- Linux-stable-mirror - lists.linaro.org

[PATCH] drm/tegra: dc: fix reference leak in tegra_dc_couple()

by Ma Ke

driver_find_device() calls get_device() to increment the reference count once a matching device is found, but there is no put_device() to balance the reference count. To avoid reference count leakage, add put_device() to decrease the reference count. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a31500fe7055 ("drm/tegra: dc: Restore coupling of display controllers") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/tegra/dc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c index 59d5c1ba145a..6c84bd69b11f 100644 --- a/drivers/gpu/drm/tegra/dc.c +++ b/drivers/gpu/drm/tegra/dc.c @@ -3148,6 +3148,7 @@ static int tegra_dc_couple(struct tegra_dc *dc) dc->client.parent = &parent->client; dev_dbg(dc->dev, "coupled to %s\n", dev_name(companion)); + put_device(companion); } return 0; -- 2.17.1

1 month, 1 week

3
2
0 0

[PATCH] Bluetooth: btusb: Add one more ID 0x13d3:0x3612 for Realtek 8852CE

by Levi Zim via B4 Relay

From: Levi Zim <rsworktech(a)outlook.com> Devices with ID 13d3:3612 are found in ASUS TUF Gaming A16 (2025) and ASUS TX Gaming FA608FM. The corresponding device info from /sys/kernel/debug/usb/devices is T: Bus=03 Lev=02 Prnt=03 Port=02 Cnt=02 Dev#= 6 Spd=12 MxCh= 0 D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=13d3 ProdID=3612 Rev= 0.00 S: Manufacturer=Realtek S: Product=Bluetooth Radio C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms Signed-off-by: Levi Zim <rsworktech(a)outlook.com> --- drivers/bluetooth/btusb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 8085fabadde8ff01171783b59226589757bbbbbc..d1e62b3158166a33153a6dfaade03fd3fb7d8231 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -552,6 +552,8 @@ static const struct usb_device_id quirks_table[] = { BTUSB_WIDEBAND_SPEECH }, { USB_DEVICE(0x13d3, 0x3592), .driver_info = BTUSB_REALTEK | BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x13d3, 0x3612), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, { USB_DEVICE(0x0489, 0xe122), .driver_info = BTUSB_REALTEK | BTUSB_WIDEBAND_SPEECH }, --- base-commit: 302a1f674c00dd5581ab8e493ef44767c5101aab change-id: 20250927-ble-13d3-3612-53a2246e4862 Best regards, -- Levi Zim <rsworktech(a)outlook.com>

1 month, 1 week

3
2
0 0

[PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

by Jeongjun Park

The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer. However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely. Therefore, to prevent this, the error timer must be killed before freeing the heap memory. Cc: <stable(a)vger.kernel.org> Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- sound/usb/midi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/usb/midi.c b/sound/usb/midi.c index acb3bf92857c..8d15f1caa92b 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i; + timer_shutdown_sync(&umidi->error_timer); + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; if (ep->out) @@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) snd_usbmidi_in_endpoint_delete(ep->in); } mutex_destroy(&umidi->mutex); - timer_shutdown_sync(&umidi->error_timer); kfree(umidi); } --

1 month, 1 week

2
3
0 0

Website Designing, Mobile Apps & Tie-ups.

by Sales Bard India

Greetings!! We are a 24+ yr old high tech Web Development firm with presence of over 18+ yrs in Mauritius; partners of RV TechAdvisora Ltd and headquartered in India We have catered to over 7000 trendy websites; are a team of 30 people. Our Services: Domain Registrations, Webhosting, Google Workspace, Mobile Responsive Website Designing, Wordpress Websites, Mobile Apps, Web Apps, E-commerce websites, Google Ads, SEO, Catalogue design & affiliated services Find below some of the ready packages we offer for making an easy selection for the kind of Mobile Responsive HTML Website: 5 page Responsive Website @ MUR 13,499/- 10 page Responsive Website @ MUR 19,999/- 15 page Responsive Website @ MUR 25,499/- 20 page Responsive Website @ MUR 31,499/- 25 page Responsive Website @ MUR 36,499/- 30 page Responsive Website @ MUR 40,999/- Additional page beyond 30 pages @ MUR 1199 per page Find below some of the ready packages we offer for making an easy selection for the kind of Mobile Responsive Wordpress Website; With Wordpress CMS, website content can be easily maintained by your company with a backend login. 5 page Responsive Website @ MUR 14,999/- 10 page Responsive Website @ MUR 21,999/- 15 page Responsive Website @ MUR 27,499/- 20 page Responsive Website @ MUR 32,999/- 25 page Responsive Website @ MUR 36,999/- 30 page Responsive Website @ MUR 40,999/- Additional page beyond 30 pages @ MUR 1199 per page Our brief website portfolio: http://www.mirackle.com/portfolio.html Note: We are also looking for tie-ups with IT/Web design cos. who would want to outsource work for high end Websites/Mobile APP requirements etc. We have a team of highly skilled php coders who can cater to any complex requirement. India Whatsapp: +91 9323272846 / 9323551195; Mauritius WharsApp: +230 5758 5497; Email: business(a)mirackle.com ; Web: http://www.mirackle.com Regards, Amit Patel

1 month, 1 week

1
0
0 0

[PATCH] perf: arm_cspmu: fix error handling in arm_cspmu_impl_unregister()

by Ma Ke

driver_find_device() calls get_device() to increment the reference count once a matching device is found. device_release_driver() releases the driver, but it does not decrease the reference count that was incremented by driver_find_device(). At the end of the loop, there is no put_device() to balance the reference count. To avoid reference count leakage, add put_device() to decrease the reference count. Found by code review. Cc: stable(a)vger.kernel.org Fixes: bfc653aa89cb ("perf: arm_cspmu: Separate Arm and vendor module") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/perf/arm_cspmu/arm_cspmu.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/perf/arm_cspmu/arm_cspmu.c b/drivers/perf/arm_cspmu/arm_cspmu.c index efa9b229e701..e0d4293f06f9 100644 --- a/drivers/perf/arm_cspmu/arm_cspmu.c +++ b/drivers/perf/arm_cspmu/arm_cspmu.c @@ -1365,8 +1365,10 @@ void arm_cspmu_impl_unregister(const struct arm_cspmu_impl_match *impl_match) /* Unbind the driver from all matching backend devices. */ while ((dev = driver_find_device(&arm_cspmu_driver.driver, NULL, - match, arm_cspmu_match_device))) + match, arm_cspmu_match_device))) { device_release_driver(dev); + put_device(dev); + } mutex_lock(&arm_cspmu_lock); -- 2.17.1

1 month, 1 week

2
1
0 0

Qualcomm Inventory Updated

by Alan Ye

The following are all Qualcomm's stock, original and authentic. If you need them, please contact us. Snapdragon骁龙 WIFI-5G/6G MPN QTY date code MPN QTY date code SM-6225-0-PSP807-TR-00-0-AB 8000 22+ IPQ5018-0-MRQFN232-MT-01-0 36000 22+ PM-6225-0-FOWNSP144-TR-01-0 8000 22+ QCN6102-0-DRQFN116-TR-01-0 30000 22+ WCD9375-0-WLPSP55-TR-01-3 8000 22+ QCA8337-AL3C 25000 22+ WTR3925-2-106BWLPSP-TR-03-1 8000 22+ WCN-3950-0-58WLPSP-TR-05-2 8000 22+ IPQ-6000-0-FCBGA570-TR-00-0 10000 22+ QCA-8072-0-108DRQFN-MT-00-0 10000 22+ QCM-6490-1-PSP1287-TR-00-0-AA E 12000 23+ QCN-5022-0-DRQFN100B-TR-00-0 10000 22+ PMK-7325-1-1-FOWPSP36-MT-01-0 12000 23+ QCN-5052-0-DRQFN100B-TR-00-0 10000 22+ PM-7325-0-WLNSP120B-TR-00-0 12000 23+ PM-7350C-0-FOWNSP143-MT-02-0 12000 23+ IPQ-6010-0-FCBGA570-TR-00-0 8000 22+ PM-7250B-2-FOWPSP110-TR-00-0 12000 23+ QCA-8075-0-108DRQFN-MT-01-0 8000 22+ WCD-9370-0-WLPSP55-TR-01-0 12000 23+ QCN-5052-0-DRQFN100B-TR-00-0 8000 22+ PM-8008-0-WLPSP20-TR-X0-0 12000 23+ QCN-5021-0-DRQFN100B-TR-03-0 8000 22+ SDR-735-0-PSP219B-TR-001-0 12000 23+ WCN-6750-0-PSP229-TR-01-0 12000 23+ QCA-9886-0-100DRQFN-MT-04-0 14000 22+ QCA9563-AL3A 14000 22+ SDM-450-B-792NSP-TR-01-0-AA 20000 24+ QCA8334-AL3C 14000 22+ WTR-2965-0-59F0WNSP-TR-07-1 20000 24+ PMI-8952-0-144WLNSP-TR-02-0-00 20000 24+ IPQ-5322-0-MRQFN251-MT-00-0 6000 24+ WCN-3680B-0-79BWLNSP-TR-05-1 20000 24+ QCN-6274-0-MSP264-MT-01-0 6000 24+ PM-8953-0-187F0WNSP-TR-01-1 20000 24+ QCA-8385-0-DRQFN172-MT-00-0 6000 24 SDM-660-3-692NSP-TR-01-0-A 28000 23+ IPQ-4018-0-180DRQFN-MT-00-0 150000 22+ PM-660-0-219WLPSP-TR-01-1-01 28000 23+ QCA-8072-0-108DRQFN-MT-00-0 100000 22+ PM-660L-0-196WLPSP-TR-04-0-01 28000 23+ SDR-660-0-180WLPSP-TR-03-0 28000 23+ QCN-9024-0-MSP234-TR-01-0 5000 23+ QET-4101-0-12WLNSP-HR-00-0 28000 23+ QCN-6024-0-MSP234-MT-01-0 20000 22+ WCN-3980-0-82BWLPSP-TR-0B-0 28000 23+ QCA-8081-0-56MQFN-MT-02-0 28000 22+ QCN-9074-0-MSP234-TR-01-0 8000 23+ QCM-2290-0-NSP752-TR-00-0 10000 24+ QCA-9377-3-115WLNSP-TR-03-0 10000 22+ PM-8008-0-WLPSP20-TR-X0-0 10000 24+ QCA-1023-0-115WLNSP-TR-03-0 20000 24+ WCN-3950-0-58WLPSP-TR-05-3 10000 24+ QCC-5181-0-WLNSP99-TR-05-0 10000 24+ PM-4125-3-NSP194-TR-01-0 10000 24+ QCC-5127-0-124CSP-TR-00-0 8000 23+ CSR8670C-ICXT-R 10000 23+ MSM-8909-2-504NSP-TR-01-1-AA 50000 22+ CSR8675C-IBBH-R 10000 23+ WCN-3660B-0-79BWLNSP-TR-05-1 50000 22+ AR8033-AL1A 25000 23+ PM-8909-0-152NSP-TR-01-0-02 50000 22+ AR8035-AL1A 45000 22+ WTR-4905-1-60WLNSP-TR-01-1 50000 22+ AR8031-AL1B 15000 22+ If you have other MPN requirements, please let me know and I will check the latest inventory status for you. We also recycle Qualcomm's excess inventory to help you solve the depreciation risk faced by electronic components Best Secure your updates and feature insights at . Continue Product News Wish to step back? Quickly hit Control Contact Settings.

1 month, 1 week

1
0
0 0

[PATCH net-next 00/15] mptcp: pm: special case for c-flag + luminar endp

by Matthieu Baerts (NGI0)

Here are some patches for the MPTCP PM, including some refactoring that I thought it would be best to send at the end of a cycle to avoid conflicts between net and net-next that could last a few weeks. The most interesting changes are in the first and last patch, the rest are patches refactoring the code & tests to validate the modifications. - Patches 1 & 2: When servers set the C-flag in their MP_CAPABLE to tell clients not to create subflows to the initial address and port -- e.g. a deployment behind a L4 load balancer like a typical CDN deployment -- clients will not use their other endpoints when default settings are used. That's because the in-kernel path-manager uses the 'subflow' endpoints to create subflows only to the initial address and port. The first patch fixes that (for >=v5.14), and the second one validates it. - Patches 3-14: various patches refactoring the code around the in-kernel PM (mainly): split too long functions, rename variables and functions to avoid confusions, reduce structure size, and compare IDs instead of IP addresses. Note that one patch modifies one internal variable used in one BPF selftest. - Patch 15: ability to control endpoints that are used in reaction to a new address announced by the other peer. With that, endpoints can be used only once. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Notes: - Patches 1 & 2 are sent to net-next on purpose: to delay a bit the backports, just in case. Plus we are at the end of a cycle, and not to delay the other refactoring patches. - Sorry, I wanted to send this series earlier on, but due to some unrelated issues (and holiday), it got delayed. Most patches are pure refactoring ones. --- Matthieu Baerts (NGI0) (15): mptcp: pm: in-kernel: usable client side with C-flag selftests: mptcp: join: validate C-flag + def limit mptcp: pm: in-kernel: refactor fill_local_addresses_vec mptcp: pm: in-kernel: refactor fill_remote_addresses_vec mptcp: pm: rename 'subflows' to 'extra_subflows' mptcp: pm: in-kernel: rename 'subflows_max' to 'limit_extra_subflows' mptcp: pm: in-kernel: rename 'add_addr_signal_max' to 'endp_signal_max' mptcp: pm: in-kernel: rename 'add_addr_accept_max' to 'limit_add_addr_accepted' mptcp: pm: in-kernel: rename 'local_addr_max' to 'endp_subflow_max' mptcp: pm: in-kernel: rename 'local_addr_list' to 'endp_list' mptcp: pm: in-kernel: rename 'addrs' to 'endpoints' mptcp: pm: in-kernel: remove stale_loss_cnt mptcp: pm: in-kernel: reduce pernet struct size mptcp: pm: in-kernel: compare IDs instead of addresses mptcp: pm: in-kernel: add laminar endpoints include/uapi/linux/mptcp.h | 11 +- net/mptcp/pm.c | 32 +- net/mptcp/pm_kernel.c | 569 ++++++++++++++-------- net/mptcp/pm_userspace.c | 2 +- net/mptcp/protocol.h | 21 +- net/mptcp/sockopt.c | 22 +- tools/testing/selftests/bpf/progs/mptcp_subflow.c | 2 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 11 + 8 files changed, 441 insertions(+), 229 deletions(-) --- base-commit: a1f1f2422e098485b09e55a492de05cf97f9954d change-id: 20250925-net-next-mptcp-c-flag-laminar-f8442e4d4bd9 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

1 month, 1 week

2
3
0 0

+ squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch added to mm-nonmm-unstable branch

by Andrew Morton

The patch titled Subject: Squashfs: reject negative file sizes in squashfs_read_inode() has been added to the -mm mm-nonmm-unstable branch. Its filename is squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-nonmm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Phillip Lougher <phillip(a)squashfs.org.uk> Subject: Squashfs: reject negative file sizes in squashfs_read_inode() Date: Fri, 26 Sep 2025 22:59:35 +0100 Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs. This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size. This commit checks for a negative file size and returns EINVAL. Link: https://lkml.kernel.org/r/20250926215935.107233-1-phillip@squashfs.org.uk Fixes: 6545b246a2c8 ("Squashfs: inode operations") Signed-off-by: Phillip Lougher <phillip(a)squashfs.org.uk> Reported-by: syzbot+f754e01116421e9754b9(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68d580e5.a00a0220.303701.0019.GAE@google.com/ Cc: Amir Goldstein <amir73il(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/squashfs/inode.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) --- a/fs/squashfs/inode.c~squashfs-reject-negative-file-sizes-in-squashfs_read_inode +++ a/fs/squashfs/inode.c @@ -145,6 +145,10 @@ int squashfs_read_inode(struct inode *in goto failed_read; inode->i_size = le32_to_cpu(sqsh_ino->file_size); + if (inode->i_size < 0) { + err = -EINVAL; + goto failed_read; + } frag = le32_to_cpu(sqsh_ino->fragment); if (frag != SQUASHFS_INVALID_FRAG) { /* @@ -197,6 +201,10 @@ int squashfs_read_inode(struct inode *in goto failed_read; inode->i_size = le64_to_cpu(sqsh_ino->file_size); + if (inode->i_size < 0) { + err = -EINVAL; + goto failed_read; + } frag = le32_to_cpu(sqsh_ino->fragment); if (frag != SQUASHFS_INVALID_FRAG) { /* @@ -249,8 +257,12 @@ int squashfs_read_inode(struct inode *in if (err < 0) goto failed_read; - set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); inode->i_size = le16_to_cpu(sqsh_ino->file_size); + if (inode->i_size < 0) { + err = -EINVAL; + goto failed_read; + } + set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); inode->i_op = &squashfs_dir_inode_ops; inode->i_fop = &squashfs_dir_ops; inode->i_mode |= S_IFDIR; @@ -273,9 +285,13 @@ int squashfs_read_inode(struct inode *in if (err < 0) goto failed_read; + inode->i_size = le32_to_cpu(sqsh_ino->file_size); + if (inode->i_size < 0) { + err = -EINVAL; + goto failed_read; + } xattr_id = le32_to_cpu(sqsh_ino->xattr); set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); - inode->i_size = le32_to_cpu(sqsh_ino->file_size); inode->i_op = &squashfs_dir_inode_ops; inode->i_fop = &squashfs_dir_ops; inode->i_mode |= S_IFDIR; @@ -302,7 +318,7 @@ int squashfs_read_inode(struct inode *in goto failed_read; inode->i_size = le32_to_cpu(sqsh_ino->symlink_size); - if (inode->i_size > PAGE_SIZE) { + if (inode->i_size < 0 || inode->i_size > PAGE_SIZE) { ERROR("Corrupted symlink\n"); return -EINVAL; } _ Patches currently in -mm which might be from phillip(a)squashfs.org.uk are squashfs-fix-uninit-value-in-squashfs_get_parent.patch squashfs-add-additional-inode-sanity-checking.patch squashfs-add-seek_data-seek_hole-support.patch squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch

1 month, 1 week

1
0
0 0

[PATCH] drm: mipi-dsi: Fix an API misuse in mipi_dsi_device_register_full()

by Haoxiang Li

mipi_dsi_device_alloc() calls device_initialize() to initialize value "&dsi->dev". Thus "dsi" should be freed using put_device() in error handling path. Fixes: 068a00233969 ("drm: Add MIPI DSI bus support") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/gpu/drm/drm_mipi_dsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c index 3a9b3278a6e3..21d9aa29ac34 100644 --- a/drivers/gpu/drm/drm_mipi_dsi.c +++ b/drivers/gpu/drm/drm_mipi_dsi.c @@ -233,7 +233,7 @@ mipi_dsi_device_register_full(struct mipi_dsi_host *host, ret = mipi_dsi_device_add(dsi); if (ret) { dev_err(host->dev, "failed to add DSI device %d\n", ret); - kfree(dsi); + put_device(&dsi->dev); return ERR_PTR(ret); } -- 2.25.1

1 month, 1 week

2
1
0 0

[PATCH v2 0/3] ext4: Add support for mounted updates to the superblock via an ioctl

by Theodore Ts'o via B4 Relay

This patch series enables a future version of tune2fs to be able to modify certain parts of the ext4 superblock without to write to the block device. The first patch fixes a potential buffer overrun caused by a maliciously moified superblock. The second patch adds support for 32-bit uid and gid's which can have access to the reserved blocks pool. The last patch adds the ioctl's which will be used by tune2fs. Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> --- Changes in v2: - fix bugs that were detected using sparse - remove tune (unsafe) ability to clear certain compat faatures - add the ability to set the encoding and encoding flags for case folding - Link to v1: https://lore.kernel.org/r/20250908-tune2fs-v1-0-e3a6929f3355@mit.edu --- Theodore Ts'o (3): ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() ext4: add support for 32-bit default reserved uid and gid values ext4: implemet new ioctls to set and get superblock parameters fs/ext4/ext4.h | 16 +++- fs/ext4/ioctl.c | 312 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- fs/ext4/super.c | 25 +++---- include/uapi/linux/ext4.h | 53 +++++++++++++ 4 files changed, 382 insertions(+), 24 deletions(-) --- base-commit: b320789d6883cc00ac78ce83bccbfe7ed58afcf0 change-id: 20250830-tune2fs-3376beb72403 Best regards, -- Theodore Ts'o <tytso(a)mit.edu>

1 month, 1 week

4
4
0 0

[PATCH 1/2] soc: qcom: ocmem: fix device leak on lookup

by Johan Hovold

Make sure to drop the reference taken to the ocmem platform device when looking up its driver data. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Also note that commit 0ff027027e05 ("soc: qcom: ocmem: Fix missing put_device() call in of_get_ocmem") fixed the leak in a lookup error path, but the reference is still leaking on success. Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver") Cc: stable(a)vger.kernel.org # 5.5: 0ff027027e05 Cc: Brian Masney <bmasney(a)redhat.com> Cc: Miaoqian Lin <linmq006(a)gmail.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/soc/qcom/ocmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/soc/qcom/ocmem.c b/drivers/soc/qcom/ocmem.c index 9c3bd37b6579..71130a2f62e9 100644 --- a/drivers/soc/qcom/ocmem.c +++ b/drivers/soc/qcom/ocmem.c @@ -202,9 +202,9 @@ struct ocmem *of_get_ocmem(struct device *dev) } ocmem = platform_get_drvdata(pdev); + put_device(&pdev->dev); if (!ocmem) { dev_err(dev, "Cannot get ocmem\n"); - put_device(&pdev->dev); return ERR_PTR(-ENODEV); } return ocmem; -- 2.49.1

1 month, 1 week

3
2
0 0

You have a donation of two Million Five Hundred Thousand

by Dr Leonard Valentinovic Blavatnik.

