM _should_ update vmcs12 if VM_EXIT_SAVE_DEBUG_CONTROLS is set *and* writes to MSR_IA32_DEBUGCTLMSR are not being intercepted by L1, but that would incur non-trivial complexity and wouldn't change the fact that KVM's handling of DEBUGCTL is blatantly broken. I.e. the extra complexity is not worth carrying. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> Co-developed-by: Sean Christopherson <seanjc(a)google.com> Link: https://lore.kernel.org/r/20250610232010.162191-7-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 7211c71d4241..1b8b0642fc2d 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2663,7 +2663,8 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl); + vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl & + vmx_get_supported_debugctl(vcpu, false)); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); @@ -3156,7 +3157,8 @@ static int nested_vmx_check_guest_state(struct kvm_vcpu *vcpu, return -EINVAL; if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) && - CC(!kvm_dr7_valid(vmcs12->guest_dr7))) + (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) || + CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false)))) return -EINVAL; if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) && @@ -4608,6 +4610,12 @@ static void sync_vmcs02_to_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12) (vmcs12->vm_entry_controls & ~VM_ENTRY_IA32E_MODE) | (vm_entry_controls_get(to_vmx(vcpu)) & VM_ENTRY_IA32E_MODE); + /* + * Note! Save DR7, but intentionally don't grab DEBUGCTL from vmcs02. + * Writes to DEBUGCTL that aren't intercepted by L1 are immediately + * propagated to vmcs12 (see vmx_set_msr()), as the value loaded into + * vmcs02 doesn't strictly track vmcs12. + */ if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_DEBUG_CONTROLS) vmcs12->guest_dr7 = vcpu->arch.dr7; diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4f827a75d980..6a8b78e954cd 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2174,7 +2174,7 @@ static u64 nested_vmx_truncate_sysenter_addr(struct kvm_vcpu *vcpu, return (unsigned long)data; } -static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) { u64 debugctl = 0; @@ -2193,8 +2193,7 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated return debugctl; } -static bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, - bool host_initiated) +bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated) { u64 invalid; diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index b5758c33c60f..392e66c7e5fe 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -414,6 +414,9 @@ static inline void vmx_set_intercept_for_msr(struct kvm_vcpu *vcpu, u32 msr, void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); +bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated); + /* * Note, early Intel manuals have the write-low and read-high bitmap offsets * the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and

1 month, 1 week

2
2
0 0

FAILED: patch "[PATCH] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 095686e6fcb4150f0a55b1a25987fad3d8af58d6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081222-nearness-monogram-75ab@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 095686e6fcb4150f0a55b1a25987fad3d8af58d6 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:08 -0700 Subject: [PATCH] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter Add a consistency check for L2's guest_ia32_debugctl, as KVM only supports a subset of hardware functionality, i.e. KVM can't rely on hardware to detect illegal/unsupported values. Failure to check the vmcs12 value would allow the guest to load any harware-supported value while running L2. Take care to exempt BTF and LBR from the validity check in order to match KVM's behavior for writes via WRMSR, but without clobbering vmcs12. Even if VM_EXIT_SAVE_DEBUG_CONTROLS is set in vmcs12, L1 can reasonably expect that vmcs12->guest_ia32_debugctl will not be modified if writes to the MSR are being intercepted. Arguably, KVM _should_ update vmcs12 if VM_EXIT_SAVE_DEBUG_CONTROLS is set *and* writes to MSR_IA32_DEBUGCTLMSR are not being intercepted by L1, but that would incur non-trivial complexity and wouldn't change the fact that KVM's handling of DEBUGCTL is blatantly broken. I.e. the extra complexity is not worth carrying. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> Co-developed-by: Sean Christopherson <seanjc(a)google.com> Link: https://lore.kernel.org/r/20250610232010.162191-7-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 7211c71d4241..1b8b0642fc2d 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2663,7 +2663,8 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl); + vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl & + vmx_get_supported_debugctl(vcpu, false)); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); @@ -3156,7 +3157,8 @@ static int nested_vmx_check_guest_state(struct kvm_vcpu *vcpu, return -EINVAL; if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) && - CC(!kvm_dr7_valid(vmcs12->guest_dr7))) + (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) || + CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false)))) return -EINVAL; if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) && @@ -4608,6 +4610,12 @@ static void sync_vmcs02_to_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12) (vmcs12->vm_entry_controls & ~VM_ENTRY_IA32E_MODE) | (vm_entry_controls_get(to_vmx(vcpu)) & VM_ENTRY_IA32E_MODE); + /* + * Note! Save DR7, but intentionally don't grab DEBUGCTL from vmcs02. + * Writes to DEBUGCTL that aren't intercepted by L1 are immediately + * propagated to vmcs12 (see vmx_set_msr()), as the value loaded into + * vmcs02 doesn't strictly track vmcs12. + */ if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_DEBUG_CONTROLS) vmcs12->guest_dr7 = vcpu->arch.dr7; diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4f827a75d980..6a8b78e954cd 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2174,7 +2174,7 @@ static u64 nested_vmx_truncate_sysenter_addr(struct kvm_vcpu *vcpu, return (unsigned long)data; } -static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) { u64 debugctl = 0; @@ -2193,8 +2193,7 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated return debugctl; } -static bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, - bool host_initiated) +bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated) { u64 invalid; diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index b5758c33c60f..392e66c7e5fe 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -414,6 +414,9 @@ static inline void vmx_set_intercept_for_msr(struct kvm_vcpu *vcpu, u32 msr, void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); +bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated); + /* * Note, early Intel manuals have the write-low and read-high bitmap offsets * the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and

1 month, 1 week

2
2
0 0

[PATCH] drm/i915: silence rpm wakeref asserts on GEN11_GU_MISC_IIR access

by Jani Nikula

Commit 8d9908e8fe9c ("drm/i915/display: remove small micro-optimizations in irq handling") not only removed the optimizations, it also enabled wakeref asserts for the GEN11_GU_MISC_IIR access. Silence the asserts by wrapping the access inside intel_display_rpm_assert_{block,unblock}(). Reported-by: Jason A. Donenfeld <Jason(a)zx2c4.com> Closes: https://lore.kernel.org/r/aG0tWkfmxWtxl_xc@zx2c4.com Fixes: 8d9908e8fe9c ("drm/i915/display: remove small micro-optimizations in irq handling") Cc: <stable(a)vger.kernel.org> # v6.13+ Suggested-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> --- drivers/gpu/drm/i915/display/intel_display_irq.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/i915/display/intel_display_irq.c b/drivers/gpu/drm/i915/display/intel_display_irq.c index fb25ec8adae3..68157f177b6a 100644 --- a/drivers/gpu/drm/i915/display/intel_display_irq.c +++ b/drivers/gpu/drm/i915/display/intel_display_irq.c @@ -1506,10 +1506,14 @@ u32 gen11_gu_misc_irq_ack(struct intel_display *display, const u32 master_ctl) if (!(master_ctl & GEN11_GU_MISC_IRQ)) return 0; + intel_display_rpm_assert_block(display); + iir = intel_de_read(display, GEN11_GU_MISC_IIR); if (likely(iir)) intel_de_write(display, GEN11_GU_MISC_IIR, iir); + intel_display_rpm_assert_unblock(display); + return iir; } -- 2.39.5

1 month, 1 week

2
2
0 0

[PATCH] powerpc/mm: Fix SLB multihit issue during SLB preload

by Donet Tom

On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction — typically after every 256 context switches — to remove old entry. To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. However, on hash MMU systems, this can lead to inconsistencies between the hardware SLB and the software preload cache. If an SLB entry for a process is evicted from the software cache on one CPU, and the same process later runs on another CPU without executing switch_mmu_context(), the hardware SLB may retain stale entries. If the kernel then attempts to reload that entry, it can trigger an SLB multi-hit error. The following timeline shows how stale SLB entries are created and can cause a multi-hit error when a process moves between CPUs without a MMU context switch. CPU 0 CPU 1 ----- ----- Process P exec swapper/1 load_elf_binary begin_new_exc activate_mm switch_mm_irqs_off switch_mmu_context switch_slb /* * This invalidates all * the entries in the HW * and setup the new HW * SLB entries as per the * preload cache. */ context_switch sched_migrate_task migrates process P to cpu-1 Process swapper/0 context switch (to process P) (uses mm_struct of Process P) switch_mm_irqs_off() switch_slb load_slb++ /* * load_slb becomes 0 here * and we evict an entry from * the preload cache with * preload_age(). We still * keep HW SLB and preload * cache in sync, that is * because all HW SLB entries * anyways gets evicted in * switch_slb during SLBIA. * We then only add those * entries back in HW SLB, * which are currently * present in preload_cache * (after eviction). */ load_elf_binary continues... setup_new_exec() slb_setup_new_exec() sched_switch event sched_migrate_task migrates process P to cpu-0 context_switch from swapper/0 to Process P switch_mm_irqs_off() /* * Since both prev and next mm struct are same we don't call * switch_mmu_context(). This will cause the HW SLB and SW preload * cache to go out of sync in preload_new_slb_context. Because there * was an SLB entry which was evicted from both HW and preload cache * on cpu-1. Now later in preload_new_slb_context(), when we will try * to add the same preload entry again, we will add this to the SW * preload cache and then will add it to the HW SLB. Since on cpu-0 * this entry was never invalidated, hence adding this entry to the HW * SLB will cause a SLB multi-hit error. */ load_elf_binary continues... START_THREAD start_thread preload_new_slb_context /* * This tries to add a new EA to preload cache which was earlier * evicted from both cpu-1 HW SLB and preload cache. This caused the * HW SLB of cpu-0 to go out of sync with the SW preload cache. The * reason for this was, that when we context switched back on CPU-0, * we should have ideally called switch_mmu_context() which will * bring the HW SLB entries on CPU-0 in sync with SW preload cache * entries by setting up the mmu context properly. But we didn't do * that since the prev mm_struct running on cpu-0 was same as the * next mm_struct (which is true for swapper / kernel threads). So * now when we try to add this new entry into the HW SLB of cpu-0, * we hit a SLB multi-hit error. */ WARNING: CPU: 0 PID: 1810970 at arch/powerpc/mm/book3s64/slb.c:62 assert_slb_presence+0x2c/0x50(48 results) 02:47:29 [20157/42149] Modules linked in: CPU: 0 UID: 0 PID: 1810970 Comm: dd Not tainted 6.16.0-rc3-dirty #12 VOLUNTARY Hardware name: IBM pSeries (emulated by qemu) POWER8 (architected) 0x4d0200 0xf000004 of:SLOF,HEAD hv:linux,kvm pSeries NIP: c00000000015426c LR: c0000000001543b4 CTR: 0000000000000000 REGS: c0000000497c77e0 TRAP: 0700 Not tainted (6.16.0-rc3-dirty) MSR: 8000000002823033 <SF,VEC,VSX,FP,ME,IR,DR,RI,LE> CR: 28888482 XER: 00000000 CFAR: c0000000001543b0 IRQMASK: 3 <...> NIP [c00000000015426c] assert_slb_presence+0x2c/0x50 LR [c0000000001543b4] slb_insert_entry+0x124/0x390 Call Trace: 0x7fffceb5ffff (unreliable) preload_new_slb_context+0x100/0x1a0 start_thread+0x26c/0x420 load_elf_binary+0x1b04/0x1c40 bprm_execve+0x358/0x680 do_execveat_common+0x1f8/0x240 sys_execve+0x58/0x70 system_call_exception+0x114/0x300 system_call_common+0x160/0x2c4 From the above analysis, during early exec the hardware SLB is cleared, and entries from the software preload cache are reloaded into hardware by switch_slb. However, preload_new_slb_context and slb_setup_new_exec also attempt to load some of the same entries, which can trigger a multi-hit. In most cases, these additional preloads simply hit existing entries and add nothing new. Removing these functions avoids redundant preloads and eliminates the multi-hit issue. This patch removes these two functions. We tested process switching performance using the context_switch benchmark on POWER9/hash, and observed no regression. Without this patch: 129041 ops/sec With this patch: 129341 ops/sec We also measured SLB faults during boot, and the counts are essentially the same with and without this patch. SLB faults without this patch: 19727 SLB faults with this patch: 19786 Fixes: 5434ae74629a ("powerpc/64s/hash: Add a SLB preload cache") cc: stable(a)vger.kernel.org Suggested-by: Nicholas Piggin <npiggin(a)gmail.com> Signed-off-by: Donet Tom <donettom(a)linux.ibm.com> --- arch/powerpc/include/asm/book3s/64/mmu-hash.h | 1 - arch/powerpc/kernel/process.c | 5 -- arch/powerpc/mm/book3s64/internal.h | 2 - arch/powerpc/mm/book3s64/mmu_context.c | 2 - arch/powerpc/mm/book3s64/slb.c | 88 ------------------- 5 files changed, 98 deletions(-) diff --git a/arch/powerpc/include/asm/book3s/64/mmu-hash.h b/arch/powerpc/include/asm/book3s/64/mmu-hash.h index 1c4eebbc69c9..e1f77e2eead4 100644 --- a/arch/powerpc/include/asm/book3s/64/mmu-hash.h +++ b/arch/powerpc/include/asm/book3s/64/mmu-hash.h @@ -524,7 +524,6 @@ void slb_save_contents(struct slb_entry *slb_ptr); void slb_dump_contents(struct slb_entry *slb_ptr); extern void slb_vmalloc_update(void); -void preload_new_slb_context(unsigned long start, unsigned long sp); #ifdef CONFIG_PPC_64S_HASH_MMU void slb_set_size(u16 size); diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c index 855e09886503..2b9799157eb4 100644 --- a/arch/powerpc/kernel/process.c +++ b/arch/powerpc/kernel/process.c @@ -1897,8 +1897,6 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args) return 0; } -void preload_new_slb_context(unsigned long start, unsigned long sp); - /* * Set up a thread for executing a new program */ @@ -1906,9 +1904,6 @@ void start_thread(struct pt_regs *regs, unsigned long start, unsigned long sp) { #ifdef CONFIG_PPC64 unsigned long load_addr = regs->gpr[2]; /* saved by ELF_PLAT_INIT */ - - if (IS_ENABLED(CONFIG_PPC_BOOK3S_64) && !radix_enabled()) - preload_new_slb_context(start, sp); #endif #ifdef CONFIG_PPC_TRANSACTIONAL_MEM diff --git a/arch/powerpc/mm/book3s64/internal.h b/arch/powerpc/mm/book3s64/internal.h index a57a25f06a21..c26a6f0c90fc 100644 --- a/arch/powerpc/mm/book3s64/internal.h +++ b/arch/powerpc/mm/book3s64/internal.h @@ -24,8 +24,6 @@ static inline bool stress_hpt(void) void hpt_do_stress(unsigned long ea, unsigned long hpte_group); -void slb_setup_new_exec(void); - void exit_lazy_flush_tlb(struct mm_struct *mm, bool always_flush); #endif /* ARCH_POWERPC_MM_BOOK3S64_INTERNAL_H */ diff --git a/arch/powerpc/mm/book3s64/mmu_context.c b/arch/powerpc/mm/book3s64/mmu_context.c index 4e1e45420bd4..fb9dcf9ca599 100644 --- a/arch/powerpc/mm/book3s64/mmu_context.c +++ b/arch/powerpc/mm/book3s64/mmu_context.c @@ -150,8 +150,6 @@ static int hash__init_new_context(struct mm_struct *mm) void hash__setup_new_exec(void) { slice_setup_new_exec(); - - slb_setup_new_exec(); } #else static inline int hash__init_new_context(struct mm_struct *mm) diff --git a/arch/powerpc/mm/book3s64/slb.c b/arch/powerpc/mm/book3s64/slb.c index 6b783552403c..7e053c561a09 100644 --- a/arch/powerpc/mm/book3s64/slb.c +++ b/arch/powerpc/mm/book3s64/slb.c @@ -328,94 +328,6 @@ static void preload_age(struct thread_info *ti) ti->slb_preload_tail = (ti->slb_preload_tail + 1) % SLB_PRELOAD_NR; } -void slb_setup_new_exec(void) -{ - struct thread_info *ti = current_thread_info(); - struct mm_struct *mm = current->mm; - unsigned long exec = 0x10000000; - - WARN_ON(irqs_disabled()); - - /* - * preload cache can only be used to determine whether a SLB - * entry exists if it does not start to overflow. - */ - if (ti->slb_preload_nr + 2 > SLB_PRELOAD_NR) - return; - - hard_irq_disable(); - - /* - * We have no good place to clear the slb preload cache on exec, - * flush_thread is about the earliest arch hook but that happens - * after we switch to the mm and have already preloaded the SLBEs. - * - * For the most part that's probably okay to use entries from the - * previous exec, they will age out if unused. It may turn out to - * be an advantage to clear the cache before switching to it, - * however. - */ - - /* - * preload some userspace segments into the SLB. - * Almost all 32 and 64bit PowerPC executables are linked at - * 0x10000000 so it makes sense to preload this segment. - */ - if (!is_kernel_addr(exec)) { - if (preload_add(ti, exec)) - slb_allocate_user(mm, exec); - } - - /* Libraries and mmaps. */ - if (!is_kernel_addr(mm->mmap_base)) { - if (preload_add(ti, mm->mmap_base)) - slb_allocate_user(mm, mm->mmap_base); - } - - /* see switch_slb */ - asm volatile("isync" : : : "memory"); - - local_irq_enable(); -} - -void preload_new_slb_context(unsigned long start, unsigned long sp) -{ - struct thread_info *ti = current_thread_info(); - struct mm_struct *mm = current->mm; - unsigned long heap = mm->start_brk; - - WARN_ON(irqs_disabled()); - - /* see above */ - if (ti->slb_preload_nr + 3 > SLB_PRELOAD_NR) - return; - - hard_irq_disable(); - - /* Userspace entry address. */ - if (!is_kernel_addr(start)) { - if (preload_add(ti, start)) - slb_allocate_user(mm, start); - } - - /* Top of stack, grows down. */ - if (!is_kernel_addr(sp)) { - if (preload_add(ti, sp)) - slb_allocate_user(mm, sp); - } - - /* Bottom of heap, grows up. */ - if (heap && !is_kernel_addr(heap)) { - if (preload_add(ti, heap)) - slb_allocate_user(mm, heap); - } - - /* see switch_slb */ - asm volatile("isync" : : : "memory"); - - local_irq_enable(); -} - static void slb_cache_slbie_kernel(unsigned int index) { unsigned long slbie_data = get_paca()->slb_cache[index]; -- 2.47.3

1 month, 1 week

1
0
0 0

[PATCH v2] block: restore default wbt enablement

by Julian Sun

The commit 245618f8e45f ("block: protect wbt_lat_usec using q->elevator_lock") protected wbt_enable_default() with q->elevator_lock; however, it also placed wbt_enable_default() before blk_queue_flag_set(QUEUE_FLAG_REGISTERED, q);, resulting in wbt failing to be enabled. Moreover, the protection of wbt_enable_default() by q->elevator_lock was removed in commit 78c271344b6f ("block: move wbt_enable_default() out of queue freezing from sched ->exit()"), so we can directly fix this issue by placing wbt_enable_default() after blk_queue_flag_set(QUEUE_FLAG_REGISTERED, q);. Additionally, this issue also causes the inability to read the wbt_lat_usec file, and the scenario is as follows: root@q:/sys/block/sda/queue# cat wbt_lat_usec cat: wbt_lat_usec: Invalid argument root@q:/data00/sjc/linux# ls /sys/kernel/debug/block/sda/rqos cannot access '/sys/kernel/debug/block/sda/rqos': No such file or directory root@q:/data00/sjc/linux# find /sys -name wbt /sys/kernel/debug/tracing/events/wbt After testing with this patch, wbt can be enabled normally. Signed-off-by: Julian Sun <sunjunchao(a)bytedance.com> Cc: stable(a)vger.kernel.org Fixes: 245618f8e45f ("block: protect wbt_lat_usec using q->elevator_lock") --- Changed in v2: - Improved commit message and comment - Added Fixes and Cc stable block/blk-sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c index 396cded255ea..979f01bbca01 100644 --- a/block/blk-sysfs.c +++ b/block/blk-sysfs.c @@ -903,9 +903,9 @@ int blk_register_queue(struct gendisk *disk) if (queue_is_mq(q)) elevator_set_default(q); - wbt_enable_default(disk); blk_queue_flag_set(QUEUE_FLAG_REGISTERED, q); + wbt_enable_default(disk); /* Now everything is ready and send out KOBJ_ADD uevent */ kobject_uevent(&disk->queue_kobj, KOBJ_ADD); -- 2.39.5

1 month, 1 week

6
6
0 0

Re: do_change_type(): refuse to operate on unmounted/not ours mounts

by Andrei Vagin

On Thu, Jul 24, 2025 at 4:00 PM Al Viro <viro(a)zeniv.linux.org.uk> wrote: > > On Thu, Jul 24, 2025 at 01:02:48PM -0700, Andrei Vagin wrote: > > Hi Al and Christian, > > > > The commit 12f147ddd6de ("do_change_type(): refuse to operate on > > unmounted/not ours mounts") introduced an ABI backward compatibility > > break. CRIU depends on the previous behavior, and users are now > > reporting criu restore failures following the kernel update. This change > > has been propagated to stable kernels. Is this check strictly required? > > Yes. > > > Would it be possible to check only if the current process has > > CAP_SYS_ADMIN within the mount user namespace? > > Not enough, both in terms of permissions *and* in terms of "thou > shalt not bugger the kernel data structures - nobody's priveleged > enough for that". Al, I am still thinking in terms of "Thou shalt not break userspace"... Seriously though, this original behavior has been in the kernel for 20 years, and it hasn't triggered any corruptions in all that time. I understand this change might be necessary in its current form, and that some collateral damage could be unavoidable. But if that's the case, I'd expect a detailed explanation of why it had to be so and why userspace breakage is unavoidable. The original change was merged two decades ago. We need to consider that some applications might rely on that behavior. I'm not questioning the security aspect - that must be addressed. But for anything else, we need to minimize the impact on user applications that don't violate security. We can consider a cleaner fix for the upstream kernel, but when we are talking about stable kernels, the user-space backward compatibility aspect should be even more critical. Thanks, Andrei

1 month, 1 week

7
15
0 0

[PATCH 6.12.y] wifi: mac80211: check basic rates validity in sta_link_apply_parameters

by Hanne-Lotta Mäenpää

From: Mikhail Lobanov <m.lobanov(a)rosa.ru> [ Upstream commit 16ee3ea8faef8ff042acc15867a6c458c573de61 ] When userspace sets supported rates for a new station via NL80211_CMD_NEW_STATION, it might send a list that's empty or contains only invalid values. Currently, we process these values in sta_link_apply_parameters() without checking the result of ieee80211_parse_bitrates(), which can lead to an empty rates bitmap. A similar issue was addressed for NL80211_CMD_SET_BSS in commit ce04abc3fcc6 ("wifi: mac80211: check basic rates validity"). This patch applies the same approach in sta_link_apply_parameters() for NL80211_CMD_NEW_STATION, ensuring there is at least one valid rate by inspecting the result of ieee80211_parse_bitrates(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params") Signed-off-by: Mikhail Lobanov <m.lobanov(a)rosa.ru> Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> (cherry picked from commit 16ee3ea8faef8ff042acc15867a6c458c573de61) Signed-off-by: Hanne-Lotta Mäenpää <hannelotta(a)gmail.com> --- net/mac80211/cfg.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index cf2b8a05c338..9da17d653238 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -1879,12 +1879,12 @@ static int sta_link_apply_parameters(struct ieee80211_local *local, } if (params->supported_rates && - params->supported_rates_len) { - ieee80211_parse_bitrates(link->conf->chanreq.oper.width, - sband, params->supported_rates, - params->supported_rates_len, - &link_sta->pub->supp_rates[sband->band]); - } + params->supported_rates_len && + !ieee80211_parse_bitrates(link->conf->chanreq.oper.width, + sband, params->supported_rates, + params->supported_rates_len, + &link_sta->pub->supp_rates[sband->band])) + return -EINVAL; if (params->ht_capa) ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband, -- 2.50.0

1 month, 1 week

1
0
0 0

[PATCH] usb: hub: Don't try to recover devices lost during warm reset.