1 month, 1 week

1
0
0 0

[REGRESSION] workqueue/writeback: Severe CPU hang due to kworker proliferation during I/O flush and cgroup cleanup

by Chenglong Tang

Hello, This is Chenglong from Google Container Optimized OS. I'm reporting a severe CPU hang regression that occurs after a high volume of file creation and subsequent cgroup cleanup. Through bisection, the issue appears to be caused by a chain reaction between three commits related to writeback, unbound workqueues, and CPU-hogging detection. The issue is greatly alleviated on the latest mainline kernel but is not fully resolved, still occurring intermittently (~1 in 10 runs). How to reproduce The kernel v6.1 is good. The hang is reliably triggered(over 80% chance) on kernels v6.6 and 6.12 and intermittently on mainline(6.17-rc7) with the following steps: Environment: A machine with a fast SSD and a high core count (e.g., Google Cloud's N2-standard-128). Workload: Concurrently generate a large number of files (e.g., 2 million) using multiple services managed by systemd-run. This creates significant I/O and cgroup churn. Trigger: After the file generation completes, terminate the systemd-run services. Result: Shortly after the services are killed, the system's CPU load spikes, leading to a massive number of kworker/+inode_switch_wbs threads and a system-wide hang/livelock where the machine becomes unresponsive (20s - 300s). Analysis and Problematic Commits 1. The initial commit: The process begins with a worker that can get stuck busy-waiting on a spinlock. Commit: ("writeback, cgroup: release dying cgwbs by switching attached inodes") Effect: This introduced the inode_switch_wbs_work_fn worker to clean up cgroup writeback structures. Under our test load, this worker appears to hit a highly contended wb->list_lock spinlock, causing it to burn 100% CPU without sleeping. 2. The Kworker Explosion: A subsequent change misinterprets the spinning worker from Stage 1, leading to a runaway feedback loop of worker creation. Commit: 616db8779b1e ("workqueue: Automatically mark CPU-hogging work items CPU_INTENSIVE") Effect: This logic sees the spinning worker, marks it as CPU_INTENSIVE, and excludes it from concurrency management. To handle the work backlog, it spawns a new kworker, which then also gets stuck on the same lock, repeating the cycle. This directly causes the kworker count to explode from <50 to 100-2000+. 3. The System-Wide Lockdown: The final piece allows this localized worker explosion to saturate the entire system. Commit: 8639ecebc9b1 ("workqueue: Implement non-strict affinity scope for unbound workqueues") Effect: This change introduced non-strict affinity as the default. It allows the hundreds of kworkers created in Stage 2 to be spread by the scheduler across all available CPU cores, turning the problem into a system-wide hang. Current Status and Mitigation Mainline Status: On the latest mainline kernel, the hang is far less frequent and the kworker counts are reduced back to normal (<50), suggesting other changes have partially mitigated the issue. However, the hang still occurs, and when it does, the kworker count still explodes (e.g., 300+), indicating the underlying feedback loop remains. Workaround: A reliable mitigation is to revert to the old workqueue behavior by setting affinity_strict to 1. This contains the kworker proliferation to a single CPU pod, preventing the system-wide hang. Questions Given that the issue is not fully resolved, could you please provide some guidance? 1. Is this a known issue, and are there patches in development that might fully address the underlying spinlock contention or the kworker feedback loop? 2. Is there a better long-term mitigation we can apply other than forcing strict affinity? Thank you for your time and help. Best regards, Chenglong

1 month, 1 week

2
3
0 0

Re: [REGRESSION] workqueue/writeback: Severe CPU hang due to kworker proliferation during I/O flush and cgroup cleanup

by Tejun Heo

On Wed, Sep 24, 2025 at 05:24:15PM -0700, Chenglong Tang wrote: > The kernel v6.1 is good. The hang is reliably triggered(over 80% chance) on > kernels v6.6 and 6.12 and intermittently on mainline(6.17-rc7) with the > following steps: > - > > *Environment:* A machine with a fast SSD and a high core count (e.g., > Google Cloud's N2-standard-128). > - > > *Workload:* Concurrently generate a large number of files (e.g., 2 million) > using multiple services managed by systemd-run. This creates significant > I/O and cgroup churn. > - > > *Trigger:* After the file generation completes, terminate the systemd-run > services. > - > > *Result:* Shortly after the services are killed, the system's CPU load > spikes, leading to a massive number of kworker/+inode_switch_wbs threads > and a system-wide hang/livelock where the machine becomes unresponsive (20s > - 300s). Sounds like: http://lkml.kernel.org/r/20250912103522.2935-1-jack@suse.cz Can you see whether those patches resolve the problem? Thanks. -- tejun

1 month, 1 week

2
2
0 0

Re: [PATCH 2/2] soc: amlogic: canvas: simplify lookup error handling

by Markus Elfring

> Simplify the canvas lookup error handling by dropping the OF node > reference sooner. How do you think about to increase the application of scope-based resource management? https://elixir.bootlin.com/linux/v6.17-rc7/source/include/linux/of.h#L138 Regards, Markus

1 month, 1 week

1
0
0 0

[PATCH 2/2] soc: qcom: pbs: fix device leak on lookup

by Johan Hovold

Make sure to drop the reference taken to the pbs platform device when looking up its driver data. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: 5b2dd77be1d8 ("soc: qcom: add QCOM PBS driver") Cc: stable(a)vger.kernel.org # 6.9 Cc: Anjelique Melendez <quic_amelende(a)quicinc.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/soc/qcom/qcom-pbs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/soc/qcom/qcom-pbs.c b/drivers/soc/qcom/qcom-pbs.c index 1cc5d045f9dd..06b4a596e275 100644 --- a/drivers/soc/qcom/qcom-pbs.c +++ b/drivers/soc/qcom/qcom-pbs.c @@ -173,6 +173,8 @@ struct pbs_dev *get_pbs_client_device(struct device *dev) return ERR_PTR(-EINVAL); } + platform_device_put(pdev); + return pbs; } EXPORT_SYMBOL_GPL(get_pbs_client_device); -- 2.49.1

1 month, 1 week

2
1
0 0

[PATCH 1/2] soc: apple: mailbox: fix device leak on lookup

by Johan Hovold

Make sure to drop the reference taken to the mbox platform device when looking up its driver data. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: 6e1457fcad3f ("soc: apple: mailbox: Add ASC/M3 mailbox driver") Cc: stable(a)vger.kernel.org # 6.8 Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/soc/apple/mailbox.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/soc/apple/mailbox.c b/drivers/soc/apple/mailbox.c index 49a0955e82d6..1685da1da23d 100644 --- a/drivers/soc/apple/mailbox.c +++ b/drivers/soc/apple/mailbox.c @@ -299,11 +299,18 @@ struct apple_mbox *apple_mbox_get(struct device *dev, int index) return ERR_PTR(-EPROBE_DEFER); mbox = platform_get_drvdata(pdev); - if (!mbox) - return ERR_PTR(-EPROBE_DEFER); + if (!mbox) { + mbox = ERR_PTR(-EPROBE_DEFER); + goto out_put_pdev; + } + + if (!device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_CONSUMER)) { + mbox = ERR_PTR(-ENODEV); + goto out_put_pdev; + } - if (!device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_CONSUMER)) - return ERR_PTR(-ENODEV); +out_put_pdev: + put_device(&pdev->dev); return mbox; } -- 2.49.1

1 month, 1 week

2
1
0 0

[PATCH 6.12 000/105] 6.12.49-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.49 release. There are 105 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Sep 2025 19:23:52 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.49-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.49-rc1 David Laight <David.Laight(a)ACULAB.COM> minmax.h: remove some #defines that are only expanded once David Laight <David.Laight(a)ACULAB.COM> minmax.h: simplify the variants of clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: move all the clamp() definitions after the min/max() ones David Laight <David.Laight(a)ACULAB.COM> minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: reduce the #define expansion of min(), max() and clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: update some comments David Laight <David.Laight(a)ACULAB.COM> minmax.h: add whitespace around operators and after commas Bruno Thomsen <bruno.thomsen(a)gmail.com> rtc: pcf2127: fix SPI command byte for PCF2131 backport Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Fix full DbC transfer ring after several reconnects Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: decouple endpoint allocation from initialization Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci: remove option to change a default ring's TRB cycle bit Niklas Neronin <niklas.neronin(a)linux.intel.com> usb: xhci: introduce macro for ring segment list iteration Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: nl: announce deny-join-id0 flag Hugh Dickins <hughd(a)google.com> mm/gup: check ref_count instead of lru before migration Shivank Garg <shivankg(a)amd.com> mm: add folio_expected_ref_count() for reference count calculation Sankararaman Jayaraman <sankararaman.jayaraman(a)broadcom.com> vmxnet3: unregister xdp rxq info in the reset path Sean Christopherson <seanjc(a)google.com> KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions Borislav Petkov <bp(a)alien8.de> x86/bugs: KVM: Add support for SRSO_MSR_FIX Borislav Petkov (AMD) <bp(a)alien8.de> x86/bugs: Add SRSO_USER_KERNEL_NO support Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 Yang Xiuwei <yangxiuwei(a)kylinos.cn> io_uring: fix incorrect io_kiocb reference in io_link_skb Stefan Metzmacher <metze(a)samba.org> smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Set merge to zero early in af_alg_sendmsg Stefan Metzmacher <metze(a)samba.org> smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) Paulo Alcantara <pc(a)manguebit.org> smb: client: fix filename matching of deferred files Dan Carpenter <dan.carpenter(a)linaro.org> drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() Qi Xi <xiqi2(a)huawei.com> drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Loic Poulain <loic.poulain(a)oss.qualcomm.com> drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/tile: Release kobject for the failure path Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> ASoC: Intel: catpt: Expose correct bit depth to userspace Colin Ian King <colin.i.king(a)gmail.com> ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8974: Correct PLL rate rounding Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct typo in control name Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct PLL rate rounding Jens Axboe <axboe(a)kernel.dk> io_uring/kbuf: drop WARN_ON_ONCE() from incremental length check Jens Axboe <axboe(a)kernel.dk> io_uring/msg_ring: kill alloc_cache for io_kiocb allocations Jens Axboe <axboe(a)kernel.dk> io_uring: include dying ring in task_work "should cancel" state Jens Axboe <axboe(a)kernel.dk> io_uring: backport io_should_terminate_tw() Pavel Begunkov <asml.silence(a)gmail.com> io_uring/cmd: let cmds to know about dying task Praful Adiga <praful.adiga(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: avoid spurious errors on TCP disconnect Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: catch IO errors on listen side Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: propagate shutdown to subflows when possible Håkon Bugge <haakon.bugge(a)oracle.com> rds: ib: Increment i_fastreg_wrs before bailing out Hans de Goede <hansg(a)kernel.org> net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Thomas Fourier <fourier.thomas(a)gmail.com> mmc: mvsdio: Fix dma_unmap_sg() nents value Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: fix the incorrect inode ref size check Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd/pgtbl: Fix possible race while increase page table level Eugene Koira <eugkoira(a)amazon.com> iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Tao Cui <cuitao(a)kylinos.cn> LoongArch: Check the return value when creating kobj Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Guangshuo Li <202321181(a)mail.sdu.edu.cn> LoongArch: vDSO: Check kcalloc() result in init_vdso() Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Fix unreliable stack for live patching Tiezhu Yang <yangtiezhu(a)loongson.cn> objtool/LoongArch: Mark special atomic instruction as INSN_BUG type Tiezhu Yang <yangtiezhu(a)loongson.cn> objtool/LoongArch: Mark types based on break immediate code Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Update help info of ARCH_STRICT_ALIGN Hugh Dickins <hughd(a)google.com> mm: revert "mm: vmscan.c: fix OOM on swap stress test" Li Zhe <lizhe.67(a)bytedance.com> gup: optimize longterm pin_user_pages() for large folio Mikulas Patocka <mpatocka(a)redhat.com> dm-stripe: fix a possible integer overflow Mikulas Patocka <mpatocka(a)redhat.com> dm-raid: don't set io_min and io_opt for raid1 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: restrict no-battery detection to bq27000 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Nathan Chancellor <nathan(a)kernel.org> nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Stefan Metzmacher <metze(a)samba.org> ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Fix crash in icl_update_topdown_event() Duoming Zhou <duoming(a)zju.edu.cn> octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Duoming Zhou <duoming(a)zju.edu.cn> cnic: Fix use-after-free bugs in cnic_delete_task Alexey Nepomnyashih <sdl(a)nppct.ru> net: liquidio: fix overflow in octeon_init_instr_queue() Tariq Toukan <tariqt(a)nvidia.com> Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Jakub Kicinski <kuba(a)kernel.org> tls: make sure to abort the stream if headers are bogus Kuniyuki Iwashima <kuniyu(a)google.com> tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Sathesh B Edara <sedara(a)marvell.com> octeon_ep: fix VF MAC address lifecycle handling Hangbin Liu <liuhangbin(a)gmail.com> bonding: don't set oif to bond dev when getting NS target destination Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Harden uplink netdev access against device unbind Kohei Enju <enjuk(a)amazon.com> igc: don't fail igc_probe() on LED setup error Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> i40e: remove redundant memory barrier when cleaning Tx descs Jacob Keller <jacob.e.keller(a)intel.com> ice: fix Rx page leak on multi-buffer frames Jacob Keller <jacob.e.keller(a)intel.com> ice: store max_frame and rx_buf_len only in ice_rx_ring Yeounsu Moon <yyyynoom(a)gmail.com> net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Geliang Tang <geliang(a)kernel.org> selftests: mptcp: sockopt: fix error messages Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: tfo: record 'deny join id0' info Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: userspace pm: validate deny-join-id0 flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: set remote_deny_join_id0 on SYN recv Hangbin Liu <liuhangbin(a)gmail.com> bonding: set random address only when slaves already exist Jamie Bainbridge <jamie.bainbridge(a)gmail.com> qed: Don't collect too many protection override GRC elements Anderson Nascimento <anderson(a)allelesecurity.com> net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-switch: fix buffer pool seeding for control traffic Tiwei Bie <tiwei.btw(a)antgroup.com> um: Fix FD copy size in os_rcv_fd_msg() Miaoqian Lin <linmq006(a)gmail.com> um: virtio_uml: Fix use-after-free after put_device in probe Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid extref key setup when replaying dentry Chen Ridong <chenridong(a)huawei.com> cgroup: split cgroup_destroy_wq into 3 workqueues Geert Uytterhoeven <geert+renesas(a)glider.be> pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Liao Yuanhong <liaoyuanhong(a)vivo.com> wifi: mac80211: fix incorrect type for ret Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: increase scan_ies_len for S1G Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Christoph Hellwig <hch(a)lst.de> nvme: fix PI insert on write Ajay.Kathat(a)microchip.com <Ajay.Kathat(a)microchip.com> wifi: wilc1000: avoid buffer overflow in WID string configuration ------------- Diffstat: Documentation/admin-guide/hw-vuln/srso.rst | 13 ++ Documentation/netlink/specs/mptcp_pm.yaml | 4 +- Makefile | 4 +- arch/loongarch/Kconfig | 8 +- arch/loongarch/include/asm/acenv.h | 7 +- arch/loongarch/kernel/env.c | 2 + arch/loongarch/kernel/stacktrace.c | 3 +- arch/loongarch/kernel/vdso.c | 3 + arch/um/drivers/virtio_uml.c | 6 +- arch/um/os-Linux/file.c | 2 +- arch/x86/events/intel/core.c | 2 +- arch/x86/include/asm/cpufeatures.h | 5 + arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/bugs.c | 28 ++- arch/x86/kvm/svm/svm.c | 68 ++++++- arch/x86/kvm/svm/svm.h | 2 + arch/x86/lib/msr.c | 2 + crypto/af_alg.c | 10 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 39 +++- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 +- drivers/gpu/drm/xe/xe_tile_sysfs.c | 12 +- drivers/gpu/drm/xe/xe_vm.c | 4 +- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 25 ++- drivers/iommu/intel/iommu.c | 7 +- drivers/md/dm-raid.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/mmc/host/mvsdio.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/broadcom/cnic.c | 3 +- .../net/ethernet/cavium/liquidio/request_manager.c | 2 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 - drivers/net/ethernet/intel/ice/ice.h | 3 - drivers/net/ethernet/intel/ice/ice_base.c | 34 ++-- drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++++---- drivers/net/ethernet/intel/ice/ice_txrx.h | 4 +- drivers/net/ethernet/intel/ice/ice_virtchnl.c | 7 +- drivers/net/ethernet/intel/igc/igc.h | 1 + drivers/net/ethernet/intel/igc/igc_main.c | 12 +- .../ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 + .../net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 - drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 ++- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 +- drivers/net/ethernet/natsemi/ns83820.c | 13 +- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +- drivers/net/vmxnet3/vmxnet3_drv.c | 10 +- drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 39 ++-- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 +- drivers/nvme/host/core.c | 18 +- drivers/pcmcia/omap_cf.c | 8 +- drivers/platform/x86/asus-nb-wmi.c | 25 ++- drivers/platform/x86/asus-wmi.h | 3 +- drivers/power/supply/bq27xxx_battery.c | 4 +- drivers/rtc/rtc-pcf2127.c | 10 +- drivers/usb/host/xhci-dbgcap.c | 94 ++++++--- drivers/usb/host/xhci-debugfs.c | 5 +- drivers/usb/host/xhci-mem.c | 74 +++---- drivers/usb/host/xhci.c | 22 +-- drivers/usb/host/xhci.h | 9 +- fs/btrfs/tree-checker.c | 4 +- fs/btrfs/tree-log.c | 2 +- fs/nilfs2/sysfs.c | 4 +- fs/nilfs2/sysfs.h | 8 +- fs/smb/client/cifsproto.h | 4 +- fs/smb/client/inode.c | 6 +- fs/smb/client/misc.c | 36 ++-- fs/smb/client/smbdirect.c | 7 +- fs/smb/server/transport_rdma.c | 26 ++- include/crypto/if_alg.h | 10 +- include/linux/io_uring_types.h | 4 +- include/linux/minmax.h | 219 ++++++++++----------- include/linux/mlx5/driver.h | 1 + include/linux/mm.h | 55 ++++++ include/uapi/linux/mptcp.h | 2 + include/uapi/linux/mptcp_pm.h | 4 +- io_uring/io_uring.c | 12 +- io_uring/io_uring.h | 13 ++ io_uring/kbuf.h | 2 +- io_uring/msg_ring.c | 24 +-- io_uring/notif.c | 2 +- io_uring/poll.c | 3 +- io_uring/timeout.c | 2 +- io_uring/uring_cmd.c | 6 +- kernel/cgroup/cgroup.c | 43 +++- mm/gup.c | 41 +++- mm/migrate.c | 22 +-- mm/vmscan.c | 2 +- net/ipv4/tcp.c | 5 + net/ipv4/tcp_ao.c | 4 +- net/mac80211/driver-ops.h | 2 +- net/mac80211/main.c | 7 +- net/mptcp/options.c | 6 +- net/mptcp/pm_netlink.c | 7 + net/mptcp/protocol.c | 16 ++ net/mptcp/subflow.c | 4 + net/rds/ib_frmr.c | 20 +- net/rfkill/rfkill-gpio.c | 4 +- net/tls/tls.h | 1 + net/tls/tls_strp.c | 14 +- net/tls/tls_sw.c | 3 +- sound/firewire/motu/motu-hwdep.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/codecs/wm8940.c | 9 +- sound/soc/codecs/wm8974.c | 8 +- sound/soc/intel/catpt/pcm.c | 23 ++- sound/soc/qcom/qdsp6/audioreach.c | 1 + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 +- sound/soc/sof/intel/hda-stream.c | 2 +- tools/arch/loongarch/include/asm/inst.h | 12 ++ tools/objtool/arch/loongarch/decode.c | 33 +++- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +- tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 +- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +- 118 files changed, 1069 insertions(+), 571 deletions(-)

1 month, 1 week

14
118
0 0

[PATCH v3 00/12] media: uvcvideo: Add support for orientation and rotation.

by Ricardo Ribalda

The ACPI has ways to annotate the location of a USB device. Wire that annotation to a v4l2 control. To support all possible devices, add a way to annotate USB devices on DT as well. The original binding discussion happened here: https://lore.kernel.org/linux-devicetree/20241212-usb-orientation-v1-1-0b69… The following patches are needed regardless if we finally add support for orientation and rotation or not: - media: uvcvideo: Always set default_value - media: uvcvideo: Set a function for UVC_EXT_GPIO_UNIT Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Changes in v3: - refactor dt bindings - add media: uvcvideo: Use current_value for read-only controls - get_(max|cur|def) = swentity_get_cur - virtual_entity add codestyle - Codestyle - Fix xu get_info and get_len - Drop ACPI_DEVICE_SWNODE_DEV_ROTATION - Add missing select V4L2_FWNODE - Link to v2: https://lore.kernel.org/r/20250605-uvc-orientation-v2-0-5710f9d030aa@chromi… Changes in v2: - Add support for rotation - Rename fwnode to swentity - Remove the patch to move the gpio file - Remove patches already in media-committers - Change priority of data origins - Patch mipi-disco - Link to v1: https://lore.kernel.org/r/20250403-uvc-orientation-v1-0-1a0cc595a62d@chromi… --- Ricardo Ribalda (12): media: uvcvideo: Always set default_value media: uvcvideo: Set a function for UVC_EXT_GPIO_UNIT media: v4l: fwnode: Support ACPI's _PLD for v4l2_fwnode_device_parse ACPI: mipi-disco-img: Do not duplicate rotation info into swnodes media: ipu-bridge: Use v4l2_fwnode_device_parse helper media: ipu-bridge: Use v4l2_fwnode for unknown rotations dt-bindings: media: Add usb-camera-module media: uvcvideo: Add support for V4L2_CID_CAMERA_ORIENTATION media: uvcvideo: Fill ctrl->info.selector earlier media: uvcvideo: Add uvc_ctrl_query_entity helper media: uvcvideo: Use current_value for read-only controls media: uvcvideo: Add support for V4L2_CID_CAMERA_ROTATION .../bindings/media/usb-camera-module.yaml | 46 +++++ MAINTAINERS | 1 + drivers/acpi/mipi-disco-img.c | 15 -- drivers/media/pci/intel/Kconfig | 1 + drivers/media/pci/intel/ipu-bridge.c | 58 +++--- drivers/media/usb/uvc/Kconfig | 1 + drivers/media/usb/uvc/Makefile | 3 +- drivers/media/usb/uvc/uvc_ctrl.c | 201 +++++++++++++++------ drivers/media/usb/uvc/uvc_driver.c | 22 ++- drivers/media/usb/uvc/uvc_entity.c | 3 +- drivers/media/usb/uvc/uvc_swentity.c | 107 +++++++++++ drivers/media/usb/uvc/uvcvideo.h | 22 +++ drivers/media/v4l2-core/v4l2-fwnode.c | 84 ++++++++- include/acpi/acpi_bus.h | 1 - include/linux/usb/uvc.h | 3 + 15 files changed, 441 insertions(+), 127 deletions(-) --- base-commit: afb100a5ea7a13d7e6937dcd3b36b19dc6cc9328 change-id: 20250403-uvc-orientation-5f7f19da5adb Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

1 month, 1 week

1
2
0 0

[PATCH] fix error code overwriting in smb2_get_info_filesystem()

by Matvey Kovalev

If client doesn't negotiate with SMB3.1.1 POSIX Extensions, then proper error code won't be returned due to overwriting. Return error immediately. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e2f34481b24db ("cifsd: add server-side procedures for SMB3") Cc: stable(a)vger.kernel.org Signed-off-by: Matvey Kovalev <matvey.kovalev(a)ispras.ru> --- fs/smb/server/smb2pdu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index a565fc36cee6d..a1db006ab6e92 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -5628,7 +5628,8 @@ static int smb2_get_info_filesystem(struct ksmbd_work *work, if (!work->tcon->posix_extensions) { pr_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n"); - rc = -EOPNOTSUPP; + path_put(&path); + return -EOPNOTSUPP; } else { info = (struct filesystem_posix_info *)(rsp->Buffer); info->OptimalTransferSize = cpu_to_le32(stfs.f_bsize); -- 2.43.0.windows.1