by Mathias Nyman

Hub driver warm-resets ports in SS.Inactive or Compliance mode to recover a possible connected device. The port reset code correctly detects if a connection is lost during reset, but hub driver port_event() fails to take this into account in some cases. port_event() ends up using stale values and assumes there is a connected device, and will try all means to recover it, including power-cycling the port. Details: This case was triggered when xHC host was suspended with DbC (Debug Capability) enabled and connected. DbC turns one xHC port into a simple usb debug device, allowing debugging a system with an A-to-A USB debug cable. xhci DbC code disables DbC when xHC is system suspended to D3, and enables it back during resume. We essentially end up with two hosts connected to each other during suspend, and, for a short while during resume, until DbC is enabled back. The suspended xHC host notices some activity on the roothub port, but can't train the link due to being suspended, so xHC hardware sets a CAS (Cold Attach Status) flag for this port to inform xhci host driver that the port needs to be warm reset once xHC resumes. CAS is xHCI specific, and not part of USB specification, so xhci driver tells usb core that the port has a connection and link is in compliance mode. Recovery from complinace mode is similar to CAS recovery. xhci CAS driver support that fakes a compliance mode connection was added in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS") Once xHCI resumes and DbC is enabled back, all activity on the xHC roothub host side port disappears. The hub driver will anyway think port has a connection and link is in compliance mode, and hub driver will try to recover it. The port power-cycle during recovery seems to cause issues to the active DbC connection. Fix this by clearing connect_change flag if hub_port_reset() returns -ENOTCONN, thus avoiding the whole unnecessary port recovery and initialization attempt. Cc: stable(a)vger.kernel.org Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS") Tested-by: Łukasz Bartosik <ukaszb(a)chromium.org> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/core/hub.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 6bb6e92cb0a4..f981e365be36 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -5754,6 +5754,7 @@ static void port_event(struct usb_hub *hub, int port1) struct usb_device *hdev = hub->hdev; u16 portstatus, portchange; int i = 0; + int err; connect_change = test_bit(port1, hub->change_bits); clear_bit(port1, hub->event_bits); @@ -5850,8 +5851,11 @@ static void port_event(struct usb_hub *hub, int port1) } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) || udev->state == USB_STATE_NOTATTACHED) { dev_dbg(&port_dev->dev, "do warm reset, port only\n"); - if (hub_port_reset(hub, port1, NULL, - HUB_BH_RESET_TIME, true) < 0) + err = hub_port_reset(hub, port1, NULL, + HUB_BH_RESET_TIME, true); + if (!udev && err == -ENOTCONN) + connect_change = 0; + else if (err < 0) hub_port_disable(hub, port1, 1); } else { dev_dbg(&port_dev->dev, "do warm reset, full device\n"); -- 2.43.0

1 month, 1 week

6
17
0 0

[PATCH] cifs: Fix UAF in cifs_demultiplex_thread()

by Chanho Min

From: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> commit d527f51331cace562393a8038d870b3e9916686f upstream. There is a UAF when xfstests on cifs: BUG: KASAN: use-after-free in smb2_is_network_name_deleted+0x27/0x160 Read of size 4 at addr ffff88810103fc08 by task cifsd/923 CPU: 1 PID: 923 Comm: cifsd Not tainted 6.1.0-rc4+ #45 ... Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report+0x171/0x472 kasan_report+0xad/0x130 kasan_check_range+0x145/0x1a0 smb2_is_network_name_deleted+0x27/0x160 cifs_demultiplex_thread.cold+0x172/0x5a4 kthread+0x165/0x1a0 ret_from_fork+0x1f/0x30 </TASK> Allocated by task 923: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_slab_alloc+0x54/0x60 kmem_cache_alloc+0x147/0x320 mempool_alloc+0xe1/0x260 cifs_small_buf_get+0x24/0x60 allocate_buffers+0xa1/0x1c0 cifs_demultiplex_thread+0x199/0x10d0 kthread+0x165/0x1a0 ret_from_fork+0x1f/0x30 Freed by task 921: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 ____kasan_slab_free+0x143/0x1b0 kmem_cache_free+0xe3/0x4d0 cifs_small_buf_release+0x29/0x90 SMB2_negotiate+0x8b7/0x1c60 smb2_negotiate+0x51/0x70 cifs_negotiate_protocol+0xf0/0x160 cifs_get_smb_ses+0x5fa/0x13c0 mount_get_conns+0x7a/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The UAF is because: mount(pid: 921) | cifsd(pid: 923) -------------------------------|------------------------------- | cifs_demultiplex_thread SMB2_negotiate | cifs_send_recv | compound_send_recv | smb_send_rqst | wait_for_response | wait_event_state [1] | | standard_receive3 | cifs_handle_standard | handle_mid | mid->resp_buf = buf; [2] | dequeue_mid [3] KILL the process [4] | resp_iov[i].iov_base = buf | free_rsp_buf [5] | | is_network_name_deleted [6] | callback 1. After send request to server, wait the response until mid->mid_state != SUBMITTED; 2. Receive response from server, and set it to mid; 3. Set the mid state to RECEIVED; 4. Kill the process, the mid state already RECEIVED, get 0; 5. Handle and release the negotiate response; 6. UAF. It can be easily reproduce with add some delay in [3] - [6]. Only sync call has the problem since async call's callback is executed in cifsd process. Add an extra state to mark the mid state to READY before wakeup the waitter, then it can get the resp safely. Cc: stable(a)vger.kernel.org # 5.4 Fixes: ec637e3ffb6b ("[CIFS] Avoid extra large buffer allocation (and memcpy) in cifs_readpages") Reviewed-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5(a)huawei.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [fs/cifs was moved to fs/smb/client since 38c8a9a52082 ("smb: move client and server files to common directory fs/smb"). We apply the patch to fs/cifs with some minor context changes.] Signed-off-by: He Zhe <zhe.he(a)windriver.com> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> [ chanho: Backported to v5.4.y ] Signed-off-by: Chanho Min <chanho.min(a)lge.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/cifs/cifsglob.h | 1 + fs/cifs/transport.c | 34 +++++++++++++++++++++++----------- 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 5f545a240afa6..19107b77f8c00 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h @@ -1722,6 +1722,7 @@ static inline bool is_retryable_error(int error) #define MID_RETRY_NEEDED 8 /* session closed while this request out */ #define MID_RESPONSE_MALFORMED 0x10 #define MID_SHUTDOWN 0x20 +#define MID_RESPONSE_READY 0x40 /* ready for other process handle the rsp */ /* Flags */ #define MID_WAIT_CANCELLED 1 /* Cancelled while waiting for response */ diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c index fc237b920f231..d0bc90746fa64 100644 --- a/fs/cifs/transport.c +++ b/fs/cifs/transport.c @@ -47,6 +47,8 @@ void cifs_wake_up_task(struct mid_q_entry *mid) { + if (mid->mid_state == MID_RESPONSE_RECEIVED) + mid->mid_state = MID_RESPONSE_READY; wake_up_process(mid->callback_data); } @@ -99,7 +101,8 @@ void _cifs_mid_q_entry_release(struct kref *refcount) struct TCP_Server_Info *server = midEntry->server; if (midEntry->resp_buf && (midEntry->mid_flags & MID_WAIT_CANCELLED) && - midEntry->mid_state == MID_RESPONSE_RECEIVED && + (midEntry->mid_state == MID_RESPONSE_RECEIVED || + midEntry->mid_state == MID_RESPONSE_READY) && server->ops->handle_cancelled_mid) server->ops->handle_cancelled_mid(midEntry->resp_buf, server); @@ -730,7 +733,8 @@ wait_for_response(struct TCP_Server_Info *server, struct mid_q_entry *midQ) int error; error = wait_event_freezekillable_unsafe(server->response_q, - midQ->mid_state != MID_REQUEST_SUBMITTED); + midQ->mid_state != MID_REQUEST_SUBMITTED && + midQ->mid_state != MID_RESPONSE_RECEIVED); if (error < 0) return -ERESTARTSYS; @@ -882,7 +886,7 @@ cifs_sync_mid_result(struct mid_q_entry *mid, struct TCP_Server_Info *server) spin_lock(&GlobalMid_Lock); switch (mid->mid_state) { - case MID_RESPONSE_RECEIVED: + case MID_RESPONSE_READY: spin_unlock(&GlobalMid_Lock); return rc; case MID_RETRY_NEEDED: @@ -980,6 +984,9 @@ cifs_compound_callback(struct mid_q_entry *mid) credits.instance = server->reconnect_instance; add_credits(server, &credits, mid->optype); + + if (mid->mid_state == MID_RESPONSE_RECEIVED) + mid->mid_state = MID_RESPONSE_READY; } static void @@ -1143,7 +1150,8 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses, send_cancel(server, &rqst[i], midQ[i]); spin_lock(&GlobalMid_Lock); midQ[i]->mid_flags |= MID_WAIT_CANCELLED; - if (midQ[i]->mid_state == MID_REQUEST_SUBMITTED) { + if (midQ[i]->mid_state == MID_REQUEST_SUBMITTED || + midQ[i]->mid_state == MID_RESPONSE_RECEIVED) { midQ[i]->callback = cifs_cancelled_callback; cancelled_mid[i] = true; credits[i].value = 0; @@ -1164,7 +1172,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses, } if (!midQ[i]->resp_buf || - midQ[i]->mid_state != MID_RESPONSE_RECEIVED) { + midQ[i]->mid_state != MID_RESPONSE_READY) { rc = -EIO; cifs_dbg(FYI, "Bad MID state?\n"); goto out; @@ -1341,7 +1349,8 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses, if (rc != 0) { send_cancel(server, &rqst, midQ); spin_lock(&GlobalMid_Lock); - if (midQ->mid_state == MID_REQUEST_SUBMITTED) { + if (midQ->mid_state == MID_REQUEST_SUBMITTED || + midQ->mid_state == MID_RESPONSE_RECEIVED) { /* no longer considered to be "in-flight" */ midQ->callback = DeleteMidQEntry; spin_unlock(&GlobalMid_Lock); @@ -1358,7 +1367,7 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses, } if (!midQ->resp_buf || !out_buf || - midQ->mid_state != MID_RESPONSE_RECEIVED) { + midQ->mid_state != MID_RESPONSE_READY) { rc = -EIO; cifs_server_dbg(VFS, "Bad MID state?\n"); goto out; @@ -1478,13 +1487,15 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon, /* Wait for a reply - allow signals to interrupt. */ rc = wait_event_interruptible(server->response_q, - (!(midQ->mid_state == MID_REQUEST_SUBMITTED)) || + (!(midQ->mid_state == MID_REQUEST_SUBMITTED || + midQ->mid_state == MID_RESPONSE_RECEIVED)) || ((server->tcpStatus != CifsGood) && (server->tcpStatus != CifsNew))); /* Were we interrupted by a signal ? */ if ((rc == -ERESTARTSYS) && - (midQ->mid_state == MID_REQUEST_SUBMITTED) && + (midQ->mid_state == MID_REQUEST_SUBMITTED || + midQ->mid_state == MID_RESPONSE_RECEIVED) && ((server->tcpStatus == CifsGood) || (server->tcpStatus == CifsNew))) { @@ -1514,7 +1525,8 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon, if (rc) { send_cancel(server, &rqst, midQ); spin_lock(&GlobalMid_Lock); - if (midQ->mid_state == MID_REQUEST_SUBMITTED) { + if (midQ->mid_state == MID_REQUEST_SUBMITTED || + midQ->mid_state == MID_RESPONSE_RECEIVED) { /* no longer considered to be "in-flight" */ midQ->callback = DeleteMidQEntry; spin_unlock(&GlobalMid_Lock); @@ -1532,7 +1544,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon, return rc; /* rcvd frame is ok */ - if (out_buf == NULL || midQ->mid_state != MID_RESPONSE_RECEIVED) { + if (out_buf == NULL || midQ->mid_state != MID_RESPONSE_READY) { rc = -EIO; cifs_tcon_dbg(VFS, "Bad MID state?\n"); goto out;

1 month, 1 week

1
0
0 0

[PATCH] Bluetooth: fix use-after-free in device_for_each_child()

by Chanho Min

From: Dmitry Antipov <dmantipov(a)yandex.ru> [ Upstream commit 27aabf27fd014ae037cc179c61b0bee7cff55b3d ] Syzbot has reported the following KASAN splat: BUG: KASAN: slab-use-after-free in device_for_each_child+0x18f/0x1a0 Read of size 8 at addr ffff88801f605308 by task kbnepd bnep0/4980 CPU: 0 UID: 0 PID: 4980 Comm: kbnepd bnep0 Not tainted 6.12.0-rc4-00161-gae90f6a6170d #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x100/0x190 ? device_for_each_child+0x18f/0x1a0 print_report+0x13a/0x4cb ? __virt_addr_valid+0x5e/0x590 ? __phys_addr+0xc6/0x150 ? device_for_each_child+0x18f/0x1a0 kasan_report+0xda/0x110 ? device_for_each_child+0x18f/0x1a0 ? __pfx_dev_memalloc_noio+0x10/0x10 device_for_each_child+0x18f/0x1a0 ? __pfx_device_for_each_child+0x10/0x10 pm_runtime_set_memalloc_noio+0xf2/0x180 netdev_unregister_kobject+0x1ed/0x270 unregister_netdevice_many_notify+0x123c/0x1d80 ? __mutex_trylock_common+0xde/0x250 ? __pfx_unregister_netdevice_many_notify+0x10/0x10 ? trace_contention_end+0xe6/0x140 ? __mutex_lock+0x4e7/0x8f0 ? __pfx_lock_acquire.part.0+0x10/0x10 ? rcu_is_watching+0x12/0xc0 ? unregister_netdev+0x12/0x30 unregister_netdevice_queue+0x30d/0x3f0 ? __pfx_unregister_netdevice_queue+0x10/0x10 ? __pfx_down_write+0x10/0x10 unregister_netdev+0x1c/0x30 bnep_session+0x1fb3/0x2ab0 ? __pfx_bnep_session+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? __pfx_woken_wake_function+0x10/0x10 ? __kthread_parkme+0x132/0x200 ? __pfx_bnep_session+0x10/0x10 ? kthread+0x13a/0x370 ? __pfx_bnep_session+0x10/0x10 kthread+0x2b7/0x370 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x48/0x80 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 4974: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 __kmalloc_noprof+0x1d1/0x440 hci_alloc_dev_priv+0x1d/0x2820 __vhci_create_device+0xef/0x7d0 vhci_write+0x2c7/0x480 vfs_write+0x6a0/0xfc0 ksys_write+0x12f/0x260 do_syscall_64+0xc7/0x250 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 4979: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x4f/0x70 kfree+0x141/0x490 hci_release_dev+0x4d9/0x600 bt_host_release+0x6a/0xb0 device_release+0xa4/0x240 kobject_put+0x1ec/0x5a0 put_device+0x1f/0x30 vhci_release+0x81/0xf0 __fput+0x3f6/0xb30 task_work_run+0x151/0x250 do_exit+0xa79/0x2c30 do_group_exit+0xd5/0x2a0 get_signal+0x1fcd/0x2210 arch_do_signal_or_restart+0x93/0x780 syscall_exit_to_user_mode+0x140/0x290 do_syscall_64+0xd4/0x250 entry_SYSCALL_64_after_hwframe+0x77/0x7f In 'hci_conn_del_sysfs()', 'device_unregister()' may be called when an underlying (kobject) reference counter is greater than 1. This means that reparenting (happened when the device is actually freed) is delayed and, during that delay, parent controller device (hciX) may be deleted. Since the latter may create a dangling pointer to freed parent, avoid that scenario by reparenting to NULL explicitly. Cc: stable(a)vger.kernel.org # 5.4 Reported-by: syzbot+6cf5652d3df49fae2e3f(a)syzkaller.appspotmail.com Tested-by: syzbot+6cf5652d3df49fae2e3f(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6cf5652d3df49fae2e3f Fixes: a85fb91e3d72 ("Bluetooth: Fix double free in hci_conn_cleanup") Signed-off-by: Dmitry Antipov <dmantipov(a)yandex.ru> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [ chanho: Backported from v5.10.y to v5.4.y. device_find_any_child() is not supported in v5.4.y, so changed to use device_find_child() with __match_any ] Signed-off-by: Chanho Min <chanho.min(a)lge.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- net/bluetooth/hci_sysfs.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c index 266112c960ee8..f8e7b0ba2d273 100644 --- a/net/bluetooth/hci_sysfs.c +++ b/net/bluetooth/hci_sysfs.c @@ -19,14 +19,9 @@ static const struct device_type bt_link = { .release = bt_link_release, }; -/* - * The rfcomm tty device will possibly retain even when conn - * is down, and sysfs doesn't support move zombie device, - * so we should move the device before conn device is destroyed. - */ -static int __match_tty(struct device *dev, void *data) +static int __match_any(struct device *dev, void *unused) { - return !strncmp(dev_name(dev), "rfcomm", 6); + return 1; } void hci_conn_init_sysfs(struct hci_conn *conn) @@ -71,10 +66,12 @@ void hci_conn_del_sysfs(struct hci_conn *conn) return; } + /* If there are devices using the connection as parent reset it to NULL + * before unregistering the device. + */ while (1) { struct device *dev; - - dev = device_find_child(&conn->dev, NULL, __match_tty); + dev = device_find_child(&conn->dev, NULL, __match_any); if (!dev) break; device_move(dev, NULL, DPM_ORDER_DEV_LAST);

1 month, 1 week

1
0
0 0

[PATCH] rust: cpumask: Mark CpumaskVar as transparent

by Baptiste Lepers

Unsafe code in CpumaskVar's methods assumes that the type has the same layout as `bindings::cpumask_var_t`. This is not guaranteed by the default struct representation in Rust, but requires specifying the `transparent` representation. Fixes: 8961b8cb3099a ("rust: cpumask: Add initial abstractions") Cc: stable(a)vger.kernel.org Signed-off-by: Baptiste Lepers <baptiste.lepers(a)gmail.com> --- rust/kernel/cpumask.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/rust/kernel/cpumask.rs b/rust/kernel/cpumask.rs index 3fcbff438670..05e1c882404e 100644 --- a/rust/kernel/cpumask.rs +++ b/rust/kernel/cpumask.rs @@ -212,6 +212,7 @@ pub fn copy(&self, dstp: &mut Self) { /// } /// assert_eq!(mask2.weight(), count); /// ``` +#[repr(transparent)] pub struct CpumaskVar { #[cfg(CONFIG_CPUMASK_OFFSTACK)] ptr: NonNull<Cpumask>, -- 2.43.0

1 month, 1 week

3
2
0 0

FAILED: patch "[PATCH] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081208-gerbil-shelve-9cc8@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7d0cce6cbe71af6e9c1831bff101a2b9c249c4a2 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:09 -0700 Subject: [PATCH] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs Introduce vmx_guest_debugctl_{read,write}() to handle all accesses to vmcs.GUEST_IA32_DEBUGCTL. This will allow stuffing FREEZE_IN_SMM into GUEST_IA32_DEBUGCTL based on the host setting without bleeding the state into the guest, and without needing to copy+paste the FREEZE_IN_SMM logic into every patch that accesses GUEST_IA32_DEBUGCTL. No functional change intended. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> [sean: massage changelog, make inline, use in all prepare_vmcs02() cases] Reviewed-by: Dapeng Mi <dapeng1.mi(a)linux.intel.com> Link: https://lore.kernel.org/r/20250610232010.162191-8-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 1b8b0642fc2d..ef20184b8b11 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2663,11 +2663,11 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl & - vmx_get_supported_debugctl(vcpu, false)); + vmx_guest_debugctl_write(vcpu, vmcs12->guest_ia32_debugctl & + vmx_get_supported_debugctl(vcpu, false)); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); + vmx_guest_debugctl_write(vcpu, vmx->nested.pre_vmenter_debugctl); } if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) @@ -3532,7 +3532,7 @@ enum nvmx_vmentry_status nested_vmx_enter_non_root_mode(struct kvm_vcpu *vcpu, if (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) - vmx->nested.pre_vmenter_debugctl = vmcs_read64(GUEST_IA32_DEBUGCTL); + vmx->nested.pre_vmenter_debugctl = vmx_guest_debugctl_read(); if (kvm_mpx_supported() && (!vmx->nested.nested_run_pending || !(vmcs12->vm_entry_controls & VM_ENTRY_LOAD_BNDCFGS))) @@ -4806,7 +4806,7 @@ static void load_vmcs12_host_state(struct kvm_vcpu *vcpu, __vmx_set_segment(vcpu, &seg, VCPU_SREG_LDTR); kvm_set_dr(vcpu, 7, 0x400); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + vmx_guest_debugctl_write(vcpu, 0); if (nested_vmx_load_msr(vcpu, vmcs12->vm_exit_msr_load_addr, vmcs12->vm_exit_msr_load_count)) diff --git a/arch/x86/kvm/vmx/pmu_intel.c b/arch/x86/kvm/vmx/pmu_intel.c index bbf4509f32d0..0b173602821b 100644 --- a/arch/x86/kvm/vmx/pmu_intel.c +++ b/arch/x86/kvm/vmx/pmu_intel.c @@ -653,11 +653,11 @@ static void intel_pmu_reset(struct kvm_vcpu *vcpu) */ static void intel_pmu_legacy_freezing_lbrs_on_pmi(struct kvm_vcpu *vcpu) { - u64 data = vmcs_read64(GUEST_IA32_DEBUGCTL); + u64 data = vmx_guest_debugctl_read(); if (data & DEBUGCTLMSR_FREEZE_LBRS_ON_PMI) { data &= ~DEBUGCTLMSR_LBR; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); } } @@ -730,7 +730,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) if (!lbr_desc->event) { vmx_disable_lbr_msrs_passthrough(vcpu); - if (vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR) + if (vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR) goto warn; if (test_bit(INTEL_PMC_IDX_FIXED_VLBR, pmu->pmc_in_use)) goto warn; @@ -752,7 +752,7 @@ void vmx_passthrough_lbr_msrs(struct kvm_vcpu *vcpu) static void intel_pmu_cleanup(struct kvm_vcpu *vcpu) { - if (!(vmcs_read64(GUEST_IA32_DEBUGCTL) & DEBUGCTLMSR_LBR)) + if (!(vmx_guest_debugctl_read() & DEBUGCTLMSR_LBR)) intel_pmu_release_guest_lbr_event(vcpu); } diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 6a8b78e954cd..a77d325fe78b 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2149,7 +2149,7 @@ int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) msr_info->data = vmx->pt_desc.guest.addr_a[index / 2]; break; case MSR_IA32_DEBUGCTLMSR: - msr_info->data = vmcs_read64(GUEST_IA32_DEBUGCTL); + msr_info->data = vmx_guest_debugctl_read(); break; default: find_uret_msr: @@ -2283,7 +2283,8 @@ int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) VM_EXIT_SAVE_DEBUG_CONTROLS) get_vmcs12(vcpu)->guest_ia32_debugctl = data; - vmcs_write64(GUEST_IA32_DEBUGCTL, data); + vmx_guest_debugctl_write(vcpu, data); + if (intel_pmu_lbr_is_enabled(vcpu) && !to_vmx(vcpu)->lbr_desc.event && (data & DEBUGCTLMSR_LBR)) intel_pmu_create_guest_lbr_event(vcpu); @@ -4798,7 +4799,8 @@ static void init_vmcs(struct vcpu_vmx *vmx) vmcs_write32(GUEST_SYSENTER_CS, 0); vmcs_writel(GUEST_SYSENTER_ESP, 0); vmcs_writel(GUEST_SYSENTER_EIP, 0); - vmcs_write64(GUEST_IA32_DEBUGCTL, 0); + + vmx_guest_debugctl_write(&vmx->vcpu, 0); if (cpu_has_vmx_tpr_shadow()) { vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, 0); diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index 392e66c7e5fe..c20a4185d10a 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -417,6 +417,16 @@ void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated); +static inline void vmx_guest_debugctl_write(struct kvm_vcpu *vcpu, u64 val) +{ + vmcs_write64(GUEST_IA32_DEBUGCTL, val); +} + +static inline u64 vmx_guest_debugctl_read(void) +{ + return vmcs_read64(GUEST_IA32_DEBUGCTL); +} + /* * Note, early Intel manuals have the write-low and read-high bitmap offsets * the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 095686e6fcb4150f0a55b1a25987fad3d8af58d6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081221-finicky-ensure-b830@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 095686e6fcb4150f0a55b1a25987fad3d8af58d6 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky <mlevitsk(a)redhat.com> Date: Tue, 10 Jun 2025 16:20:08 -0700 Subject: [PATCH] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter Add a consistency check for L2's guest_ia32_debugctl, as KVM only supports a subset of hardware functionality, i.e. KVM can't rely on hardware to detect illegal/unsupported values. Failure to check the vmcs12 value would allow the guest to load any harware-supported value while running L2. Take care to exempt BTF and LBR from the validity check in order to match KVM's behavior for writes via WRMSR, but without clobbering vmcs12. Even if VM_EXIT_SAVE_DEBUG_CONTROLS is set in vmcs12, L1 can reasonably expect that vmcs12->guest_ia32_debugctl will not be modified if writes to the MSR are being intercepted. Arguably, KVM _should_ update vmcs12 if VM_EXIT_SAVE_DEBUG_CONTROLS is set *and* writes to MSR_IA32_DEBUGCTLMSR are not being intercepted by L1, but that would incur non-trivial complexity and wouldn't change the fact that KVM's handling of DEBUGCTL is blatantly broken. I.e. the extra complexity is not worth carrying. Cc: stable(a)vger.kernel.org Signed-off-by: Maxim Levitsky <mlevitsk(a)redhat.com> Co-developed-by: Sean Christopherson <seanjc(a)google.com> Link: https://lore.kernel.org/r/20250610232010.162191-7-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index 7211c71d4241..1b8b0642fc2d 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -2663,7 +2663,8 @@ static int prepare_vmcs02(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12, if (vmx->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS)) { kvm_set_dr(vcpu, 7, vmcs12->guest_dr7); - vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl); + vmcs_write64(GUEST_IA32_DEBUGCTL, vmcs12->guest_ia32_debugctl & + vmx_get_supported_debugctl(vcpu, false)); } else { kvm_set_dr(vcpu, 7, vcpu->arch.dr7); vmcs_write64(GUEST_IA32_DEBUGCTL, vmx->nested.pre_vmenter_debugctl); @@ -3156,7 +3157,8 @@ static int nested_vmx_check_guest_state(struct kvm_vcpu *vcpu, return -EINVAL; if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_DEBUG_CONTROLS) && - CC(!kvm_dr7_valid(vmcs12->guest_dr7))) + (CC(!kvm_dr7_valid(vmcs12->guest_dr7)) || + CC(!vmx_is_valid_debugctl(vcpu, vmcs12->guest_ia32_debugctl, false)))) return -EINVAL; if ((vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_PAT) && @@ -4608,6 +4610,12 @@ static void sync_vmcs02_to_vmcs12(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12) (vmcs12->vm_entry_controls & ~VM_ENTRY_IA32E_MODE) | (vm_entry_controls_get(to_vmx(vcpu)) & VM_ENTRY_IA32E_MODE); + /* + * Note! Save DR7, but intentionally don't grab DEBUGCTL from vmcs02. + * Writes to DEBUGCTL that aren't intercepted by L1 are immediately + * propagated to vmcs12 (see vmx_set_msr()), as the value loaded into + * vmcs02 doesn't strictly track vmcs12. + */ if (vmcs12->vm_exit_controls & VM_EXIT_SAVE_DEBUG_CONTROLS) vmcs12->guest_dr7 = vcpu->arch.dr7; diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4f827a75d980..6a8b78e954cd 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2174,7 +2174,7 @@ static u64 nested_vmx_truncate_sysenter_addr(struct kvm_vcpu *vcpu, return (unsigned long)data; } -static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated) { u64 debugctl = 0; @@ -2193,8 +2193,7 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated return debugctl; } -static bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, - bool host_initiated) +bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated) { u64 invalid; diff --git a/arch/x86/kvm/vmx/vmx.h b/arch/x86/kvm/vmx/vmx.h index b5758c33c60f..392e66c7e5fe 100644 --- a/arch/x86/kvm/vmx/vmx.h +++ b/arch/x86/kvm/vmx/vmx.h @@ -414,6 +414,9 @@ static inline void vmx_set_intercept_for_msr(struct kvm_vcpu *vcpu, u32 msr, void vmx_update_cpu_dirty_logging(struct kvm_vcpu *vcpu); +u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated); +bool vmx_is_valid_debugctl(struct kvm_vcpu *vcpu, u64 data, bool host_initiated); + /* * Note, early Intel manuals have the write-low and read-high bitmap offsets * the wrong way round. The bitmaps control MSRs 0x00000000-0x00001fff and

1 month, 1 week

2
2
0 0

[PATCH net v2 0/2] ets: use old 'nbands' while purging unused classes

by Davide Caratti

- patch 1/2 fixes a NULL dereference in the control path of sch_ets qdisc - patch 2/2 extends kselftests to verify effectiveness of the above fix Changes since v1: - added a kselftest (thanks Victor) Davide Caratti (2): net/sched: ets: use old 'nbands' while purging unused classes selftests: net/forwarding: test purge of active DWRR classes net/sched/sch_ets.c | 11 ++++++----- tools/testing/selftests/net/forwarding/sch_ets.sh | 1 + .../testing/selftests/net/forwarding/sch_ets_tests.sh | 8 ++++++++ 3 files changed, 15 insertions(+), 5 deletions(-) -- 2.47.0

1 month, 1 week

4
5
0 0

[PATCH 0/2] iterate_folioq bug when offset==size (Was: [REGRESSION] 9pfs issues on 6.12-rc1)

by Dominique Martinet via B4 Relay

So we've had this regression in 9p for.. almost a year, which is way too long, but there was no "easy" reproducer until yesterday (thank you again!!) It turned out to be a bug with iov_iter on folios, iov_iter_get_pages_alloc2() would advance the iov_iter correctly up to the end edge of a folio and the later copy_to_iter() fails on the iterate_folioq() bug. Happy to consider alternative ways of fixing this, now there's a reproducer it's all much clearer; for the bug to be visible we basically need to make and IO with non-contiguous folios in the iov_iter which is not obvious to test with synthetic VMs, with size that triggers a zero-copy read followed by a non-zero-copy read. Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> --- Dominique Martinet (2): iov_iter: iterate_folioq: fix handling of offset >= folio size iov_iter: iov_folioq_get_pages: don't leave empty slot behind include/linux/iov_iter.h | 3 +++ lib/iov_iter.c | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) --- base-commit: 8f5ae30d69d7543eee0d70083daf4de8fe15d585 change-id: 20250811-iot_iter_folio-1b7849f88fed Best regards, -- Dominique Martinet <asmadeus(a)codewreck.org>

1 month, 1 week

8
14
0 0

[PATCH] drm/amd/display: Add HDR workaround for specific eDP

by Kevin Oh

[WHY & HOW] Some eDP panels suffer from flicking when HDR is enabled. I am adding a case for my panel to disable VSC to stop flickering. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/4452 Cc: Rodrigo Siqueira <siqueira(a)igalia.com> Cc: stable(a)vger.kernel.org Signed-off-by: Kevin Oh <kevoh1516(a)gmail.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c index fe100e4c9801..1a16bea10afb 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c @@ -86,6 +86,10 @@ static void apply_edid_quirks(struct drm_device *dev, struct edid *edid, struct drm_dbg_driver(dev, "Disabling VSC on monitor with panel id %X\n", panel_id); edid_caps->panel_patch.disable_colorimetry = true; break; + case drm_edid_encode_panel_id('S', 'D', 'C', 0x4171): + drm_dbg_driver(dev, "Disabling VSC on monitor with panel id %X\n", panel_id); + edid_caps->panel_patch.disable_colorimetry = true; + break; default: return; } -- 2.50.1

1 month, 1 week

1
0
0 0

Re: [PATCH] USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles

by Giorgi

Maybe we could only add US_FL_IGNORE_DEVICE for the exact Realtek-based models (Mercury MW310UH, D-Link AX9U, etc.) that fail with usb_modeswitch. This avoids disabling access to the emulated CD for unrelated devices. >On August 13, 2025 9:53:12 PM GMT+04:00, Zenm Chen <zenmchen(a)gmail.com> wrote: >>Alan Stern <stern(a)rowland.harvard.edu> 於 2025年8月14日週四上午12:58寫道： >>> >>> On Thu, Aug 14, 2025 at 12:24:15AM +0800, Zenm Chen wrote: >>> > Many Realtek USB Wi-Fi dongles released in recent years have two modes: >>> > one is driver CD mode which has Windows driver onboard, another one is >>> > Wi-Fi mode. Add the US_FL_IGNORE_DEVICE quirk for these multi-mode devices. >>> > Otherwise, usb_modeswitch may fail to switch them to Wi-Fi mode. >>> >>> There are several other entries like this already in the unusual_devs.h >>> file. But I wonder if we really still need them. Shouldn't the >>> usb_modeswitch program be smart enough by now to know how to handle >>> these things? >> >>Hi Alan, >> >>Thanks for your review and reply. >> >>Without this patch applied, usb_modeswitch cannot switch my Mercury MW310UH >>into Wi-Fi mode [1]. I also ran into a similar problem like [2] with D-Link >>AX9U, so I believe this patch is needed. >> >>> >>> In theory, someone might want to access the Windows driver on the >>> emulated CD. With this quirk, they wouldn't be able to. >>> >> >>Actually an emulated CD doesn't appear when I insert these 2 Wi-Fi dongles into >>my Linux PC, so users cannot access that Windows driver even if this patch is not >>applied. >> >>> Alan Stern >> >>[1] https://drive.google.com/file/d/1YfWUTxKnvSeu1egMSwcF-memu3Kis8Mg/view?usp=… >> >>[2] https://github.com/morrownr/rtw89/issues/10 >>

1 month, 1 week

2
1
0 0

[PATCH 10/11] drm/amd/display: Fix Xorg desktop unresponsive on Replay panel

by Alex Hung

From: Tom Chung <chiahsuan.chung(a)amd.com> [WHY & HOW] IPS & self-fresh feature can cause vblank counter resets between vblank disable and enable. It may cause system stuck due to wait the vblank counter. Call the drm_crtc_vblank_restore() during vblank enable to estimate missed vblanks by using timestamps and update the vblank counter in DRM. It can make the vblank counter increase smoothly and resolve this issue. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Sun peng (Leo) Li <sunpeng.li(a)amd.com> Signed-off-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> --- .../amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c index 010172f930ae..45feb404b097 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c @@ -299,6 +299,25 @@ static inline int amdgpu_dm_crtc_set_vblank(struct drm_crtc *crtc, bool enable) irq_type = amdgpu_display_crtc_idx_to_irq_type(adev, acrtc->crtc_id); if (enable) { + struct dc *dc = adev->dm.dc; + struct drm_vblank_crtc *vblank = drm_crtc_vblank_crtc(crtc); + struct psr_settings *psr = &acrtc_state->stream->link->psr_settings; + struct replay_settings *pr = &acrtc_state->stream->link->replay_settings; + bool sr_supported = (psr->psr_version != DC_PSR_VERSION_UNSUPPORTED) || + pr->config.replay_supported; + + /* + * IPS & self-refresh feature can cause vblank counter resets between + * vblank disable and enable. + * It may cause system stuck due to waiting for the vblank counter. + * Call this function to estimate missed vblanks by using timestamps and + * update the vblank counter in DRM. + */ + if (dc->caps.ips_support && + dc->config.disable_ips != DMUB_IPS_DISABLE_ALL && + sr_supported && vblank->config.disable_immediate) + drm_crtc_vblank_restore(crtc); + /* vblank irq on -> Only need vupdate irq in vrr mode */ if (amdgpu_dm_crtc_vrr_active(acrtc_state)) rc = amdgpu_dm_crtc_set_vupdate_irq(crtc, true); -- 2.43.0

1 month, 1 week

1
0
0 0

[PATCH 08/11] drm/amd/display: Avoid a NULL pointer dereference

by Alex Hung

From: Mario Limonciello <mario.limonciello(a)amd.com> [WHY] Although unlikely drm_atomic_get_new_connector_state() or drm_atomic_get_old_connector_state() can return NULL. [HOW] Check returns before dereference. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Harry Wentland <harry.wentland(a)amd.com> Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 176f420effd9..b944abea306d 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -7836,6 +7836,9 @@ amdgpu_dm_connector_atomic_check(struct drm_connector *conn, struct amdgpu_dm_connector *aconn = to_amdgpu_dm_connector(conn); int ret; + if (WARN_ON(unlikely(!old_con_state || !new_con_state))) + return -EINVAL; + trace_amdgpu_dm_connector_atomic_check(new_con_state); if (conn->connector_type == DRM_MODE_CONNECTOR_DisplayPort) { -- 2.43.0

1 month, 1 week

1
0
0 0

+ iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: iov_iter: iterate_folioq: fix handling of offset >= folio size has been added to the -mm mm-hotfixes-unstable branch. Its filename is iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Dominique Martinet <asmadeus(a)codewreck.org> Subject: iov_iter: iterate_folioq: fix handling of offset >= folio size Date: Wed, 13 Aug 2025 15:04:55 +0900 It's apparently possible to get an iov advanced all the way up to the end of the current page we're looking at, e.g. (gdb) p *iter $24 = {iter_type = 4 '\004', nofault = false, data_source = false, iov_offset = 4096, {__ubuf_iovec = { iov_base = 0xffff88800f5bc000, iov_len = 655}, {{__iov = 0xffff88800f5bc000, kvec = 0xffff88800f5bc000, bvec = 0xffff88800f5bc000, folioq = 0xffff88800f5bc000, xarray = 0xffff88800f5bc000, ubuf = 0xffff88800f5bc000}, count = 655}}, {nr_segs = 2, folioq_slot = 2 '\002', xarray_start = 2}} Where iov_offset is 4k with 4k-sized folios This should have been fine because we're only in the 2nd slot and there's another one after this, but iterate_folioq should not try to map a folio that skips the whole size, and more importantly part here does not end up zero (because 'PAGE_SIZE - skip % PAGE_SIZE' ends up PAGE_SIZE and not zero..), so skip forward to the "advance to next folio" code Link: https://lkml.kernel.org/r/20250813-iot_iter_folio-v3-0-a0ffad2b665a@codewre… Link: https://lkml.kernel.org/r/20250813-iot_iter_folio-v3-1-a0ffad2b665a@codewre… Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios") Reported-by: Maximilian Bosch <maximilian(a)mbosch.me> Reported-by: Ryan Lahfa <ryan(a)lahfa.xyz> Reported-by: Christian Theune <ct(a)flyingcircus.io> Reported-by: Arnout Engelen <arnout(a)bzzt.net> Link: https://lkml.kernel.org/r/D4LHHUNLG79Y.12PI0X6BEHRHW@mbosch.me/ Acked-by: David Howells <dhowells(a)redhat.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: <stable(a)vger.kernel.org> [6.12+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/iov_iter.h | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) --- a/include/linux/iov_iter.h~iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size +++ a/include/linux/iov_iter.h @@ -160,7 +160,7 @@ size_t iterate_folioq(struct iov_iter *i do { struct folio *folio = folioq_folio(folioq, slot); - size_t part, remain, consumed; + size_t part, remain = 0, consumed; size_t fsize; void *base; @@ -168,14 +168,16 @@ size_t iterate_folioq(struct iov_iter *i break; fsize = folioq_folio_size(folioq, slot); - base = kmap_local_folio(folio, skip); - part = umin(len, PAGE_SIZE - skip % PAGE_SIZE); - remain = step(base, progress, part, priv, priv2); - kunmap_local(base); - consumed = part - remain; - len -= consumed; - progress += consumed; - skip += consumed; + if (skip < fsize) { + base = kmap_local_folio(folio, skip); + part = umin(len, PAGE_SIZE - skip % PAGE_SIZE); + remain = step(base, progress, part, priv, priv2); + kunmap_local(base); + consumed = part - remain; + len -= consumed; + progress += consumed; + skip += consumed; + } if (skip >= fsize) { skip = 0; slot++; _ Patches currently in -mm which might be from asmadeus(a)codewreck.org are iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size.patch iov_iter-iov_folioq_get_pages-dont-leave-empty-slot-behind.patch

1 month, 1 week

1
0
0 0

[tip: x86/entry] x86/fred: Remove ENDBR64 from FRED entry points

by tip-bot2 for Xin Li (Intel)

The following commit has been merged into the x86/entry branch of tip: Commit-ID: 3da01ffe1aeaa0d427ab5235ba735226670a80d9 Gitweb: https://git.kernel.org/tip/3da01ffe1aeaa0d427ab5235ba735226670a80d9 Author: Xin Li (Intel) <xin(a)zytor.com> AuthorDate: Tue, 15 Jul 2025 23:33:20 -07:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Wed, 13 Aug 2025 15:05:32 -07:00 x86/fred: Remove ENDBR64 from FRED entry points The FRED specification has been changed in v9.0 to state that there is no need for FRED event handlers to begin with ENDBR64, because in the presence of supervisor indirect branch tracking, FRED event delivery does not enter the WAIT_FOR_ENDBRANCH state. As a result, remove ENDBR64 from FRED entry points. Then add ANNOTATE_NOENDBR to indicate that FRED entry points will never be used for indirect calls to suppress an objtool warning. This change implies that any indirect CALL/JMP to FRED entry points causes #CP in the presence of supervisor indirect branch tracking. Credit goes to Jennifer Miller <jmill(a)asu.edu> and other contributors from Arizona State University whose research shows that placing ENDBR at entry points has negative value thus led to this change. Note: This is obviously an incompatible change to the FRED architecture. But, it's OK because there no FRED systems out in the wild today. All production hardware and late pre-production hardware will follow the FRED v9 spec and be compatible with this approach. [ dhansen: add note to changelog about incompatibility ] Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code") Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com> Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/ Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250716063320.1337818-1-xin%40zytor.com --- arch/x86/entry/entry_64_fred.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_64_fred.S b/arch/x86/entry/entry_64_fred.S index 29c5c32..907bd23 100644 --- a/arch/x86/entry/entry_64_fred.S +++ b/arch/x86/entry/entry_64_fred.S @@ -16,7 +16,7 @@ .macro FRED_ENTER UNWIND_HINT_END_OF_STACK - ENDBR + ANNOTATE_NOENDBR PUSH_AND_CLEAR_REGS movq %rsp, %rdi /* %rdi -> pt_regs */ .endm

1 month, 1 week

1
0
0 0

Re: [PATCH 6.15 000/480] 6.15.10-rc1 review

by Ron Economos

On 8/13/25 10:25, Jon Hunter wrote: > On Wed, Aug 13, 2025 at 08:48:28AM -0700, Jon Hunter wrote: >> On Tue, 12 Aug 2025 19:43:28 +0200, Greg Kroah-Hartman wrote: >>> This is the start of the stable review cycle for the 6.15.10 release. >>> There are 480 patches in this series, all will be posted as a response >>> to this one. If anyone has any issues with these being applied, please >>> let me know. >>> >>> Responses should be made by Thu, 14 Aug 2025 17:42:20 +0000. >>> Anything received after that time might be too late. >>> >>> The whole patch series can be found in one patch at: >>> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.15.10-rc… >>> or in the git tree and branch at: >>> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.15.y >>> and the diffstat can be found below. >>> >>> thanks, >>> >>> greg k-h >> Failures detected for Tegra ... >> >> Test results for stable-v6.15: >> 10 builds: 10 pass, 0 fail >> 28 boots: 28 pass, 0 fail >> 120 tests: 119 pass, 1 fail >> >> Linux version: 6.15.10-rc1-g2510f67e2e34 >> Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000, >> tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000, >> tegra194-p3509-0000+p3668-0000, tegra20-ventana, >> tegra210-p2371-2180, tegra210-p3450-0000, >> tegra30-cardhu-a04 >> >> Test failures: tegra194-p2972-0000: boot.py > I am seeing the following kernel warning for both linux-6.15.y and linux-6.16.y … > > WARNING KERN sched: DL replenish lagged too much > > I believe that this is introduced by … > > Peter Zijlstra <peterz(a)infradead.org> > sched/deadline: Less agressive dl_server handling > > This has been reported here: https://lore.kernel.org/all/CAMuHMdXn4z1pioTtBGMfQM0jsLviqS2jwysaWXpoLxWYoG… > > Jon Seeing this kernel warning on RISC-V also.

1 month, 1 week

1
0
0 0

[PATCH v3 1/1] x86/fred: Remove ENDBR64 from FRED entry points

by Xin Li (Intel)

The FRED specification has been changed in v9.0 to state that there is no need for FRED event handlers to begin with ENDBR64, because in the presence of supervisor indirect branch tracking, FRED event delivery does not enter the WAIT_FOR_ENDBRANCH state. As a result, remove ENDBR64 from FRED entry points. Then add ANNOTATE_NOENDBR to indicate that FRED entry points will never be used for indirect calls to suppress an objtool warning. This change implies that any indirect CALL/JMP to FRED entry points causes #CP in the presence of supervisor indirect branch tracking. Credit goes to Jennifer Miller <jmill(a)asu.edu> and other contributors from Arizona State University whose research shows that placing ENDBR at entry points has negative value thus led to this change. Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code") Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/ Reviewed-by: H. Peter Anvin (Intel) <hpa(a)zytor.com> Reviewed-by: Andrew Cooper <andrew.cooper3(a)citrix.com> Signed-off-by: Xin Li (Intel) <xin(a)zytor.com> Cc: Jennifer Miller <jmill(a)asu.edu> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Andrew Cooper <andrew.cooper3(a)citrix.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: stable(a)vger.kernel.org # v6.9+ --- Change in v3: *) Revise the FRED spec change description to clearly indicate that it deviates from previous versions and is based on new research showing that placing ENDBR at entry points has negative value (Andrew Cooper). Change in v2: *) CC stable and add a fixes tag (PeterZ). --- arch/x86/entry/entry_64_fred.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_64_fred.S b/arch/x86/entry/entry_64_fred.S index 29c5c32c16c3..907bd233c6c1 100644 --- a/arch/x86/entry/entry_64_fred.S +++ b/arch/x86/entry/entry_64_fred.S @@ -16,7 +16,7 @@ .macro FRED_ENTER UNWIND_HINT_END_OF_STACK - ENDBR + ANNOTATE_NOENDBR PUSH_AND_CLEAR_REGS movq %rsp, %rdi /* %rdi -> pt_regs */ .endm -- 2.50.1

1 month, 1 week

4
3
0 0

[PATCH] Revert "ata: libata-scsi: Improve CDL control"

by Igor Pylypiv

This reverts commit 17e897a456752ec9c2d7afb3d9baf268b442451b. The extra checks for the ATA_DFLAG_CDL_ENABLED flag prevent SET FEATURES command from being issued to a drive when NCQ commands are active. ata_mselect_control_ata_feature() sets / clears the ATA_DFLAG_CDL_ENABLED flag during the translation of MODE SELECT to SET FEATURES. If SET FEATURES gets deferred due to outstanding NCQ commands, the original MODE SELECT command will be re-queued. When the re-queued MODE SELECT goes through the ata_mselect_control_ata_feature() translation again, SET FEATURES will not be issued because ATA_DFLAG_CDL_ENABLED has been already set or cleared by the initial translation of MODE SELECT. The ATA_DFLAG_CDL_ENABLED checks in ata_mselect_control_ata_feature() are safe to remove because scsi_cdl_enable() implements a similar logic that avoids enabling CDL if it has been already enabled. Cc: stable(a)vger.kernel.org Signed-off-by: Igor Pylypiv <ipylypiv(a)google.com> --- drivers/ata/libata-scsi.c | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c index 57f674f51b0c..856eabfd5a17 100644 --- a/drivers/ata/libata-scsi.c +++ b/drivers/ata/libata-scsi.c @@ -3904,27 +3904,17 @@ static int ata_mselect_control_ata_feature(struct ata_queued_cmd *qc, /* Check cdl_ctrl */ switch (buf[0] & 0x03) { case 0: - /* Disable CDL if it is enabled */ - if (!(dev->flags & ATA_DFLAG_CDL_ENABLED)) - return 0; - ata_dev_dbg(dev, "Disabling CDL\n"); + /* Disable CDL */ cdl_action = 0; dev->flags &= ~ATA_DFLAG_CDL_ENABLED; break; case 0x02: - /* - * Enable CDL if not already enabled. Since this is mutually - * exclusive with NCQ priority, allow this only if NCQ priority - * is disabled. - */ - if (dev->flags & ATA_DFLAG_CDL_ENABLED) - return 0; + /* Enable CDL T2A/T2B: NCQ priority must be disabled */ if (dev->flags & ATA_DFLAG_NCQ_PRIO_ENABLED) { ata_dev_err(dev, "NCQ priority must be disabled to enable CDL\n"); return -EINVAL; } - ata_dev_dbg(dev, "Enabling CDL\n"); cdl_action = 1; dev->flags |= ATA_DFLAG_CDL_ENABLED; break; -- 2.51.0.rc0.215.g125493bb4a-goog

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] s390/mm: Remove possible false-positive warning in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 5647f61ad9171e8f025558ed6dc5702c56a33ba3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081255-shabby-impound-4a47@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5647f61ad9171e8f025558ed6dc5702c56a33ba3 Mon Sep 17 00:00:00 2001 From: Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> Date: Wed, 9 Jul 2025 20:34:30 +0200 Subject: [PATCH] s390/mm: Remove possible false-positive warning in pte_free_defer() Commit 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing page") added a warning to pte_free_defer(), on our request. It was meant to warn if this would ever be reached for KVM guest mappings, because the page table would be freed w/o a gmap_unlink(). THP mappings are not allowed for KVM guests on s390, so this should never happen. However, it is possible that the warning is triggered in a valid case as false-positive. s390_enable_sie() takes the mmap_lock, marks all VMAs as VM_NOHUGEPAGE and splits possibly existing THP guest mappings. mm->context.has_pgste is set to 1 before that, to prevent races with the mm_has_pgste() check in MADV_HUGEPAGE. khugepaged drops the mmap_lock for file mappings and might run in parallel, before a vma is marked VM_NOHUGEPAGE, but after mm->context.has_pgste was set to 1. If it finds file mappings to collapse, it will eventually call pte_free_defer(). This will trigger the warning, but it is a valid case because gmap is not yet set up, and the THP mappings will be split again. Therefore, remove the warning and the comment. Fixes: 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing page") Cc: <stable(a)vger.kernel.org> # 6.6+ Reviewed-by: Alexander Gordeev <agordeev(a)linux.ibm.com> Reviewed-by: Claudio Imbrenda <imbrenda(a)linux.ibm.com> Signed-off-by: Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> diff --git a/arch/s390/mm/pgalloc.c b/arch/s390/mm/pgalloc.c index b449fd2605b0..d2f6f1f6d2fc 100644 --- a/arch/s390/mm/pgalloc.c +++ b/arch/s390/mm/pgalloc.c @@ -173,11 +173,6 @@ void pte_free_defer(struct mm_struct *mm, pgtable_t pgtable) struct ptdesc *ptdesc = virt_to_ptdesc(pgtable); call_rcu(&ptdesc->pt_rcu_head, pte_free_now); - /* - * THPs are not allowed for KVM guests. Warn if pgste ever reaches here. - * Turn to the generic pte_free_defer() version once gmap is removed. - */ - WARN_ON_ONCE(mm_has_pgste(mm)); } #endif /* CONFIG_TRANSPARENT_HUGEPAGE */