1 month, 1 week

3
2
0 0

[PATCH v1] gpio: mpfs: fix setting gpio direction to output

by Conor Dooley

From: Conor Dooley <conor.dooley(a)microchip.com> mpfs_gpio_direction_output() actually sets the line to input mode. Use the correct register settings for output mode so that this function actually works as intended. This was a copy-paste mistake made when converting to regmap during the driver submission process. It went unnoticed because my test for output mode is toggling LEDs on an Icicle kit which functions with the incorrect code. The internal reporter has yet to test the patch, but on their system the incorrect setting may be the reason for failures to drive the GPIO lines on the BeagleV-fire board. CC: stable(a)vger.kernel.org Fixes: a987b78f3615e ("gpio: mpfs: add polarfire soc gpio support") Signed-off-by: Conor Dooley <conor.dooley(a)microchip.com> --- CC: Conor Dooley <conor.dooley(a)microchip.com> CC: Daire McNamara <daire.mcnamara(a)microchip.com> CC: Cyril.Jean(a)microchip.com CC: Linus Walleij <linus.walleij(a)linaro.org> CC: Bartosz Golaszewski <brgl(a)bgdev.pl> CC: linux-riscv(a)lists.infradead.org CC: linux-gpio(a)vger.kernel.org CC: linux-kernel(a)vger.kernel.org --- drivers/gpio/gpio-mpfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpio/gpio-mpfs.c b/drivers/gpio/gpio-mpfs.c index 82d557a7e5d8d..9468795b96348 100644 --- a/drivers/gpio/gpio-mpfs.c +++ b/drivers/gpio/gpio-mpfs.c @@ -69,7 +69,7 @@ static int mpfs_gpio_direction_output(struct gpio_chip *gc, unsigned int gpio_in struct mpfs_gpio_chip *mpfs_gpio = gpiochip_get_data(gc); regmap_update_bits(mpfs_gpio->regs, MPFS_GPIO_CTRL(gpio_index), - MPFS_GPIO_DIR_MASK, MPFS_GPIO_EN_IN); + MPFS_GPIO_DIR_MASK, MPFS_GPIO_EN_OUT | MPFS_GPIO_EN_OUT_BUF); regmap_update_bits(mpfs_gpio->regs, mpfs_gpio->offsets->outp, BIT(gpio_index), value << gpio_index); -- 2.47.3

1 month, 1 week

2
2
0 0

[PATCH v2] wifi: mt76: Fix DTS power-limits on little endian systems

by Sven Eckelmann (Plasma Cloud)

The power-limits for ru and mcs and stored in the devicetree as bytewise array (often with sizes which are not a multiple of 4). These arrays have a prefix which defines for how many modes a line is applied. This prefix is also only a byte - but the code still tried to fix the endianness of this byte with a be32 operation. As result, loading was mostly failing or was sending completely unexpected values to the firmware. Since the other rates are also stored in the devicetree as bytewise arrays, just drop the u32 access + be32_to_cpu conversion and directly access them as bytes arrays. Cc: stable(a)vger.kernel.org Fixes: 22b980badc0f ("mt76: add functions for parsing rate power limits from DT") Fixes: a9627d992b5e ("mt76: extend DT rate power limits to support 11ax devices") Signed-off-by: Sven Eckelmann (Plasma Cloud) <se(a)simonwunderlich.de> --- Changes in v2: - Fix second Fixes line, thanks Zhi-Jun You - Link to v1: https://lore.kernel.org/r/20250917-fix-power-limits-v1-1-616e859a9881@simon… --- drivers/net/wireless/mediatek/mt76/eeprom.c | 37 +++++++++++++++++++---------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/eeprom.c b/drivers/net/wireless/mediatek/mt76/eeprom.c index a987c5e4eff6c6b0a014b4b069dc1259ffa82d31..6ce8e4af18fe53c10a0cb7290bf65962ce9cdde4 100644 --- a/drivers/net/wireless/mediatek/mt76/eeprom.c +++ b/drivers/net/wireless/mediatek/mt76/eeprom.c @@ -253,6 +253,19 @@ mt76_get_of_array(struct device_node *np, char *name, size_t *len, int min) return prop->value; } +static const s8 * +mt76_get_of_array_s8(struct device_node *np, char *name, size_t *len, int min) +{ + struct property *prop = of_find_property(np, name, NULL); + + if (!prop || !prop->value || prop->length < min) + return NULL; + + *len = prop->length; + + return prop->value; +} + struct device_node * mt76_find_channel_node(struct device_node *np, struct ieee80211_channel *chan) { @@ -294,7 +307,7 @@ mt76_get_txs_delta(struct device_node *np, u8 nss) } static void -mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const __be32 *data, +mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const s8 *data, s8 target_power, s8 nss_delta, s8 *max_power) { int i; @@ -303,15 +316,14 @@ mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const __be32 *data, return; for (i = 0; i < pwr_len; i++) { - pwr[i] = min_t(s8, target_power, - be32_to_cpu(data[i]) + nss_delta); + pwr[i] = min_t(s8, target_power, data[i] + nss_delta); *max_power = max(*max_power, pwr[i]); } } static void mt76_apply_multi_array_limit(s8 *pwr, size_t pwr_len, s8 pwr_num, - const __be32 *data, size_t len, s8 target_power, + const s8 *data, size_t len, s8 target_power, s8 nss_delta, s8 *max_power) { int i, cur; @@ -319,8 +331,7 @@ mt76_apply_multi_array_limit(s8 *pwr, size_t pwr_len, s8 pwr_num, if (!data) return; - len /= 4; - cur = be32_to_cpu(data[0]); + cur = data[0]; for (i = 0; i < pwr_num; i++) { if (len < pwr_len + 1) break; @@ -335,7 +346,7 @@ mt76_apply_multi_array_limit(s8 *pwr, size_t pwr_len, s8 pwr_num, if (!len) break; - cur = be32_to_cpu(data[0]); + cur = data[0]; } } @@ -346,7 +357,7 @@ s8 mt76_get_rate_power_limits(struct mt76_phy *phy, { struct mt76_dev *dev = phy->dev; struct device_node *np; - const __be32 *val; + const s8 *val; char name[16]; u32 mcs_rates = dev->drv->mcs_rates; u32 ru_rates = ARRAY_SIZE(dest->ru[0]); @@ -392,21 +403,21 @@ s8 mt76_get_rate_power_limits(struct mt76_phy *phy, txs_delta = mt76_get_txs_delta(np, hweight16(phy->chainmask)); - val = mt76_get_of_array(np, "rates-cck", &len, ARRAY_SIZE(dest->cck)); + val = mt76_get_of_array_s8(np, "rates-cck", &len, ARRAY_SIZE(dest->cck)); mt76_apply_array_limit(dest->cck, ARRAY_SIZE(dest->cck), val, target_power, txs_delta, &max_power); - val = mt76_get_of_array(np, "rates-ofdm", - &len, ARRAY_SIZE(dest->ofdm)); + val = mt76_get_of_array_s8(np, "rates-ofdm", + &len, ARRAY_SIZE(dest->ofdm)); mt76_apply_array_limit(dest->ofdm, ARRAY_SIZE(dest->ofdm), val, target_power, txs_delta, &max_power); - val = mt76_get_of_array(np, "rates-mcs", &len, mcs_rates + 1); + val = mt76_get_of_array_s8(np, "rates-mcs", &len, mcs_rates + 1); mt76_apply_multi_array_limit(dest->mcs[0], ARRAY_SIZE(dest->mcs[0]), ARRAY_SIZE(dest->mcs), val, len, target_power, txs_delta, &max_power); - val = mt76_get_of_array(np, "rates-ru", &len, ru_rates + 1); + val = mt76_get_of_array_s8(np, "rates-ru", &len, ru_rates + 1); mt76_apply_multi_array_limit(dest->ru[0], ARRAY_SIZE(dest->ru[0]), ARRAY_SIZE(dest->ru), val, len, target_power, txs_delta, &max_power); --- base-commit: b36d55610215a976267197ddc914902c494705d7 change-id: 20250917-fix-power-limits-5ce07b993681 Best regards, -- Sven Eckelmann (Plasma Cloud) <se(a)simonwunderlich.de>

1 month, 1 week

1
0
0 0

501K IAA Mobility 2025 Contacts!

by Garnet Conwell

Hi, Access a comprehensive, verified database of 501,853 IAA Mobility 2025 attendees and 750 exhibitors to grow your network and maximize business opportunities. What you’ll get: Contact name, Job Title, Business Name, Physical Address, Phone Numbers, Official Email address and many more. Delivered within 48 hours and 100% opt-in and GDPR compliant. Special Discount: Enjoy 20% off for a limited time! Would you prefer the entire attendee database or a customized segment tailored by geography, job role, or industry? I’ll forward the same to our Business Development Manager, who will provide you with more details about list acquisition. Best regards, Garnet Conwell Sr. Marketing Manager P.S. To opt out of future emails, simply reply “Unfollow.”

1 month, 1 week

1
0
0 0

[PATCH v3] netfs: fix reference leak

by David Howells

From: Max Kellermann <max.kellermann(a)ionos.com> Commit 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") modified netfs_alloc_request() to initialize the reference counter to 2 instead of 1. The rationale was that the requet's "work" would release the second reference after completion (via netfs_{read,write}_collection_worker()). That works most of the time if all goes well. However, it leaks this additional reference if the request is released before the I/O operation has been submitted: the error code path only decrements the reference counter once and the work item will never be queued because there will never be a completion. This has caused outages of our whole server cluster today because tasks were blocked in netfs_wait_for_outstanding_io(), leading to deadlocks in Ceph (another bug that I will address soon in another patch). This was caused by a netfs_pgpriv2_begin_copy_to_cache() call which failed in fscache_begin_write_operation(). The leaked netfs_io_request was never completed, leaving `netfs_inode.io_count` with a positive value forever. All of this is super-fragile code. Finding out which code paths will lead to an eventual completion and which do not is hard to see: - Some functions like netfs_create_write_req() allocate a request, but will never submit any I/O. - netfs_unbuffered_read_iter_locked() calls netfs_unbuffered_read() and then netfs_put_request(); however, netfs_unbuffered_read() can also fail early before submitting the I/O request, therefore another netfs_put_request() call must be added there. A rule of thumb is that functions that return a `netfs_io_request` do not submit I/O, and all of their callers must be checked. For my taste, the whole netfs code needs an overhaul to make reference counting easier to understand and less fragile & obscure. But to fix this bug here and now and produce a patch that is adequate for a stable backport, I tried a minimal approach that quickly frees the request object upon early failure. I decided against adding a second netfs_put_request() each time because that would cause code duplication which obscures the code further. Instead, I added the function netfs_put_failed_request() which frees such a failed request synchronously under the assumption that the reference count is exactly 2 (as initially set by netfs_alloc_request() and never touched), verified by a WARN_ON_ONCE(). It then deinitializes the request object (without going through the "cleanup_work" indirection) and frees the allocation (with RCU protection to protect against concurrent access by netfs_requests_seq_start()). All code paths that fail early have been changed to call netfs_put_failed_request() instead of netfs_put_request(). Additionally, I have added a netfs_put_request() call to netfs_unbuffered_read() as explained above because the netfs_put_failed_request() approach does not work there. Fixes: 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> Signed-off-by: David Howells <dhowells(a)redhat.com> cc: Paulo Alcantara <pc(a)manguebit.org> cc: netfs(a)lists.linux.dev, cc: linux-fsdevel(a)vger.kernel.org, cc: stable(a)vger.kernel.org --- Changes ======= ver #3) - Log the refcount in the tracepoint in netfs_put_failed_request(). ver #2) - Fix missing RCU handling in netfs_put_failed_request(). fs/netfs/buffered_read.c | 10 +++++----- fs/netfs/direct_read.c | 7 ++++++- fs/netfs/direct_write.c | 6 +++++- fs/netfs/internal.h | 1 + fs/netfs/objects.c | 28 +++++++++++++++++++++++++--- fs/netfs/read_pgpriv2.c | 2 +- fs/netfs/read_single.c | 2 +- fs/netfs/write_issue.c | 3 +-- 8 files changed, 45 insertions(+), 14 deletions(-) diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c index 18b3dc74c70e..37ab6f28b5ad 100644 --- a/fs/netfs/buffered_read.c +++ b/fs/netfs/buffered_read.c @@ -369,7 +369,7 @@ void netfs_readahead(struct readahead_control *ractl) return netfs_put_request(rreq, netfs_rreq_trace_put_return); cleanup_free: - return netfs_put_request(rreq, netfs_rreq_trace_put_failed); + return netfs_put_failed_request(rreq); } EXPORT_SYMBOL(netfs_readahead); @@ -472,7 +472,7 @@ static int netfs_read_gaps(struct file *file, struct folio *folio) return ret < 0 ? ret : 0; discard: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); alloc_error: folio_unlock(folio); return ret; @@ -532,7 +532,7 @@ int netfs_read_folio(struct file *file, struct folio *folio) return ret < 0 ? ret : 0; discard: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); alloc_error: folio_unlock(folio); return ret; @@ -699,7 +699,7 @@ int netfs_write_begin(struct netfs_inode *ctx, return 0; error_put: - netfs_put_request(rreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(rreq); error: if (folio) { folio_unlock(folio); @@ -754,7 +754,7 @@ int netfs_prefetch_for_write(struct file *file, struct folio *folio, return ret < 0 ? ret : 0; error_put: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); error: _leave(" = %d", ret); return ret; diff --git a/fs/netfs/direct_read.c b/fs/netfs/direct_read.c index a05e13472baf..a498ee8d6674 100644 --- a/fs/netfs/direct_read.c +++ b/fs/netfs/direct_read.c @@ -131,6 +131,7 @@ static ssize_t netfs_unbuffered_read(struct netfs_io_request *rreq, bool sync) if (rreq->len == 0) { pr_err("Zero-sized read [R=%x]\n", rreq->debug_id); + netfs_put_request(rreq, netfs_rreq_trace_put_discard); return -EIO; } @@ -205,7 +206,7 @@ ssize_t netfs_unbuffered_read_iter_locked(struct kiocb *iocb, struct iov_iter *i if (user_backed_iter(iter)) { ret = netfs_extract_user_iter(iter, rreq->len, &rreq->buffer.iter, 0); if (ret < 0) - goto out; + goto error_put; rreq->direct_bv = (struct bio_vec *)rreq->buffer.iter.bvec; rreq->direct_bv_count = ret; rreq->direct_bv_unpin = iov_iter_extract_will_pin(iter); @@ -238,6 +239,10 @@ ssize_t netfs_unbuffered_read_iter_locked(struct kiocb *iocb, struct iov_iter *i if (ret > 0) orig_count -= ret; return ret; + +error_put: + netfs_put_failed_request(rreq); + return ret; } EXPORT_SYMBOL(netfs_unbuffered_read_iter_locked); diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c index a16660ab7f83..a9d1c3b2c084 100644 --- a/fs/netfs/direct_write.c +++ b/fs/netfs/direct_write.c @@ -57,7 +57,7 @@ ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov_iter * n = netfs_extract_user_iter(iter, len, &wreq->buffer.iter, 0); if (n < 0) { ret = n; - goto out; + goto error_put; } wreq->direct_bv = (struct bio_vec *)wreq->buffer.iter.bvec; wreq->direct_bv_count = n; @@ -101,6 +101,10 @@ ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov_iter * out: netfs_put_request(wreq, netfs_rreq_trace_put_return); return ret; + +error_put: + netfs_put_failed_request(wreq); + return ret; } EXPORT_SYMBOL(netfs_unbuffered_write_iter_locked); diff --git a/fs/netfs/internal.h b/fs/netfs/internal.h index d4f16fefd965..4319611f5354 100644 --- a/fs/netfs/internal.h +++ b/fs/netfs/internal.h @@ -87,6 +87,7 @@ struct netfs_io_request *netfs_alloc_request(struct address_space *mapping, void netfs_get_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace what); void netfs_clear_subrequests(struct netfs_io_request *rreq); void netfs_put_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace what); +void netfs_put_failed_request(struct netfs_io_request *rreq); struct netfs_io_subrequest *netfs_alloc_subrequest(struct netfs_io_request *rreq); static inline void netfs_see_request(struct netfs_io_request *rreq, diff --git a/fs/netfs/objects.c b/fs/netfs/objects.c index e8c99738b5bb..39d5e13f7248 100644 --- a/fs/netfs/objects.c +++ b/fs/netfs/objects.c @@ -116,10 +116,8 @@ static void netfs_free_request_rcu(struct rcu_head *rcu) netfs_stat_d(&netfs_n_rh_rreq); } -static void netfs_free_request(struct work_struct *work) +static void netfs_deinit_request(struct netfs_io_request *rreq) { - struct netfs_io_request *rreq = - container_of(work, struct netfs_io_request, cleanup_work); struct netfs_inode *ictx = netfs_inode(rreq->inode); unsigned int i; @@ -149,6 +147,14 @@ static void netfs_free_request(struct work_struct *work) if (atomic_dec_and_test(&ictx->io_count)) wake_up_var(&ictx->io_count); +} + +static void netfs_free_request(struct work_struct *work) +{ + struct netfs_io_request *rreq = + container_of(work, struct netfs_io_request, cleanup_work); + + netfs_deinit_request(rreq); call_rcu(&rreq->rcu, netfs_free_request_rcu); } @@ -167,6 +173,22 @@ void netfs_put_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace } } +/* + * Free a request (synchronously) that was just allocated but has + * failed before it could be submitted. + */ +void netfs_put_failed_request(struct netfs_io_request *rreq) +{ + /* new requests have two references (see + * netfs_alloc_request(), and this function is only allowed on + * new request objects + */ + WARN_ON_ONCE(refcount_read(&rreq->ref) != 2); + + trace_netfs_rreq_ref(rreq->debug_id, 0, netfs_rreq_trace_put_failed); + netfs_free_request(&rreq->cleanup_work); +} + /* * Allocate and partially initialise an I/O request structure. */ diff --git a/fs/netfs/read_pgpriv2.c b/fs/netfs/read_pgpriv2.c index 8097bc069c1d..a1489aa29f78 100644 --- a/fs/netfs/read_pgpriv2.c +++ b/fs/netfs/read_pgpriv2.c @@ -118,7 +118,7 @@ static struct netfs_io_request *netfs_pgpriv2_begin_copy_to_cache( return creq; cancel_put: - netfs_put_request(creq, netfs_rreq_trace_put_return); + netfs_put_failed_request(creq); cancel: rreq->copy_to_cache = ERR_PTR(-ENOBUFS); clear_bit(NETFS_RREQ_FOLIO_COPY_TO_CACHE, &rreq->flags); diff --git a/fs/netfs/read_single.c b/fs/netfs/read_single.c index fa622a6cd56d..5c0dc4efc792 100644 --- a/fs/netfs/read_single.c +++ b/fs/netfs/read_single.c @@ -189,7 +189,7 @@ ssize_t netfs_read_single(struct inode *inode, struct file *file, struct iov_ite return ret; cleanup_free: - netfs_put_request(rreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(rreq); return ret; } EXPORT_SYMBOL(netfs_read_single); diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c index 0584cba1a043..dd8743bc8d7f 100644 --- a/fs/netfs/write_issue.c +++ b/fs/netfs/write_issue.c @@ -133,8 +133,7 @@ struct netfs_io_request *netfs_create_write_req(struct address_space *mapping, return wreq; nomem: - wreq->error = -ENOMEM; - netfs_put_request(wreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(wreq); return ERR_PTR(-ENOMEM); }

1 month, 1 week

2
3
0 0

[PATCH v6 3/4] PCI: dwc: Skip PME_Turn_Off message if there is no endpoint connected

by Richard Zhu

A chip freeze is observed on i.MX7D when PCIe RC kicks off the PM_PME message and no any devices are connected on the port. To workaroud such kind of issue, skip PME_Turn_Off message if there is no endpoint connected. Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Fixes: a528d1a72597 ("PCI: imx6: Use DWC common suspend resume method") Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> --- drivers/pci/controller/dwc/pcie-designware-host.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 57a1ba08c427..b303a74b0fd7 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1008,12 +1008,15 @@ int dw_pcie_suspend_noirq(struct dw_pcie *pci) u32 val; int ret; - if (pci->pp.ops->pme_turn_off) { - pci->pp.ops->pme_turn_off(&pci->pp); - } else { - ret = dw_pcie_pme_turn_off(pci); - if (ret) - return ret; + /* Skip PME_Turn_Off message if there is no endpoint connected */ + if (dw_pcie_get_ltssm(pci) > DW_PCIE_LTSSM_DETECT_WAIT) { + if (pci->pp.ops->pme_turn_off) { + pci->pp.ops->pme_turn_off(&pci->pp); + } else { + ret = dw_pcie_pme_turn_off(pci); + if (ret) + return ret; + } } if (dwc_quirk(pci, QUIRK_NOL2POLL_IN_PM)) { -- 2.37.1

1 month, 1 week

3
2
0 0

You have a donation of two Million Five Hundred Thousand

by Dr Leonard Valentinovic Blavatnik.