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] x86/fpu: Delay instruction pointer fixup until after warning" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1cec9ac2d071cfd2da562241aab0ef701355762a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081252-serotonin-cranium-3e92@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1cec9ac2d071cfd2da562241aab0ef701355762a Mon Sep 17 00:00:00 2001 From: Dave Hansen <dave.hansen(a)linux.intel.com> Date: Tue, 24 Jun 2025 14:01:48 -0700 Subject: [PATCH] x86/fpu: Delay instruction pointer fixup until after warning Right now, if XRSTOR fails a console message like this is be printed: Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers. However, the text location (...+0x9a in this case) is the instruction *AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump also points one instruction late. The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and keep on running after returning from the #GP handler. But it does this fixup before warning. The resulting warning output is nonsensical because it looks like the non-FPU-related instruction is #GP'ing. Do not fix up RIP until after printing the warning. Do this by using the more generic and standard ex_handler_default(). Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails") Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Chao Gao <chao.gao(a)intel.com> Acked-by: Alison Schofield <alison.schofield(a)intel.com> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.i… diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c index bf8dab18be97..2fdc1f1f5adb 100644 --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c @@ -122,13 +122,12 @@ static bool ex_handler_sgx(const struct exception_table_entry *fixup, static bool ex_handler_fprestore(const struct exception_table_entry *fixup, struct pt_regs *regs) { - regs->ip = ex_fixup_addr(fixup); - WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.", (void *)instruction_pointer(regs)); fpu_reset_from_exception_fixup(); - return true; + + return ex_handler_default(fixup, regs); } /*

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] x86/fpu: Delay instruction pointer fixup until after warning" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1cec9ac2d071cfd2da562241aab0ef701355762a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081251-sitter-agreed-26a4@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1cec9ac2d071cfd2da562241aab0ef701355762a Mon Sep 17 00:00:00 2001 From: Dave Hansen <dave.hansen(a)linux.intel.com> Date: Tue, 24 Jun 2025 14:01:48 -0700 Subject: [PATCH] x86/fpu: Delay instruction pointer fixup until after warning Right now, if XRSTOR fails a console message like this is be printed: Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers. However, the text location (...+0x9a in this case) is the instruction *AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump also points one instruction late. The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and keep on running after returning from the #GP handler. But it does this fixup before warning. The resulting warning output is nonsensical because it looks like the non-FPU-related instruction is #GP'ing. Do not fix up RIP until after printing the warning. Do this by using the more generic and standard ex_handler_default(). Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails") Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Chao Gao <chao.gao(a)intel.com> Acked-by: Alison Schofield <alison.schofield(a)intel.com> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.i… diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c index bf8dab18be97..2fdc1f1f5adb 100644 --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c @@ -122,13 +122,12 @@ static bool ex_handler_sgx(const struct exception_table_entry *fixup, static bool ex_handler_fprestore(const struct exception_table_entry *fixup, struct pt_regs *regs) { - regs->ip = ex_fixup_addr(fixup); - WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.", (void *)instruction_pointer(regs)); fpu_reset_from_exception_fixup(); - return true; + + return ex_handler_default(fixup, regs); } /*

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] x86/fpu: Delay instruction pointer fixup until after warning" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1cec9ac2d071cfd2da562241aab0ef701355762a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081250-ominous-saddling-5ac5@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1cec9ac2d071cfd2da562241aab0ef701355762a Mon Sep 17 00:00:00 2001 From: Dave Hansen <dave.hansen(a)linux.intel.com> Date: Tue, 24 Jun 2025 14:01:48 -0700 Subject: [PATCH] x86/fpu: Delay instruction pointer fixup until after warning Right now, if XRSTOR fails a console message like this is be printed: Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers. However, the text location (...+0x9a in this case) is the instruction *AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump also points one instruction late. The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and keep on running after returning from the #GP handler. But it does this fixup before warning. The resulting warning output is nonsensical because it looks like the non-FPU-related instruction is #GP'ing. Do not fix up RIP until after printing the warning. Do this by using the more generic and standard ex_handler_default(). Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails") Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Chao Gao <chao.gao(a)intel.com> Acked-by: Alison Schofield <alison.schofield(a)intel.com> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.i… diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c index bf8dab18be97..2fdc1f1f5adb 100644 --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c @@ -122,13 +122,12 @@ static bool ex_handler_sgx(const struct exception_table_entry *fixup, static bool ex_handler_fprestore(const struct exception_table_entry *fixup, struct pt_regs *regs) { - regs->ip = ex_fixup_addr(fixup); - WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.", (void *)instruction_pointer(regs)); fpu_reset_from_exception_fixup(); - return true; + + return ex_handler_default(fixup, regs); } /*

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 8a15ca0ca51399b652b1bbb23b590b220cf03d62 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081244-epileptic-value-7d4e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8a15ca0ca51399b652b1bbb23b590b220cf03d62 Mon Sep 17 00:00:00 2001 From: "Geoffrey D. Bennett" <g(a)b4.vu> Date: Mon, 28 Jul 2025 19:00:35 +0930 Subject: [PATCH] ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() During communication with Focusrite Scarlett Gen 2/3/4 USB audio interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(), snd_usb_ctl_msg() which can cause initialisation and control operations to fail intermittently. This patch adds up to 5 retries in scarlett2_usb(), with a delay starting at 5ms and doubling each time. This follows the same approach as the fix for usb_set_interface() in endpoint.c (commit f406005e162b ("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")), which resolved similar -EPROTO issues during device initialisation, and is the same approach as in fcp.c:fcp_usb(). Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") Closes: https://github.com/geoffreybennett/linux-fcp/issues/41 Cc: stable(a)vger.kernel.org Signed-off-by: Geoffrey D. Bennett <g(a)b4.vu> Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c index 49eeb1444dce..15bbdafc4894 100644 --- a/sound/usb/mixer_scarlett2.c +++ b/sound/usb/mixer_scarlett2.c @@ -2351,6 +2351,8 @@ static int scarlett2_usb( struct scarlett2_usb_packet *req, *resp = NULL; size_t req_buf_size = struct_size(req, data, req_size); size_t resp_buf_size = struct_size(resp, data, resp_size); + int retries = 0; + const int max_retries = 5; int err; req = kmalloc(req_buf_size, GFP_KERNEL); @@ -2374,10 +2376,15 @@ static int scarlett2_usb( if (req_size) memcpy(req->data, req_data, req_size); +retry: err = scarlett2_usb_tx(dev, private->bInterfaceNumber, req, req_buf_size); if (err != req_buf_size) { + if (err == -EPROTO && ++retries <= max_retries) { + msleep(5 * (1 << (retries - 1))); + goto retry; + } usb_audio_err( mixer->chip, "%s USB request result cmd %x was %d\n",

1 month, 1 week

2
1
0 0

[PATCH v2 2/3] fuse: prevent overflow in copy_file_range return value

by Miklos Szeredi

The FUSE protocol uses struct fuse_write_out to convey the return value of copy_file_range, which is restricted to uint32_t. But the COPY_FILE_RANGE interface supports a 64-bit size copies. Currently the number of bytes copied is silently truncated to 32-bit, which may result in poor performance or even failure to copy in case of truncation to zero. Reported-by: Florian Weimer <fweimer(a)redhat.com> Closes: https://lore.kernel.org/all/lhuh5ynl8z5.fsf@oldenburg.str.redhat.com/ Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()") Cc: <stable(a)vger.kernel.org> # v4.20 Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> --- fs/fuse/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 45207a6bb85f..4adcf09d4b01 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -2960,7 +2960,7 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in, .nodeid_out = ff_out->nodeid, .fh_out = ff_out->fh, .off_out = pos_out, - .len = len, + .len = min_t(size_t, len, UINT_MAX & PAGE_MASK), .flags = flags }; struct fuse_write_out outarg; -- 2.49.0

1 month, 1 week

1
0
0 0

[PATCH v2 1/3] fuse: check if copy_file_range() returns larger than requested size

by Miklos Szeredi

Just like write(), copy_file_range() should check if the return value is less or equal to the requested number of bytes. Reported-by: Chunsheng Luo <luochunsheng(a)ustc.edu> Closes: https://lore.kernel.org/all/20250807062425.694-1-luochunsheng@ustc.edu/ Fixes: 88bc7d5097a1 ("fuse: add support for copy_file_range()") Cc: <stable(a)vger.kernel.org> # v4.20 Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> --- fs/fuse/file.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 5525a4520b0f..45207a6bb85f 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -3026,6 +3026,9 @@ static ssize_t __fuse_copy_file_range(struct file *file_in, loff_t pos_in, fc->no_copy_file_range = 1; err = -EOPNOTSUPP; } + if (!err && outarg.size > len) + err = -EIO; + if (err) goto out; -- 2.49.0

1 month, 1 week

1
0
0 0

[PATCH 3/3] usb: storage: realtek_cr: Use correct byte order for bcs->Residue

by Thorsten Blum

Since 'bcs->Residue' has the data type '__le32', we must convert it to the correct byte order of the CPU using this driver when assigning it to the local variable 'residue'. Cc: stable(a)vger.kernel.org Fixes: 50a6cb932d5c ("USB: usb_storage: add ums-realtek driver") Suggested-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- drivers/usb/storage/realtek_cr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c index 8a4d7c0f2662..758258a569a6 100644 --- a/drivers/usb/storage/realtek_cr.c +++ b/drivers/usb/storage/realtek_cr.c @@ -253,7 +253,7 @@ static int rts51x_bulk_transport(struct us_data *us, u8 lun, return USB_STOR_TRANSPORT_ERROR; } - residue = bcs->Residue; + residue = le32_to_cpu(bcs->Residue); if (bcs->Tag != us->tag) return USB_STOR_TRANSPORT_ERROR; -- 2.50.1

1 month, 1 week

3
3
0 0

[PATCH] usb: storage: realtek_cr: Use correct byte order for bcs->Residue

by Thorsten Blum

Since 'bcs->Residue' has the data type '__le32', convert it to the correct byte order of the CPU using this driver when assigning it to the local variable 'residue'. Cc: stable(a)vger.kernel.org Fixes: 50a6cb932d5c ("USB: usb_storage: add ums-realtek driver") Suggested-by: Alan Stern <stern(a)rowland.harvard.edu> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- Resending this as a separate patch for backporting as requested by Greg. Link to previous patch: https://lore.kernel.org/lkml/20250813101249.158270-6-thorsten.blum@linux.de… --- drivers/usb/storage/realtek_cr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/storage/realtek_cr.c b/drivers/usb/storage/realtek_cr.c index 8a4d7c0f2662..758258a569a6 100644 --- a/drivers/usb/storage/realtek_cr.c +++ b/drivers/usb/storage/realtek_cr.c @@ -253,7 +253,7 @@ static int rts51x_bulk_transport(struct us_data *us, u8 lun, return USB_STOR_TRANSPORT_ERROR; } - residue = bcs->Residue; + residue = le32_to_cpu(bcs->Residue); if (bcs->Tag != us->tag) return USB_STOR_TRANSPORT_ERROR; -- 2.50.1

1 month, 1 week

1
0
0 0

[PATCH 03/15] drm/xe/vm: Clear the scratch_pt pointer on error

by Thomas Hellström

Avoid triggering a dereference of an error pointer on cleanup in xe_vm_free_scratch() by clearing any scratch_pt error pointer. Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Fixes: 06951c2ee72d ("drm/xe: Use NULL PTEs as scratch PTEs") Cc: Brian Welty <brian.welty(a)intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Lucas De Marchi <lucas.demarchi(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_vm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index d40d2d43c041..12e661960244 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -1635,8 +1635,12 @@ static int xe_vm_create_scratch(struct xe_device *xe, struct xe_tile *tile, for (i = MAX_HUGEPTE_LEVEL; i < vm->pt_root[id]->level; i++) { vm->scratch_pt[id][i] = xe_pt_create(vm, tile, i); - if (IS_ERR(vm->scratch_pt[id][i])) - return PTR_ERR(vm->scratch_pt[id][i]); + if (IS_ERR(vm->scratch_pt[id][i])) { + int err = PTR_ERR(vm->scratch_pt[id][i]); + + vm->scratch_pt[id][i] = NULL; + return err; + } xe_pt_populate_empty(tile, vm, vm->scratch_pt[id][i]); } -- 2.50.1

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 8a15ca0ca51399b652b1bbb23b590b220cf03d62 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081244-chokehold-itunes-2e5a@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8a15ca0ca51399b652b1bbb23b590b220cf03d62 Mon Sep 17 00:00:00 2001 From: "Geoffrey D. Bennett" <g(a)b4.vu> Date: Mon, 28 Jul 2025 19:00:35 +0930 Subject: [PATCH] ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() During communication with Focusrite Scarlett Gen 2/3/4 USB audio interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(), snd_usb_ctl_msg() which can cause initialisation and control operations to fail intermittently. This patch adds up to 5 retries in scarlett2_usb(), with a delay starting at 5ms and doubling each time. This follows the same approach as the fix for usb_set_interface() in endpoint.c (commit f406005e162b ("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")), which resolved similar -EPROTO issues during device initialisation, and is the same approach as in fcp.c:fcp_usb(). Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") Closes: https://github.com/geoffreybennett/linux-fcp/issues/41 Cc: stable(a)vger.kernel.org Signed-off-by: Geoffrey D. Bennett <g(a)b4.vu> Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c index 49eeb1444dce..15bbdafc4894 100644 --- a/sound/usb/mixer_scarlett2.c +++ b/sound/usb/mixer_scarlett2.c @@ -2351,6 +2351,8 @@ static int scarlett2_usb( struct scarlett2_usb_packet *req, *resp = NULL; size_t req_buf_size = struct_size(req, data, req_size); size_t resp_buf_size = struct_size(resp, data, resp_size); + int retries = 0; + const int max_retries = 5; int err; req = kmalloc(req_buf_size, GFP_KERNEL); @@ -2374,10 +2376,15 @@ static int scarlett2_usb( if (req_size) memcpy(req->data, req_data, req_size); +retry: err = scarlett2_usb_tx(dev, private->bInterfaceNumber, req, req_buf_size); if (err != req_buf_size) { + if (err == -EPROTO && ++retries <= max_retries) { + msleep(5 * (1 << (retries - 1))); + goto retry; + } usb_audio_err( mixer->chip, "%s USB request result cmd %x was %d\n",

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 8a15ca0ca51399b652b1bbb23b590b220cf03d62 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081243-disaster-wrinkly-bdc6@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8a15ca0ca51399b652b1bbb23b590b220cf03d62 Mon Sep 17 00:00:00 2001 From: "Geoffrey D. Bennett" <g(a)b4.vu> Date: Mon, 28 Jul 2025 19:00:35 +0930 Subject: [PATCH] ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() During communication with Focusrite Scarlett Gen 2/3/4 USB audio interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(), snd_usb_ctl_msg() which can cause initialisation and control operations to fail intermittently. This patch adds up to 5 retries in scarlett2_usb(), with a delay starting at 5ms and doubling each time. This follows the same approach as the fix for usb_set_interface() in endpoint.c (commit f406005e162b ("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")), which resolved similar -EPROTO issues during device initialisation, and is the same approach as in fcp.c:fcp_usb(). Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") Closes: https://github.com/geoffreybennett/linux-fcp/issues/41 Cc: stable(a)vger.kernel.org Signed-off-by: Geoffrey D. Bennett <g(a)b4.vu> Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu Signed-off-by: Takashi Iwai <tiwai(a)suse.de> diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c index 49eeb1444dce..15bbdafc4894 100644 --- a/sound/usb/mixer_scarlett2.c +++ b/sound/usb/mixer_scarlett2.c @@ -2351,6 +2351,8 @@ static int scarlett2_usb( struct scarlett2_usb_packet *req, *resp = NULL; size_t req_buf_size = struct_size(req, data, req_size); size_t resp_buf_size = struct_size(resp, data, resp_size); + int retries = 0; + const int max_retries = 5; int err; req = kmalloc(req_buf_size, GFP_KERNEL); @@ -2374,10 +2376,15 @@ static int scarlett2_usb( if (req_size) memcpy(req->data, req_data, req_size); +retry: err = scarlett2_usb_tx(dev, private->bInterfaceNumber, req, req_buf_size); if (err != req_buf_size) { + if (err == -EPROTO && ++retries <= max_retries) { + msleep(5 * (1 << (retries - 1))); + goto retry; + } usb_audio_err( mixer->chip, "%s USB request result cmd %x was %d\n",

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] net: usbnet: Avoid potential RCU stall on LINK_CHANGE event" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 0d9cfc9b8cb17dbc29a98792d36ec39a1cf1395f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081258-value-bobbing-e1b7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0d9cfc9b8cb17dbc29a98792d36ec39a1cf1395f Mon Sep 17 00:00:00 2001 From: John Ernberg <john.ernberg(a)actia.se> Date: Wed, 23 Jul 2025 10:25:35 +0000 Subject: [PATCH] net: usbnet: Avoid potential RCU stall on LINK_CHANGE event The Gemalto Cinterion PLS83-W modem (cdc_ether) is emitting confusing link up and down events when the WWAN interface is activated on the modem-side. Interrupt URBs will in consecutive polls grab: * Link Connected * Link Disconnected * Link Connected Where the last Connected is then a stable link state. When the system is under load this may cause the unlink_urbs() work in __handle_link_change() to not complete before the next usbnet_link_change() call turns the carrier on again, allowing rx_submit() to queue new SKBs. In that event the URB queue is filled faster than it can drain, ending up in a RCU stall: rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 0-.... } 33108 jiffies s: 201 root: 0x1/. rcu: blocking rcu_node structures (internal RCU debug): Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 Call trace: arch_local_irq_enable+0x4/0x8 local_bh_enable+0x18/0x20 __netdev_alloc_skb+0x18c/0x1cc rx_submit+0x68/0x1f8 [usbnet] rx_alloc_submit+0x4c/0x74 [usbnet] usbnet_bh+0x1d8/0x218 [usbnet] usbnet_bh_tasklet+0x10/0x18 [usbnet] tasklet_action_common+0xa8/0x110 tasklet_action+0x2c/0x34 handle_softirqs+0x2cc/0x3a0 __do_softirq+0x10/0x18 ____do_softirq+0xc/0x14 call_on_irq_stack+0x24/0x34 do_softirq_own_stack+0x18/0x20 __irq_exit_rcu+0xa8/0xb8 irq_exit_rcu+0xc/0x30 el1_interrupt+0x34/0x48 el1h_64_irq_handler+0x14/0x1c el1h_64_irq+0x68/0x6c _raw_spin_unlock_irqrestore+0x38/0x48 xhci_urb_dequeue+0x1ac/0x45c [xhci_hcd] unlink1+0xd4/0xdc [usbcore] usb_hcd_unlink_urb+0x70/0xb0 [usbcore] usb_unlink_urb+0x24/0x44 [usbcore] unlink_urbs.constprop.0.isra.0+0x64/0xa8 [usbnet] __handle_link_change+0x34/0x70 [usbnet] usbnet_deferred_kevent+0x1c0/0x320 [usbnet] process_scheduled_works+0x2d0/0x48c worker_thread+0x150/0x1dc kthread+0xd8/0xe8 ret_from_fork+0x10/0x20 Get around the problem by delaying the carrier on to the scheduled work. This needs a new flag to keep track of the necessary action. The carrier ok check cannot be removed as it remains required for the LINK_RESET event flow. Fixes: 4b49f58fff00 ("usbnet: handle link change") Cc: stable(a)vger.kernel.org Signed-off-by: John Ernberg <john.ernberg(a)actia.se> Link: https://patch.msgid.link/20250723102526.1305339-1-john.ernberg@actia.se Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index c04e715a4c2a..bc1d8631ffe0 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1122,6 +1122,9 @@ static void __handle_link_change(struct usbnet *dev) * tx queue is stopped by netcore after link becomes off */ } else { + if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags)) + netif_carrier_on(dev->net); + /* submitting URBs for reading packets */ tasklet_schedule(&dev->bh); } @@ -2009,10 +2012,12 @@ EXPORT_SYMBOL(usbnet_manage_power); void usbnet_link_change(struct usbnet *dev, bool link, bool need_reset) { /* update link after link is reseted */ - if (link && !need_reset) - netif_carrier_on(dev->net); - else + if (link && !need_reset) { + set_bit(EVENT_LINK_CARRIER_ON, &dev->flags); + } else { + clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags); netif_carrier_off(dev->net); + } if (need_reset && link) usbnet_defer_kevent(dev, EVENT_LINK_RESET); diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h index 0b9f1e598e3a..4bc6bb01a0eb 100644 --- a/include/linux/usb/usbnet.h +++ b/include/linux/usb/usbnet.h @@ -76,6 +76,7 @@ struct usbnet { # define EVENT_LINK_CHANGE 11 # define EVENT_SET_RX_MODE 12 # define EVENT_NO_IP_ALIGN 13 +# define EVENT_LINK_CARRIER_ON 14 /* This one is special, as it indicates that the device is going away * there are cyclic dependencies between tasklet, timer and bh * that must be broken

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] smb: server: Fix extension string in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 8e7d178d06e8937454b6d2f2811fa6a15656a214 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081211-chirping-aversion-8b66@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8e7d178d06e8937454b6d2f2811fa6a15656a214 Mon Sep 17 00:00:00 2001 From: Thorsten Blum <thorsten.blum(a)linux.dev> Date: Wed, 6 Aug 2025 03:03:49 +0200 Subject: [PATCH] smb: server: Fix extension string in ksmbd_extract_shortname() In ksmbd_extract_shortname(), strscpy() is incorrectly called with the length of the source string (excluding the NUL terminator) rather than the size of the destination buffer. This results in "__" being copied to 'extension' rather than "___" (two underscores instead of three). Use the destination buffer size instead to ensure that the string "___" (three underscores) is copied correctly. Cc: stable(a)vger.kernel.org Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index 425c756bcfb8..b23203a1c286 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -515,7 +515,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname, p = strrchr(longname, '.'); if (p == longname) { /*name starts with a dot*/ - strscpy(extension, "___", strlen("___")); + strscpy(extension, "___", sizeof(extension)); } else { if (p) { p++;

1 month, 1 week

2
1
0 0

Re: Patch "pwm: rockchip: Round period/duty down on apply, up on get" has been added to the 6.16-stable tree

by Uwe Kleine-König

Hello Sasha, On Fri, Aug 08, 2025 at 06:30:33PM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > pwm: rockchip: Round period/duty down on apply, up on get > > to the 6.16-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > pwm-rockchip-round-period-duty-down-on-apply-up-on-g.patch > and it can be found in the queue-6.16 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 51144efa3159cd95ab37e786c982822a060d7d1a > Author: Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> > Date: Mon Jun 16 17:14:17 2025 +0200 > > pwm: rockchip: Round period/duty down on apply, up on get > > [ Upstream commit 0b4d1abe5ca568c5b7f667345ec2b5ad0fb2e54b ] > > With CONFIG_PWM_DEBUG=y, the rockchip PWM driver produces warnings like > this: > > rockchip-pwm fd8b0010.pwm: .apply is supposed to round down > duty_cycle (requested: 23529/50000, applied: 23542/50000) > > This is because the driver chooses ROUND_CLOSEST for purported > idempotency reasons. However, it's possible to keep idempotency while > always rounding down in .apply(). > > Do this by making .get_state() always round up, and making .apply() > always round down. This is done with u64 maths, and setting both period > and duty to U32_MAX (the biggest the hardware can support) if they would > exceed their 32 bits confines. > > Fixes: 12f9ce4a5198 ("pwm: rockchip: Fix period and duty cycle approximation") > Fixes: 1ebb74cf3537 ("pwm: rockchip: Add support for hardware readout") > Signed-off-by: Nicolas Frattaroli <nicolas.frattaroli(a)collabora.com> > Link: https://lore.kernel.org/r/20250616-rockchip-pwm-rounding-fix-v2-1-a9c65acad… > Signed-off-by: Uwe Kleine-König <ukleinek(a)kernel.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> while the new code makes the driver match the PWM rules now, I'd be conservative and not backport that patch because while I consider it a (very minor) fix that's a change in behaviour and maybe people depend on that old behaviour. So let's not break our user's workflows and reserve that for a major release. Please drop this patch from your queue. Best regards Uwe

1 month, 1 week

3
5
0 0

Re: [PATCH v3] clocksource: clps711x: Fix resource leaks in error paths

by Daniel Lezcano

Hi, this patch does not seem to have reached lkml@, making impossible to extract via git b4 neither adding the Link tag. On 05/08/2025 05:56, Zhen Ni wrote: > The current implementation of clps711x_timer_init() has multiple error > paths that directly return without releasing the base I/O memory mapped > via of_iomap(). Fix of_iomap leaks in error paths. > > Fixes: 04410efbb6bc ("clocksource/drivers/clps711x: Convert init function to return error") > Fixes: 2a6a8e2d9004 ("clocksource/drivers/clps711x: Remove board support") > Cc: stable(a)vger.kernel.org > Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> > --- > changes in v3: > - Change "err" to "error" in the commit message. > changes in v2: > - Add tags of 'Fixes' and 'Cc' > - Reduce detailed enumeration of err paths > - Omit a pointer check before iounmap() > - Change goto target from out to unmap_io > --- > drivers/clocksource/clps711x-timer.c | 23 ++++++++++++++++------- > 1 file changed, 16 insertions(+), 7 deletions(-) > > diff --git a/drivers/clocksource/clps711x-timer.c b/drivers/clocksource/clps711x-timer.c > index e95fdc49c226..bbceb0289d45 100644 > --- a/drivers/clocksource/clps711x-timer.c > +++ b/drivers/clocksource/clps711x-timer.c > @@ -78,24 +78,33 @@ static int __init clps711x_timer_init(struct device_node *np) > unsigned int irq = irq_of_parse_and_map(np, 0); > struct clk *clock = of_clk_get(np, 0); > void __iomem *base = of_iomap(np, 0); > + int ret = 0; > > if (!base) > return -ENOMEM; > - if (!irq) > - return -EINVAL; > - if (IS_ERR(clock)) > - return PTR_ERR(clock); > + if (!irq) { > + ret = -EINVAL; > + goto unmap_io; > + } > + if (IS_ERR(clock)) { > + ret = PTR_ERR(clock); > + goto unmap_io; > + } > > switch (of_alias_get_id(np, "timer")) { > case CLPS711X_CLKSRC_CLOCKSOURCE: > clps711x_clksrc_init(clock, base); > break; > case CLPS711X_CLKSRC_CLOCKEVENT: > - return _clps711x_clkevt_init(clock, base, irq); > + ret = _clps711x_clkevt_init(clock, base, irq); > + break; > default: > - return -EINVAL; > + ret = -EINVAL; > + break; > } > > - return 0; > +unmap_io: > + iounmap(base); > + return ret; > } > TIMER_OF_DECLARE(clps711x, "cirrus,ep7209-timer", clps711x_timer_init); -- <http://www.linaro.org/> Linaro.org │ Open source software for ARM SoCs Follow Linaro: <http://www.facebook.com/pages/Linaro> Facebook | <http://twitter.com/#!/linaroorg> Twitter | <http://www.linaro.org/linaro-blog/> Blog

1 month, 1 week

1
0
0 0

[BUG] arm64: Sleeping function called from invalid context in do_debug_exception on PREEMPT_RT

by Yunseong Kim

Hi, On a PREEMPT_RT kernel based on v6.16-rc1, I hit the following splat: | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 | in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 20466, name: syz.0.1689 | preempt_count: 1, expected: 0 | RCU nest depth: 0, expected: 0 | Preemption disabled at: | [<ffff800080241600>] debug_exception_enter arch/arm64/mm/fault.c:978 [inline] | [<ffff800080241600>] do_debug_exception+0x68/0x2fc arch/arm64/mm/fault.c:997 | CPU: 0 UID: 0 PID: 20466 Comm: syz.0.1689 Not tainted 6.16.0-rc1-rt1-dirty #12 PREEMPT_RT | Hardware name: QEMU KVM Virtual Machine, BIOS 2025.02-8 05/13/2025 | Call trace: | show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) | __dump_stack+0x30/0x40 lib/dump_stack.c:94 | dump_stack_lvl+0x148/0x1d8 lib/dump_stack.c:120 | dump_stack+0x1c/0x3c lib/dump_stack.c:129 | __might_resched+0x2e4/0x52c kernel/sched/core.c:8800 | __rt_spin_lock kernel/locking/spinlock_rt.c:48 [inline] | rt_spin_lock+0xa8/0x1bc kernel/locking/spinlock_rt.c:57 | spin_lock include/linux/spinlock_rt.h:44 [inline] | force_sig_info_to_task+0x6c/0x4a8 kernel/signal.c:1302 | force_sig_fault_to_task kernel/signal.c:1699 [inline] | force_sig_fault+0xc4/0x110 kernel/signal.c:1704 | arm64_force_sig_fault+0x6c/0x80 arch/arm64/kernel/traps.c:265 | send_user_sigtrap arch/arm64/kernel/debug-monitors.c:237 [inline] | single_step_handler+0x1f4/0x36c arch/arm64/kernel/debug-monitors.c:257 | do_debug_exception+0x154/0x2fc arch/arm64/mm/fault.c:1002 | el0_dbg+0x44/0x120 arch/arm64/kernel/entry-common.c:756 | el0t_64_sync_handler+0x3c/0x108 arch/arm64/kernel/entry-common.c:832 | el0t_64_sync+0x1ac/0x1b0 arch/arm64/kernel/entry.S:600 It seems that commit eaff68b32861 ("arm64: entry: Add entry and exit functions for debug exception") in 6.17-rc1, also present as 6fb44438a5e1 in mainline, removed code that previously avoided sleeping context issues when handling debug exceptions: Link: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/arch… This appears to be triggered when force_sig_fault() is called from debug exception context, which is not sleepable under PREEMPT_RT. I understand that this path is primarily for debugging, but I would like to discuss whether the patch needs some adjustment for PREEMPT_RT. I also found that the issue can be reproduced depending on the changes introduced by the following commit: Link: https://github.com/torvalds/linux/commit/d8bb6718c4d arm64: Make debug exception handlers visible from RCU Make debug exceptions visible from RCU so that synchronize_rcu() correctly tracks the debug exception handler. This also introduces sanity checks for user-mode exceptions as same as x86's ist_enter()/ist_exit(). The debug exception can interrupt in idle task. For example, it warns if we put a kprobe on a function called from idle task as below. The warning message showed that the rcu_read_lock() caused this problem. But actually, this means the RCU lost the context which was already in NMI/IRQ. /sys/kernel/debug/tracing # echo p default_idle_call >> kprobe_events /sys/kernel/debug/tracing # echo 1 > events/kprobes/enable ... For reference: - v5.2.10: https://elixir.bootlin.com/linux/v5.2.10/source/arch/arm64/mm/fault.c#L810 - v5.3-rc3: https://elixir.bootlin.com/linux/v5.3-rc3/source/arch/arm64/mm/fault.c#L787 Do we need to restore some form of non-sleeping signal delivery in debug exception context for PREEMPT_RT, or is there another preferred fix? Thanks, Yunseong

1 month, 1 week

4
5
0 0

[PATCH v2] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe

by Zhen Ni

The of_platform_populate() call at the end of the function has a possible failure path, causing a resource leak. Replace of_iomap() with devm_platform_ioremap_resource() to ensure automatic cleanup of srom->reg_base. This issue was detected by smatch static analysis: drivers/memory/samsung/exynos-srom.c:155 exynos_srom_probe()warn: 'srom->reg_base' from of_iomap() not released on lines: 155. Fixes: 8ac2266d8831 ("memory: samsung: exynos-srom: Add support for bank configuration") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- chanegs in v2: - Update commit msg --- drivers/memory/samsung/exynos-srom.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/memory/samsung/exynos-srom.c b/drivers/memory/samsung/exynos-srom.c index e73dd330af47..d913fb901973 100644 --- a/drivers/memory/samsung/exynos-srom.c +++ b/drivers/memory/samsung/exynos-srom.c @@ -121,20 +121,18 @@ static int exynos_srom_probe(struct platform_device *pdev) return -ENOMEM; srom->dev = dev; - srom->reg_base = of_iomap(np, 0); - if (!srom->reg_base) { + srom->reg_base = devm_platform_ioremap_resource(pdev, 0); + if (IS_ERR(srom->reg_base)) { dev_err(&pdev->dev, "iomap of exynos srom controller failed\n"); - return -ENOMEM; + return PTR_ERR(srom->reg_base); } platform_set_drvdata(pdev, srom); srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets, ARRAY_SIZE(exynos_srom_offsets)); - if (!srom->reg_offset) { - iounmap(srom->reg_base); + if (!srom->reg_offset) return -ENOMEM; - } for_each_child_of_node(np, child) { if (exynos_srom_configure_bank(srom, child)) { -- 2.20.1

1 month, 1 week

2
1
0 0

[PATCH RESEND] HID: asus: fix UAF via HID_CLAIMED_INPUT validation

by Qasim Ijaz

After hid_hw_start() is called hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are processed and corresponding hid_inputs are allocated and configured via hidinput_configure_usages(). This process involves slot tagging report fields and configuring usages by setting relevant bits in the capability bitmaps. However it is possible that the capability bitmaps are not set at all leading to the subsequent hidinput_has_been_populated() check to fail leading to the freeing of the hid_input and the underlying input device. This becomes problematic because a malicious HID device like a ASUS ROG N-Key keyboard can trigger the above scenario via a specially crafted descriptor which then leads to a user-after-free when the name of the freed input device is written to later on after hid_hw_start(). Below, report 93 intentionally utilises the HID_UP_UNDEFINED Usage Page which is skipped during usage configuration, leading to the frees. 0x05, 0x0D, // Usage Page (Digitizer) 0x09, 0x05, // Usage (Touch Pad) 0xA1, 0x01, // Collection (Application) 0x85, 0x0D, // Report ID (13) 0x06, 0x00, 0xFF, // Usage Page (Vendor Defined 0xFF00) 0x09, 0xC5, // Usage (0xC5) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x04, // Report Count (4) 0xB1, 0x02, // Feature (Data,Var,Abs) 0x85, 0x5D, // Report ID (93) 0x06, 0x00, 0x00, // Usage Page (Undefined) 0x09, 0x01, // Usage (0x01) 0x15, 0x00, // Logical Minimum (0) 0x26, 0xFF, 0x00, // Logical Maximum (255) 0x75, 0x08, // Report Size (8) 0x95, 0x1B, // Report Count (27) 0x81, 0x02, // Input (Data,Var,Abs) 0xC0, // End Collection Below is the KASAN splat after triggering the UAF: [ 21.672709] ================================================================== [ 21.673700] BUG: KASAN: slab-use-after-free in asus_probe+0xeeb/0xf80 [ 21.673700] Write of size 8 at addr ffff88810a0ac000 by task kworker/1:2/54 [ 21.673700] [ 21.673700] CPU: 1 UID: 0 PID: 54 Comm: kworker/1:2 Not tainted 6.16.0-rc4-g9773391cf4dd-dirty #36 PREEMPT(voluntary) [ 21.673700] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 21.673700] Call Trace: [ 21.673700] <TASK> [ 21.673700] dump_stack_lvl+0x5f/0x80 [ 21.673700] print_report+0xd1/0x660 [ 21.673700] kasan_report+0xe5/0x120 [ 21.673700] __asan_report_store8_noabort+0x1b/0x30 [ 21.673700] asus_probe+0xeeb/0xf80 [ 21.673700] hid_device_probe+0x2ee/0x700 [ 21.673700] really_probe+0x1c6/0x6b0 [ 21.673700] __driver_probe_device+0x24f/0x310 [ 21.673700] driver_probe_device+0x4e/0x220 [...] [ 21.673700] [ 21.673700] Allocated by task 54: [ 21.673700] kasan_save_stack+0x3d/0x60 [ 21.673700] kasan_save_track+0x18/0x40 [ 21.673700] kasan_save_alloc_info+0x3b/0x50 [ 21.673700] __kasan_kmalloc+0x9c/0xa0 [ 21.673700] __kmalloc_cache_noprof+0x139/0x340 [ 21.673700] input_allocate_device+0x44/0x370 [ 21.673700] hidinput_connect+0xcb6/0x2630 [ 21.673700] hid_connect+0xf74/0x1d60 [ 21.673700] hid_hw_start+0x8c/0x110 [ 21.673700] asus_probe+0x5a3/0xf80 [ 21.673700] hid_device_probe+0x2ee/0x700 [ 21.673700] really_probe+0x1c6/0x6b0 [ 21.673700] __driver_probe_device+0x24f/0x310 [ 21.673700] driver_probe_device+0x4e/0x220 [...] [ 21.673700] [ 21.673700] Freed by task 54: [ 21.673700] kasan_save_stack+0x3d/0x60 [ 21.673700] kasan_save_track+0x18/0x40 [ 21.673700] kasan_save_free_info+0x3f/0x60 [ 21.673700] __kasan_slab_free+0x3c/0x50 [ 21.673700] kfree+0xcf/0x350 [ 21.673700] input_dev_release+0xab/0xd0 [ 21.673700] device_release+0x9f/0x220 [ 21.673700] kobject_put+0x12b/0x220 [ 21.673700] put_device+0x12/0x20 [ 21.673700] input_free_device+0x4c/0xb0 [ 21.673700] hidinput_connect+0x1862/0x2630 [ 21.673700] hid_connect+0xf74/0x1d60 [ 21.673700] hid_hw_start+0x8c/0x110 [ 21.673700] asus_probe+0x5a3/0xf80 [ 21.673700] hid_device_probe+0x2ee/0x700 [ 21.673700] really_probe+0x1c6/0x6b0 [ 21.673700] __driver_probe_device+0x24f/0x310 [ 21.673700] driver_probe_device+0x4e/0x220 [...] Fixes: 9ce12d8be12c ("HID: asus: Add i2c touchpad support") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/hid/hid-asus.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c index 4b45e31f0bab..9bce9c84ab20 100644 --- a/drivers/hid/hid-asus.c +++ b/drivers/hid/hid-asus.c @@ -1212,8 +1212,14 @@ static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id) hid_err(hdev, "Asus hw start failed: %d\n", ret); return ret; } - - if (!drvdata->input) { + + /* + * Check that input registration succeeded. Checking that + * HID_CLAIMED_INPUT is set prevents a UAF when all input devices + * were freed during registration due to no usages being mapped, + * leaving drvdata->input pointing to freed memory. + */ + if (!drvdata->input || !(hdev->claimed & HID_CLAIMED_INPUT)) { hid_err(hdev, "Asus input not registered\n"); ret = -ENOMEM; goto err_stop_hw; -- 2.39.5

1 month, 1 week

2
1
0 0

[PATCH v2] dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted

by Shanker Donthineni

When CONFIG_DMA_DIRECT_REMAP is enabled, atomic pool pages are remapped via dma_common_contiguous_remap() using the supplied pgprot. Currently, the mapping uses pgprot_dmacoherent(PAGE_KERNEL), which leaves the memory encrypted on systems with memory encryption enabled (e.g., ARM CCA Realms). This can cause the DMA layer to fail or crash when accessing the memory, as the underlying physical pages are not configured as expected. Fix this by requesting a decrypted mapping in the vmap() call: pgprot_decrypted(pgprot_dmacoherent(PAGE_KERNEL)) This ensures that atomic pool memory is consistently mapped unencrypted. Cc: stable(a)vger.kernel.org Signed-off-by: Shanker Donthineni <sdonthineni(a)nvidia.com> --- kernel/dma/pool.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c index 7b04f7575796b..ee45dee33d491 100644 --- a/kernel/dma/pool.c +++ b/kernel/dma/pool.c @@ -102,8 +102,8 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size, #ifdef CONFIG_DMA_DIRECT_REMAP addr = dma_common_contiguous_remap(page, pool_size, - pgprot_dmacoherent(PAGE_KERNEL), - __builtin_return_address(0)); + pgprot_decrypted(pgprot_dmacoherent(PAGE_KERNEL)), + __builtin_return_address(0)); if (!addr) goto free_page; #else -- 2.25.1

1 month, 1 week

3
2
0 0

International Broadcast Conference 2025 Attendee's List

by Jack Reacher

Hi, We are offering the visitors contact list International Broadcast Conference (IBC) 2025. We currently have 50,656 verified visitor contacts. Each contact contains: Contact name, Job Title, Business Name, Physical Address, Phone Numbers, Official Email address and many more… Rest assured, our contacts are 100% opt-in and GDPR compliant, ensuring the utmost integrity in your outreach. Let me know if you are interested so that I can share the pricing for the same. Kind Regards, Jack Reacher Sr. Marketing Manager If you do not wish to receive this newsletter reply as “Unfollow”

1 month, 1 week

1
0
0 0

[PATCH] arm64: dts: qcom: sm8450: Fix address for usb controller node

by Krishna Kurapati

Correct the address in usb controller node to fix the following warning: Warning (simple_bus_reg): /soc@0/usb@a6f8800: simple-bus unit address format error, expected "a600000" Fixes: c015f76c23ac ("arm64: dts: qcom: sm8450: Fix address for usb controller node") Cc: stable(a)vger.kernel.org Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202508121834.953Mvah2-lkp@intel.com/ Signed-off-by: Krishna Kurapati <krishna.kurapati(a)oss.qualcomm.com> --- arch/arm64/boot/dts/qcom/sm8450.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi index 2baef6869ed7..38c91c3ec787 100644 --- a/arch/arm64/boot/dts/qcom/sm8450.dtsi +++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi @@ -5417,7 +5417,7 @@ opp-202000000 { }; }; - usb_1: usb@a6f8800 { + usb_1: usb@a600000 { compatible = "qcom,sm8450-dwc3", "qcom,snps-dwc3"; reg = <0 0x0a600000 0 0xfc100>; status = "disabled"; -- 2.34.1

1 month, 1 week

3
3
0 0

Re: [PATCH 00/12] ice: split ice_virtchnl.c git-blame friendly way

by Jakub Kicinski

On Tue, 12 Aug 2025 15:28:58 +0200 Przemek Kitszel wrote: > Summary: > Split ice_virtchnl.c into two more files (+headers), in a way > that git-blame works better. > Then move virtchnl files into a new subdir. > No logic changes. > > I have developed (or discovered ;)) how to split a file in a way that > both old and new are nice in terms of git-blame > There were no much disscussion on [RFC], so I would like to propose > to go forward with this approach. > > There is more commits needed to have it nice, so it forms a git-log vs > git-blame tradeoff, but (after the brief moment that this is on the top) > we spend orders of magnitude more time looking at the blame output (and > commit messages linked from that) - so I find it much better to see > actual logic changes instead of "move xx to yy" stuff (typical for > "squashed/single-commit splits"). > > Cherry-picks/rebases work the same with this method as with simple > "squashed/single-commit" approach (literally all commits squashed into > one (to have better git-log, but shitty git-blame output). > > Rationale for the split itself is, as usual, "file is big and we want to > extend it". > > This series is available on my github (just rebased from any > earlier mentions): > https://github.com/pkitszel/linux/tree/virtchnl-split-Aug12 > (the simple git-email view flattens this series, removing two > merges from the view). > > > [RFC]: > https://lore.kernel.org/netdev/5b94d14e-a0e7-47bd-82fc-c85171cbf26e@intel.c… > > (I would really look at my fork via your preferred git interaction tool > instead of looking at the patches below). UI tools aside I wish you didn't cut off the diffstat from the cover letter :/ It'd make it much easier to understand what you're splitting. Greg, Sasha, I suspect stable will suffer the most from any file split / movement. Do you have any recommendation on what should be allowed?

1 month, 1 week

3
2
0 0

FAILED: patch "[PATCH] HID: magicmouse: avoid setting up battery timer when not" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081244-result-from-825c@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 Mon Sep 17 00:00:00 2001 From: Aditya Garg <gargaditya08(a)live.com> Date: Mon, 30 Jun 2025 12:37:13 +0000 Subject: [PATCH] HID: magicmouse: avoid setting up battery timer when not needed Currently, the battery timer is set up for all devices using hid-magicmouse, irrespective of whether they actually need it or not. The current implementation requires the battery timer for Magic Mouse 2 and Magic Trackpad 2 when connected via USB only. Add checks to ensure that the battery timer is only set up when they are connected via USB. Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB") Cc: stable(a)vger.kernel.org Signed-off-by: Aditya Garg <gargaditya08(a)live.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c index 36f034ac605d..226682762db3 100644 --- a/drivers/hid/hid-magicmouse.c +++ b/drivers/hid/hid-magicmouse.c @@ -791,17 +791,31 @@ static void magicmouse_enable_mt_work(struct work_struct *work) hid_err(msc->hdev, "unable to request touch data (%d)\n", ret); } +static bool is_usb_magicmouse2(__u32 vendor, __u32 product) +{ + if (vendor != USB_VENDOR_ID_APPLE) + return false; + return product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || + product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC; +} + +static bool is_usb_magictrackpad2(__u32 vendor, __u32 product) +{ + if (vendor != USB_VENDOR_ID_APPLE) + return false; + return product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || + product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC; +} + static int magicmouse_fetch_battery(struct hid_device *hdev) { #ifdef CONFIG_HID_BATTERY_STRENGTH struct hid_report_enum *report_enum; struct hid_report *report; - if (!hdev->battery || hdev->vendor != USB_VENDOR_ID_APPLE || - (hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2 && - hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC && - hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 && - hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC)) + if (!hdev->battery || + (!is_usb_magicmouse2(hdev->vendor, hdev->product) && + !is_usb_magictrackpad2(hdev->vendor, hdev->product))) return -1; report_enum = &hdev->report_enum[hdev->battery_report_type]; @@ -863,17 +877,17 @@ static int magicmouse_probe(struct hid_device *hdev, return ret; } - timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); - mod_timer(&msc->battery_timer, - jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); - magicmouse_fetch_battery(hdev); + if (is_usb_magicmouse2(id->vendor, id->product) || + is_usb_magictrackpad2(id->vendor, id->product)) { + timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); + mod_timer(&msc->battery_timer, + jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); + magicmouse_fetch_battery(hdev); + } - if (id->vendor == USB_VENDOR_ID_APPLE && - (id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || - id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || - ((id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || - id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && - hdev->type != HID_TYPE_USBMOUSE))) + if (is_usb_magicmouse2(id->vendor, id->product) || + (is_usb_magictrackpad2(id->vendor, id->product) && + hdev->type != HID_TYPE_USBMOUSE)) return 0; if (!msc->input) { @@ -936,7 +950,10 @@ static int magicmouse_probe(struct hid_device *hdev, return 0; err_stop_hw: - timer_delete_sync(&msc->battery_timer); + if (is_usb_magicmouse2(id->vendor, id->product) || + is_usb_magictrackpad2(id->vendor, id->product)) + timer_delete_sync(&msc->battery_timer); + hid_hw_stop(hdev); return ret; } @@ -947,7 +964,9 @@ static void magicmouse_remove(struct hid_device *hdev) if (msc) { cancel_delayed_work_sync(&msc->work); - timer_delete_sync(&msc->battery_timer); + if (is_usb_magicmouse2(hdev->vendor, hdev->product) || + is_usb_magictrackpad2(hdev->vendor, hdev->product)) + timer_delete_sync(&msc->battery_timer); } hid_hw_stop(hdev); @@ -964,11 +983,8 @@ static const __u8 *magicmouse_report_fixup(struct hid_device *hdev, __u8 *rdesc, * 0x05, 0x01, // Usage Page (Generic Desktop) 0 * 0x09, 0x02, // Usage (Mouse) 2 */ - if (hdev->vendor == USB_VENDOR_ID_APPLE && - (hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || - hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || - hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || - hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && + if ((is_usb_magicmouse2(hdev->vendor, hdev->product) || + is_usb_magictrackpad2(hdev->vendor, hdev->product)) && *rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) { hid_info(hdev, "fixing up magicmouse battery report descriptor\n");

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] HID: magicmouse: avoid setting up battery timer when not" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081244-swimsuit-darkening-ba01@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 Mon Sep 17 00:00:00 2001 From: Aditya Garg <gargaditya08(a)live.com> Date: Mon, 30 Jun 2025 12:37:13 +0000 Subject: [PATCH] HID: magicmouse: avoid setting up battery timer when not needed Currently, the battery timer is set up for all devices using hid-magicmouse, irrespective of whether they actually need it or not. The current implementation requires the battery timer for Magic Mouse 2 and Magic Trackpad 2 when connected via USB only. Add checks to ensure that the battery timer is only set up when they are connected via USB. Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB") Cc: stable(a)vger.kernel.org Signed-off-by: Aditya Garg <gargaditya08(a)live.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c index 36f034ac605d..226682762db3 100644 --- a/drivers/hid/hid-magicmouse.c +++ b/drivers/hid/hid-magicmouse.c @@ -791,17 +791,31 @@ static void magicmouse_enable_mt_work(struct work_struct *work) hid_err(msc->hdev, "unable to request touch data (%d)\n", ret); } +static bool is_usb_magicmouse2(__u32 vendor, __u32 product) +{ + if (vendor != USB_VENDOR_ID_APPLE) + return false; + return product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || + product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC; +} + +static bool is_usb_magictrackpad2(__u32 vendor, __u32 product) +{ + if (vendor != USB_VENDOR_ID_APPLE) + return false; + return product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || + product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC; +} + static int magicmouse_fetch_battery(struct hid_device *hdev) { #ifdef CONFIG_HID_BATTERY_STRENGTH struct hid_report_enum *report_enum; struct hid_report *report; - if (!hdev->battery || hdev->vendor != USB_VENDOR_ID_APPLE || - (hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2 && - hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC && - hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 && - hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC)) + if (!hdev->battery || + (!is_usb_magicmouse2(hdev->vendor, hdev->product) && + !is_usb_magictrackpad2(hdev->vendor, hdev->product))) return -1; report_enum = &hdev->report_enum[hdev->battery_report_type]; @@ -863,17 +877,17 @@ static int magicmouse_probe(struct hid_device *hdev, return ret; } - timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); - mod_timer(&msc->battery_timer, - jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); - magicmouse_fetch_battery(hdev); + if (is_usb_magicmouse2(id->vendor, id->product) || + is_usb_magictrackpad2(id->vendor, id->product)) { + timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); + mod_timer(&msc->battery_timer, + jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); + magicmouse_fetch_battery(hdev); + } - if (id->vendor == USB_VENDOR_ID_APPLE && - (id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || - id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || - ((id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || - id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && - hdev->type != HID_TYPE_USBMOUSE))) + if (is_usb_magicmouse2(id->vendor, id->product) || + (is_usb_magictrackpad2(id->vendor, id->product) && + hdev->type != HID_TYPE_USBMOUSE)) return 0; if (!msc->input) { @@ -936,7 +950,10 @@ static int magicmouse_probe(struct hid_device *hdev, return 0; err_stop_hw: - timer_delete_sync(&msc->battery_timer); + if (is_usb_magicmouse2(id->vendor, id->product) || + is_usb_magictrackpad2(id->vendor, id->product)) + timer_delete_sync(&msc->battery_timer); + hid_hw_stop(hdev); return ret; } @@ -947,7 +964,9 @@ static void magicmouse_remove(struct hid_device *hdev) if (msc) { cancel_delayed_work_sync(&msc->work); - timer_delete_sync(&msc->battery_timer); + if (is_usb_magicmouse2(hdev->vendor, hdev->product) || + is_usb_magictrackpad2(hdev->vendor, hdev->product)) + timer_delete_sync(&msc->battery_timer); } hid_hw_stop(hdev); @@ -964,11 +983,8 @@ static const __u8 *magicmouse_report_fixup(struct hid_device *hdev, __u8 *rdesc, * 0x05, 0x01, // Usage Page (Generic Desktop) 0 * 0x09, 0x02, // Usage (Mouse) 2 */ - if (hdev->vendor == USB_VENDOR_ID_APPLE && - (hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || - hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || - hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || - hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && + if ((is_usb_magicmouse2(hdev->vendor, hdev->product) || + is_usb_magictrackpad2(hdev->vendor, hdev->product)) && *rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) { hid_info(hdev, "fixing up magicmouse battery report descriptor\n");