1 month, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call() has been removed from the -mm tree. Its filename was mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Akinobu Mita <akinobu.mita(a)gmail.com> Subject: mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call() Date: Sat, 20 Sep 2025 22:25:46 +0900 The callback return value is ignored in damon_sysfs_damon_call(), which means that it is not possible to detect invalid user input when writing commands such as 'commit' to /sys/kernel/mm/damon/admin/kdamonds/<K>/state. Fix it. Link: https://lkml.kernel.org/r/20250920132546.5822-1-akinobu.mita@gmail.com Fixes: f64539dcdb87 ("mm/damon/sysfs: use damon_call() for update_schemes_stats") Signed-off-by: Akinobu Mita <akinobu.mita(a)gmail.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> [6.14+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/sysfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/mm/damon/sysfs.c~mm-damon-sysfs-do-not-ignore-callbacks-return-value-in-damon_sysfs_damon_call +++ a/mm/damon/sysfs.c @@ -1592,12 +1592,14 @@ static int damon_sysfs_damon_call(int (* struct damon_sysfs_kdamond *kdamond) { struct damon_call_control call_control = {}; + int err; if (!kdamond->damon_ctx) return -EINVAL; call_control.fn = fn; call_control.data = kdamond; - return damon_call(kdamond->damon_ctx, &call_control); + err = damon_call(kdamond->damon_ctx, &call_control); + return err ? err : call_control.return_code; } struct damon_sysfs_schemes_walk_data { _ Patches currently in -mm which might be from akinobu.mita(a)gmail.com are

1 month, 1 week

1
0
0 0

[merged mm-hotfixes-stable] fs-proc-task_mmu-check-p-vec_buf-for-null.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: fs/proc/task_mmu: check p->vec_buf for NULL has been removed from the -mm tree. Its filename was fs-proc-task_mmu-check-p-vec_buf-for-null.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jakub Acs <acsjakub(a)amazon.de> Subject: fs/proc/task_mmu: check p->vec_buf for NULL Date: Mon, 22 Sep 2025 08:22:05 +0000 When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking p->vec_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Link: https://lkml.kernel.org/r/20250922082206.6889-1-acsjakub@amazon.de Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Reviewed-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Micha�� Miros��aw" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-check-p-vec_buf-for-null +++ a/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(s { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!p->vec_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else _ Patches currently in -mm which might be from acsjakub(a)amazon.de are

1 month, 1 week

1
0
0 0

[merged mm-hotfixes-stable] kmsan-fix-out-of-bounds-access-to-shadow-memory.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kmsan: fix out-of-bounds access to shadow memory has been removed from the -mm tree. Its filename was kmsan-fix-out-of-bounds-access-to-shadow-memory.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Eric Biggers <ebiggers(a)kernel.org> Subject: kmsan: fix out-of-bounds access to shadow memory Date: Thu, 11 Sep 2025 12:58:58 -0700 Running sha224_kunit on a KMSAN-enabled kernel results in a crash in kmsan_internal_set_shadow_origin(): BUG: unable to handle page fault for address: ffffbc3840291000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0 Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary) Tainted: [N]=TEST Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100 [...] Call Trace: <TASK> __msan_memset+0xee/0x1a0 sha224_final+0x9e/0x350 test_hash_buffer_overruns+0x46f/0x5f0 ? kmsan_get_shadow_origin_ptr+0x46/0xa0 ? __pfx_test_hash_buffer_overruns+0x10/0x10 kunit_try_run_case+0x198/0xa00 This occurs when memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page, i.e. the next page is unmapped. The bug is that the loop at the end of kmsan_internal_set_shadow_origin() accesses the wrong shadow memory bytes when the address is not 4-byte aligned. Since each 4 bytes are associated with an origin, it rounds the address and size so that it can access all the origins that contain the buffer. However, when it checks the corresponding shadow bytes for a particular origin, it incorrectly uses the original unrounded shadow address. This results in reads from shadow memory beyond the end of the buffer's shadow memory, which crashes when that memory is not mapped. To fix this, correctly align the shadow address before accessing the 4 shadow bytes corresponding to each origin. Link: https://lkml.kernel.org/r/20250911195858.394235-1-ebiggers@kernel.org Fixes: 2ef3cec44c60 ("kmsan: do not wipe out origin when doing partial unpoisoning") Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Tested-by: Alexander Potapenko <glider(a)google.com> Reviewed-by: Alexander Potapenko <glider(a)google.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kmsan/core.c | 10 +++++++--- mm/kmsan/kmsan_test.c | 16 ++++++++++++++++ 2 files changed, 23 insertions(+), 3 deletions(-) --- a/mm/kmsan/core.c~kmsan-fix-out-of-bounds-access-to-shadow-memory +++ a/mm/kmsan/core.c @@ -195,7 +195,8 @@ void kmsan_internal_set_shadow_origin(vo u32 origin, bool checked) { u64 address = (u64)addr; - u32 *shadow_start, *origin_start; + void *shadow_start; + u32 *aligned_shadow, *origin_start; size_t pad = 0; KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size)); @@ -214,9 +215,12 @@ void kmsan_internal_set_shadow_origin(vo } __memset(shadow_start, b, size); - if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { + if (IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { + aligned_shadow = shadow_start; + } else { pad = address % KMSAN_ORIGIN_SIZE; address -= pad; + aligned_shadow = shadow_start - pad; size += pad; } size = ALIGN(size, KMSAN_ORIGIN_SIZE); @@ -230,7 +234,7 @@ void kmsan_internal_set_shadow_origin(vo * corresponding shadow slot is zero. */ for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) { - if (origin || !shadow_start[i]) + if (origin || !aligned_shadow[i]) origin_start[i] = origin; } } --- a/mm/kmsan/kmsan_test.c~kmsan-fix-out-of-bounds-access-to-shadow-memory +++ a/mm/kmsan/kmsan_test.c @@ -556,6 +556,21 @@ DEFINE_TEST_MEMSETXX(16) DEFINE_TEST_MEMSETXX(32) DEFINE_TEST_MEMSETXX(64) +/* Test case: ensure that KMSAN does not access shadow memory out of bounds. */ +static void test_memset_on_guarded_buffer(struct kunit *test) +{ + void *buf = vmalloc(PAGE_SIZE); + + kunit_info(test, + "memset() on ends of guarded buffer should not crash\n"); + + for (size_t size = 0; size <= 128; size++) { + memset(buf, 0xff, size); + memset(buf + PAGE_SIZE - size, 0xff, size); + } + vfree(buf); +} + static noinline void fibonacci(int *array, int size, int start) { if (start < 2 || (start == size)) @@ -677,6 +692,7 @@ static struct kunit_case kmsan_test_case KUNIT_CASE(test_memset16), KUNIT_CASE(test_memset32), KUNIT_CASE(test_memset64), + KUNIT_CASE(test_memset_on_guarded_buffer), KUNIT_CASE(test_long_origin_chain), KUNIT_CASE(test_stackdepot_roundtrip), KUNIT_CASE(test_unpoison_memory), _ Patches currently in -mm which might be from ebiggers(a)kernel.org are

1 month, 1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hugetlb: fix folio is still mapped when deleted has been removed from the -mm tree. Its filename was mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jinjiang Tu <tujinjiang(a)huawei.com> Subject: mm/hugetlb: fix folio is still mapped when deleted Date: Fri, 12 Sep 2025 15:41:39 +0800 Migration may be raced with fallocating hole. remove_inode_single_folio will unmap the folio if the folio is still mapped. However, it's called without folio lock. If the folio is migrated and the mapped pte has been converted to migration entry, folio_mapped() returns false, and won't unmap it. Due to extra refcount held by remove_inode_single_folio, migration fails, restores migration entry to normal pte, and the folio is mapped again. As a result, we triggered BUG in filemap_unaccount_folio. The log is as follows: BUG: Bad page cache in process hugetlb pfn:156c00 page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00 head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0 aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file" flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: f4(hugetlb) page dumped because: still mapped when deleted CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x4f/0x70 filemap_unaccount_folio+0xc4/0x1c0 __filemap_remove_folio+0x38/0x1c0 filemap_remove_folio+0x41/0xd0 remove_inode_hugepages+0x142/0x250 hugetlbfs_fallocate+0x471/0x5a0 vfs_fallocate+0x149/0x380 Hold folio lock before checking if the folio is mapped to avold race with migration. Link: https://lkml.kernel.org/r/20250912074139.3575005-1-tujinjiang@huawei.com Fixes: 4aae8d1c051e ("mm/hugetlbfs: unmap pages if page fault raced with hole punch") Signed-off-by: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/hugetlbfs/inode.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/fs/hugetlbfs/inode.c~mm-hugetlb-fix-folio-is-still-mapped-when-deleted +++ a/fs/hugetlbfs/inode.c @@ -517,14 +517,16 @@ static bool remove_inode_single_folio(st /* * If folio is mapped, it was faulted in after being - * unmapped in caller. Unmap (again) while holding - * the fault mutex. The mutex will prevent faults - * until we finish removing the folio. + * unmapped in caller or hugetlb_vmdelete_list() skips + * unmapping it due to fail to grab lock. Unmap (again) + * while holding the fault mutex. The mutex will prevent + * faults until we finish removing the folio. Hold folio + * lock to guarantee no concurrent migration. */ + folio_lock(folio); if (unlikely(folio_mapped(folio))) hugetlb_unmap_file_folio(h, mapping, folio, index); - folio_lock(folio); /* * We must remove the folio from page cache before removing * the region/ reserve map (hugetlb_unreserve_pages). In _ Patches currently in -mm which might be from tujinjiang(a)huawei.com are

1 month, 1 week

1
0
0 0

[failures] hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list has been removed from the -mm tree. Its filename was hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch This patch was dropped because it had testing failures ------------------------------------------------------ From: Deepanshu Kartikey <kartikey406(a)gmail.com> Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list Date: Thu, 25 Sep 2025 20:19:32 +0530 hugetlb_vmdelete_list() uses trylock to acquire VMA locks during truncate operations. As per the original design in commit 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization"), if the trylock fails or the VMA has no lock, it should skip that VMA. Any remaining mapped pages are handled by remove_inode_hugepages() which is called after hugetlb_vmdelete_list() and uses proper lock ordering to guarantee unmapping success. Currently, when hugetlb_vma_trylock_write() returns success (1) for VMAs without shareable locks, the code proceeds to call unmap_hugepage_range(). This causes assertion failures in huge_pmd_unshare() �� hugetlb_vma_assert_locked() because no lock is actually held: WARNING: CPU: 1 PID: 6594 Comm: syz.0.28 Not tainted Call Trace: hugetlb_vma_assert_locked+0x1dd/0x250 huge_pmd_unshare+0x2c8/0x540 __unmap_hugepage_range+0x6e3/0x1aa0 unmap_hugepage_range+0x32e/0x410 hugetlb_vmdelete_list+0x189/0x1f0 Fix by explicitly skipping VMAs without shareable locks after trylock succeeds, consistent with the original design where such VMAs are deferred to remove_inode_hugepages() for proper handling. Link: https://lkml.kernel.org/r/20250925144934.150299-1-kartikey406@gmail.com Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> Reported-by: syzbot+f26d7c75c26ec19790e7(a)syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=f26d7c75c26ec19790e7 Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization") Tested-by: syzbot+f26d7c75c26ec19790e7(a)syzkaller.appspotmail.com Cc: David Hildenbrand <david(a)redhat.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/hugetlbfs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/hugetlbfs/inode.c~hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list +++ a/fs/hugetlbfs/inode.c @@ -487,7 +487,8 @@ hugetlb_vmdelete_list(struct rb_root_cac if (!hugetlb_vma_trylock_write(vma)) continue; - + if (!__vma_shareable_lock(vma)) + continue; v_start = vma_offset_start(vma, start); v_end = vma_offset_end(vma, end); _ Patches currently in -mm which might be from kartikey406(a)gmail.com are

1 month, 1 week

1
0
0 0

[tip: timers/clocksource] clocksource/drivers/clps711x: Fix resource leaks in error paths

by tip-bot2 for Zhen Ni

The following commit has been merged into the timers/clocksource branch of tip: Commit-ID: cd32e596f02fc981674573402c1138f616df1728 Gitweb: https://git.kernel.org/tip/cd32e596f02fc981674573402c1138f616df1728 Author: Zhen Ni <zhen.ni(a)easystack.cn> AuthorDate: Thu, 14 Aug 2025 20:33:24 +08:00 Committer: Daniel Lezcano <daniel.lezcano(a)linaro.org> CommitterDate: Tue, 23 Sep 2025 12:42:27 +02:00 clocksource/drivers/clps711x: Fix resource leaks in error paths The current implementation of clps711x_timer_init() has multiple error paths that directly return without releasing the base I/O memory mapped via of_iomap(). Fix of_iomap leaks in error paths. Fixes: 04410efbb6bc ("clocksource/drivers/clps711x: Convert init function to return error") Fixes: 2a6a8e2d9004 ("clocksource/drivers/clps711x: Remove board support") Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> Signed-off-by: Daniel Lezcano <daniel.lezcano(a)linaro.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250814123324.1516495-1-zhen.ni@easystack.cn --- drivers/clocksource/clps711x-timer.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/drivers/clocksource/clps711x-timer.c b/drivers/clocksource/clps711x-timer.c index e95fdc4..bbceb02 100644 --- a/drivers/clocksource/clps711x-timer.c +++ b/drivers/clocksource/clps711x-timer.c @@ -78,24 +78,33 @@ static int __init clps711x_timer_init(struct device_node *np) unsigned int irq = irq_of_parse_and_map(np, 0); struct clk *clock = of_clk_get(np, 0); void __iomem *base = of_iomap(np, 0); + int ret = 0; if (!base) return -ENOMEM; - if (!irq) - return -EINVAL; - if (IS_ERR(clock)) - return PTR_ERR(clock); + if (!irq) { + ret = -EINVAL; + goto unmap_io; + } + if (IS_ERR(clock)) { + ret = PTR_ERR(clock); + goto unmap_io; + } switch (of_alias_get_id(np, "timer")) { case CLPS711X_CLKSRC_CLOCKSOURCE: clps711x_clksrc_init(clock, base); break; case CLPS711X_CLKSRC_CLOCKEVENT: - return _clps711x_clkevt_init(clock, base, irq); + ret = _clps711x_clkevt_init(clock, base, irq); + break; default: - return -EINVAL; + ret = -EINVAL; + break; } - return 0; +unmap_io: + iounmap(base); + return ret; } TIMER_OF_DECLARE(clps711x, "cirrus,ep7209-timer", clps711x_timer_init);

1 month, 1 week

1
0
0 0

[to-be-updated] mm-memblock-correct-totalram_pages-accounting-with-kmsan.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/memblock: correct totalram_pages accounting with KMSAN has been removed from the -mm tree. Its filename was mm-memblock-correct-totalram_pages-accounting-with-kmsan.patch This patch was dropped because an updated version will be issued ------------------------------------------------------ From: Alexander Potapenko <glider(a)google.com> Subject: mm/memblock: correct totalram_pages accounting with KMSAN Date: Wed, 24 Sep 2025 12:03:01 +0200 When KMSAN is enabled, `kmsan_memblock_free_pages()` can hold back pages for metadata instead of returning them to the early allocator. The callers, however, would unconditionally increment `totalram_pages`, assuming the pages were always freed. This resulted in an incorrect calculation of the total available RAM, causing the kernel to believe it had more memory than it actually did. This patch refactors `memblock_free_pages()` to return the number of pages it successfully frees. If KMSAN stashes the pages, the function now returns 0; otherwise, it returns the number of pages in the block. The callers in `memblock.c` have been updated to use this return value, ensuring that `totalram_pages` is incremented only by the number of pages actually returned to the allocator. This corrects the total RAM accounting when KMSAN is active. Link: https://lkml.kernel.org/r/20250924100301.1558645-1-glider@google.com Fixes: 3c2065098260 ("init: kmsan: call KMSAN initialization routines") Signed-off-by: Alexander Potapenko <glider(a)google.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Aleksandr Nogikh <nogikh(a)google.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: Markus Elfring <Markus.Elfring(a)web.de> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 4 ++-- mm/memblock.c | 21 +++++++++++---------- mm/mm_init.c | 9 +++++---- 3 files changed, 18 insertions(+), 16 deletions(-) --- a/mm/internal.h~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/internal.h @@ -742,8 +742,8 @@ static inline void clear_zone_contiguous extern int __isolate_free_page(struct page *page, unsigned int order); extern void __putback_isolated_page(struct page *page, unsigned int order, int mt); -extern void memblock_free_pages(struct page *page, unsigned long pfn, - unsigned int order); +unsigned long memblock_free_pages(struct page *page, unsigned long pfn, + unsigned int order); extern void __free_pages_core(struct page *page, unsigned int order, enum meminit_context context); --- a/mm/memblock.c~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/memblock.c @@ -1826,6 +1826,7 @@ void *__init __memblock_alloc_or_panic(p void __init memblock_free_late(phys_addr_t base, phys_addr_t size) { phys_addr_t cursor, end; + unsigned long freed_pages = 0; end = base + size - 1; memblock_dbg("%s: [%pa-%pa] %pS\n", @@ -1834,10 +1835,9 @@ void __init memblock_free_late(phys_addr cursor = PFN_UP(base); end = PFN_DOWN(base + size); - for (; cursor < end; cursor++) { - memblock_free_pages(pfn_to_page(cursor), cursor, 0); - totalram_pages_inc(); - } + for (; cursor < end; cursor++) + freed_pages += memblock_free_pages(pfn_to_page(cursor), cursor, 0); + totalram_pages_add(freed_pages); } /* @@ -2259,9 +2259,11 @@ static void __init free_unused_memmap(vo #endif } -static void __init __free_pages_memory(unsigned long start, unsigned long end) +static unsigned long __init __free_pages_memory(unsigned long start, + unsigned long end) { int order; + unsigned long freed = 0; while (start < end) { /* @@ -2279,14 +2281,15 @@ static void __init __free_pages_memory(u while (start + (1UL << order) > end) order--; - memblock_free_pages(pfn_to_page(start), start, order); + freed += memblock_free_pages(pfn_to_page(start), start, order); start += (1UL << order); } + return freed; } static unsigned long __init __free_memory_core(phys_addr_t start, - phys_addr_t end) + phys_addr_t end) { unsigned long start_pfn = PFN_UP(start); unsigned long end_pfn = PFN_DOWN(end); @@ -2297,9 +2300,7 @@ static unsigned long __init __free_memor if (start_pfn >= end_pfn) return 0; - __free_pages_memory(start_pfn, end_pfn); - - return end_pfn - start_pfn; + return __free_pages_memory(start_pfn, end_pfn); } static void __init memmap_init_reserved_pages(void) --- a/mm/mm_init.c~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/mm_init.c @@ -2547,24 +2547,25 @@ void *__init alloc_large_system_hash(con return table; } -void __init memblock_free_pages(struct page *page, unsigned long pfn, - unsigned int order) +unsigned long __init memblock_free_pages(struct page *page, unsigned long pfn, + unsigned int order) { if (IS_ENABLED(CONFIG_DEFERRED_STRUCT_PAGE_INIT)) { int nid = early_pfn_to_nid(pfn); if (!early_page_initialised(pfn, nid)) - return; + return 0; } if (!kmsan_memblock_free_pages(page, order)) { /* KMSAN will take care of these pages. */ - return; + return 0; } /* pages were reserved and not allocated */ clear_page_tag_ref(page); __free_pages_core(page, order, MEMINIT_EARLY); + return 1UL << order; } DEFINE_STATIC_KEY_MAYBE(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, init_on_alloc); _ Patches currently in -mm which might be from glider(a)google.com are

1 month, 1 week

1
0
0 0

+ hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list has been added to the -mm mm-new branch. Its filename is hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Deepanshu Kartikey <kartikey406(a)gmail.com> Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list Date: Thu, 25 Sep 2025 20:19:32 +0530 hugetlb_vmdelete_list() uses trylock to acquire VMA locks during truncate operations. As per the original design in commit 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization"), if the trylock fails or the VMA has no lock, it should skip that VMA. Any remaining mapped pages are handled by remove_inode_hugepages() which is called after hugetlb_vmdelete_list() and uses proper lock ordering to guarantee unmapping success. Currently, when hugetlb_vma_trylock_write() returns success (1) for VMAs without shareable locks, the code proceeds to call unmap_hugepage_range(). This causes assertion failures in huge_pmd_unshare() �� hugetlb_vma_assert_locked() because no lock is actually held: WARNING: CPU: 1 PID: 6594 Comm: syz.0.28 Not tainted Call Trace: hugetlb_vma_assert_locked+0x1dd/0x250 huge_pmd_unshare+0x2c8/0x540 __unmap_hugepage_range+0x6e3/0x1aa0 unmap_hugepage_range+0x32e/0x410 hugetlb_vmdelete_list+0x189/0x1f0 Fix by explicitly skipping VMAs without shareable locks after trylock succeeds, consistent with the original design where such VMAs are deferred to remove_inode_hugepages() for proper handling. Link: https://lkml.kernel.org/r/20250925144934.150299-1-kartikey406@gmail.com Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> Reported-by: syzbot+f26d7c75c26ec19790e7(a)syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=f26d7c75c26ec19790e7 Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization") Tested-by: syzbot+f26d7c75c26ec19790e7(a)syzkaller.appspotmail.com Cc: David Hildenbrand <david(a)redhat.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/hugetlbfs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/hugetlbfs/inode.c~hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list +++ a/fs/hugetlbfs/inode.c @@ -487,7 +487,8 @@ hugetlb_vmdelete_list(struct rb_root_cac if (!hugetlb_vma_trylock_write(vma)) continue; - + if (!__vma_shareable_lock(vma)) + continue; v_start = vma_offset_start(vma, start); v_end = vma_offset_end(vma, end); _ Patches currently in -mm which might be from kartikey406(a)gmail.com are hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch

1 month, 1 week

1
0
0 0

Gratulujeme, ponuka daru

by Kristine Wellenstein Charity

1 month, 1 week

1
0
0 0

[PATCH v2] fs/proc: check p->vec_buf for NULL

by Jakub Acs

When PAGEMAP_SCAN ioctl invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking p->vec_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Michał Mirosław" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: linux-kernel(a)vger.kernel.org Cc: linux-fsdevel(a)vger.kernel.org Cc: stable(a)vger.kernel.org --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 29cca0e6d0ff..b26ae556b446 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(struct pagemap_scan_private *p, { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!p->vec_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

1 month, 1 week

3
2
0 0

[PATCH] PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock

by Marek Vasut

The tegra_msi_irq_unmask() function may be called from a PCI driver request_threaded_irq() function. This triggers kernel/irq/manage.c __setup_irq() which locks raw spinlock &desc->lock descriptor lock and with that descriptor lock held, calls tegra_msi_irq_unmask(). Since the &desc->lock descriptor lock is a raw spinlock , and the tegra_msi .mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait context' with CONFIG_PROVE_RAW_LOCK_NESTING=y . Use scoped_guard() to simplify the locking. Fixes: 2c99e55f7955 ("PCI: tegra: Convert to MSI domains") Cc: stable(a)vger.kernel.org Reported-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Signed-off-by: Marek Vasut <marek.vasut+renesas(a)mailbox.org> --- Cc: "Krzysztof Wilczyński" <kwilczynski(a)kernel.org> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: Jonathan Hunter <jonathanh(a)nvidia.com> Cc: Lorenzo Pieralisi <lpieralisi(a)kernel.org> Cc: Manivannan Sadhasivam <mani(a)kernel.org> Cc: Rob Herring <robh(a)kernel.org> Cc: Thierry Reding <thierry.reding(a)gmail.com> Cc: linux-kernel(a)vger.kernel.org Cc: linux-pci(a)vger.kernel.org Cc: linux-tegra(a)vger.kernel.org --- NOTE: I don't have tegra hardware to test, this is based on input from Geert https://patchwork.kernel.org/project/linux-pci/patch/20250909162707.13927-2… --- drivers/pci/controller/pci-tegra.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/drivers/pci/controller/pci-tegra.c b/drivers/pci/controller/pci-tegra.c index bb88767a37979..942ddfca3bf6b 100644 --- a/drivers/pci/controller/pci-tegra.c +++ b/drivers/pci/controller/pci-tegra.c @@ -14,6 +14,7 @@ */ #include <linux/clk.h> +#include <linux/cleanup.h> #include <linux/debugfs.h> #include <linux/delay.h> #include <linux/export.h> @@ -270,7 +271,7 @@ struct tegra_msi { DECLARE_BITMAP(used, INT_PCI_MSI_NR); struct irq_domain *domain; struct mutex map_lock; - spinlock_t mask_lock; + raw_spinlock_t mask_lock; void *virt; dma_addr_t phys; int irq; @@ -1581,14 +1582,13 @@ static void tegra_msi_irq_mask(struct irq_data *d) struct tegra_msi *msi = irq_data_get_irq_chip_data(d); struct tegra_pcie *pcie = msi_to_pcie(msi); unsigned int index = d->hwirq / 32; - unsigned long flags; u32 value; - spin_lock_irqsave(&msi->mask_lock, flags); - value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); - value &= ~BIT(d->hwirq % 32); - afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); - spin_unlock_irqrestore(&msi->mask_lock, flags); + scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) { + value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); + value &= ~BIT(d->hwirq % 32); + afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); + } } static void tegra_msi_irq_unmask(struct irq_data *d) @@ -1596,14 +1596,13 @@ static void tegra_msi_irq_unmask(struct irq_data *d) struct tegra_msi *msi = irq_data_get_irq_chip_data(d); struct tegra_pcie *pcie = msi_to_pcie(msi); unsigned int index = d->hwirq / 32; - unsigned long flags; u32 value; - spin_lock_irqsave(&msi->mask_lock, flags); - value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); - value |= BIT(d->hwirq % 32); - afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); - spin_unlock_irqrestore(&msi->mask_lock, flags); + scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) { + value = afi_readl(pcie, AFI_MSI_EN_VEC(index)); + value |= BIT(d->hwirq % 32); + afi_writel(pcie, value, AFI_MSI_EN_VEC(index)); + } } static void tegra_compose_msi_msg(struct irq_data *data, struct msi_msg *msg) @@ -1711,7 +1710,7 @@ static int tegra_pcie_msi_setup(struct tegra_pcie *pcie) int err; mutex_init(&msi->map_lock); - spin_lock_init(&msi->mask_lock); + raw_spin_lock_init(&msi->mask_lock); if (IS_ENABLED(CONFIG_PCI_MSI)) { err = tegra_allocate_domains(msi); -- 2.51.0