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] HID: magicmouse: avoid setting up battery timer when not" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081245-fanatic-plenty-c5ac@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 Mon Sep 17 00:00:00 2001 From: Aditya Garg <gargaditya08(a)live.com> Date: Mon, 30 Jun 2025 12:37:13 +0000 Subject: [PATCH] HID: magicmouse: avoid setting up battery timer when not needed Currently, the battery timer is set up for all devices using hid-magicmouse, irrespective of whether they actually need it or not. The current implementation requires the battery timer for Magic Mouse 2 and Magic Trackpad 2 when connected via USB only. Add checks to ensure that the battery timer is only set up when they are connected via USB. Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB") Cc: stable(a)vger.kernel.org Signed-off-by: Aditya Garg <gargaditya08(a)live.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c index 36f034ac605d..226682762db3 100644 --- a/drivers/hid/hid-magicmouse.c +++ b/drivers/hid/hid-magicmouse.c @@ -791,17 +791,31 @@ static void magicmouse_enable_mt_work(struct work_struct *work) hid_err(msc->hdev, "unable to request touch data (%d)\n", ret); } +static bool is_usb_magicmouse2(__u32 vendor, __u32 product) +{ + if (vendor != USB_VENDOR_ID_APPLE) + return false; + return product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || + product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC; +} + +static bool is_usb_magictrackpad2(__u32 vendor, __u32 product) +{ + if (vendor != USB_VENDOR_ID_APPLE) + return false; + return product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || + product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC; +} + static int magicmouse_fetch_battery(struct hid_device *hdev) { #ifdef CONFIG_HID_BATTERY_STRENGTH struct hid_report_enum *report_enum; struct hid_report *report; - if (!hdev->battery || hdev->vendor != USB_VENDOR_ID_APPLE || - (hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2 && - hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC && - hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 && - hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC)) + if (!hdev->battery || + (!is_usb_magicmouse2(hdev->vendor, hdev->product) && + !is_usb_magictrackpad2(hdev->vendor, hdev->product))) return -1; report_enum = &hdev->report_enum[hdev->battery_report_type]; @@ -863,17 +877,17 @@ static int magicmouse_probe(struct hid_device *hdev, return ret; } - timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); - mod_timer(&msc->battery_timer, - jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); - magicmouse_fetch_battery(hdev); + if (is_usb_magicmouse2(id->vendor, id->product) || + is_usb_magictrackpad2(id->vendor, id->product)) { + timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); + mod_timer(&msc->battery_timer, + jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); + magicmouse_fetch_battery(hdev); + } - if (id->vendor == USB_VENDOR_ID_APPLE && - (id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || - id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || - ((id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || - id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && - hdev->type != HID_TYPE_USBMOUSE))) + if (is_usb_magicmouse2(id->vendor, id->product) || + (is_usb_magictrackpad2(id->vendor, id->product) && + hdev->type != HID_TYPE_USBMOUSE)) return 0; if (!msc->input) { @@ -936,7 +950,10 @@ static int magicmouse_probe(struct hid_device *hdev, return 0; err_stop_hw: - timer_delete_sync(&msc->battery_timer); + if (is_usb_magicmouse2(id->vendor, id->product) || + is_usb_magictrackpad2(id->vendor, id->product)) + timer_delete_sync(&msc->battery_timer); + hid_hw_stop(hdev); return ret; } @@ -947,7 +964,9 @@ static void magicmouse_remove(struct hid_device *hdev) if (msc) { cancel_delayed_work_sync(&msc->work); - timer_delete_sync(&msc->battery_timer); + if (is_usb_magicmouse2(hdev->vendor, hdev->product) || + is_usb_magictrackpad2(hdev->vendor, hdev->product)) + timer_delete_sync(&msc->battery_timer); } hid_hw_stop(hdev); @@ -964,11 +983,8 @@ static const __u8 *magicmouse_report_fixup(struct hid_device *hdev, __u8 *rdesc, * 0x05, 0x01, // Usage Page (Generic Desktop) 0 * 0x09, 0x02, // Usage (Mouse) 2 */ - if (hdev->vendor == USB_VENDOR_ID_APPLE && - (hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || - hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || - hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || - hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && + if ((is_usb_magicmouse2(hdev->vendor, hdev->product) || + is_usb_magictrackpad2(hdev->vendor, hdev->product)) && *rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) { hid_info(hdev, "fixing up magicmouse battery report descriptor\n");

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] HID: magicmouse: avoid setting up battery timer when not" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081245-chest-headband-a995@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 Mon Sep 17 00:00:00 2001 From: Aditya Garg <gargaditya08(a)live.com> Date: Mon, 30 Jun 2025 12:37:13 +0000 Subject: [PATCH] HID: magicmouse: avoid setting up battery timer when not needed Currently, the battery timer is set up for all devices using hid-magicmouse, irrespective of whether they actually need it or not. The current implementation requires the battery timer for Magic Mouse 2 and Magic Trackpad 2 when connected via USB only. Add checks to ensure that the battery timer is only set up when they are connected via USB. Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB") Cc: stable(a)vger.kernel.org Signed-off-by: Aditya Garg <gargaditya08(a)live.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c index 36f034ac605d..226682762db3 100644 --- a/drivers/hid/hid-magicmouse.c +++ b/drivers/hid/hid-magicmouse.c @@ -791,17 +791,31 @@ static void magicmouse_enable_mt_work(struct work_struct *work) hid_err(msc->hdev, "unable to request touch data (%d)\n", ret); } +static bool is_usb_magicmouse2(__u32 vendor, __u32 product) +{ + if (vendor != USB_VENDOR_ID_APPLE) + return false; + return product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || + product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC; +} + +static bool is_usb_magictrackpad2(__u32 vendor, __u32 product) +{ + if (vendor != USB_VENDOR_ID_APPLE) + return false; + return product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || + product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC; +} + static int magicmouse_fetch_battery(struct hid_device *hdev) { #ifdef CONFIG_HID_BATTERY_STRENGTH struct hid_report_enum *report_enum; struct hid_report *report; - if (!hdev->battery || hdev->vendor != USB_VENDOR_ID_APPLE || - (hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2 && - hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC && - hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 && - hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC)) + if (!hdev->battery || + (!is_usb_magicmouse2(hdev->vendor, hdev->product) && + !is_usb_magictrackpad2(hdev->vendor, hdev->product))) return -1; report_enum = &hdev->report_enum[hdev->battery_report_type]; @@ -863,17 +877,17 @@ static int magicmouse_probe(struct hid_device *hdev, return ret; } - timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); - mod_timer(&msc->battery_timer, - jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); - magicmouse_fetch_battery(hdev); + if (is_usb_magicmouse2(id->vendor, id->product) || + is_usb_magictrackpad2(id->vendor, id->product)) { + timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); + mod_timer(&msc->battery_timer, + jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); + magicmouse_fetch_battery(hdev); + } - if (id->vendor == USB_VENDOR_ID_APPLE && - (id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || - id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || - ((id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || - id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && - hdev->type != HID_TYPE_USBMOUSE))) + if (is_usb_magicmouse2(id->vendor, id->product) || + (is_usb_magictrackpad2(id->vendor, id->product) && + hdev->type != HID_TYPE_USBMOUSE)) return 0; if (!msc->input) { @@ -936,7 +950,10 @@ static int magicmouse_probe(struct hid_device *hdev, return 0; err_stop_hw: - timer_delete_sync(&msc->battery_timer); + if (is_usb_magicmouse2(id->vendor, id->product) || + is_usb_magictrackpad2(id->vendor, id->product)) + timer_delete_sync(&msc->battery_timer); + hid_hw_stop(hdev); return ret; } @@ -947,7 +964,9 @@ static void magicmouse_remove(struct hid_device *hdev) if (msc) { cancel_delayed_work_sync(&msc->work); - timer_delete_sync(&msc->battery_timer); + if (is_usb_magicmouse2(hdev->vendor, hdev->product) || + is_usb_magictrackpad2(hdev->vendor, hdev->product)) + timer_delete_sync(&msc->battery_timer); } hid_hw_stop(hdev); @@ -964,11 +983,8 @@ static const __u8 *magicmouse_report_fixup(struct hid_device *hdev, __u8 *rdesc, * 0x05, 0x01, // Usage Page (Generic Desktop) 0 * 0x09, 0x02, // Usage (Mouse) 2 */ - if (hdev->vendor == USB_VENDOR_ID_APPLE && - (hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || - hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || - hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || - hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && + if ((is_usb_magicmouse2(hdev->vendor, hdev->product) || + is_usb_magictrackpad2(hdev->vendor, hdev->product)) && *rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) { hid_info(hdev, "fixing up magicmouse battery report descriptor\n");

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] HID: magicmouse: avoid setting up battery timer when not" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081246-taco-trimmer-efd3@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 Mon Sep 17 00:00:00 2001 From: Aditya Garg <gargaditya08(a)live.com> Date: Mon, 30 Jun 2025 12:37:13 +0000 Subject: [PATCH] HID: magicmouse: avoid setting up battery timer when not needed Currently, the battery timer is set up for all devices using hid-magicmouse, irrespective of whether they actually need it or not. The current implementation requires the battery timer for Magic Mouse 2 and Magic Trackpad 2 when connected via USB only. Add checks to ensure that the battery timer is only set up when they are connected via USB. Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB") Cc: stable(a)vger.kernel.org Signed-off-by: Aditya Garg <gargaditya08(a)live.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c index 36f034ac605d..226682762db3 100644 --- a/drivers/hid/hid-magicmouse.c +++ b/drivers/hid/hid-magicmouse.c @@ -791,17 +791,31 @@ static void magicmouse_enable_mt_work(struct work_struct *work) hid_err(msc->hdev, "unable to request touch data (%d)\n", ret); } +static bool is_usb_magicmouse2(__u32 vendor, __u32 product) +{ + if (vendor != USB_VENDOR_ID_APPLE) + return false; + return product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || + product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC; +} + +static bool is_usb_magictrackpad2(__u32 vendor, __u32 product) +{ + if (vendor != USB_VENDOR_ID_APPLE) + return false; + return product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || + product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC; +} + static int magicmouse_fetch_battery(struct hid_device *hdev) { #ifdef CONFIG_HID_BATTERY_STRENGTH struct hid_report_enum *report_enum; struct hid_report *report; - if (!hdev->battery || hdev->vendor != USB_VENDOR_ID_APPLE || - (hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2 && - hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC && - hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 && - hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC)) + if (!hdev->battery || + (!is_usb_magicmouse2(hdev->vendor, hdev->product) && + !is_usb_magictrackpad2(hdev->vendor, hdev->product))) return -1; report_enum = &hdev->report_enum[hdev->battery_report_type]; @@ -863,17 +877,17 @@ static int magicmouse_probe(struct hid_device *hdev, return ret; } - timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); - mod_timer(&msc->battery_timer, - jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); - magicmouse_fetch_battery(hdev); + if (is_usb_magicmouse2(id->vendor, id->product) || + is_usb_magictrackpad2(id->vendor, id->product)) { + timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0); + mod_timer(&msc->battery_timer, + jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS)); + magicmouse_fetch_battery(hdev); + } - if (id->vendor == USB_VENDOR_ID_APPLE && - (id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || - id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || - ((id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || - id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && - hdev->type != HID_TYPE_USBMOUSE))) + if (is_usb_magicmouse2(id->vendor, id->product) || + (is_usb_magictrackpad2(id->vendor, id->product) && + hdev->type != HID_TYPE_USBMOUSE)) return 0; if (!msc->input) { @@ -936,7 +950,10 @@ static int magicmouse_probe(struct hid_device *hdev, return 0; err_stop_hw: - timer_delete_sync(&msc->battery_timer); + if (is_usb_magicmouse2(id->vendor, id->product) || + is_usb_magictrackpad2(id->vendor, id->product)) + timer_delete_sync(&msc->battery_timer); + hid_hw_stop(hdev); return ret; } @@ -947,7 +964,9 @@ static void magicmouse_remove(struct hid_device *hdev) if (msc) { cancel_delayed_work_sync(&msc->work); - timer_delete_sync(&msc->battery_timer); + if (is_usb_magicmouse2(hdev->vendor, hdev->product) || + is_usb_magictrackpad2(hdev->vendor, hdev->product)) + timer_delete_sync(&msc->battery_timer); } hid_hw_stop(hdev); @@ -964,11 +983,8 @@ static const __u8 *magicmouse_report_fixup(struct hid_device *hdev, __u8 *rdesc, * 0x05, 0x01, // Usage Page (Generic Desktop) 0 * 0x09, 0x02, // Usage (Mouse) 2 */ - if (hdev->vendor == USB_VENDOR_ID_APPLE && - (hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 || - hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC || - hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 || - hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) && + if ((is_usb_magicmouse2(hdev->vendor, hdev->product) || + is_usb_magictrackpad2(hdev->vendor, hdev->product)) && *rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) { hid_info(hdev, "fixing up magicmouse battery report descriptor\n");

1 month, 1 week

2
1
0 0

+ iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: iov_iter: iterate_folioq: fix handling of offset >= folio size has been added to the -mm mm-hotfixes-unstable branch. Its filename is iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Dominique Martinet <asmadeus(a)codewreck.org> Subject: iov_iter: iterate_folioq: fix handling of offset >= folio size Date: Mon, 11 Aug 2025 16:39:05 +0900 So we've had this regression in 9p for.. almost a year, which is way too long, but there was no "easy" reproducer until yesterday (thank you again!!) It turned out to be a bug with iov_iter on folios, iov_iter_get_pages_alloc2() would advance the iov_iter correctly up to the end edge of a folio and the later copy_to_iter() fails on the iterate_folioq() bug. Happy to consider alternative ways of fixing this, now there's a reproducer it's all much clearer; for the bug to be visible we basically need to make and IO with non-contiguous folios in the iov_iter which is not obvious to test with synthetic VMs, with size that triggers a zero-copy read followed by a non-zero-copy read. It's apparently possible to get an iov forwarded all the way up to the end of the current page we're looking at, e.g. (gdb) p *iter $24 = {iter_type = 4 '\004', nofault = false, data_source = false, iov_offset = 4096, {__ubuf_iovec = { iov_base = 0xffff88800f5bc000, iov_len = 655}, {{__iov = 0xffff88800f5bc000, kvec = 0xffff88800f5bc000, bvec = 0xffff88800f5bc000, folioq = 0xffff88800f5bc000, xarray = 0xffff88800f5bc000, ubuf = 0xffff88800f5bc000}, count = 655}}, {nr_segs = 2, folioq_slot = 2 '\002', xarray_start = 2}} Where iov_offset is 4k with 4k-sized folios This should have been because we're only in the 2nd slot and there's another one after this, but iterate_folioq should not try to map a folio that skips the whole size, and more importantly part here does not end up zero (because 'PAGE_SIZE - skip % PAGE_SIZE' ends up PAGE_SIZE and not zero..), so skip forward to the "advance to next folio" code. Link: https://lkml.kernel.org/r/20250811-iot_iter_folio-v1-0-d9c223adf93c@codewre… Link: https://lkml.kernel.org/r/20250811-iot_iter_folio-v1-1-d9c223adf93c@codewre… Link: https://lkml.kernel.org/r/D4LHHUNLG79Y.12PI0X6BEHRHW@mbosch.me/ Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios") Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> Reported-by: Maximilian Bosch <maximilian(a)mbosch.me> Reported-by: Ryan Lahfa <ryan(a)lahfa.xyz> Reported-by: Christian Theune <ct(a)flyingcircus.io> Reported-by: Arnout Engelen <arnout(a)bzzt.net> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Cc: David Howells <dhowells(a)redhat.com> Cc: Ryan Lahfa <ryan(a)lahfa.xyz> Cc: <stable(a)vger.kernel.org> [v6.12+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/iov_iter.h | 3 +++ 1 file changed, 3 insertions(+) --- a/include/linux/iov_iter.h~iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size +++ a/include/linux/iov_iter.h @@ -168,6 +168,8 @@ size_t iterate_folioq(struct iov_iter *i break; fsize = folioq_folio_size(folioq, slot); + if (skip >= fsize) + goto next; base = kmap_local_folio(folio, skip); part = umin(len, PAGE_SIZE - skip % PAGE_SIZE); remain = step(base, progress, part, priv, priv2); @@ -177,6 +179,7 @@ size_t iterate_folioq(struct iov_iter *i progress += consumed; skip += consumed; if (skip >= fsize) { +next: skip = 0; slot++; if (slot == folioq_nr_slots(folioq) && folioq->next) { _ Patches currently in -mm which might be from asmadeus(a)codewreck.org are iov_iter-iterate_folioq-fix-handling-of-offset-=-folio-size.patch iov_iter-iov_folioq_get_pages-dont-leave-empty-slot-behind.patch

1 month, 1 week

3
4
0 0

FAILED: patch "[PATCH] HID: apple: avoid setting up battery timer for devices" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x c061046fe9ce3ff31fb9a807144a2630ad349c17 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081201-cupid-custodian-14e8@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c061046fe9ce3ff31fb9a807144a2630ad349c17 Mon Sep 17 00:00:00 2001 From: Aditya Garg <gargaditya08(a)live.com> Date: Mon, 30 Jun 2025 12:37:13 +0000 Subject: [PATCH] HID: apple: avoid setting up battery timer for devices without battery Currently, the battery timer is set up for all devices using hid-apple, irrespective of whether they actually have a battery or not. APPLE_RDESC_BATTERY is a quirk that indicates the device has a battery and needs the battery timer. This patch checks for this quirk before setting up the timer, ensuring that only devices with a battery will have the timer set up. Fixes: 6e143293e17a ("HID: apple: Report Magic Keyboard battery over USB") Cc: stable(a)vger.kernel.org Signed-off-by: Aditya Garg <gargaditya08(a)live.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c index 0639b1f43d88..8ab15a8f3524 100644 --- a/drivers/hid/hid-apple.c +++ b/drivers/hid/hid-apple.c @@ -933,10 +933,12 @@ static int apple_probe(struct hid_device *hdev, return ret; } - timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0); - mod_timer(&asc->battery_timer, - jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS)); - apple_fetch_battery(hdev); + if (quirks & APPLE_RDESC_BATTERY) { + timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0); + mod_timer(&asc->battery_timer, + jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS)); + apple_fetch_battery(hdev); + } if (quirks & APPLE_BACKLIGHT_CTL) apple_backlight_init(hdev); @@ -950,7 +952,9 @@ static int apple_probe(struct hid_device *hdev, return 0; out_err: - timer_delete_sync(&asc->battery_timer); + if (quirks & APPLE_RDESC_BATTERY) + timer_delete_sync(&asc->battery_timer); + hid_hw_stop(hdev); return ret; } @@ -959,7 +963,8 @@ static void apple_remove(struct hid_device *hdev) { struct apple_sc *asc = hid_get_drvdata(hdev); - timer_delete_sync(&asc->battery_timer); + if (asc->quirks & APPLE_RDESC_BATTERY) + timer_delete_sync(&asc->battery_timer); hid_hw_stop(hdev); }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] HID: apple: avoid setting up battery timer for devices" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x c061046fe9ce3ff31fb9a807144a2630ad349c17 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081201-undamaged-referee-deb6@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c061046fe9ce3ff31fb9a807144a2630ad349c17 Mon Sep 17 00:00:00 2001 From: Aditya Garg <gargaditya08(a)live.com> Date: Mon, 30 Jun 2025 12:37:13 +0000 Subject: [PATCH] HID: apple: avoid setting up battery timer for devices without battery Currently, the battery timer is set up for all devices using hid-apple, irrespective of whether they actually have a battery or not. APPLE_RDESC_BATTERY is a quirk that indicates the device has a battery and needs the battery timer. This patch checks for this quirk before setting up the timer, ensuring that only devices with a battery will have the timer set up. Fixes: 6e143293e17a ("HID: apple: Report Magic Keyboard battery over USB") Cc: stable(a)vger.kernel.org Signed-off-by: Aditya Garg <gargaditya08(a)live.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c index 0639b1f43d88..8ab15a8f3524 100644 --- a/drivers/hid/hid-apple.c +++ b/drivers/hid/hid-apple.c @@ -933,10 +933,12 @@ static int apple_probe(struct hid_device *hdev, return ret; } - timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0); - mod_timer(&asc->battery_timer, - jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS)); - apple_fetch_battery(hdev); + if (quirks & APPLE_RDESC_BATTERY) { + timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0); + mod_timer(&asc->battery_timer, + jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS)); + apple_fetch_battery(hdev); + } if (quirks & APPLE_BACKLIGHT_CTL) apple_backlight_init(hdev); @@ -950,7 +952,9 @@ static int apple_probe(struct hid_device *hdev, return 0; out_err: - timer_delete_sync(&asc->battery_timer); + if (quirks & APPLE_RDESC_BATTERY) + timer_delete_sync(&asc->battery_timer); + hid_hw_stop(hdev); return ret; } @@ -959,7 +963,8 @@ static void apple_remove(struct hid_device *hdev) { struct apple_sc *asc = hid_get_drvdata(hdev); - timer_delete_sync(&asc->battery_timer); + if (asc->quirks & APPLE_RDESC_BATTERY) + timer_delete_sync(&asc->battery_timer); hid_hw_stop(hdev); }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] HID: apple: avoid setting up battery timer for devices" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x c061046fe9ce3ff31fb9a807144a2630ad349c17 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081202-delirium-stubborn-aa45@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c061046fe9ce3ff31fb9a807144a2630ad349c17 Mon Sep 17 00:00:00 2001 From: Aditya Garg <gargaditya08(a)live.com> Date: Mon, 30 Jun 2025 12:37:13 +0000 Subject: [PATCH] HID: apple: avoid setting up battery timer for devices without battery Currently, the battery timer is set up for all devices using hid-apple, irrespective of whether they actually have a battery or not. APPLE_RDESC_BATTERY is a quirk that indicates the device has a battery and needs the battery timer. This patch checks for this quirk before setting up the timer, ensuring that only devices with a battery will have the timer set up. Fixes: 6e143293e17a ("HID: apple: Report Magic Keyboard battery over USB") Cc: stable(a)vger.kernel.org Signed-off-by: Aditya Garg <gargaditya08(a)live.com> Signed-off-by: Jiri Kosina <jkosina(a)suse.com> diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c index 0639b1f43d88..8ab15a8f3524 100644 --- a/drivers/hid/hid-apple.c +++ b/drivers/hid/hid-apple.c @@ -933,10 +933,12 @@ static int apple_probe(struct hid_device *hdev, return ret; } - timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0); - mod_timer(&asc->battery_timer, - jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS)); - apple_fetch_battery(hdev); + if (quirks & APPLE_RDESC_BATTERY) { + timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0); + mod_timer(&asc->battery_timer, + jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS)); + apple_fetch_battery(hdev); + } if (quirks & APPLE_BACKLIGHT_CTL) apple_backlight_init(hdev); @@ -950,7 +952,9 @@ static int apple_probe(struct hid_device *hdev, return 0; out_err: - timer_delete_sync(&asc->battery_timer); + if (quirks & APPLE_RDESC_BATTERY) + timer_delete_sync(&asc->battery_timer); + hid_hw_stop(hdev); return ret; } @@ -959,7 +963,8 @@ static void apple_remove(struct hid_device *hdev) { struct apple_sc *asc = hid_get_drvdata(hdev); - timer_delete_sync(&asc->battery_timer); + if (asc->quirks & APPLE_RDESC_BATTERY) + timer_delete_sync(&asc->battery_timer); hid_hw_stop(hdev); }

1 month, 1 week

2
1
0 0

[PATCH v1] ufs: host: mediatek: Fix out-of-bounds access in MCQ IRQ mapping

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> This patch addresses a potential out-of-bounds access issue when accessing 'host->mcq_intr_info[q_index]'. The value of 'q_index' might exceed the valid array bounds if 'q_index == nr'. The condition is corrected to 'q_index >= nr' to prevent accessing invalid memory. Fixes: 66e26a4b8a77 ("scsi: ufs: host: mediatek: Set IRQ affinity policy for MCQ mode") Cc: <stable(a)vger.kernel.org> Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/host/ufs-mediatek.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ufs/host/ufs-mediatek.c b/drivers/ufs/host/ufs-mediatek.c index 86ae73b89d4d..f902ce08c95a 100644 --- a/drivers/ufs/host/ufs-mediatek.c +++ b/drivers/ufs/host/ufs-mediatek.c @@ -818,7 +818,7 @@ static u32 ufs_mtk_mcq_get_irq(struct ufs_hba *hba, unsigned int cpu) unsigned int q_index; q_index = map->mq_map[cpu]; - if (q_index > nr) { + if (q_index >= nr) { dev_err(hba->dev, "hwq index %d exceed %d\n", q_index, nr); return MTK_MCQ_INVALID_IRQ; -- 2.45.2

1 month, 1 week

2
2
0 0

We are interested in purchasing your products

by PERDIS SUPER U

-- Hi, PERDIS SUPER U is a leading retail group in France with numerous outlets across the country. After reviewing your company profile and products, we’re very interested in establishing a long-term partnership. Kindly share your product catalog or website so we can review your offerings and pricing. We are ready to place orders and begin cooperation.Please note: Our payment terms are SWIFT, 14 days after delivery. Looking forward to your response. Best regards, Dominique Schelcher Director, PERDIS SUPER U RUE DE SAVOIE, 45600 SAINT-PÈRE-SUR-LOIRE VAT: FR65380071464 www.magasins-u.com

1 month, 1 week

1
0
0 0

Re: [PATCH] ACPI: EC: Relax sanity check of the ECDT ID string

by Ilya K

On 2025-08-12 16:32, Rafael J. Wysocki wrote: > > Applied as 6.17-rc material and sorry for the delay (I was offline). > > Thanks! Thanks! Tagging stable@ so we're hopefully in time for 6.16.1.