1 month, 1 week

2
1
0 0

[PATCH v3] nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()

by Guangshuo Li

devm_kcalloc() may fail. ndtest_probe() allocates three DMA address arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses them in ndtest_nvdimm_init(), which can lead to a NULL pointer dereference under low-memory conditions. Check all three allocations and return -ENOMEM if any allocation fails, jumping to the common error path. Do not emit an extra error message since the allocator already warns on allocation failure. Fixes: 9399ab61ad82 ("ndtest: Add dimms to the two buses") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- changelog: v3: - Add NULL checks for all three devm_kcalloc() calls and goto the common error label on failure. v2: - Drop pr_err() on allocation failure; only NULL-check and return -ENOMEM. - No other changes. --- tools/testing/nvdimm/test/ndtest.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/tools/testing/nvdimm/test/ndtest.c b/tools/testing/nvdimm/test/ndtest.c index 68a064ce598c..8e3b6be53839 100644 --- a/tools/testing/nvdimm/test/ndtest.c +++ b/tools/testing/nvdimm/test/ndtest.c @@ -850,11 +850,22 @@ static int ndtest_probe(struct platform_device *pdev) p->dcr_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); + if (!p->dcr_dma) { + rc = -ENOMEM; + goto err; + } p->label_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); + if (!p->label_dma) { + rc = -ENOMEM; + goto err; + } p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); - + if (!p->dimm_dma) { + rc = -ENOMEM; + goto err; + } rc = ndtest_nvdimm_init(p); if (rc) goto err; -- 2.43.0

1 month, 1 week

4
3
0 0

[GIT PULL] virtio,vhost: last minute fixes

by Michael S. Tsirkin

I have a couple more fixes I'm testing but the issues have been with us for a long time, and they come from code review not from the field IIUC so no rush I think. The following changes since commit 76eeb9b8de9880ca38696b2fb56ac45ac0a25c6c: Linux 6.17-rc5 (2025-09-07 14:22:57 -0700) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus for you to fetch changes up to cde7e7c3f8745a61458cea61aa28f37c3f5ae2b4: MAINTAINERS, mailmap: Update address for Peter Hilber (2025-09-21 17:44:20 -0400) ---------------------------------------------------------------- virtio,vhost: last minute fixes More small fixes. Most notably this fixes crashes and hangs in vhost-net. Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> ---------------------------------------------------------------- Alok Tiwari (1): vhost-scsi: fix argument order in tport allocation error message Alyssa Ross (1): virtio_config: clarify output parameters Ashwini Sahu (1): uapi: vduse: fix typo in comment Jason Wang (2): vhost-net: unbreak busy polling vhost-net: flush batched before enabling notifications Michael S. Tsirkin (1): Revert "vhost/net: Defer TX queue re-enable until after sendmsg" Peter Hilber (1): MAINTAINERS, mailmap: Update address for Peter Hilber Sebastian Andrzej Siewior (1): vhost: Take a reference on the task in struct vhost_task. .mailmap | 1 + MAINTAINERS | 2 +- drivers/vhost/net.c | 40 +++++++++++++++++----------------------- drivers/vhost/scsi.c | 2 +- include/linux/virtio_config.h | 11 ++++++----- include/uapi/linux/vduse.h | 2 +- kernel/vhost_task.c | 3 ++- 7 files changed, 29 insertions(+), 32 deletions(-)

1 month, 1 week

2
1
0 0

[PATCH v6 1/4] PCI: dwc: Remove the L1SS check before putting the link into L2

by Richard Zhu

The ASPM configuration shouldn't leak out here. Remove the L1SS check during L2 entry. Cc: stable(a)vger.kernel.org Fixes: 4774faf854f5 ("PCI: dwc: Implement generic suspend/resume functionality") Suggested-by: Bjorn Helgaas <helgaas(a)kernel.org> Signed-off-by: Richard Zhu <hongxing.zhu(a)nxp.com> --- drivers/pci/controller/dwc/pcie-designware-host.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-designware-host.c b/drivers/pci/controller/dwc/pcie-designware-host.c index 952f8594b501..9d46d1f0334b 100644 --- a/drivers/pci/controller/dwc/pcie-designware-host.c +++ b/drivers/pci/controller/dwc/pcie-designware-host.c @@ -1005,17 +1005,9 @@ static int dw_pcie_pme_turn_off(struct dw_pcie *pci) int dw_pcie_suspend_noirq(struct dw_pcie *pci) { - u8 offset = dw_pcie_find_capability(pci, PCI_CAP_ID_EXP); u32 val; int ret; - /* - * If L1SS is supported, then do not put the link into L2 as some - * devices such as NVMe expect low resume latency. - */ - if (dw_pcie_readw_dbi(pci, offset + PCI_EXP_LNKCTL) & PCI_EXP_LNKCTL_ASPM_L1) - return 0; - if (pci->pp.ops->pme_turn_off) { pci->pp.ops->pme_turn_off(&pci->pp); } else { -- 2.37.1

1 month, 1 week

3
4
0 0

[PATCH v2 1/3] PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()

by Niklas Cassel

The pci_epc_raise_irq() supplies a MSI or MSI-X interrupt number in range (1-N), see kdoc for pci_epc_raise_irq(). Thus, for MSI pci_epc_raise_irq() will supply interrupt number 1-32. Convert the interrupt number to an MSI vector. With this, the PCI endpoint kselftest test case MSI_TEST passes. Also, set msi_capable to true, as the driver obviously supports MSI. This helps pci_endpoint_test to use the optimal IRQ type when using PCITEST_IRQ_TYPE_AUTO. Cc: stable(a)vger.kernel.org Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194") Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/pci/controller/dwc/pcie-tegra194.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c index 7c295ec6f0f16..63d310e5335f4 100644 --- a/drivers/pci/controller/dwc/pcie-tegra194.c +++ b/drivers/pci/controller/dwc/pcie-tegra194.c @@ -1969,10 +1969,10 @@ static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq) static int tegra_pcie_ep_raise_msi_irq(struct tegra_pcie_dw *pcie, u16 irq) { - if (unlikely(irq > 31)) + if (unlikely(irq > 32)) return -EINVAL; - appl_writel(pcie, BIT(irq), APPL_MSI_CTRL_1); + appl_writel(pcie, BIT(irq - 1), APPL_MSI_CTRL_1); return 0; } @@ -2012,6 +2012,7 @@ static int tegra_pcie_ep_raise_irq(struct dw_pcie_ep *ep, u8 func_no, static const struct pci_epc_features tegra_pcie_epc_features = { .linkup_notifier = true, + .msi_capable = true, .bar[BAR_0] = { .type = BAR_FIXED, .fixed_size = SZ_1M, .only_64bit = true, }, .bar[BAR_1] = { .type = BAR_RESERVED, }, -- 2.51.0

1 month, 1 week

2
3
0 0

Re: Patch "firewire: core: fix overlooked update of subsystem ABI version" has been added to the 6.1/5.15/5.10/5.4-stable tree

by Takashi Sakamoto

Hi Sasha, As the commit message notice, this patch should not be applied to kernel v6.4 or before. I would like you to exclude this from your queue for the following versions: * Patch "firewire: core: fix overlooked update of subsystem ABI version" has been added to the 5.4-stable tree * Patch "firewire: core: fix overlooked update of subsystem ABI version" has been added to the 5.10-stable tree * Patch "firewire: core: fix overlooked update of subsystem ABI version" has been added to the 5.15-stable tree * Patch "firewire: core: fix overlooked update of subsystem ABI version" has been added to the 6.1-stable tree Thankss Takashi Sakamoto On Thu, Sep 25, 2025 at 07:33:23AM -0400, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > firewire: core: fix overlooked update of subsystem ABI version > > to the 6.1-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > firewire-core-fix-overlooked-update-of-subsystem-abi.patch > and it can be found in the queue-6.1 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit bbb4ab1d7b1ad7fff7a85aa9144d0edc5a70bacc > Author: Takashi Sakamoto <o-takashi(a)sakamocchi.jp> > Date: Sat Sep 20 11:51:48 2025 +0900 > > firewire: core: fix overlooked update of subsystem ABI version > > [ Upstream commit 853a57ba263adfecf4430b936d6862bc475b4bb5 ] > > In kernel v6.5, several functions were added to the cdev layer. This > required updating the default version of subsystem ABI up to 6, but > this requirement was overlooked. > > This commit updates the version accordingly. > > Fixes: 6add87e9764d ("firewire: cdev: add new version of ABI to notify time stamp at request/response subaction of transaction#") > Link: https://lore.kernel.org/r/20250920025148.163402-1-o-takashi@sakamocchi.jp > Signed-off-by: Takashi Sakamoto <o-takashi(a)sakamocchi.jp> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c > index 958aa4662ccb0..5cb0059f57e6b 100644 > --- a/drivers/firewire/core-cdev.c > +++ b/drivers/firewire/core-cdev.c > @@ -39,7 +39,7 @@ > /* > * ABI version history is documented in linux/firewire-cdev.h. > */ > -#define FW_CDEV_KERNEL_VERSION 5 > +#define FW_CDEV_KERNEL_VERSION 6 > #define FW_CDEV_VERSION_EVENT_REQUEST2 4 > #define FW_CDEV_VERSION_ALLOCATE_REGION_END 4 > #define FW_CDEV_VERSION_AUTO_FLUSH_ISO_OVERFLOW 5

1 month, 1 week

2
1
0 0

[PATCH] i2c: microchip: pci1xxxx: bound-check SMBus block read length

by Guangshuo Li

The SMBus block read path trusts the device-provided count byte and copies that many bytes from the master buffer: buf[0] = readb(p3); read_count = buf[0]; memcpy_fromio(&buf[1], p3 + 1, read_count); Without validating 'read_count', a malicious or misbehaving device can cause an out-of-bounds write to the caller's buffer and may also trigger out-of-range MMIO reads beyond the controller's buffer window. SMBus Block Read returns up to 32 data bytes as per the kernel documentation, so clamp the length to [1, I2C_SMBUS_BLOCK_MAX], verify the caller's buffer has at least 'read_count + 1' bytes available, and defensively ensure it does not exceed the controller buffer. Also break out of the chunking loop after a successful SMBus read. Return -EPROTO for invalid counts and -EMSGSIZE when the provided buffer is too small. Fixes: 361693697249 ("i2c: microchip: pci1xxxx: Add driver for I2C host controller in multifunction endpoint of pci1xxxx switch") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- drivers/i2c/busses/i2c-mchp-pci1xxxx.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/drivers/i2c/busses/i2c-mchp-pci1xxxx.c b/drivers/i2c/busses/i2c-mchp-pci1xxxx.c index 5ef136c3ecb1..2307c8ec2dc7 100644 --- a/drivers/i2c/busses/i2c-mchp-pci1xxxx.c +++ b/drivers/i2c/busses/i2c-mchp-pci1xxxx.c @@ -880,7 +880,22 @@ static int pci1xxxx_i2c_read(struct pci1xxxx_i2c *i2c, u8 slaveaddr, } if (i2c->flags & I2C_FLAGS_SMB_BLK_READ) { - buf[0] = readb(p3); + u8 cnt = readb(p3); + + if (!cnt || cnt > I2C_SMBUS_BLOCK_MAX) { + retval = -EPROTO; + goto cleanup; + } + if (cnt > total_len - 1) { + retval = -EMSGSIZE; + goto cleanup; + } + if (cnt > (SMBUS_BUF_MAX_SIZE - 1)) { + retval = -EOVERFLOW; + goto cleanup; + } + + buf[0] = cnt; read_count = buf[0]; memcpy_fromio(&buf[1], p3 + 1, read_count); } else { -- 2.43.0

1 month, 1 week

1
0
0 0

[PATCH 6.1 000/132] 6.1.143-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.143 release. There are 132 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 05 Jul 2025 14:39:10 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.143-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.143-rc1 Dev Jain <dev.jain(a)arm.com> arm64: Restrict pagetable teardown to avoid false warning Sibi Sankar <quic_sibis(a)quicinc.com> firmware: arm_scmi: Ensure that the message-id supports fastchannel Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Add a common helper to check if a message is supported Pavel Begunkov <asml.silence(a)gmail.com> io_uring/kbuf: account ring io_buffer_list memory Jens Axboe <axboe(a)kernel.dk> nvme: always punt polled uring_cmd end_io work to task_work Brett A C Sheffield (Librecast) <bacs(a)librecast.net> Revert "ipv6: save dontfrag in cork" Nathan Chancellor <nathan(a)kernel.org> x86/tools: Drop duplicate unlikely() definition in insn_decoder_test.c Sergio González Collado <sergio.collado(a)gmail.com> Kunit to check the longest symbol length Heiko Carstens <hca(a)linux.ibm.com> s390/entry: Fix last breaking event handling in case of stack corruption Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Rollback non processed entities on error Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix W=stringop-overflow warning in bnxt_dcb.c Michael Chan <michael.chan(a)broadcom.com> bnxt_en: Fix W=1 warning in bnxt_dcb.c from fortify memcpy() Jakub Kicinski <kuba(a)kernel.org> eth: bnxt: fix one of the W=1 warnings about fortified memcpy() Chen Ni <nichen(a)iscas.ac.cn> fbdev: hyperv_fb: Convert comma to semicolon Gustavo A. R. Silva <gustavoars(a)kernel.org> fs: omfs: Use flexible-array member in struct omfs_extent Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: remove unsafe_memcpy use in session setup Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: Use unsafe_memcpy() for ntlm_negotiate Frank Min <Frank.Min(a)amd.com> drm/amdgpu: Add kicker device detection John Olender <john.olender(a)gmail.com> drm/amdgpu: amdgpu_vram_mgr_new(): Clamp lpfn to total vram Wentao Liang <vulab(a)iscas.ac.cn> drm/amd/display: Add null pointer check for get_first_active_display() Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Check return value when getting default PHY config Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix connecting to next bridge Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix phy de-init and flag it so Aradhya Bhatia <a-bhatia1(a)ti.com> drm/bridge: cdns-dsi: Fix the clock variable for mode_valid() Jay Cornwall <jay.cornwall(a)amd.com> drm/amdkfd: Fix race in GWS queue scheduling Stephan Gerhold <stephan.gerhold(a)linaro.org> drm/msm/gpu: Fix crash when throttling GPU immediately during boot Thomas Zimmermann <tzimmermann(a)suse.de> drm/udl: Unregister device before cleaning up on disconnect Qiu-ji Chen <chenqiuji666(a)gmail.com> drm/tegra: Fix a possible null pointer dereference Thierry Reding <treding(a)nvidia.com> drm/tegra: Assign plane type before registration Maíra Canal <mcanal(a)igalia.com> drm/etnaviv: Protect the scheduler's pending list with its lock Chen Yu <yu.c.chen(a)intel.com> scsi: megaraid_sas: Fix invalid node index Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix kobject reference count leak Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on sysfs attribute creation failure Qasim Ijaz <qasdev00(a)gmail.com> HID: wacom: fix memory leak on kobject creation failure Iusico Maxim <iusico.maxim(a)libero.it> HID: lenovo: Restrict F7/9/11 mode to compact keyboards only Mark Harmstone <maharmstone(a)fb.com> btrfs: update superblock's device bytes_used when dropping chunk Filipe Manana <fdmanana(a)suse.com> btrfs: fix a race between renames and directory logging Heinz Mauelshagen <heinzm(a)redhat.com> dm-raid: fix variable in journal device check Frédéric Danis <frederic.danis(a)collabora.com> Bluetooth: L2CAP: Fix L2CAP MTU negotiation Fabio Estevam <festevam(a)gmail.com> serial: imx: Restore original RXTL for console to fix data loss Yao Zi <ziyao(a)disroot.org> dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive Nathan Chancellor <nathan(a)kernel.org> staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() Jayesh Choudhary <j-choudhary(a)ti.com> drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type Wolfram Sang <wsa+renesas(a)sang-engineering.com> drm/bridge: ti-sn65dsi86: make use of debugfs_init callback Jakub Kicinski <kuba(a)kernel.org> net: selftests: fix TCP packet checksum Salvatore Bonaccorso <carnil(a)debian.org> ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X507UAR Kuniyuki Iwashima <kuniyu(a)google.com> atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). Simon Horman <horms(a)kernel.org> net: enetc: Correct endianness handling in _enetc_rd_reg64 Tiwei Bie <tiwei.btw(a)antgroup.com> um: ubd: Add missing error check in start_io_thread() Stefano Garzarella <sgarzare(a)redhat.com> vsock/uapi: fix linux/vm_sockets.h userspace compilation errors Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Don't set -ECONNRESET for consumed OOB skb. Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: fix beacon interval calculation overflow Yuan Chen <chenyuan(a)kylinos.cn> libbpf: Fix null pointer dereference in btf_dump__free on allocation failure Al Viro <viro(a)zeniv.linux.org.uk> attach_recursive_mnt(): do not lock the covering tree when sliding something under it Youngjun Lee <yjjuny.lee(a)samsung.com> ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() Eric Dumazet <edumazet(a)google.com> atm: clip: prevent NULL deref in clip_push() Imre Deak <imre.deak(a)intel.com> drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Fedor Pchelkin <pchelkin(a)ispras.ru> s390/pkey: Prevent overflow in size calculation for memdup_user() Oliver Schramm <oliver.schramm97(a)gmail.com> ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15 Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: robotfuzz-osif: disable zero-length read messages Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: tiny-usb: disable zero-length read messages Kuniyuki Iwashima <kuniyu(a)google.com> af_unix: Don't leave consecutive consumed OOB skbs. Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Don't call skb_get() for OOB skb. Thomas Zimmermann <tzimmermann(a)suse.de> dummycon: Trigger redraw when switching consoles with deferred takeover Jiri Slaby (SUSE) <jirislaby(a)kernel.org> tty: vt: make consw::con_switch() return a bool Jiri Slaby (SUSE) <jirislaby(a)kernel.org> tty: vt: sanitize arguments of consw::con_clear() Jiri Slaby (SUSE) <jirislaby(a)kernel.org> tty: vt: make init parameter of consw::con_init() a bool Jiri Slaby (SUSE) <jirislaby(a)kernel.org> vgacon: remove unneeded forward declarations Jiri Slaby (SUSE) <jirislaby(a)kernel.org> vgacon: switch vgacon_scrolldelta() and vgacon_restore_screen() Janne Grunau <j(a)jannau.net> PCI: apple: Set only available ports up Zhang Zekun <zhangzekun11(a)huawei.com> PCI: apple: Use helper function for_each_child_of_node_scoped() Long Li <longli(a)microsoft.com> uio_hv_generic: Align ring size to system page Saurabh Sengar <ssengar(a)linux.microsoft.com> uio_hv_generic: Query the ringbuffer size for device Saurabh Sengar <ssengar(a)linux.microsoft.com> Drivers: hv: vmbus: Add utility function for querying ring size Long Li <longli(a)microsoft.com> Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary Rick Edgecombe <rick.p.edgecombe(a)intel.com> Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails Kameron Carr <kameroncarr(a)linux.microsoft.com> Drivers: hv: Change hv_free_hyperv_page() to take void * argument Long Li <longli(a)microsoft.com> Drivers: hv: move panic report code from vmbus to hv early init code Michael Kelley <mikelley(a)microsoft.com> Drivers: hv: vmbus: Remove second mapping of VMBus monitor pages Guilherme G. Piccoli <gpiccoli(a)igalia.com> drivers: hv, hyperv_fb: Untangle and refactor Hyper-V panic notifiers Murad Masimov <m.masimov(a)mt-integration.ru> fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var Chao Yu <chao(a)kernel.org> f2fs: don't over-report free space or inodes in statvfs Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd9335: Fix missing free of regulator supplies Peng Fan <peng.fan(a)nxp.com> ASoC: codec: wcd9335: Convert to GPIO descriptors Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify with dev_err_probe() Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Cleanup after an allocation error Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Reset slot data pointers when freed Ming Qian <ming.qian(a)oss.nxp.com> media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead Ming Qian <ming.qian(a)nxp.com> media: imx-jpeg: Support to assign slot for encoder/decoder Ming Qian <ming.qian(a)nxp.com> media: imx-jpeg: Add a timeout mechanism for each frame Jason Wang <wangborong(a)cdjrlc.com> media: imx-jpeg: Remove unnecessary memset() after dma_alloc_coherent() Vasiliy Kovalev <kovalev(a)altlinux.org> jfs: validate AG parameters in dbMount() to prevent crashes Dave Kleikamp <dave.kleikamp(a)oracle.com> fs/jfs: consolidate sanity checking in dbMount Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 Qu Wenruo <wqu(a)suse.com> btrfs: handle csum tree error with rescue=ibadroots correctly Kees Cook <kees(a)kernel.org> ovl: Check for NULL d_inode() in ovl_dentry_upper() Dmitry Kandybka <d.kandybka(a)gmail.com> ceph: fix possible integer overflow in ceph_zero_objects() Mario Limonciello <mario.limonciello(a)amd.com> ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add new pci id for AMD GPU display HD audio controller Cezary Rojewski <cezary.rojewski(a)intel.com> ALSA: hda: Ignore unsol events for cards being shut down Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set Jos Wang <joswang(a)lenovo.com> usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Robert Hodaszi <robert.hodaszi(a)digi.com> usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> usb: Add checks for snprintf() calls in usb_alloc_dev() Chance Yang <chance.yang(a)kneron.us> usb: common: usb-conn-gpio: use a unique name for usb connector device Jakub Lewalski <jakub.lewalski(a)nokia.com> tty: serial: uartlite: register uart driver in init Chen Yufeng <chenyufeng(a)iie.ac.cn> usb: potential integer overflow in usbg_make_tpg() Purva Yeshi <purvayeshi550(a)gmail.com> iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: dwc2: also exit clock_gating when stopping udc while suspended James Clark <james.clark(a)linaro.org> coresight: Only check bottom two claim bits Benjamin Berg <benjamin.berg(a)intel.com> um: use proper care when taking mmap lock during segfault Sami Tolvanen <samitolvanen(a)google.com> um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: pressure: zpa2326: Use aligned_s64 for the timestamp Linggang Zeng <linggang.zeng(a)easystack.cn> bcache: fix NULL pointer in cache_set_flush() Yifan Zhang <yifan1.zhang(a)amd.com> amd/amdkfd: fix a kfd_process ref leak Yu Kuai <yukuai3(a)huawei.com> md/md-bitmap: fix dm-raid max_write_behind setting Hector Martin <marcan(a)marcan.st> PCI: apple: Fix missing OF node reference in apple_pcie_setup_port Thomas Gessler <thomas.gessler(a)brueckmann-gmbh.de> dmaengine: xilinx_dma: Set dma_device directions Lukas Wunner <lukas(a)wunner.de> Revert "iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices" FUJITA Tomonori <fujita.tomonori(a)gmail.com> rust: module: place cleanup_module() in .exit.text section Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: allow a filename to contain special characters on SMB3.1.1 posix extension Alexis Czezar Torreno <alexisczezar.torreno(a)analog.com> hwmon: (pmbus/max34440) Fix support for max34451 Scott Mayhew <smayhew(a)redhat.com> NFSv4: xattr handlers should check for absent nfs filehandles Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> leds: multicolor: Fix intensity setting while SW blinking Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> mfd: max14577: Fix wakeup source leaks on device unbind Peng Fan <peng.fan(a)nxp.com> mailbox: Not protect module_put with spin_lock_irqsave Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: fix listxattr to return selinux security label Han Young <hanyang.tony(a)bytedance.com> NFSv4: Always set NLINK even if the server doesn't support it Pali Rohár <pali(a)kernel.org> cifs: Fix cifs_query_path_info() for Windows NT servers Pali Rohár <pali(a)kernel.org> cifs: Correctly set SMB1 SessionKey field in Session Setup Request ------------- Diffstat: Documentation/devicetree/bindings/serial/8250.yaml | 2 +- Makefile | 4 +- arch/arm64/mm/mmu.c | 3 +- arch/s390/kernel/entry.S | 2 +- arch/um/drivers/ubd_user.c | 2 +- arch/um/include/asm/asm-prototypes.h | 5 + arch/um/kernel/trap.c | 129 ++++- arch/x86/tools/insn_decoder_test.c | 5 +- arch/x86/um/asm/checksum.h | 3 + drivers/dma/xilinx/xilinx_dma.c | 2 + drivers/firmware/arm_scmi/driver.c | 44 ++ drivers/firmware/arm_scmi/protocols.h | 6 + drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.c | 17 + drivers/gpu/drm/amd/amdgpu/amdgpu_ucode.h | 6 + drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_events.c | 1 + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +- .../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 + drivers/gpu/drm/bridge/cdns-dsi.c | 32 +- drivers/gpu/drm/bridge/ti-sn65dsi86.c | 109 ++-- drivers/gpu/drm/display/drm_dp_helper.c | 2 +- drivers/gpu/drm/etnaviv/etnaviv_sched.c | 5 +- drivers/gpu/drm/msm/msm_gpu_devfreq.c | 1 + drivers/gpu/drm/tegra/dc.c | 17 +- drivers/gpu/drm/tegra/hub.c | 4 +- drivers/gpu/drm/tegra/hub.h | 3 +- drivers/gpu/drm/udl/udl_drv.c | 2 +- drivers/hid/hid-lenovo.c | 11 +- drivers/hid/wacom_sys.c | 6 +- drivers/hv/channel_mgmt.c | 15 +- drivers/hv/connection.c | 134 ++--- drivers/hv/hv.c | 36 -- drivers/hv/hv_common.c | 231 ++++++++ drivers/hv/hyperv_vmbus.h | 7 +- drivers/hv/vmbus_drv.c | 206 +------ drivers/hwmon/pmbus/max34440.c | 48 +- drivers/hwtracing/coresight/coresight-core.c | 3 +- drivers/hwtracing/coresight/coresight-priv.h | 2 + drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 + drivers/i2c/busses/i2c-tiny-usb.c | 6 + drivers/iio/adc/ad_sigma_delta.c | 4 + drivers/iio/pressure/zpa2326.c | 2 +- drivers/iommu/amd/init.c | 3 - drivers/leds/led-class-multicolor.c | 3 +- drivers/mailbox/mailbox.c | 2 +- drivers/md/bcache/super.c | 7 +- drivers/md/dm-raid.c | 2 +- drivers/md/md-bitmap.c | 2 +- drivers/media/platform/nxp/imx-jpeg/mxc-jpeg-hw.h | 1 - drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 216 ++++--- drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.h | 6 +- drivers/media/usb/uvc/uvc_ctrl.c | 42 +- drivers/mfd/max14577.c | 1 + drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 26 +- drivers/net/ethernet/broadcom/bnxt/bnxt_hsi.h | 644 +++------------------ drivers/net/ethernet/freescale/enetc/enetc_hw.h | 2 +- drivers/nvme/host/ioctl.c | 15 +- drivers/pci/controller/pcie-apple.c | 7 +- drivers/s390/crypto/pkey_api.c | 2 +- drivers/scsi/megaraid/megaraid_sas_base.c | 6 +- drivers/staging/rtl8723bs/core/rtw_security.c | 44 +- drivers/tty/serial/imx.c | 17 +- drivers/tty/serial/uartlite.c | 25 +- drivers/tty/vt/vt.c | 12 +- drivers/uio/uio_hv_generic.c | 10 +- drivers/usb/class/cdc-wdm.c | 23 +- drivers/usb/common/usb-conn-gpio.c | 25 +- drivers/usb/core/usb.c | 14 +- drivers/usb/dwc2/gadget.c | 6 + drivers/usb/gadget/function/f_tcm.c | 4 +- drivers/usb/typec/altmodes/displayport.c | 4 + drivers/usb/typec/mux.c | 4 +- drivers/video/console/dummycon.c | 24 +- drivers/video/console/mdacon.c | 21 +- drivers/video/console/newport_con.c | 12 +- drivers/video/console/sticon.c | 14 +- drivers/video/console/vgacon.c | 34 +- drivers/video/fbdev/core/fbcon.c | 40 +- drivers/video/fbdev/core/fbmem.c | 18 +- drivers/video/fbdev/hyperv_fb.c | 8 + fs/btrfs/disk-io.c | 3 +- fs/btrfs/inode.c | 83 ++- fs/btrfs/volumes.c | 6 + fs/ceph/file.c | 2 +- fs/f2fs/super.c | 30 +- fs/jfs/jfs_dmap.c | 41 +- fs/namespace.c | 8 +- fs/nfs/inode.c | 2 + fs/nfs/nfs4proc.c | 17 +- fs/omfs/file.c | 12 +- fs/omfs/omfs_fs.h | 2 +- fs/overlayfs/util.c | 4 +- fs/smb/client/cifsglob.h | 1 + fs/smb/client/cifspdu.h | 6 +- fs/smb/client/cifssmb.c | 1 + fs/smb/client/misc.c | 8 + fs/smb/client/sess.c | 1 + fs/smb/server/smb2pdu.c | 62 +- include/asm-generic/mshyperv.h | 2 +- include/linux/console.h | 13 +- include/linux/hyperv.h | 2 + include/linux/ipv6.h | 1 - include/uapi/linux/vm_sockets.h | 4 + io_uring/kbuf.c | 2 +- lib/Kconfig.debug | 9 + lib/Makefile | 2 + lib/longest_symbol_kunit.c | 82 +++ net/atm/clip.c | 11 +- net/atm/resources.c | 3 +- net/bluetooth/l2cap_core.c | 9 +- net/core/selftests.c | 5 +- net/ipv6/ip6_output.c | 9 +- net/mac80211/util.c | 2 +- net/unix/af_unix.c | 58 +- net/unix/garbage.c | 24 +- rust/macros/module.rs | 1 + sound/pci/hda/hda_bind.c | 2 +- sound/pci/hda/hda_intel.c | 3 + sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/wcd9335.c | 62 +- sound/usb/quirks.c | 2 + sound/usb/stream.c | 2 + tools/lib/bpf/btf_dump.c | 3 + 124 files changed, 1597 insertions(+), 1489 deletions(-)

1 month, 1 week

14
153
0 0

[PATCH 5.15 1/1] af_unix: Don't leave consecutive consumed OOB skbs.

by Lee Jones

From: Kuniyuki Iwashima <kuniyu(a)google.com> Jann Horn reported a use-after-free in unix_stream_read_generic(). The following sequences reproduce the issue: $ python3 from socket import * s1, s2 = socketpair(AF_UNIX, SOCK_STREAM) s1.send(b'x', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'y', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'z', MSG_OOB) s2.recv(1) # recv 'z' illegally s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free) Even though a user reads OOB data, the skb holding the data stays on the recv queue to mark the OOB boundary and break the next recv(). After the last send() in the scenario above, the sk2's recv queue has 2 leading consumed OOB skbs and 1 real OOB skb. Then, the following happens during the next recv() without MSG_OOB 1. unix_stream_read_generic() peeks the first consumed OOB skb 2. manage_oob() returns the next consumed OOB skb 3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb 4. unix_stream_read_generic() reads and frees the OOB skb , and the last recv(MSG_OOB) triggers KASAN splat. The 3. above occurs because of the SO_PEEK_OFF code, which does not expect unix_skb_len(skb) to be 0, but this is true for such consumed OOB skbs. while (skip >= unix_skb_len(skb)) { skip -= unix_skb_len(skb); skb = skb_peek_next(skb, &sk->sk_receive_queue); ... } In addition to this use-after-free, there is another issue that ioctl(SIOCATMARK) does not function properly with consecutive consumed OOB skbs. So, nothing good comes out of such a situation. Instead of complicating manage_oob(), ioctl() handling, and the next ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs, let's not leave such consecutive OOB unnecessarily. Now, while receiving an OOB skb in unix_stream_recv_urg(), if its previous skb is a consumed OOB skb, it is freed. [0]: BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027) Read of size 4 at addr ffff888106ef2904 by task python3/315 CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:636) unix_stream_read_actor (net/unix/af_unix.c:3027) unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847) unix_stream_recvmsg (net/unix/af_unix.c:3048) sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20)) __sys_recvfrom (net/socket.c:2278) __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f8911fcea06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06 RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006 RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20 R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 315: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:348) kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249) __alloc_skb (net/core/skbuff.c:660 (discriminator 4)) alloc_skb_with_frags (./include/linux/skbuff.h:1336 net/core/skbuff.c:6668) sock_alloc_send_pskb (net/core/sock.c:2993) unix_stream_sendmsg (./include/net/sock.h:1847 net/unix/af_unix.c:2256 net/unix/af_unix.c:2418) __sys_sendto (net/socket.c:712 (discriminator 20) net/socket.c:727 (discriminator 20) net/socket.c:2226 (discriminator 20)) __x64_sys_sendto (net/socket.c:2233 (discriminator 1) net/socket.c:2229 (discriminator 1) net/socket.c:2229 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Freed by task 315: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) kasan_save_free_info (mm/kasan/generic.c:579 (discriminator 1)) __kasan_slab_free (mm/kasan/common.c:271) kmem_cache_free (mm/slub.c:4643 (discriminator 3) mm/slub.c:4745 (discriminator 3)) unix_stream_read_generic (net/unix/af_unix.c:3010) unix_stream_recvmsg (net/unix/af_unix.c:3048) sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20)) __sys_recvfrom (net/socket.c:2278) __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) The buggy address belongs to the object at ffff888106ef28c0 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 68 bytes inside of freed 224-byte region [ffff888106ef28c0, ffff888106ef29a0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888106ef3cc0 pfn:0x106ef2 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x200000000000040(head|node=0|zone=2) page_type: f5(slab) raw: 0200000000000040 ffff8881001d28c0 ffffea000422fe00 0000000000000004 raw: ffff888106ef3cc0 0000000080190010 00000000f5000000 0000000000000000 head: 0200000000000040 ffff8881001d28c0 ffffea000422fe00 0000000000000004 head: ffff888106ef3cc0 0000000080190010 00000000f5000000 0000000000000000 head: 0200000000000001 ffffea00041bbc81 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888106ef2800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff888106ef2880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb >ffff888106ef2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106ef2980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff888106ef2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: 314001f0bf92 ("af_unix: Add OOB support") Reported-by: Jann Horn <jannh(a)google.com> Signed-off-by: Kuniyuki Iwashima <kuniyu(a)google.com> Reviewed-by: Jann Horn <jannh(a)google.com> Link: https://patch.msgid.link/20250619041457.1132791-2-kuni1840@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> (cherry picked from commit 32ca245464e1479bfea8592b9db227fdc1641705) [Lee: Shifted hunk inside the if() statement and surrounded the else with {}'s) Signed-off-by: Lee Jones <lee(a)kernel.org> --- net/unix/af_unix.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 12c4a27e1655..1676bffe7259 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -2504,11 +2504,11 @@ struct unix_stream_read_state { #if IS_ENABLED(CONFIG_AF_UNIX_OOB) static int unix_stream_recv_urg(struct unix_stream_read_state *state) { + struct sk_buff *oob_skb, *read_skb = NULL; struct socket *sock = state->socket; struct sock *sk = sock->sk; struct unix_sock *u = unix_sk(sk); int chunk = 1; - struct sk_buff *oob_skb; mutex_lock(&u->iolock); unix_state_lock(sk); @@ -2523,10 +2523,17 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state) oob_skb = u->oob_skb; - if (!(state->flags & MSG_PEEK)) + if (!(state->flags & MSG_PEEK)) { WRITE_ONCE(u->oob_skb, NULL); - else + + if (oob_skb->prev != (struct sk_buff *)&sk->sk_receive_queue && + !unix_skb_len(oob_skb->prev)) { + read_skb = oob_skb->prev; + __skb_unlink(read_skb, &sk->sk_receive_queue); + } + } else { skb_get(oob_skb); + } spin_unlock(&sk->sk_receive_queue.lock); unix_state_unlock(sk); @@ -2540,6 +2547,8 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state) mutex_unlock(&u->iolock); + consume_skb(read_skb); + if (chunk < 0) return -EFAULT; -- 2.51.0.570.gb178f27e6d-goog

1 month, 1 week

1
0
0 0

[PATCH 1/2] PCI: rcar-host: Drop PMSR spinlock

by Marek Vasut

The pmsr_lock spinlock used to be necessary to synchronize access to the PMSR register, because that access could have been triggered from either config space access in rcar_pcie_config_access() or an exception handler rcar_pcie_aarch32_abort_handler(). The rcar_pcie_aarch32_abort_handler() case is no longer applicable since commit 6e36203bc14c ("PCI: rcar: Use PCI_SET_ERROR_RESPONSE after read which triggered an exception"), which performs more accurate, controlled invocation of the exception, and a fixup. This leaves rcar_pcie_config_access() as the only call site from which rcar_pcie_wakeup() is called. The rcar_pcie_config_access() can only be called from the controller struct pci_ops .read and .write callbacks, and those are serialized in drivers/pci/access.c using raw spinlock 'pci_lock' . CONFIG_PCI_LOCKLESS_CONFIG is never set on this platform. Since the 'pci_lock' is a raw spinlock , and the 'pmsr_lock' is not a raw spinlock, this constellation triggers 'BUG: Invalid wait context' with CONFIG_PROVE_RAW_LOCK_NESTING=y . Remove the pmsr_lock to fix the locking. Fixes: a115b1bd3af0 ("PCI: rcar: Add L1 link state fix into data abort hook") Reported-by: Duy Nguyen <duy.nguyen.rh(a)renesas.com> Reported-by: Thuan Nguyen <thuan.nguyen-hong(a)banvien.com.vn> Cc: stable(a)vger.kernel.org Signed-off-by: Marek Vasut <marek.vasut+renesas(a)mailbox.org> --- ============================= [ BUG: Invalid wait context ] 6.17.0-rc4-next-20250905-00048-ga08e553145e7-dirty #1116 Not tainted ----------------------------- swapper/0/1 is trying to lock: ffffffd92cf69c30 (pmsr_lock){....}-{3:3}, at: rcar_pcie_config_access+0x48/0x260 other info that might help us debug this: context-{5:5} 3 locks held by swapper/0/1: #0: ffffff84c0f890f8 (&dev->mutex){....}-{4:4}, at: device_lock+0x14/0x1c #1: ffffffd92cf675b0 (pci_rescan_remove_lock){+.+.}-{4:4}, at: pci_lock_rescan_remove+0x18/0x20 #2: ffffffd92cf674a0 (pci_lock){....}-{2:2}, at: pci_bus_read_config_dword+0x54/0xd8 stack backtrace: CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-next-20250905-00048-ga08e553145e7-dirty #1116 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT) Call trace: dump_backtrace+0x6c/0x7c (C) show_stack+0x14/0x1c dump_stack_lvl+0x68/0x8c dump_stack+0x14/0x1c __lock_acquire+0x3e8/0x1064 lock_acquire+0x17c/0x2ac _raw_spin_lock_irqsave+0x54/0x70 rcar_pcie_config_access+0x48/0x260 rcar_pcie_read_conf+0x44/0xd8 pci_bus_read_config_dword+0x78/0xd8 pci_bus_generic_read_dev_vendor_id+0x30/0x138 pci_bus_read_dev_vendor_id+0x60/0x68 pci_scan_single_device+0x11c/0x1ec pci_scan_slot+0x7c/0x170 pci_scan_child_bus_extend+0x5c/0x29c pci_scan_child_bus+0x10/0x18 pci_scan_root_bus_bridge+0x90/0xc8 pci_host_probe+0x24/0xc4 rcar_pcie_probe+0x5e8/0x650 platform_probe+0x58/0x88 really_probe+0x190/0x350 __driver_probe_device+0x120/0x138 driver_probe_device+0x38/0xec __driver_attach+0x158/0x168 bus_for_each_dev+0x7c/0xd0 driver_attach+0x20/0x28 bus_add_driver+0xe0/0x1d8 driver_register+0xac/0xe8 __platform_driver_register+0x1c/0x24 rcar_pcie_driver_init+0x18/0x20 do_one_initcall+0xd4/0x220 kernel_init_freeable+0x308/0x30c kernel_init+0x20/0x11c ret_from_fork+0x10/0x20 --- Cc: "Krzysztof Wilczyński" <kwilczynski(a)kernel.org> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: Geert Uytterhoeven <geert+renesas(a)glider.be> Cc: Lorenzo Pieralisi <lpieralisi(a)kernel.org> Cc: Magnus Damm <magnus.damm(a)gmail.com> Cc: Manivannan Sadhasivam <mani(a)kernel.org> Cc: Marc Zyngier <maz(a)kernel.org> Cc: Rob Herring <robh(a)kernel.org> Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Cc: linux-pci(a)vger.kernel.org Cc: linux-renesas-soc(a)vger.kernel.org --- drivers/pci/controller/pcie-rcar-host.c | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/drivers/pci/controller/pcie-rcar-host.c b/drivers/pci/controller/pcie-rcar-host.c index 4780e0109e583..625a00f3b2230 100644 --- a/drivers/pci/controller/pcie-rcar-host.c +++ b/drivers/pci/controller/pcie-rcar-host.c @@ -52,20 +52,13 @@ struct rcar_pcie_host { int (*phy_init_fn)(struct rcar_pcie_host *host); }; -static DEFINE_SPINLOCK(pmsr_lock); - static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base) { - unsigned long flags; u32 pmsr, val; int ret = 0; - spin_lock_irqsave(&pmsr_lock, flags); - - if (!pcie_base || pm_runtime_suspended(pcie_dev)) { - ret = -EINVAL; - goto unlock_exit; - } + if (!pcie_base || pm_runtime_suspended(pcie_dev)) + return -EINVAL; pmsr = readl(pcie_base + PMSR); @@ -87,8 +80,6 @@ static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base) writel(L1FAEG | PMEL1RX, pcie_base + PMSR); } -unlock_exit: - spin_unlock_irqrestore(&pmsr_lock, flags); return ret; } -- 2.51.0

1 month, 1 week

5
8
0 0

[PATCH] media: platform: mtk-mdp3: fix device leaks at probe

by Johan Hovold

Make sure to drop the references taken when looking up the subsys devices during probe on probe failure (e.g. probe deferral) and on driver unbind. Similarly, drop the SCP device reference after retrieving its platform data during probe to avoid leaking it. Note that holding a reference to a device does not prevent its driver data from going away. Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver") Cc: stable(a)vger.kernel.org # 6.1 Cc: Moudy Ho <moudy.ho(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- .../media/platform/mediatek/mdp3/mtk-mdp3-core.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c index 8de2c8e4d333..fc117a6a822c 100644 --- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c +++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c @@ -157,10 +157,18 @@ void mdp_video_device_release(struct video_device *vdev) kfree(mdp); } +static void mdp_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int mdp_mm_subsys_deploy(struct mdp_dev *mdp, enum mdp_infra_id id) { struct platform_device *mm_pdev = NULL; struct device **dev; + int ret; int i; if (!mdp) @@ -194,6 +202,11 @@ static int mdp_mm_subsys_deploy(struct mdp_dev *mdp, enum mdp_infra_id id) if (WARN_ON(!mm_pdev)) return -ENODEV; + ret = devm_add_action_or_reset(&mdp->pdev->dev, mdp_put_device, + &mm_pdev->dev); + if (ret) + return ret; + *dev = &mm_pdev->dev; } @@ -279,6 +292,7 @@ static int mdp_probe(struct platform_device *pdev) goto err_destroy_clock_wq; } mdp->scp = platform_get_drvdata(mm_pdev); + put_device(&mm_pdev->dev); } mdp->rproc_handle = scp_get_rproc(mdp->scp); -- 2.49.1