1 month, 1 week

4
8
0 0

[PATCH 5.4 0/6] Fix build due to clang -Qunused-arguments change

by Nathan Chancellor

This is an updated version of [1], just for 5.4, which was waiting on commit 87c4e1459e80 ("ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS") to avoid regressing the build [2]. These changes are needed there due to an upstream LLVM change [3] that changes the behavior of -Qunused-arguments with unknown target options, which is only used in 6.1 and older since I removed it in commit 8d9acfce3332 ("kbuild: Stop using '-Qunused-arguments' with clang") in 6.3. Please let me know if there are any issues. [1]: https://lore.kernel.org/20250604233141.GA2374479@ax162/ [2]: https://lore.kernel.org/CACo-S-1qbCX4WAVFA63dWfHtrRHZBTyyr2js8Lx=Az03XHTTHg… [3]: https://github.com/llvm/llvm-project/commit/a4b2f4a72aa9b4655ecc723838830e0… Masahiro Yamada (1): kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS Nathan Chancellor (4): ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation kbuild: Add CLANG_FLAGS to as-instr kbuild: Add KBUILD_CPPFLAGS to as-option invocation Nick Desaulniers (1): kbuild: Update assembler calls to use proper flags and language target Makefile | 3 +-- arch/arm/Makefile | 2 +- arch/mips/Makefile | 2 +- scripts/Kbuild.include | 8 ++++---- 4 files changed, 7 insertions(+), 8 deletions(-) base-commit: 04b7726c3cdd2fb4da040c2b898bcf405ed607bd -- 2.50.1

1 month, 1 week

2
14
0 0

[REGRESSION] stable-rc/linux-5.15.y: (build) implicit declaration of function 'guest_cpu_cap_has' [-Werror,-Wim...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.15.y: --- implicit declaration of function 'guest_cpu_cap_has' [-Werror,-Wimplicit-function-declaration] in arch/x86/kvm/vmx/vmx.o (arch/x86/kvm/vmx/vmx.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:ffd38b22f4d3da011e2d8142fcd9b848083d18fb - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 62f5d931273c281f86db2d54bfa496b2a2b400cc Log excerpt: ===================================================== arch/x86/kvm/vmx/vmx.c:2022:25: error: implicit declaration of function 'guest_cpu_cap_has' [-Werror,-Wimplicit-function-declaration] 2022 | (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM))) | ^ arch/x86/kvm/vmx/vmx.c:2022:25: note: did you mean 'guest_cpuid_has'? ./arch/x86/kvm/cpuid.h:84:29: note: 'guest_cpuid_has' declared here 84 | static __always_inline bool guest_cpuid_has(struct kvm_vcpu *vcpu, | ^ arch/x86/kvm/vmx/vmx.c:2022:7: error: use of undeclared identifier 'host_initiated' 2022 | (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM))) | ^ 2 errors generated. ===================================================== # Builds where the incident occurred: ## i386_defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (i386): - compiler: clang-17 - dashboard: https://d.kernelci.org/build/maestro:689b7884233e484a3f8f254e #kernelci issue maestro:ffd38b22f4d3da011e2d8142fcd9b848083d18fb Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

1 month, 1 week

1
0
0 0

[PATCH net v2] net: usbnet: Fix the wrong netif_carrier_on() call placement

by Ammar Faizi

The commit in the Fixes tag breaks my laptop (found by git bisect). My home RJ45 LAN cable cannot connect after that commit. The call to netif_carrier_on() should be done when netif_carrier_ok() is false. Not when it's true. Because calling netif_carrier_on() when __LINK_STATE_NOCARRIER is not set actually does nothing. Cc: Armando Budianto <sprite(a)gnuweeb.org> Cc: stable(a)vger.kernel.org Closes: https://lore.kernel.org/netdev/0752dee6-43d6-4e1f-81d2-4248142cccd2@gnuweeb… Fixes: 0d9cfc9b8cb1 ("net: usbnet: Avoid potential RCU stall on LINK_CHANGE event") Signed-off-by: Ammar Faizi <ammarfaizi2(a)gnuweeb.org> --- v2: - Rebase on top of the latest netdev/net tree. The previous patch was based on 0d9cfc9b8cb1. Line numbers have changed since then. drivers/net/usb/usbnet.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index a38ffbf4b3f0..a1827684b92c 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1114,31 +1114,31 @@ static const struct ethtool_ops usbnet_ethtool_ops = { }; /*-------------------------------------------------------------------------*/ static void __handle_link_change(struct usbnet *dev) { if (!test_bit(EVENT_DEV_OPEN, &dev->flags)) return; if (!netif_carrier_ok(dev->net)) { + if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags)) + netif_carrier_on(dev->net); + /* kill URBs for reading packets to save bus bandwidth */ unlink_urbs(dev, &dev->rxq); /* * tx_timeout will unlink URBs for sending packets and * tx queue is stopped by netcore after link becomes off */ } else { - if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags)) - netif_carrier_on(dev->net); - /* submitting URBs for reading packets */ queue_work(system_bh_wq, &dev->bh_work); } /* hard_mtu or rx_urb_size may change during link change */ usbnet_update_max_qlen(dev); clear_bit(EVENT_LINK_CHANGE, &dev->flags); } -- Ammar Faizi

1 month, 1 week

5
12
0 0

[PATCH] rust: kbuild: clean output before running `rustdoc`

by Miguel Ojeda

`rustdoc` can get confused when generating documentation into a folder that contains generated files from other `rustdoc` versions. For instance, running something like: rustup default 1.78.0 make LLVM=1 rustdoc rustup default 1.88.0 make LLVM=1 rustdoc may generate errors like: error: couldn't generate documentation: invalid template: last line expected to start with a comment | = note: failed to create or modify "./Documentation/output/rust/rustdoc/src-files.js" Thus just always clean the output folder before generating the documentation -- we are anyway regenerating it every time the `rustdoc` target gets called, at least for the time being. Cc: stable(a)vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs). Reported-by: Daniel Almeida <daniel.almeida(a)collabora.com> Closes: https://rust-for-linux.zulipchat.com/#narrow/channel/288089/topic/x/near/52… Signed-off-by: Miguel Ojeda <ojeda(a)kernel.org> --- rust/Makefile | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/rust/Makefile b/rust/Makefile index 115b63b7d1e3..771246bc7ae6 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -103,14 +103,14 @@ rustdoc: rustdoc-core rustdoc-macros rustdoc-compiler_builtins \ rustdoc-macros: private rustdoc_host = yes rustdoc-macros: private rustc_target_flags = --crate-type proc-macro \ --extern proc_macro -rustdoc-macros: $(src)/macros/lib.rs FORCE +rustdoc-macros: $(src)/macros/lib.rs rustdoc-clean FORCE +$(call if_changed,rustdoc) # Starting with Rust 1.82.0, skipping `-Wrustdoc::unescaped_backticks` should # not be needed -- see https://github.com/rust-lang/rust/pull/128307. rustdoc-core: private skip_flags = --edition=2021 -Wrustdoc::unescaped_backticks rustdoc-core: private rustc_target_flags = --edition=$(core-edition) $(core-cfgs) -rustdoc-core: $(RUST_LIB_SRC)/core/src/lib.rs FORCE +rustdoc-core: $(RUST_LIB_SRC)/core/src/lib.rs rustdoc-clean FORCE +$(call if_changed,rustdoc) rustdoc-compiler_builtins: $(src)/compiler_builtins.rs rustdoc-core FORCE @@ -122,7 +122,8 @@ rustdoc-ffi: $(src)/ffi.rs rustdoc-core FORCE rustdoc-pin_init_internal: private rustdoc_host = yes rustdoc-pin_init_internal: private rustc_target_flags = --cfg kernel \ --extern proc_macro --crate-type proc-macro -rustdoc-pin_init_internal: $(src)/pin-init/internal/src/lib.rs FORCE +rustdoc-pin_init_internal: $(src)/pin-init/internal/src/lib.rs \ + rustdoc-clean FORCE +$(call if_changed,rustdoc) rustdoc-pin_init: private rustdoc_host = yes @@ -140,6 +141,9 @@ rustdoc-kernel: $(src)/kernel/lib.rs rustdoc-core rustdoc-ffi rustdoc-macros \ $(obj)/bindings.o FORCE +$(call if_changed,rustdoc) +rustdoc-clean: FORCE + $(Q)rm -rf $(rustdoc_output) + quiet_cmd_rustc_test_library = $(RUSTC_OR_CLIPPY_QUIET) TL $< cmd_rustc_test_library = \ OBJTREE=$(abspath $(objtree)) \ base-commit: 89be9a83ccf1f88522317ce02f854f30d6115c41 -- 2.50.1

1 month, 1 week

3
2
0 0

FAILED: patch "[PATCH] HID: core: Harden s32ton() against conversion to 0 bits" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081232-clear-humility-0629@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd Mon Sep 17 00:00:00 2001 From: Alan Stern <stern(a)rowland.harvard.edu> Date: Wed, 23 Jul 2025 10:37:04 -0400 Subject: [PATCH] HID: core: Harden s32ton() against conversion to 0 bits Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report field with size set to zero; we shouldn't reject the report or the device just because of that. Instead, harden the s32ton() routine so that it returns a reasonable result instead of crashing when it is called with the number of bits set to 0 -- the same as what snto32() does. Signed-off-by: Alan Stern <stern(a)rowland.harvard.edu> Reported-by: syzbot+b63d677d63bcac06cf90(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.… Tested-by: syzbot+b63d677d63bcac06cf90(a)syzkaller.appspotmail.com Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harva… Signed-off-by: Benjamin Tissoires <bentiss(a)kernel.org> diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index ef1f79951d9b..f7d4efcae603 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -66,8 +66,12 @@ static s32 snto32(__u32 value, unsigned int n) static u32 s32ton(__s32 value, unsigned int n) { - s32 a = value >> (n - 1); + s32 a; + if (!value || !n) + return 0; + + a = value >> (n - 1); if (a && a != -1) return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1; return value & ((1 << n) - 1);

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] smb: server: Fix extension string in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 8e7d178d06e8937454b6d2f2811fa6a15656a214 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081251-slang-colony-6d23@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8e7d178d06e8937454b6d2f2811fa6a15656a214 Mon Sep 17 00:00:00 2001 From: Thorsten Blum <thorsten.blum(a)linux.dev> Date: Wed, 6 Aug 2025 03:03:49 +0200 Subject: [PATCH] smb: server: Fix extension string in ksmbd_extract_shortname() In ksmbd_extract_shortname(), strscpy() is incorrectly called with the length of the source string (excluding the NUL terminator) rather than the size of the destination buffer. This results in "__" being copied to 'extension' rather than "___" (two underscores instead of three). Use the destination buffer size instead to ensure that the string "___" (three underscores) is copied correctly. Cc: stable(a)vger.kernel.org Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index 425c756bcfb8..b23203a1c286 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -515,7 +515,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname, p = strrchr(longname, '.'); if (p == longname) { /*name starts with a dot*/ - strscpy(extension, "___", strlen("___")); + strscpy(extension, "___", sizeof(extension)); } else { if (p) { p++;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] smb: server: Fix extension string in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 8e7d178d06e8937454b6d2f2811fa6a15656a214 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081249-afar-gesture-7178@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8e7d178d06e8937454b6d2f2811fa6a15656a214 Mon Sep 17 00:00:00 2001 From: Thorsten Blum <thorsten.blum(a)linux.dev> Date: Wed, 6 Aug 2025 03:03:49 +0200 Subject: [PATCH] smb: server: Fix extension string in ksmbd_extract_shortname() In ksmbd_extract_shortname(), strscpy() is incorrectly called with the length of the source string (excluding the NUL terminator) rather than the size of the destination buffer. This results in "__" being copied to 'extension' rather than "___" (two underscores instead of three). Use the destination buffer size instead to ensure that the string "___" (three underscores) is copied correctly. Cc: stable(a)vger.kernel.org Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index 425c756bcfb8..b23203a1c286 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -515,7 +515,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname, p = strrchr(longname, '.'); if (p == longname) { /*name starts with a dot*/ - strscpy(extension, "___", strlen("___")); + strscpy(extension, "___", sizeof(extension)); } else { if (p) { p++;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] smb: server: Fix extension string in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 8e7d178d06e8937454b6d2f2811fa6a15656a214 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081246-wasting-private-5dd8@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8e7d178d06e8937454b6d2f2811fa6a15656a214 Mon Sep 17 00:00:00 2001 From: Thorsten Blum <thorsten.blum(a)linux.dev> Date: Wed, 6 Aug 2025 03:03:49 +0200 Subject: [PATCH] smb: server: Fix extension string in ksmbd_extract_shortname() In ksmbd_extract_shortname(), strscpy() is incorrectly called with the length of the source string (excluding the NUL terminator) rather than the size of the destination buffer. This results in "__" being copied to 'extension' rather than "___" (two underscores instead of three). Use the destination buffer size instead to ensure that the string "___" (three underscores) is copied correctly. Cc: stable(a)vger.kernel.org Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index 425c756bcfb8..b23203a1c286 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -515,7 +515,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname, p = strrchr(longname, '.'); if (p == longname) { /*name starts with a dot*/ - strscpy(extension, "___", strlen("___")); + strscpy(extension, "___", sizeof(extension)); } else { if (p) { p++;

1 month, 1 week

2
1
0 0

[REGRESSION] stable-rc/linux-5.15.y: (build) ‘host_initiated’ undeclared (first use in this function) in arch/x...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.15.y: --- ‘host_initiated’ undeclared (first use in this function) in arch/x86/kvm/vmx/vmx.o (arch/x86/kvm/vmx/vmx.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:f3f2b1eabef22152c0bfbd86fe01d397c2c3478a - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 62f5d931273c281f86db2d54bfa496b2a2b400cc Log excerpt: ===================================================== arch/x86/kvm/vmx/vmx.c:2022:14: error: ‘host_initiated’ undeclared (first use in this function) 2022 | (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM))) | ^~~~~~~~~~~~~~ arch/x86/kvm/vmx/vmx.c:2022:14: note: each undeclared identifier is reported only once for each function it appears in arch/x86/kvm/vmx/vmx.c:2022:32: error: implicit declaration of function ‘guest_cpu_cap_has’; did you mean ‘guest_cpuid_has’? [-Werror=implicit-function-declaration] 2022 | (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM))) | ^~~~~~~~~~~~~~~~~ | guest_cpuid_has CC fs/kernfs/dir.o CC mm/msync.o CC security/landlock/fs.o CC arch/x86/kernel/cpu/perfctr-watchdog.o CC block/blk-mq-cpumap.o CC kernel/time/timekeeping.o cc1: all warnings being treated as errors ===================================================== # Builds where the incident occurred: ## cros://chromeos-5.15/x86_64/chromeos-intel-pineview.flavour.config+lab-setup+x86-board+CONFIG_MODULE_COMPRESS=n+CONFIG_MODULE_COMPRESS_NONE=y on (x86_64): - compiler: gcc-12 - dashboard: https://d.kernelci.org/build/maestro:689b7814233e484a3f8f20f4 #kernelci issue maestro:f3f2b1eabef22152c0bfbd86fe01d397c2c3478a Reported-by: kernelci.org bot <bot(a)kernelci.org> -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] smb: server: Fix extension string in" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 8e7d178d06e8937454b6d2f2811fa6a15656a214 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081244-octagon-curve-7925@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8e7d178d06e8937454b6d2f2811fa6a15656a214 Mon Sep 17 00:00:00 2001 From: Thorsten Blum <thorsten.blum(a)linux.dev> Date: Wed, 6 Aug 2025 03:03:49 +0200 Subject: [PATCH] smb: server: Fix extension string in ksmbd_extract_shortname() In ksmbd_extract_shortname(), strscpy() is incorrectly called with the length of the source string (excluding the NUL terminator) rather than the size of the destination buffer. This results in "__" being copied to 'extension' rather than "___" (two underscores instead of three). Use the destination buffer size instead to ensure that the string "___" (three underscores) is copied correctly. Cc: stable(a)vger.kernel.org Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index 425c756bcfb8..b23203a1c286 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -515,7 +515,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname, p = strrchr(longname, '.'); if (p == longname) { /*name starts with a dot*/ - strscpy(extension, "___", strlen("___")); + strscpy(extension, "___", sizeof(extension)); } else { if (p) { p++;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] smb: server: Fix extension string in" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 8e7d178d06e8937454b6d2f2811fa6a15656a214 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081241-bobsled-broiling-d341@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8e7d178d06e8937454b6d2f2811fa6a15656a214 Mon Sep 17 00:00:00 2001 From: Thorsten Blum <thorsten.blum(a)linux.dev> Date: Wed, 6 Aug 2025 03:03:49 +0200 Subject: [PATCH] smb: server: Fix extension string in ksmbd_extract_shortname() In ksmbd_extract_shortname(), strscpy() is incorrectly called with the length of the source string (excluding the NUL terminator) rather than the size of the destination buffer. This results in "__" being copied to 'extension' rather than "___" (two underscores instead of three). Use the destination buffer size instead to ensure that the string "___" (three underscores) is copied correctly. Cc: stable(a)vger.kernel.org Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index 425c756bcfb8..b23203a1c286 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -515,7 +515,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname, p = strrchr(longname, '.'); if (p == longname) { /*name starts with a dot*/ - strscpy(extension, "___", strlen("___")); + strscpy(extension, "___", sizeof(extension)); } else { if (p) { p++;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] smb: server: Fix extension string in" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 8e7d178d06e8937454b6d2f2811fa6a15656a214 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081238-unnamed-nappy-9be5@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8e7d178d06e8937454b6d2f2811fa6a15656a214 Mon Sep 17 00:00:00 2001 From: Thorsten Blum <thorsten.blum(a)linux.dev> Date: Wed, 6 Aug 2025 03:03:49 +0200 Subject: [PATCH] smb: server: Fix extension string in ksmbd_extract_shortname() In ksmbd_extract_shortname(), strscpy() is incorrectly called with the length of the source string (excluding the NUL terminator) rather than the size of the destination buffer. This results in "__" being copied to 'extension' rather than "___" (two underscores instead of three). Use the destination buffer size instead to ensure that the string "___" (three underscores) is copied correctly. Cc: stable(a)vger.kernel.org Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index 425c756bcfb8..b23203a1c286 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -515,7 +515,7 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, const char *longname, p = strrchr(longname, '.'); if (p == longname) { /*name starts with a dot*/ - strscpy(extension, "___", strlen("___")); + strscpy(extension, "___", sizeof(extension)); } else { if (p) { p++;

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] smb: client: fix netns refcount leak after net_passive" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 59b33fab4ca4d7dacc03367082777627e05d0323 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081245-premises-spoiler-440c@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59b33fab4ca4d7dacc03367082777627e05d0323 Mon Sep 17 00:00:00 2001 From: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Date: Thu, 17 Jul 2025 21:29:26 +0800 Subject: [PATCH] smb: client: fix netns refcount leak after net_passive changes After commit 5c70eb5c593d ("net: better track kernel sockets lifetime"), kernel sockets now use net_passive reference counting. However, commit 95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"") restored the manual socket refcount manipulation without adapting to this new mechanism, causing a memory leak. The issue can be reproduced by[1]: 1. Creating a network namespace 2. Mounting and Unmounting CIFS within the namespace 3. Deleting the namespace Some memory leaks may appear after a period of time following step 3. unreferenced object 0xffff9951419f6b00 (size 256): comm "ip", pid 447, jiffies 4294692389 (age 14.730s) hex dump (first 32 bytes): 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 80 77 c2 44 51 99 ff ff .........w.DQ... backtrace: __kmem_cache_alloc_node+0x30e/0x3d0 __kmalloc+0x52/0x120 net_alloc_generic+0x1d/0x30 copy_net_ns+0x86/0x200 create_new_namespaces+0x117/0x300 unshare_nsproxy_namespaces+0x60/0xa0 ksys_unshare+0x148/0x360 __x64_sys_unshare+0x12/0x20 do_syscall_64+0x59/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 ... unreferenced object 0xffff9951442e7500 (size 32): comm "mount.cifs", pid 475, jiffies 4294693782 (age 13.343s) hex dump (first 32 bytes): 40 c5 38 46 51 99 ff ff 18 01 96 42 51 99 ff ff @.8FQ......BQ... 01 00 00 00 6f 00 c5 07 6f 00 d8 07 00 00 00 00 ....o...o....... backtrace: __kmem_cache_alloc_node+0x30e/0x3d0 kmalloc_trace+0x2a/0x90 ref_tracker_alloc+0x8e/0x1d0 sk_alloc+0x18c/0x1c0 inet_create+0xf1/0x370 __sock_create+0xd7/0x1e0 generic_ip_connect+0x1d4/0x5a0 [cifs] cifs_get_tcp_session+0x5d0/0x8a0 [cifs] cifs_mount_get_session+0x47/0x1b0 [cifs] dfs_mount_share+0xfa/0xa10 [cifs] cifs_mount+0x68/0x2b0 [cifs] cifs_smb3_do_mount+0x10b/0x760 [cifs] smb3_get_tree+0x112/0x2e0 [cifs] vfs_get_tree+0x29/0xf0 path_mount+0x2d4/0xa00 __se_sys_mount+0x165/0x1d0 Root cause: When creating kernel sockets, sk_alloc() calls net_passive_inc() for sockets with sk_net_refcnt=0. The CIFS code manually converts kernel sockets to user sockets by setting sk_net_refcnt=1, but doesn't call the corresponding net_passive_dec(). This creates an imbalance in the net_passive counter, which prevents the network namespace from being destroyed when its last user reference is dropped. As a result, the entire namespace and all its associated resources remain allocated. Timeline of patches leading to this issue: - commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") in v6.12 fixed the original netns UAF by manually managing socket refcounts - commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") in v6.13 attempted to use kernel sockets but introduced TCP timer issues - commit 5c70eb5c593d ("net: better track kernel sockets lifetime") in v6.14-rc5 introduced the net_passive mechanism with sk_net_refcnt_upgrade() for proper socket conversion - commit 95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"") in v6.15-rc3 reverted to manual refcount management without adapting to the new net_passive changes Fix this by using sk_net_refcnt_upgrade() which properly handles the net_passive counter when converting kernel sockets to user sockets. Link: https://bugzilla.kernel.org/show_bug.cgi?id=220343 [1] Fixes: 95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"") Cc: stable(a)vger.kernel.org Reviewed-by: Kuniyuki Iwashima <kuniyu(a)google.com> Reviewed-by: Enzo Matsumiya <ematsumiya(a)suse.de> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 205f547ca49e..5eec8957f2a9 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -3362,18 +3362,15 @@ generic_ip_connect(struct TCP_Server_Info *server) struct net *net = cifs_net_ns(server); struct sock *sk; - rc = __sock_create(net, sfamily, SOCK_STREAM, - IPPROTO_TCP, &server->ssocket, 1); + rc = sock_create_kern(net, sfamily, SOCK_STREAM, + IPPROTO_TCP, &server->ssocket); if (rc < 0) { cifs_server_dbg(VFS, "Error %d creating socket\n", rc); return rc; } sk = server->ssocket->sk; - __netns_tracker_free(net, &sk->ns_tracker, false); - sk->sk_net_refcnt = 1; - get_net_track(net, &sk->ns_tracker, GFP_KERNEL); - sock_inuse_add(net, 1); + sk_net_refcnt_upgrade(sk); /* BB other socket options to set KEEPALIVE, NODELAY? */ cifs_dbg(FYI, "Socket created\n");