1 month, 1 week

2
1
0 0

Gratulujeme, ponuka daru

by Kristine Charity Services

1 month, 1 week

1
0
0 0

[PATCH 14/14] iommu/tegra: fix device leak on probe_device()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during probe_device(). Fixes: 891846516317 ("memory: Add NVIDIA Tegra memory controller support") Cc: stable(a)vger.kernel.org # 3.19 Cc: Thierry Reding <treding(a)nvidia.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/tegra-smmu.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c index 36cdd5fbab07..f6f26a072820 100644 --- a/drivers/iommu/tegra-smmu.c +++ b/drivers/iommu/tegra-smmu.c @@ -830,10 +830,9 @@ static struct tegra_smmu *tegra_smmu_find(struct device_node *np) return NULL; mc = platform_get_drvdata(pdev); - if (!mc) { - put_device(&pdev->dev); + put_device(&pdev->dev); + if (!mc) return NULL; - } return mc->smmu; } -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 13/14] iommu/sun50i: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver") Cc: stable(a)vger.kernel.org # 5.8 Cc: Maxime Ripard <mripard(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/sun50i-iommu.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c index de10b569d9a9..6306570d57db 100644 --- a/drivers/iommu/sun50i-iommu.c +++ b/drivers/iommu/sun50i-iommu.c @@ -839,6 +839,8 @@ static int sun50i_iommu_of_xlate(struct device *dev, dev_iommu_priv_set(dev, platform_get_drvdata(iommu_pdev)); + put_device(&iommu_pdev->dev); + return iommu_fwspec_add_ids(dev, &id, 1); } -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 09/14] iommu/mediatek-v1: fix device leaks on probe()

by Johan Hovold

Make sure to drop the references taken to the larb devices during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW") Cc: stable(a)vger.kernel.org # 4.8 Cc: Honghui Zhang <honghui.zhang(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/mtk_iommu_v1.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/iommu/mtk_iommu_v1.c b/drivers/iommu/mtk_iommu_v1.c index de9153c0a82f..44b965a2db92 100644 --- a/drivers/iommu/mtk_iommu_v1.c +++ b/drivers/iommu/mtk_iommu_v1.c @@ -648,8 +648,10 @@ static int mtk_iommu_v1_probe(struct platform_device *pdev) struct platform_device *plarbdev; larbnode = of_parse_phandle(dev->of_node, "mediatek,larbs", i); - if (!larbnode) - return -EINVAL; + if (!larbnode) { + ret = -EINVAL; + goto out_put_larbs; + } if (!of_device_is_available(larbnode)) { of_node_put(larbnode); @@ -659,11 +661,14 @@ static int mtk_iommu_v1_probe(struct platform_device *pdev) plarbdev = of_find_device_by_node(larbnode); if (!plarbdev) { of_node_put(larbnode); - return -ENODEV; + ret = -ENODEV; + goto out_put_larbs; } if (!plarbdev->dev.driver) { of_node_put(larbnode); - return -EPROBE_DEFER; + put_device(&plarbdev->dev); + ret = -EPROBE_DEFER; + goto out_put_larbs; } data->larb_imu[i].dev = &plarbdev->dev; @@ -675,7 +680,7 @@ static int mtk_iommu_v1_probe(struct platform_device *pdev) ret = mtk_iommu_v1_hw_init(data); if (ret) - return ret; + goto out_put_larbs; ret = iommu_device_sysfs_add(&data->iommu, &pdev->dev, NULL, dev_name(&pdev->dev)); @@ -697,12 +702,17 @@ static int mtk_iommu_v1_probe(struct platform_device *pdev) iommu_device_sysfs_remove(&data->iommu); out_clk_unprepare: clk_disable_unprepare(data->bclk); +out_put_larbs: + for (i = 0; i < MTK_LARB_NR_MAX; i++) + put_device(data->larb_imu[i].dev); + return ret; } static void mtk_iommu_v1_remove(struct platform_device *pdev) { struct mtk_iommu_v1_data *data = platform_get_drvdata(pdev); + int i; iommu_device_sysfs_remove(&data->iommu); iommu_device_unregister(&data->iommu); @@ -710,6 +720,9 @@ static void mtk_iommu_v1_remove(struct platform_device *pdev) clk_disable_unprepare(data->bclk); devm_free_irq(&pdev->dev, data->irq, data); component_master_del(&pdev->dev, &mtk_iommu_v1_com_ops); + + for (i = 0; i < MTK_LARB_NR_MAX; i++) + put_device(data->larb_imu[i].dev); } static int __maybe_unused mtk_iommu_v1_suspend(struct device *dev) -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 08/14] iommu/mediatek-v1: fix device leak on probe_device()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during probe_device(). Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW") Cc: stable(a)vger.kernel.org # 4.8 Cc: Honghui Zhang <honghui.zhang(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/mtk_iommu_v1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/mtk_iommu_v1.c b/drivers/iommu/mtk_iommu_v1.c index 10cc0b1197e8..de9153c0a82f 100644 --- a/drivers/iommu/mtk_iommu_v1.c +++ b/drivers/iommu/mtk_iommu_v1.c @@ -435,6 +435,8 @@ static int mtk_iommu_v1_create_mapping(struct device *dev, return -EINVAL; dev_iommu_priv_set(dev, platform_get_drvdata(m4updev)); + + put_device(&m4updev->dev); } ret = iommu_fwspec_add_ids(dev, args->args, 1); -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 06/14] iommu/mediatek: fix device leaks on probe()

by Johan Hovold

Make sure to drop the references taken to the larb devices during probe on probe failure (e.g. probe deferral) and on driver unbind. Note that commit 26593928564c ("iommu/mediatek: Add error path for loop of mm_dts_parse") fixed the leaks in a couple of error paths, but the references are still leaking on success and late failures. Fixes: 0df4fabe208d ("iommu/mediatek: Add mt8173 IOMMU driver") Cc: stable(a)vger.kernel.org # 4.6 Cc: Yong Wu <yong.wu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/mtk_iommu.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c index 8d8e85186188..20a5ba80f983 100644 --- a/drivers/iommu/mtk_iommu.c +++ b/drivers/iommu/mtk_iommu.c @@ -1216,13 +1216,17 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m platform_device_put(plarbdev); } - if (!frst_avail_smicomm_node) - return -EINVAL; + if (!frst_avail_smicomm_node) { + ret = -EINVAL; + goto err_larbdev_put; + } pcommdev = of_find_device_by_node(frst_avail_smicomm_node); of_node_put(frst_avail_smicomm_node); - if (!pcommdev) - return -ENODEV; + if (!pcommdev) { + ret = -ENODEV; + goto err_larbdev_put; + } data->smicomm_dev = &pcommdev->dev; link = device_link_add(data->smicomm_dev, dev, @@ -1230,7 +1234,8 @@ static int mtk_iommu_mm_dts_parse(struct device *dev, struct component_match **m platform_device_put(pcommdev); if (!link) { dev_err(dev, "Unable to link %s.\n", dev_name(data->smicomm_dev)); - return -EINVAL; + ret = -EINVAL; + goto err_larbdev_put; } return 0; @@ -1402,8 +1407,12 @@ static int mtk_iommu_probe(struct platform_device *pdev) iommu_device_sysfs_remove(&data->iommu); out_list_del: list_del(&data->list); - if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) + if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) { device_link_remove(data->smicomm_dev, dev); + + for (i = 0; i < MTK_LARB_NR_MAX; i++) + put_device(data->larb_imu[i].dev); + } out_runtime_disable: pm_runtime_disable(dev); return ret; @@ -1423,6 +1432,9 @@ static void mtk_iommu_remove(struct platform_device *pdev) if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) { device_link_remove(data->smicomm_dev, &pdev->dev); component_master_del(&pdev->dev, &mtk_iommu_com_ops); + + for (i = 0; i < MTK_LARB_NR_MAX; i++) + put_device(data->larb_imu[i].dev); } pm_runtime_disable(&pdev->dev); for (i = 0; i < data->plat_data->banks_num; i++) { -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 05/14] iommu/mediatek: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Fixes: 0df4fabe208d ("iommu/mediatek: Add mt8173 IOMMU driver") Cc: stable(a)vger.kernel.org # 4.6 Cc: Yong Wu <yong.wu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/mtk_iommu.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c index 0e0285348d2b..8d8e85186188 100644 --- a/drivers/iommu/mtk_iommu.c +++ b/drivers/iommu/mtk_iommu.c @@ -974,6 +974,8 @@ static int mtk_iommu_of_xlate(struct device *dev, return -EINVAL; dev_iommu_priv_set(dev, platform_get_drvdata(m4updev)); + + put_device(&m4updev->dev); } return iommu_fwspec_add_ids(dev, args->args, 1); -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 04/14] iommu/ipmmu-vmsa: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Fixes: 7b2d59611fef ("iommu/ipmmu-vmsa: Replace local utlb code with fwspec ids") Cc: stable(a)vger.kernel.org # 4.14 Cc: Magnus Damm <damm+renesas(a)opensource.se> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/ipmmu-vmsa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/ipmmu-vmsa.c b/drivers/iommu/ipmmu-vmsa.c index ffa892f65714..02a2a55ffa0a 100644 --- a/drivers/iommu/ipmmu-vmsa.c +++ b/drivers/iommu/ipmmu-vmsa.c @@ -720,6 +720,8 @@ static int ipmmu_init_platform_device(struct device *dev, dev_iommu_priv_set(dev, platform_get_drvdata(ipmmu_pdev)); + put_device(&ipmmu_pdev->dev); + return 0; } -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 03/14] iommu/exynos: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Fixes: aa759fd376fb ("iommu/exynos: Add callback for initializing devices from device tree") Cc: stable(a)vger.kernel.org # 4.2 Cc: Marek Szyprowski <m.szyprowski(a)samsung.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/exynos-iommu.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/drivers/iommu/exynos-iommu.c b/drivers/iommu/exynos-iommu.c index b6edd178fe25..ce9e935cb84c 100644 --- a/drivers/iommu/exynos-iommu.c +++ b/drivers/iommu/exynos-iommu.c @@ -1446,17 +1446,14 @@ static int exynos_iommu_of_xlate(struct device *dev, return -ENODEV; data = platform_get_drvdata(sysmmu); - if (!data) { - put_device(&sysmmu->dev); + put_device(&sysmmu->dev); + if (!data) return -ENODEV; - } if (!owner) { owner = kzalloc(sizeof(*owner), GFP_KERNEL); - if (!owner) { - put_device(&sysmmu->dev); + if (!owner) return -ENOMEM; - } INIT_LIST_HEAD(&owner->controllers); mutex_init(&owner->rpm_lock); -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 02/14] iommu/qcom: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Note that commit e2eae09939a8 ("iommu/qcom: add missing put_device() call in qcom_iommu_of_xlate()") fixed the leak in a couple of error paths, but the reference is still leaking on success and late failures. Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu") Cc: stable(a)vger.kernel.org # 4.14: e2eae09939a8 Cc: Rob Clark <robin.clark(a)oss.qualcomm.com> Cc: Yu Kuai <yukuai3(a)huawei.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/arm/arm-smmu/qcom_iommu.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/iommu/arm/arm-smmu/qcom_iommu.c b/drivers/iommu/arm/arm-smmu/qcom_iommu.c index c5be95e56031..9c1166a3af6c 100644 --- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c +++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c @@ -565,14 +565,14 @@ static int qcom_iommu_of_xlate(struct device *dev, qcom_iommu = platform_get_drvdata(iommu_pdev); + put_device(&iommu_pdev->dev); + /* make sure the asid specified in dt is valid, so we don't have * to sanity check this elsewhere: */ if (WARN_ON(asid > qcom_iommu->max_asid) || - WARN_ON(qcom_iommu->ctxs[asid] == NULL)) { - put_device(&iommu_pdev->dev); + WARN_ON(qcom_iommu->ctxs[asid] == NULL)) return -EINVAL; - } if (!dev_iommu_priv_get(dev)) { dev_iommu_priv_set(dev, qcom_iommu); @@ -581,10 +581,8 @@ static int qcom_iommu_of_xlate(struct device *dev, * multiple different iommu devices. Multiple context * banks are ok, but multiple devices are not: */ - if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev))) { - put_device(&iommu_pdev->dev); + if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev))) return -EINVAL; - } } return iommu_fwspec_add_ids(dev, &asid, 1); -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 01/14] iommu/apple-dart: fix device leak on of_xlate()

by Johan Hovold

Make sure to drop the reference taken to the iommu platform device when looking up its driver data during of_xlate(). Fixes: 46d1fb072e76 ("iommu/dart: Add DART iommu driver") Cc: stable(a)vger.kernel.org # 5.15 Cc: Sven Peter <sven(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/iommu/apple-dart.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/iommu/apple-dart.c b/drivers/iommu/apple-dart.c index 190f28d76615..1aa7c10262a8 100644 --- a/drivers/iommu/apple-dart.c +++ b/drivers/iommu/apple-dart.c @@ -790,6 +790,8 @@ static int apple_dart_of_xlate(struct device *dev, struct apple_dart *cfg_dart; int i, sid; + put_device(&iommu_pdev->dev); + if (args->args_count != 1) return -EINVAL; sid = args->args[0]; -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH v2] cpufreq: Handle CPUFREQ_ETERNAL with a default transition latency

by Shawn Guo

From: Shawn Guo <shawnguo(a)kernel.org> A regression is seen with 6.6 -> 6.12 kernel upgrade on platforms where cpufreq-dt driver sets cpuinfo.transition_latency as CPUFREQ_ETERNAL (-1), due to that platform's DT doesn't provide the optional property 'clock-latency-ns'. The dbs sampling_rate was 10000 us on 6.6 and suddently becomes 6442450 us (4294967295 / 1000 * 1.5) on 6.12 for these platforms, because the default transition delay was dropped by the commits below. commit 37c6dccd6837 ("cpufreq: Remove LATENCY_MULTIPLIER") commit a755d0e2d41b ("cpufreq: Honour transition_latency over transition_delay_us") commit e13aa799c2a6 ("cpufreq: Change default transition delay to 2ms") It slows down dbs governor's reacting to CPU loading change dramatically. Also, as transition_delay_us is used by schedutil governor as rate_limit_us, it shows a negative impact on device idle power consumption, because the device gets slightly less time in the lowest OPP. Fix the regressions by defining a default transition latency for handling the case of CPUFREQ_ETERNAL. Cc: stable(a)vger.kernel.org Fixes: 37c6dccd6837 ("cpufreq: Remove LATENCY_MULTIPLIER") Signed-off-by: Shawn Guo <shawnguo(a)kernel.org> --- Changes for v2: - Follow Rafael's suggestion to define a default transition latency for handling CPUFREQ_ETERNAL, and pave the way to get rid of CPUFREQ_ETERNAL completely later. v1: https://lkml.org/lkml/2025/9/10/294 drivers/cpufreq/cpufreq.c | 3 +++ include/linux/cpufreq.h | 2 ++ 2 files changed, 5 insertions(+) diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c index fc7eace8b65b..c69d10f0e8ec 100644 --- a/drivers/cpufreq/cpufreq.c +++ b/drivers/cpufreq/cpufreq.c @@ -549,6 +549,9 @@ unsigned int cpufreq_policy_transition_delay_us(struct cpufreq_policy *policy) if (policy->transition_delay_us) return policy->transition_delay_us; + if (policy->cpuinfo.transition_latency == CPUFREQ_ETERNAL) + policy->cpuinfo.transition_latency = CPUFREQ_DEFAULT_TANSITION_LATENCY_NS; + latency = policy->cpuinfo.transition_latency / NSEC_PER_USEC; if (latency) /* Give a 50% breathing room between updates */ diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h index 95f3807c8c55..935e9a660039 100644 --- a/include/linux/cpufreq.h +++ b/include/linux/cpufreq.h @@ -36,6 +36,8 @@ /* Print length for names. Extra 1 space for accommodating '\n' in prints */ #define CPUFREQ_NAME_PLEN (CPUFREQ_NAME_LEN + 1) +#define CPUFREQ_DEFAULT_TANSITION_LATENCY_NS NSEC_PER_MSEC + struct cpufreq_governor; enum cpufreq_table_sorting { -- 2.43.0

1 month, 1 week

3
4
0 0

Linux 6.16.9

by Greg Kroah-Hartman

I'm announcing the release of the 6.16.9 kernel. All users of the 6.16 kernel series must upgrade. The updated 6.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.16.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/8250.yaml | 77 +++-- Documentation/netlink/specs/conntrack.yaml | 9 Documentation/netlink/specs/mptcp_pm.yaml | 4 Makefile | 2 arch/loongarch/Kconfig | 12 arch/loongarch/Makefile | 15 arch/loongarch/include/asm/acenv.h | 7 arch/loongarch/include/asm/kvm_mmu.h | 20 + arch/loongarch/kernel/env.c | 2 arch/loongarch/kernel/stacktrace.c | 3 arch/loongarch/kernel/vdso.c | 3 arch/loongarch/kvm/intc/eiointc.c | 87 +++-- arch/loongarch/kvm/intc/pch_pic.c | 21 - arch/loongarch/kvm/mmu.c | 8 arch/s390/include/asm/pci_insn.h | 10 arch/um/drivers/virtio_uml.c | 6 arch/um/os-Linux/file.c | 2 arch/x86/include/asm/sev.h | 38 +- arch/x86/kvm/svm/svm.c | 3 crypto/af_alg.c | 10 drivers/block/zram/zram_drv.c | 8 drivers/clk/sunxi-ng/ccu_mp.c | 2 drivers/crypto/ccp/sev-dev.c | 2 drivers/dpll/dpll_netlink.c | 4 drivers/gpio/gpiolib-acpi-core.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 16 - drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 12 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 24 - drivers/gpu/drm/amd/amdkfd/kfd_device.c | 36 ++ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 39 ++ drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 2 drivers/gpu/drm/bridge/analogix/anx7625.c | 6 drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 drivers/gpu/drm/xe/abi/guc_actions_abi.h | 5 drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 40 ++ drivers/gpu/drm/xe/xe_exec_queue.c | 22 - drivers/gpu/drm/xe/xe_exec_queue_types.h | 8 drivers/gpu/drm/xe/xe_execlist.c | 25 + drivers/gpu/drm/xe/xe_execlist_types.h | 2 drivers/gpu/drm/xe/xe_gt.c | 3 drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 1 drivers/gpu/drm/xe/xe_guc.c | 62 +++- drivers/gpu/drm/xe/xe_guc.h | 1 drivers/gpu/drm/xe/xe_guc_exec_queue_types.h | 4 drivers/gpu/drm/xe/xe_guc_submit.c | 139 +++++++-- drivers/gpu/drm/xe/xe_guc_submit.h | 2 drivers/gpu/drm/xe/xe_tile_sysfs.c | 12 drivers/gpu/drm/xe/xe_uc.c | 4 drivers/gpu/drm/xe/xe_vm.c | 4 drivers/iommu/amd/amd_iommu_types.h | 1 drivers/iommu/amd/init.c | 9 drivers/iommu/amd/io_pgtable.c | 25 + drivers/iommu/intel/iommu.c | 7 drivers/iommu/s390-iommu.c | 29 + drivers/md/dm-raid.c | 6 drivers/md/dm-stripe.c | 10 drivers/mmc/host/mvsdio.c | 2 drivers/mmc/host/sdhci-pci-gli.c | 68 ++++ drivers/mmc/host/sdhci-uhs2.c | 3 drivers/mmc/host/sdhci.c | 34 +- drivers/net/bonding/bond_main.c | 2 drivers/net/ethernet/broadcom/cnic.c | 3 drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++--- drivers/net/ethernet/intel/ice/ice_txrx.h | 1 drivers/net/ethernet/intel/igc/igc.h | 1 drivers/net/ethernet/intel/igc/igc_main.c | 12 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 22 - drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 16 + drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 1 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h | 1 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 + drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 4 drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 drivers/net/ethernet/mellanox/mlx5/core/port.c | 6 drivers/net/ethernet/natsemi/ns83820.c | 13 drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 drivers/net/wireless/mediatek/mt76/mac80211.c | 2 drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 37 +- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 drivers/nvme/host/core.c | 18 - drivers/pcmcia/omap_cf.c | 8 drivers/platform/x86/asus-nb-wmi.c | 25 + drivers/platform/x86/asus-wmi.h | 3 drivers/power/supply/bq27xxx_battery.c | 4 fs/btrfs/delayed-inode.c | 3 fs/btrfs/inode.c | 11 fs/btrfs/tree-checker.c | 4 fs/btrfs/tree-log.c | 2 fs/btrfs/zoned.c | 2 fs/nilfs2/sysfs.c | 4 fs/nilfs2/sysfs.h | 8 fs/smb/client/cifsproto.h | 4 fs/smb/client/inode.c | 23 + fs/smb/client/misc.c | 38 +- fs/smb/client/smbdirect.c | 132 +++++--- fs/smb/client/smbdirect.h | 23 - fs/smb/common/smbdirect/smbdirect_socket.h | 29 + fs/smb/server/transport_rdma.c | 183 ++++++++---- include/crypto/if_alg.h | 10 include/linux/io_uring_types.h | 3 include/linux/mlx5/driver.h | 1 include/linux/swap.h | 10 include/net/dst_metadata.h | 11 include/net/sock.h | 5 include/sound/sdca.h | 1 include/uapi/linux/mptcp.h | 2 include/uapi/linux/mptcp_pm.h | 4 io_uring/io-wq.c | 6 io_uring/io_uring.c | 10 io_uring/io_uring.h | 4 io_uring/msg_ring.c | 24 - io_uring/notif.c | 2 io_uring/poll.c | 2 io_uring/timeout.c | 2 io_uring/uring_cmd.c | 2 kernel/cgroup/cgroup.c | 43 ++ kernel/sched/ext.c | 6 mm/gup.c | 52 ++- mm/mlock.c | 6 mm/swap.c | 50 +-- mm/vmscan.c | 2 net/ipv4/tcp.c | 5 net/ipv4/tcp_ao.c | 4 net/mac80211/driver-ops.h | 2 net/mac80211/main.c | 7 net/mptcp/options.c | 6 net/mptcp/pm_netlink.c | 7 net/mptcp/protocol.c | 16 + net/mptcp/subflow.c | 4 net/rds/ib_frmr.c | 20 - net/rfkill/rfkill-gpio.c | 4 net/rxrpc/rxgk.c | 18 - net/rxrpc/rxgk_app.c | 29 + net/rxrpc/rxgk_common.h | 14 net/tls/tls.h | 1 net/tls/tls_strp.c | 14 net/tls/tls_sw.c | 3 samples/damon/mtier.c | 25 - samples/damon/prcl.c | 31 +- samples/damon/wsse.c | 22 - sound/firewire/motu/motu-hwdep.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/acp/acp-i2s.c | 11 sound/soc/codecs/sma1307.c | 7 sound/soc/codecs/wm8940.c | 9 sound/soc/codecs/wm8974.c | 8 sound/soc/intel/catpt/pcm.c | 23 + sound/soc/qcom/qdsp6/audioreach.c | 1 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 sound/soc/sdca/sdca_device.c | 20 + sound/soc/sdca/sdca_functions.c | 13 sound/soc/sdca/sdca_regmap.c | 2 sound/soc/sof/intel/hda-stream.c | 2 sound/usb/qcom/qc_audio_offload.c | 92 +++--- tools/arch/loongarch/include/asm/inst.h | 12 tools/objtool/arch/loongarch/decode.c | 33 +- tools/perf/util/maps.c | 9 tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 - tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 169 files changed, 1794 insertions(+), 821 deletions(-) Ajay.Kathat(a)microchip.com (1): wifi: wilc1000: avoid buffer overflow in WID string configuration Alex Deucher (2): drm/amdkfd: add proper handling for S0ix drm/amdgpu: suspend KFD and KGD user queues for S0ix Alex Elder (1): dt-bindings: serial: 8250: move a constraint Alexey Nepomnyashih (1): net: liquidio: fix overflow in octeon_init_instr_queue() Amadeusz Sławiński (1): ASoC: Intel: catpt: Expose correct bit depth to userspace Anderson Nascimento (1): net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR Andrea Righi (1): Revert "sched_ext: Skip per-CPU tasks in scx_bpf_reenqueue_local()" Antheas Kapenekakis (2): platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk Ben Chuang (3): mmc: sdhci: Move the code related to setting the clock from sdhci_set_ios_common() into sdhci_set_ios() mmc: sdhci-pci-gli: GL9767: Fix initializing the UHS-II interface during a power-on mmc: sdhci-uhs2: Fix calling incorrect sdhci_set_clock() function Bibo Mao (5): LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_ctrl_access() LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_regs_access() LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_sw_status_access() LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_pch_pic_regs_access() LoongArch: KVM: Fix VM migration failure with PTW enabled Borislav Petkov (AMD) (1): crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() Charles Keepax (4): ASoC: wm8940: Correct PLL rate rounding ASoC: wm8940: Correct typo in control name ASoC: wm8974: Correct PLL rate rounding ASoC: SDCA: Fix return value in sdca_regmap_mbq_size() Chen Ridong (1): cgroup: split cgroup_destroy_wq into 3 workqueues Chen-Yu Tsai (1): clk: sunxi-ng: mp: Fix dual-divider clock rate readback Christoph Hellwig (1): nvme: fix PI insert on write Colin Ian King (1): ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Dan Carpenter (2): ASoC: codec: sma1307: Fix memory corruption in sma1307_setting_loaded() drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() Daniele Ceraolo Spurio (3): drm/xe: Fix error handling if PXP fails to start drm/xe/guc: Enable extended CAT error reporting drm/xe/guc: Set RCS/CCS yield policy David Howells (2): rxrpc: Fix unhandled errors in rxgk_verify_packet_integrity() rxrpc: Fix untrusted unsigned subtract Duoming Zhou (2): cnic: Fix use-after-free bugs in cnic_delete_task octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Eric Dumazet (1): net: clear sk->sk_ino in sk_set_socket(sk, NULL) Eugene Koira (1): iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Felix Fietkau (1): wifi: mt76: do not add non-sta wcid entries to the poll list Filipe Manana (1): btrfs: fix invalid extref key setup when replaying dentry Frank Li (1): dt-bindings: serial: 8250: allow clock 'uartclk' and 'reg' for nxp,lpc1850-uart Geert Uytterhoeven (1): pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Geliang Tang (1): selftests: mptcp: sockopt: fix error messages Greg Kroah-Hartman (1): Linux 6.16.9 Guangshuo Li (1): LoongArch: vDSO: Check kcalloc() result in init_vdso() H. Nikolaus Schaller (2): power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery power: supply: bq27xxx: restrict no-battery detection to bq27000 Hangbin Liu (2): bonding: set random address only when slaves already exist bonding: don't set oif to bond dev when getting NS target destination Hans de Goede (1): net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Herbert Xu (2): crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg crypto: af_alg - Set merge to zero early in af_alg_sendmsg Honggyu Kim (1): samples/damon: change enable parameters to enabled Huacai Chen (1): LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Hugh Dickins (5): mm/gup: check ref_count instead of lru before migration mm: revert "mm/gup: clear the LRU flag of a page before adding to LRU batch" mm/gup: local lru_add_drain() to avoid lru_add_drain_all() mm: revert "mm: vmscan.c: fix OOM on swap stress test" mm: folio_may_be_lru_cached() unless folio_test_large() Håkon Bugge (1): rds: ib: Increment i_fastreg_wrs before bailing out Ian Rogers (1): perf maps: Ensure kmap is set up for all inserts Ilya Maximets (1): net: dst_metadata: fix IP_DF bit not extracted from tunnel headers Ioana Ciornei (1): dpaa2-switch: fix buffer pool seeding for control traffic Ivan Lipski (1): drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put Ivan Vecera (1): dpll: fix clock quality level reporting Jacob Keller (1): ice: fix Rx page leak on multi-buffer frames Jakub Kicinski (1): tls: make sure to abort the stream if headers are bogus Jamie Bainbridge (1): qed: Don't collect too many protection override GRC elements Jedrzej Jagielski (2): ixgbe: initialize aci.lock before it's used ixgbe: destroy aci.lock later within ixgbe_remove path Jens Axboe (2): io_uring: include dying ring in task_work "should cancel" state io_uring/msg_ring: kill alloc_cache for io_kiocb allocations Jianbo Liu (1): net/mlx5e: Harden uplink netdev access against device unbind Johannes Thumshirn (1): btrfs: zoned: fix incorrect ASSERT in btrfs_zoned_reserve_data_reloc_bg() Kamal Heib (1): octeon_ep: Validate the VF ID Kohei Enju (1): igc: don't fail igc_probe() on LED setup error Krzysztof Kozlowski (1): ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Kuniyuki Iwashima (1): tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Lachlan Hodges (1): wifi: mac80211: increase scan_ies_len for S1G Lama Kayal (1): net/mlx5e: Add a miss level for ipsec crypto offload Li Tian (1): net/mlx5: Not returning mlx5_link_info table when speed is unknown Li Zhe (1): gup: optimize longterm pin_user_pages() for large folio Liao Yuanhong (1): wifi: mac80211: fix incorrect type for ret Loic Poulain (1): drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Maciej Fijalkowski (1): i40e: remove redundant memory barrier when cleaning Tx descs Maciej S. Szmigiero (1): KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Maciej Strozek (1): ASoC: SDCA: Add quirk for incorrect function types for 3 systems Mario Limonciello (1): drm/amd: Only restore cached manual clock settings in restore if OD enabled Matthew Rosato (1): iommu/s390: Fix memory corruption when using identity domain Matthieu Baerts (NGI0) (7): mptcp: set remote_deny_join_id0 on SYN recv selftests: mptcp: userspace pm: validate deny-join-id0 flag mptcp: tfo: record 'deny join id0' info mptcp: propagate shutdown to subflows when possible selftests: mptcp: connect: catch IO errors on listen side selftests: mptcp: avoid spurious errors on TCP disconnect mptcp: pm: nl: announce deny-join-id0 flag Max Kellermann (1): io_uring/io-wq: fix `max_workers` breakage and `nr_workers` underflow Miaoqian Lin (1): um: virtio_uml: Fix use-after-free after put_device in probe Michal Wajdeczko (1): drm/xe/pf: Drop rounddown_pow_of_two fair LMEM limitation Mikulas Patocka (2): dm-raid: don't set io_min and io_opt for raid1 dm-stripe: fix a possible integer overflow Mohammad Rafi Shaik (2): ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Namjae Jeon (1): ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Nathan Chancellor (1): nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Niklas Schnelle (1): iommu/s390: Make attach succeed when the device was surprise removed Paulo Alcantara (2): smb: client: fix filename matching of deferred files smb: client: fix file open check in __cifs_unlink() Praful Adiga (1): ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Qi Xi (1): drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Qu Wenruo (1): btrfs: tree-checker: fix the incorrect inode ref size check Remy D. Farley (1): doc/netlink: Fix typos in operation attributes Sathesh B Edara (1): octeon_ep: fix VF MAC address lifecycle handling SeongJae Park (3): samples/damon/prcl: fix boot time enable crash samples/damon/mtier: avoid starting DAMON before initialization samples/damon/prcl: avoid starting DAMON before initialization Sergey Senozhatsky (1): zram: fix slot write race condition Shuicheng Lin (1): drm/xe/tile: Release kobject for the failure path Stefan Metzmacher (10): smb: server: let smb_direct_writev() respect SMB_DIRECT_MAX_SEND_SGES ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size smb: smbdirect: introduce smbdirect_socket.recv_io.expected smb: client: make use of smbdirect_socket->recv_io.expected smb: smbdirect: introduce struct smbdirect_recv_io smb: client: make use of struct smbdirect_recv_io smb: client: let recv_done verify data_offset, data_length and remaining_data_length smb: client: use disable[_delayed]_work_sync in smbdirect.c smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Sébastien Szymanski (1): gpiolib: acpi: initialize acpi_gpio_info struct Takashi Iwai (1): ALSA: usb: qcom: Fix false-positive address space check Takashi Sakamoto (1): ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Tao Cui (1): LoongArch: Check the return value when creating kobj Tariq Toukan (1): Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Thomas Fourier (1): mmc: mvsdio: Fix dma_unmap_sg() nents value Tiezhu Yang (6): LoongArch: Update help info of ARCH_STRICT_ALIGN objtool/LoongArch: Mark types based on break immediate code objtool/LoongArch: Mark special atomic instruction as INSN_BUG type LoongArch: Fix unreliable stack for live patching LoongArch: Make LTO case independent in Makefile LoongArch: Handle jump tables options for RUST Tiwei Bie (1): um: Fix FD copy size in os_rcv_fd_msg() Tom Lendacky (1): x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT Vasant Hegde (2): iommu/amd/pgtbl: Fix possible race while increase page table level iommu/amd: Fix alias device DTE setting Venkata Prasad Potturu (1): ASoC: amd: acp: Fix incorrect retrival of acp_chip_info Yang Xiuwei (1): io_uring: fix incorrect io_kiocb reference in io_link_skb Yeounsu Moon (1): net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Yixun Lan (1): dt-bindings: serial: 8250: spacemit: set clocks property as required Zhen Ni (1): iommu/amd: Fix ivrs_base memleak in early_amd_iommu_init() austinchang (1): btrfs: initialize inode::file_extent_tree after i_mode has been set

1 month, 1 week

1
1
0 0

Linux 6.12.49

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.49 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/hw-vuln/srso.rst | 13 Documentation/netlink/specs/mptcp_pm.yaml | 4 Makefile | 2 arch/loongarch/Kconfig | 8 arch/loongarch/include/asm/acenv.h | 7 arch/loongarch/kernel/env.c | 2 arch/loongarch/kernel/stacktrace.c | 3 arch/loongarch/kernel/vdso.c | 3 arch/um/drivers/virtio_uml.c | 6 arch/um/os-Linux/file.c | 2 arch/x86/events/intel/core.c | 2 arch/x86/include/asm/cpufeatures.h | 5 arch/x86/include/asm/msr-index.h | 1 arch/x86/kernel/cpu/bugs.c | 28 +- arch/x86/kvm/svm/svm.c | 68 ++++ arch/x86/kvm/svm/svm.h | 2 arch/x86/lib/msr.c | 2 crypto/af_alg.c | 10 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 39 ++ drivers/gpu/drm/bridge/analogix/anx7625.c | 6 drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 drivers/gpu/drm/xe/xe_tile_sysfs.c | 12 drivers/gpu/drm/xe/xe_vm.c | 4 drivers/iommu/amd/amd_iommu_types.h | 1 drivers/iommu/amd/io_pgtable.c | 25 + drivers/iommu/intel/iommu.c | 7 drivers/md/dm-raid.c | 6 drivers/md/dm-stripe.c | 10 drivers/mmc/host/mvsdio.c | 2 drivers/net/bonding/bond_main.c | 2 drivers/net/ethernet/broadcom/cnic.c | 3 drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 drivers/net/ethernet/intel/ice/ice.h | 3 drivers/net/ethernet/intel/ice/ice_base.c | 34 +- drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++--- drivers/net/ethernet/intel/ice/ice_txrx.h | 4 drivers/net/ethernet/intel/ice/ice_virtchnl.c | 7 drivers/net/ethernet/intel/igc/igc.h | 1 drivers/net/ethernet/intel/igc/igc_main.c | 12 drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 + drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 + drivers/net/ethernet/natsemi/ns83820.c | 13 drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 drivers/net/vmxnet3/vmxnet3_drv.c | 10 drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 37 +- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 drivers/nvme/host/core.c | 18 - drivers/pcmcia/omap_cf.c | 8 drivers/platform/x86/asus-nb-wmi.c | 25 + drivers/platform/x86/asus-wmi.h | 3 drivers/power/supply/bq27xxx_battery.c | 4 drivers/rtc/rtc-pcf2127.c | 10 drivers/usb/host/xhci-dbgcap.c | 94 ++++-- drivers/usb/host/xhci-debugfs.c | 5 drivers/usb/host/xhci-mem.c | 74 ++--- drivers/usb/host/xhci.c | 24 - drivers/usb/host/xhci.h | 9 fs/btrfs/tree-checker.c | 4 fs/btrfs/tree-log.c | 2 fs/nilfs2/sysfs.c | 4 fs/nilfs2/sysfs.h | 8 fs/smb/client/cifsproto.h | 4 fs/smb/client/inode.c | 6 fs/smb/client/misc.c | 38 +- fs/smb/client/smbdirect.c | 7 fs/smb/server/transport_rdma.c | 26 + include/crypto/if_alg.h | 10 include/linux/io_uring_types.h | 4 include/linux/minmax.h | 205 ++++++--------- include/linux/mlx5/driver.h | 1 include/linux/mm.h | 55 ++++ include/uapi/linux/mptcp.h | 2 include/uapi/linux/mptcp_pm.h | 4 io_uring/io_uring.c | 12 io_uring/io_uring.h | 13 io_uring/kbuf.h | 2 io_uring/msg_ring.c | 24 - io_uring/notif.c | 2 io_uring/poll.c | 3 io_uring/timeout.c | 2 io_uring/uring_cmd.c | 6 kernel/cgroup/cgroup.c | 43 ++- mm/gup.c | 41 ++- mm/migrate.c | 22 - mm/vmscan.c | 2 net/ipv4/tcp.c | 5 net/ipv4/tcp_ao.c | 4 net/mac80211/driver-ops.h | 2 net/mac80211/main.c | 7 net/mptcp/options.c | 6 net/mptcp/pm_netlink.c | 7 net/mptcp/protocol.c | 16 + net/mptcp/subflow.c | 4 net/rds/ib_frmr.c | 20 - net/rfkill/rfkill-gpio.c | 4 net/tls/tls.h | 1 net/tls/tls_strp.c | 14 - net/tls/tls_sw.c | 3 sound/firewire/motu/motu-hwdep.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/codecs/wm8940.c | 9 sound/soc/codecs/wm8974.c | 8 sound/soc/intel/catpt/pcm.c | 23 + sound/soc/qcom/qdsp6/audioreach.c | 1 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 sound/soc/sof/intel/hda-stream.c | 2 tools/arch/loongarch/include/asm/inst.h | 12 tools/objtool/arch/loongarch/decode.c | 33 ++ tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 - tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 - 118 files changed, 1062 insertions(+), 564 deletions(-) Ajay.Kathat(a)microchip.com (1): wifi: wilc1000: avoid buffer overflow in WID string configuration Alexey Nepomnyashih (1): net: liquidio: fix overflow in octeon_init_instr_queue() Amadeusz Sławiński (1): ASoC: Intel: catpt: Expose correct bit depth to userspace Anderson Nascimento (1): net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR Antheas Kapenekakis (2): platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk Borislav Petkov (1): x86/bugs: KVM: Add support for SRSO_MSR_FIX Borislav Petkov (AMD) (1): x86/bugs: Add SRSO_USER_KERNEL_NO support Bruno Thomsen (1): rtc: pcf2127: fix SPI command byte for PCF2131 backport Charles Keepax (3): ASoC: wm8940: Correct PLL rate rounding ASoC: wm8940: Correct typo in control name ASoC: wm8974: Correct PLL rate rounding Chen Ridong (1): cgroup: split cgroup_destroy_wq into 3 workqueues Christoph Hellwig (1): nvme: fix PI insert on write Colin Ian King (1): ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Dan Carpenter (1): drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() David Laight (7): minmax.h: add whitespace around operators and after commas minmax.h: update some comments minmax.h: reduce the #define expansion of min(), max() and clamp() minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() minmax.h: move all the clamp() definitions after the min/max() ones minmax.h: simplify the variants of clamp() minmax.h: remove some #defines that are only expanded once Duoming Zhou (2): cnic: Fix use-after-free bugs in cnic_delete_task octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Eugene Koira (1): iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Filipe Manana (1): btrfs: fix invalid extref key setup when replaying dentry Geert Uytterhoeven (1): pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Geliang Tang (1): selftests: mptcp: sockopt: fix error messages Greg Kroah-Hartman (1): Linux 6.12.49 Guangshuo Li (1): LoongArch: vDSO: Check kcalloc() result in init_vdso() H. Nikolaus Schaller (2): power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery power: supply: bq27xxx: restrict no-battery detection to bq27000 Hangbin Liu (2): bonding: set random address only when slaves already exist bonding: don't set oif to bond dev when getting NS target destination Hans de Goede (1): net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Herbert Xu (2): crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg crypto: af_alg - Set merge to zero early in af_alg_sendmsg Huacai Chen (1): LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Hugh Dickins (2): mm: revert "mm: vmscan.c: fix OOM on swap stress test" mm/gup: check ref_count instead of lru before migration Håkon Bugge (1): rds: ib: Increment i_fastreg_wrs before bailing out Ioana Ciornei (1): dpaa2-switch: fix buffer pool seeding for control traffic Ivan Lipski (1): drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put Jacob Keller (2): ice: store max_frame and rx_buf_len only in ice_rx_ring ice: fix Rx page leak on multi-buffer frames Jakub Kicinski (1): tls: make sure to abort the stream if headers are bogus Jamie Bainbridge (1): qed: Don't collect too many protection override GRC elements Jens Axboe (4): io_uring: backport io_should_terminate_tw() io_uring: include dying ring in task_work "should cancel" state io_uring/msg_ring: kill alloc_cache for io_kiocb allocations io_uring/kbuf: drop WARN_ON_ONCE() from incremental length check Jianbo Liu (1): net/mlx5e: Harden uplink netdev access against device unbind Kan Liang (1): perf/x86/intel: Fix crash in icl_update_topdown_event() Kohei Enju (1): igc: don't fail igc_probe() on LED setup error Krzysztof Kozlowski (1): ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Kuniyuki Iwashima (1): tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Lachlan Hodges (1): wifi: mac80211: increase scan_ies_len for S1G Li Zhe (1): gup: optimize longterm pin_user_pages() for large folio Liao Yuanhong (1): wifi: mac80211: fix incorrect type for ret Loic Poulain (1): drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Maciej Fijalkowski (1): i40e: remove redundant memory barrier when cleaning Tx descs Maciej S. Szmigiero (1): KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Mathias Nyman (2): xhci: dbc: decouple endpoint allocation from initialization xhci: dbc: Fix full DbC transfer ring after several reconnects Matthieu Baerts (NGI0) (7): mptcp: set remote_deny_join_id0 on SYN recv selftests: mptcp: userspace pm: validate deny-join-id0 flag mptcp: tfo: record 'deny join id0' info mptcp: propagate shutdown to subflows when possible selftests: mptcp: connect: catch IO errors on listen side selftests: mptcp: avoid spurious errors on TCP disconnect mptcp: pm: nl: announce deny-join-id0 flag Miaoqian Lin (1): um: virtio_uml: Fix use-after-free after put_device in probe Mikulas Patocka (2): dm-raid: don't set io_min and io_opt for raid1 dm-stripe: fix a possible integer overflow Mohammad Rafi Shaik (2): ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Namjae Jeon (1): ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Nathan Chancellor (1): nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Niklas Neronin (2): usb: xhci: introduce macro for ring segment list iteration usb: xhci: remove option to change a default ring's TRB cycle bit Paulo Alcantara (1): smb: client: fix filename matching of deferred files Pavel Begunkov (1): io_uring/cmd: let cmds to know about dying task Praful Adiga (1): ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Qi Xi (1): drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Qu Wenruo (1): btrfs: tree-checker: fix the incorrect inode ref size check Sankararaman Jayaraman (1): vmxnet3: unregister xdp rxq info in the reset path Sathesh B Edara (1): octeon_ep: fix VF MAC address lifecycle handling Sean Christopherson (1): KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions Shivank Garg (1): mm: add folio_expected_ref_count() for reference count calculation Shuicheng Lin (1): drm/xe/tile: Release kobject for the failure path Stefan Metzmacher (3): ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Takashi Sakamoto (1): ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Tao Cui (1): LoongArch: Check the return value when creating kobj Tariq Toukan (1): Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Thomas Fourier (1): mmc: mvsdio: Fix dma_unmap_sg() nents value Tiezhu Yang (4): LoongArch: Update help info of ARCH_STRICT_ALIGN objtool/LoongArch: Mark types based on break immediate code objtool/LoongArch: Mark special atomic instruction as INSN_BUG type LoongArch: Fix unreliable stack for live patching Tiwei Bie (1): um: Fix FD copy size in os_rcv_fd_msg() Vasant Hegde (1): iommu/amd/pgtbl: Fix possible race while increase page table level Yang Xiuwei (1): io_uring: fix incorrect io_kiocb reference in io_link_skb Yeounsu Moon (1): net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure

1 month, 1 week

1
1
0 0

Linux 6.6.108

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.108 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/loongarch/Kconfig | 8 + arch/loongarch/include/asm/acenv.h | 7 - arch/loongarch/kernel/env.c | 2 arch/um/drivers/virtio_uml.c | 6 - arch/x86/kvm/svm/svm.c | 3 arch/x86/mm/pgtable.c | 2 crypto/af_alg.c | 10 + drivers/block/loop.c | 38 +----- drivers/edac/sb_edac.c | 4 drivers/gpu/drm/bridge/analogix/anx7625.c | 6 - drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 - drivers/gpu/drm/drm_color_mgmt.c | 2 drivers/iommu/amd/amd_iommu_types.h | 1 drivers/iommu/amd/io_pgtable.c | 26 +++- drivers/iommu/intel/iommu.c | 7 + drivers/md/dm-integrity.c | 6 - drivers/mmc/host/mvsdio.c | 2 drivers/net/bonding/bond_main.c | 2 drivers/net/ethernet/broadcom/cnic.c | 3 drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 +++- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 85 +++++++++++++-- drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 ++ drivers/net/ethernet/natsemi/ns83820.c | 13 +- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 - drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 drivers/net/vmxnet3/vmxnet3_drv.c | 10 - drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 37 ++++-- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 drivers/pcmcia/omap_cf.c | 8 + drivers/phy/broadcom/phy-bcm-ns-usb3.c | 9 - drivers/phy/marvell/phy-berlin-usb.c | 7 - drivers/phy/ralink/phy-ralink-usb.c | 10 - drivers/phy/rockchip/phy-rockchip-pcie.c | 11 - drivers/phy/rockchip/phy-rockchip-usb.c | 10 - drivers/phy/ti/phy-omap-control.c | 9 - drivers/phy/ti/phy-omap-usb2.c | 24 +++- drivers/phy/ti/phy-ti-pipe3.c | 14 -- drivers/power/supply/bq27xxx_battery.c | 4 drivers/rtc/rtc-pcf2127.c | 10 - drivers/usb/host/xhci-dbgcap.c | 94 ++++++++++++----- fs/btrfs/tree-checker.c | 4 fs/btrfs/tree-log.c | 2 fs/nilfs2/sysfs.c | 4 fs/nilfs2/sysfs.h | 8 - fs/smb/client/smbdirect.c | 4 fs/smb/server/transport_rdma.c | 26 +++- include/crypto/if_alg.h | 10 + include/linux/minmax.h | 26 +++- include/linux/mlx5/driver.h | 1 include/linux/pageblock-flags.h | 2 include/uapi/linux/mptcp.h | 6 - io_uring/io_uring.c | 7 - io_uring/io_uring.h | 13 ++ io_uring/poll.c | 3 io_uring/timeout.c | 2 kernel/cgroup/cgroup.c | 43 ++++++- net/ipv4/proc.c | 2 net/ipv4/tcp.c | 5 net/ipv6/proc.c | 2 net/mac80211/driver-ops.h | 2 net/mac80211/main.c | 7 + net/mptcp/options.c | 6 - net/mptcp/pm_netlink.c | 7 + net/mptcp/protocol.c | 16 ++ net/mptcp/subflow.c | 4 net/rds/ib_frmr.c | 20 ++- net/rfkill/rfkill-gpio.c | 4 net/tls/tls.h | 1 net/tls/tls_strp.c | 14 +- net/tls/tls_sw.c | 3 sound/firewire/motu/motu-hwdep.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/codecs/wm8940.c | 9 + sound/soc/codecs/wm8974.c | 8 + sound/soc/qcom/qdsp6/audioreach.c | 1 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 - sound/soc/sof/intel/hda-stream.c | 2 tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 + tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 +- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +- 87 files changed, 599 insertions(+), 298 deletions(-) Ajay.Kathat(a)microchip.com (1): wifi: wilc1000: avoid buffer overflow in WID string configuration Alexey Nepomnyashih (1): net: liquidio: fix overflow in octeon_init_instr_queue() Bruno Thomsen (1): rtc: pcf2127: fix SPI command byte for PCF2131 backport Charles Keepax (3): ASoC: wm8940: Correct PLL rate rounding ASoC: wm8940: Correct typo in control name ASoC: wm8974: Correct PLL rate rounding Chen Ridong (1): cgroup: split cgroup_destroy_wq into 3 workqueues Colin Ian King (1): ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Duoming Zhou (2): cnic: Fix use-after-free bugs in cnic_delete_task octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Eric Hagberg (1): Revert "loop: Avoid updating block size under exclusive owner" Eugene Koira (1): iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Filipe Manana (1): btrfs: fix invalid extref key setup when replaying dentry Geert Uytterhoeven (1): pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Geliang Tang (1): selftests: mptcp: sockopt: fix error messages Greg Kroah-Hartman (1): Linux 6.6