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] smb: client: fix netns refcount leak after net_passive" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 59b33fab4ca4d7dacc03367082777627e05d0323 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081230-dentist-cautious-7bb4@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 59b33fab4ca4d7dacc03367082777627e05d0323 Mon Sep 17 00:00:00 2001 From: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Date: Thu, 17 Jul 2025 21:29:26 +0800 Subject: [PATCH] smb: client: fix netns refcount leak after net_passive changes After commit 5c70eb5c593d ("net: better track kernel sockets lifetime"), kernel sockets now use net_passive reference counting. However, commit 95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"") restored the manual socket refcount manipulation without adapting to this new mechanism, causing a memory leak. The issue can be reproduced by[1]: 1. Creating a network namespace 2. Mounting and Unmounting CIFS within the namespace 3. Deleting the namespace Some memory leaks may appear after a period of time following step 3. unreferenced object 0xffff9951419f6b00 (size 256): comm "ip", pid 447, jiffies 4294692389 (age 14.730s) hex dump (first 32 bytes): 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 80 77 c2 44 51 99 ff ff .........w.DQ... backtrace: __kmem_cache_alloc_node+0x30e/0x3d0 __kmalloc+0x52/0x120 net_alloc_generic+0x1d/0x30 copy_net_ns+0x86/0x200 create_new_namespaces+0x117/0x300 unshare_nsproxy_namespaces+0x60/0xa0 ksys_unshare+0x148/0x360 __x64_sys_unshare+0x12/0x20 do_syscall_64+0x59/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 ... unreferenced object 0xffff9951442e7500 (size 32): comm "mount.cifs", pid 475, jiffies 4294693782 (age 13.343s) hex dump (first 32 bytes): 40 c5 38 46 51 99 ff ff 18 01 96 42 51 99 ff ff @.8FQ......BQ... 01 00 00 00 6f 00 c5 07 6f 00 d8 07 00 00 00 00 ....o...o....... backtrace: __kmem_cache_alloc_node+0x30e/0x3d0 kmalloc_trace+0x2a/0x90 ref_tracker_alloc+0x8e/0x1d0 sk_alloc+0x18c/0x1c0 inet_create+0xf1/0x370 __sock_create+0xd7/0x1e0 generic_ip_connect+0x1d4/0x5a0 [cifs] cifs_get_tcp_session+0x5d0/0x8a0 [cifs] cifs_mount_get_session+0x47/0x1b0 [cifs] dfs_mount_share+0xfa/0xa10 [cifs] cifs_mount+0x68/0x2b0 [cifs] cifs_smb3_do_mount+0x10b/0x760 [cifs] smb3_get_tree+0x112/0x2e0 [cifs] vfs_get_tree+0x29/0xf0 path_mount+0x2d4/0xa00 __se_sys_mount+0x165/0x1d0 Root cause: When creating kernel sockets, sk_alloc() calls net_passive_inc() for sockets with sk_net_refcnt=0. The CIFS code manually converts kernel sockets to user sockets by setting sk_net_refcnt=1, but doesn't call the corresponding net_passive_dec(). This creates an imbalance in the net_passive counter, which prevents the network namespace from being destroyed when its last user reference is dropped. As a result, the entire namespace and all its associated resources remain allocated. Timeline of patches leading to this issue: - commit ef7134c7fc48 ("smb: client: Fix use-after-free of network namespace.") in v6.12 fixed the original netns UAF by manually managing socket refcounts - commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") in v6.13 attempted to use kernel sockets but introduced TCP timer issues - commit 5c70eb5c593d ("net: better track kernel sockets lifetime") in v6.14-rc5 introduced the net_passive mechanism with sk_net_refcnt_upgrade() for proper socket conversion - commit 95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"") in v6.15-rc3 reverted to manual refcount management without adapting to the new net_passive changes Fix this by using sk_net_refcnt_upgrade() which properly handles the net_passive counter when converting kernel sockets to user sockets. Link: https://bugzilla.kernel.org/show_bug.cgi?id=220343 [1] Fixes: 95d2b9f693ff ("Revert "smb: client: fix TCP timers deadlock after rmmod"") Cc: stable(a)vger.kernel.org Reviewed-by: Kuniyuki Iwashima <kuniyu(a)google.com> Reviewed-by: Enzo Matsumiya <ematsumiya(a)suse.de> Signed-off-by: Wang Zhaolong <wangzhaolong(a)huaweicloud.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 205f547ca49e..5eec8957f2a9 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -3362,18 +3362,15 @@ generic_ip_connect(struct TCP_Server_Info *server) struct net *net = cifs_net_ns(server); struct sock *sk; - rc = __sock_create(net, sfamily, SOCK_STREAM, - IPPROTO_TCP, &server->ssocket, 1); + rc = sock_create_kern(net, sfamily, SOCK_STREAM, + IPPROTO_TCP, &server->ssocket); if (rc < 0) { cifs_server_dbg(VFS, "Error %d creating socket\n", rc); return rc; } sk = server->ssocket->sk; - __netns_tracker_free(net, &sk->ns_tracker, false); - sk->sk_net_refcnt = 1; - get_net_track(net, &sk->ns_tracker, GFP_KERNEL); - sock_inuse_add(net, 1); + sk_net_refcnt_upgrade(sk); /* BB other socket options to set KEEPALIVE, NODELAY? */ cifs_dbg(FYI, "Socket created\n");

1 month, 1 week

2
3
0 0

[PATCH 0/4] drm/tidss: Fixes data edge sampling

by Louis Chauvet

Currently the driver only configure the data edge sampling partially. The AM62 require it to be configured in two distincts registers: one in tidss and one in the general device registers. Introduce a new dt property to link the proper syscon node from the main device registers into the tidss driver. Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem") --- Cc: stable(a)vger.kernel.org Signed-off-by: Louis Chauvet <louis.chauvet(a)bootlin.com> --- Louis Chauvet (4): dt-bindings: display: ti,am65x-dss: Add clk property for data edge synchronization dt-bindings: mfd: syscon: Add ti,am625-dss-clk-ctrl arm64: dts: ti: k3-am62-main: Add tidss clk-ctrl property drm/tidss: Fix sampling edge configuration .../devicetree/bindings/display/ti/ti,am65x-dss.yaml | 6 ++++++ Documentation/devicetree/bindings/mfd/syscon.yaml | 3 ++- arch/arm64/boot/dts/ti/k3-am62-main.dtsi | 6 ++++++ drivers/gpu/drm/tidss/tidss_dispc.c | 14 ++++++++++++++ 4 files changed, 28 insertions(+), 1 deletion(-) --- base-commit: 85c23f28905cf20a86ceec3cfd7a0a5572c9eb13 change-id: 20250730-fix-edge-handling-9123f7438910 Best regards, -- Louis Chauvet <louis.chauvet(a)bootlin.com>

1 month, 1 week

6
21
0 0

FAILED: patch "[PATCH] mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got" failed to apply to 6.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.15.y git checkout FETCH_HEAD git cherry-pick -x 9bbffee67ffd16360179327b57f3b1245579ef08 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081243-dense-paragraph-ed33@gregkh' --subject-prefix 'PATCH 6.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9bbffee67ffd16360179327b57f3b1245579ef08 Mon Sep 17 00:00:00 2001 From: Suren Baghdasaryan <surenb(a)google.com> Date: Mon, 28 Jul 2025 10:53:55 -0700 Subject: [PATCH] mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped By inducing delays in the right places, Jann Horn created a reproducer for a hard to hit UAF issue that became possible after VMAs were allowed to be recycled by adding SLAB_TYPESAFE_BY_RCU to their cache. Race description is borrowed from Jann's discovery report: lock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under rcu_read_lock(). At that point, the VMA may be concurrently freed, and it can be recycled by another process. vma_start_read() then increments the vma->vm_refcnt (if it is in an acceptable range), and if this succeeds, vma_start_read() can return a recycled VMA. In this scenario where the VMA has been recycled, lock_vma_under_rcu() will then detect the mismatching ->vm_mm pointer and drop the VMA through vma_end_read(), which calls vma_refcount_put(). vma_refcount_put() drops the refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm. This is wrong: It implicitly assumes that the caller is keeping the VMA's mm alive, but in this scenario the caller has no relation to the VMA's mm, so the rcuwait_wake_up() can cause UAF. The diagram depicting the race: T1 T2 T3 == == == lock_vma_under_rcu mas_walk <VMA gets removed from mm> mmap <the same VMA is reallocated> vma_start_read __refcount_inc_not_zero_limited_acquire munmap __vma_enter_locked refcount_add_not_zero vma_end_read vma_refcount_put __refcount_dec_and_test rcuwait_wait_event <finish operation> rcuwait_wake_up [UAF] Note that rcuwait_wait_event() in T3 does not block because refcount was already dropped by T1. At this point T3 can exit and free the mm causing UAF in T1. To avoid this we move vma->vm_mm verification into vma_start_read() and grab vma->vm_mm to stabilize it before vma_refcount_put() operation. [surenb(a)google.com: v3] Link: https://lkml.kernel.org/r/20250729145709.2731370-1-surenb@google.com Link: https://lkml.kernel.org/r/20250728175355.2282375-1-surenb@google.com Fixes: 3104138517fc ("mm: make vma cache SLAB_TYPESAFE_BY_RCU") Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Reported-by: Jann Horn <jannh(a)google.com> Closes: https://lore.kernel.org/all/CAG48ez0-deFbVH=E3jbkWx=X3uVbd8nWeo6kbJPQ0KoUD+… Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Acked-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jann Horn <jannh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h index 1f4f44951abe..11a078de9150 100644 --- a/include/linux/mmap_lock.h +++ b/include/linux/mmap_lock.h @@ -12,6 +12,7 @@ extern int rcuwait_wake_up(struct rcuwait *w); #include <linux/tracepoint-defs.h> #include <linux/types.h> #include <linux/cleanup.h> +#include <linux/sched/mm.h> #define MMAP_LOCK_INITIALIZER(name) \ .mmap_lock = __RWSEM_INITIALIZER((name).mmap_lock), @@ -154,6 +155,10 @@ static inline void vma_refcount_put(struct vm_area_struct *vma) * reused and attached to a different mm before we lock it. * Returns the vma on success, NULL on failure to lock and EAGAIN if vma got * detached. + * + * WARNING! The vma passed to this function cannot be used if the function + * fails to lock it because in certain cases RCU lock is dropped and then + * reacquired. Once RCU lock is dropped the vma can be concurently freed. */ static inline struct vm_area_struct *vma_start_read(struct mm_struct *mm, struct vm_area_struct *vma) @@ -183,6 +188,31 @@ static inline struct vm_area_struct *vma_start_read(struct mm_struct *mm, } rwsem_acquire_read(&vma->vmlock_dep_map, 0, 1, _RET_IP_); + + /* + * If vma got attached to another mm from under us, that mm is not + * stable and can be freed in the narrow window after vma->vm_refcnt + * is dropped and before rcuwait_wake_up(mm) is called. Grab it before + * releasing vma->vm_refcnt. + */ + if (unlikely(vma->vm_mm != mm)) { + /* Use a copy of vm_mm in case vma is freed after we drop vm_refcnt */ + struct mm_struct *other_mm = vma->vm_mm; + + /* + * __mmdrop() is a heavy operation and we don't need RCU + * protection here. Release RCU lock during these operations. + * We reinstate the RCU read lock as the caller expects it to + * be held when this function returns even on error. + */ + rcu_read_unlock(); + mmgrab(other_mm); + vma_refcount_put(vma); + mmdrop(other_mm); + rcu_read_lock(); + return NULL; + } + /* * Overflow of vm_lock_seq/mm_lock_seq might produce false locked result. * False unlocked result is impossible because we modify and check diff --git a/mm/mmap_lock.c b/mm/mmap_lock.c index 729fb7d0dd59..b006cec8e6fe 100644 --- a/mm/mmap_lock.c +++ b/mm/mmap_lock.c @@ -164,8 +164,7 @@ struct vm_area_struct *lock_vma_under_rcu(struct mm_struct *mm, */ /* Check if the vma we locked is the right one. */ - if (unlikely(vma->vm_mm != mm || - address < vma->vm_start || address >= vma->vm_end)) + if (unlikely(address < vma->vm_start || address >= vma->vm_end)) goto inval_end_read; rcu_read_unlock(); @@ -236,11 +235,8 @@ struct vm_area_struct *lock_next_vma(struct mm_struct *mm, goto fallback; } - /* - * Verify the vma we locked belongs to the same address space and it's - * not behind of the last search position. - */ - if (unlikely(vma->vm_mm != mm || from_addr >= vma->vm_end)) + /* Verify the vma is not behind the last search position. */ + if (unlikely(from_addr >= vma->vm_end)) goto fallback_unlock; /*

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081208-scrubber-veggie-e1a5@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 Mon Sep 17 00:00:00 2001 From: Sean Christopherson <seanjc(a)google.com> Date: Tue, 10 Jun 2025 16:20:06 -0700 Subject: [PATCH] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported Let the guest set DEBUGCTL.RTM_DEBUG if RTM is supported according to the guest CPUID model, as debug support is supposed to be available if RTM is supported, and there are no known downsides to letting the guest debug RTM aborts. Note, there are no known bug reports related to RTM_DEBUG, the primary motivation is to reduce the probability of breaking existing guests when a future change adds a missing consistency check on vmcs12.GUEST_DEBUGCTL (KVM currently lets L2 run with whatever hardware supports; whoops). Note #2, KVM already emulates DR6.RTM, and doesn't restrict access to DR7.RTM. Fixes: 83c529151ab0 ("KVM: x86: expose Intel cpu new features (HLE, RTM) to guest") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250610232010.162191-5-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h index b7dded3c8113..fa878b136eba 100644 --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -419,6 +419,7 @@ #define DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI (1UL << 12) #define DEBUGCTLMSR_FREEZE_IN_SMM_BIT 14 #define DEBUGCTLMSR_FREEZE_IN_SMM (1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT) +#define DEBUGCTLMSR_RTM_DEBUG BIT(15) #define MSR_PEBS_FRONTEND 0x000003f7 diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 4ee6cc796855..311f6fa53b67 100644 --- a/arch/x86/kvm/vmx/vmx.c +++ b/arch/x86/kvm/vmx/vmx.c @@ -2186,6 +2186,10 @@ static u64 vmx_get_supported_debugctl(struct kvm_vcpu *vcpu, bool host_initiated (host_initiated || intel_pmu_lbr_is_enabled(vcpu))) debugctl |= DEBUGCTLMSR_LBR | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI; + if (boot_cpu_has(X86_FEATURE_RTM) && + (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM))) + debugctl |= DEBUGCTLMSR_RTM_DEBUG; + return debugctl; }

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 9bbffee67ffd16360179327b57f3b1245579ef08 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025081237-buffed-scuba-d3f3@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9bbffee67ffd16360179327b57f3b1245579ef08 Mon Sep 17 00:00:00 2001 From: Suren Baghdasaryan <surenb(a)google.com> Date: Mon, 28 Jul 2025 10:53:55 -0700 Subject: [PATCH] mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped By inducing delays in the right places, Jann Horn created a reproducer for a hard to hit UAF issue that became possible after VMAs were allowed to be recycled by adding SLAB_TYPESAFE_BY_RCU to their cache. Race description is borrowed from Jann's discovery report: lock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under rcu_read_lock(). At that point, the VMA may be concurrently freed, and it can be recycled by another process. vma_start_read() then increments the vma->vm_refcnt (if it is in an acceptable range), and if this succeeds, vma_start_read() can return a recycled VMA. In this scenario where the VMA has been recycled, lock_vma_under_rcu() will then detect the mismatching ->vm_mm pointer and drop the VMA through vma_end_read(), which calls vma_refcount_put(). vma_refcount_put() drops the refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm. This is wrong: It implicitly assumes that the caller is keeping the VMA's mm alive, but in this scenario the caller has no relation to the VMA's mm, so the rcuwait_wake_up() can cause UAF. The diagram depicting the race: T1 T2 T3 == == == lock_vma_under_rcu mas_walk <VMA gets removed from mm> mmap <the same VMA is reallocated> vma_start_read __refcount_inc_not_zero_limited_acquire munmap __vma_enter_locked refcount_add_not_zero vma_end_read vma_refcount_put __refcount_dec_and_test rcuwait_wait_event <finish operation> rcuwait_wake_up [UAF] Note that rcuwait_wait_event() in T3 does not block because refcount was already dropped by T1. At this point T3 can exit and free the mm causing UAF in T1. To avoid this we move vma->vm_mm verification into vma_start_read() and grab vma->vm_mm to stabilize it before vma_refcount_put() operation. [surenb(a)google.com: v3] Link: https://lkml.kernel.org/r/20250729145709.2731370-1-surenb@google.com Link: https://lkml.kernel.org/r/20250728175355.2282375-1-surenb@google.com Fixes: 3104138517fc ("mm: make vma cache SLAB_TYPESAFE_BY_RCU") Signed-off-by: Suren Baghdasaryan <surenb(a)google.com> Reported-by: Jann Horn <jannh(a)google.com> Closes: https://lore.kernel.org/all/CAG48ez0-deFbVH=E3jbkWx=X3uVbd8nWeo6kbJPQ0KoUD+… Reviewed-by: Vlastimil Babka <vbabka(a)suse.cz> Acked-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jann Horn <jannh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/mmap_lock.h b/include/linux/mmap_lock.h index 1f4f44951abe..11a078de9150 100644 --- a/include/linux/mmap_lock.h +++ b/include/linux/mmap_lock.h @@ -12,6 +12,7 @@ extern int rcuwait_wake_up(struct rcuwait *w); #include <linux/tracepoint-defs.h> #include <linux/types.h> #include <linux/cleanup.h> +#include <linux/sched/mm.h> #define MMAP_LOCK_INITIALIZER(name) \ .mmap_lock = __RWSEM_INITIALIZER((name).mmap_lock), @@ -154,6 +155,10 @@ static inline void vma_refcount_put(struct vm_area_struct *vma) * reused and attached to a different mm before we lock it. * Returns the vma on success, NULL on failure to lock and EAGAIN if vma got * detached. + * + * WARNING! The vma passed to this function cannot be used if the function + * fails to lock it because in certain cases RCU lock is dropped and then + * reacquired. Once RCU lock is dropped the vma can be concurently freed. */ static inline struct vm_area_struct *vma_start_read(struct mm_struct *mm, struct vm_area_struct *vma) @@ -183,6 +188,31 @@ static inline struct vm_area_struct *vma_start_read(struct mm_struct *mm, } rwsem_acquire_read(&vma->vmlock_dep_map, 0, 1, _RET_IP_); + + /* + * If vma got attached to another mm from under us, that mm is not + * stable and can be freed in the narrow window after vma->vm_refcnt + * is dropped and before rcuwait_wake_up(mm) is called. Grab it before + * releasing vma->vm_refcnt. + */ + if (unlikely(vma->vm_mm != mm)) { + /* Use a copy of vm_mm in case vma is freed after we drop vm_refcnt */ + struct mm_struct *other_mm = vma->vm_mm; + + /* + * __mmdrop() is a heavy operation and we don't need RCU + * protection here. Release RCU lock during these operations. + * We reinstate the RCU read lock as the caller expects it to + * be held when this function returns even on error. + */ + rcu_read_unlock(); + mmgrab(other_mm); + vma_refcount_put(vma); + mmdrop(other_mm); + rcu_read_lock(); + return NULL; + } + /* * Overflow of vm_lock_seq/mm_lock_seq might produce false locked result. * False unlocked result is impossible because we modify and check diff --git a/mm/mmap_lock.c b/mm/mmap_lock.c index 729fb7d0dd59..b006cec8e6fe 100644 --- a/mm/mmap_lock.c +++ b/mm/mmap_lock.c @@ -164,8 +164,7 @@ struct vm_area_struct *lock_vma_under_rcu(struct mm_struct *mm, */ /* Check if the vma we locked is the right one. */ - if (unlikely(vma->vm_mm != mm || - address < vma->vm_start || address >= vma->vm_end)) + if (unlikely(address < vma->vm_start || address >= vma->vm_end)) goto inval_end_read; rcu_read_unlock(); @@ -236,11 +235,8 @@ struct vm_area_struct *lock_next_vma(struct mm_struct *mm, goto fallback; } - /* - * Verify the vma we locked belongs to the same address space and it's - * not behind of the last search position. - */ - if (unlikely(vma->vm_mm != mm || from_addr >= vma->vm_end)) + /* Verify the vma is not behind the last search position. */ + if (unlikely(from_addr >= vma->vm_end)) goto fallback_unlock; /*

1 month, 1 week

3
4
0 0

[PATCH V4 mm-hotfixes 3/3] x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()

by Harry Yoo

Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). It is inteneded to synchronize page tables via pgd_pouplate_kernel() when 5-level paging is in use and via p4d_pouplate_kernel() when 4-level paging is used. This fixes intermittent boot failures on systems using 4-level paging and a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI RIP: 0010:__init_single_page+0x9/0x6d Call Trace: <TASK> __init_zone_device_page+0x17/0x5d memmap_init_zone_device+0x154/0x1bb pagemap_range+0x2e0/0x40f memremap_pages+0x10b/0x2f0 devm_memremap_pages+0x1e/0x60 dev_dax_probe+0xce/0x2ec [device_dax] dax_bus_probe+0x6d/0xc9 [... snip ...] </TASK> It also fixes a crash in vmemmap_set_pmd() caused by accessing vmemmap before sync_global_pgds() [1]: BUG: unable to handle page fault for address: ffffeb3ff1200000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI Tainted: [W]=WARN RIP: 0010:vmemmap_set_pmd+0xff/0x230 <TASK> vmemmap_populate_hugepages+0x176/0x180 vmemmap_populate+0x34/0x80 __populate_section_memmap+0x41/0x90 sparse_add_section+0x121/0x3e0 __add_pages+0xba/0x150 add_pages+0x1d/0x70 memremap_pages+0x3dc/0x810 devm_memremap_pages+0x1c/0x60 xe_devm_add+0x8b/0x100 [xe] xe_tile_init_noalloc+0x6a/0x70 [xe] xe_device_probe+0x48c/0x740 [xe] [... snip ...] Cc: <stable(a)vger.kernel.org> Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") Closes: https://lore.kernel.org/linux-mm/20250311114420.240341-1-gwan-gyeong.mun@in… [1] Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> --- arch/x86/include/asm/pgtable_64_types.h | 3 +++ arch/x86/mm/init_64.c | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h index 4604f924d8b8..7eb61ef6a185 100644 --- a/arch/x86/include/asm/pgtable_64_types.h +++ b/arch/x86/include/asm/pgtable_64_types.h @@ -36,6 +36,9 @@ static inline bool pgtable_l5_enabled(void) #define pgtable_l5_enabled() cpu_feature_enabled(X86_FEATURE_LA57) #endif /* USE_EARLY_PGTABLE_L5 */ +#define ARCH_PAGE_TABLE_SYNC_MASK \ + (pgtable_l5_enabled() ? PGTBL_PGD_MODIFIED : PGTBL_P4D_MODIFIED) + extern unsigned int pgdir_shift; extern unsigned int ptrs_per_p4d; diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c index 76e33bd7c556..a78b498c0dc3 100644 --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -223,6 +223,11 @@ static void sync_global_pgds(unsigned long start, unsigned long end) sync_global_pgds_l4(start, end); } +void arch_sync_kernel_mappings(unsigned long start, unsigned long end) +{ + sync_global_pgds(start, end); +} + /* * NOTE: This function is marked __ref because it calls __init function * (alloc_bootmem_pages). It's safe to do it ONLY when after_bootmem == 0. -- 2.43.0

1 month, 1 week

3
4
0 0

Re: Don't apply "Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano" to kernel 6.1 and 5.15

by Greg KH

On Wed, Aug 13, 2025 at 12:29:10AM +0800, Zenm Chen wrote: > Hi Greg, > > Sorry that my patch [1] didn't clearly tell which kernels it should apply > to. > > The Bluetooth support for Realtek RTL8851BE/RTL8851BU chips was added into > the kernel since 6.4 [2], so please don't apply this patch to kernel 6.1, > 5.15 and other older stable kernels, thank you very much! > > [1] Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano > https://lore.kernel.org/stable/20250521013020.1983-1-zenmchen@gmail.com/ > > [2] Bluetooth: btrtl: Add the support for RTL8851B > https://github.com/torvalds/linux/commit/7948fe1c92d92313eea5453f83deb7f014… Ok, now dropped, thanks. greg k-h

1 month, 1 week

1
0
0 0

Re: [PATCH ath-next 0/2] wifi: ath12k: install pairwise key first

by Jeff Johnson

On 6/25/2025 3:15 AM, Baochen Qiang wrote: > > > On 6/25/2025 5:51 PM, Johan Hovold wrote: >> [ +CC: Gregoire ] >> >> On Fri, May 23, 2025 at 11:49:00AM +0800, Baochen Qiang wrote: >>> We got report that WCN7850 is not working with IWD [1][2]. Debug >>> shows the reason is that IWD installs group key before pairwise >>> key, which goes against WCN7850's firmware. >>> >>> Reorder key install to workaround this. >>> >>> [1] https://bugzilla.kernel.org/show_bug.cgi?id=218733 >>> [2] https://lore.kernel.org/all/AS8P190MB12051DDBD84CD88E71C40AD7873F2@AS8P190M… >>> >>> Signed-off-by: Baochen Qiang <quic_bqiang(a)quicinc.com> >>> --- >>> --- >>> Baochen Qiang (2): >>> wifi: ath12k: avoid bit operation on key flags >>> wifi: ath12k: install pairwise key first >> >> Thanks for fixing this, Baochen. >> >> I noticed the patches weren't clearly marked as fixes. Do you think we >> should ask the stable team to backport these once they are in mainline >> (e.g. after 6.17-rc1 is out)? Or do you think they are too intrusive and >> risky to backport or similar? > > Yeah, I think they should be backported. > >> >> [ Also please try to remember to CC any (public) reporters. I only found >> out today that this had been addressed in linux-next. ] > > Thanks, will keep in mind. +Stable team, Per the above discussion please backport the series: https://msgid.link/20250523-ath12k-unicast-key-first-v1-0-f53c3880e6d8@quic… This is a 0-day issue so ideally this should be backported from 6.6+ /jeff

1 month, 1 week

3
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror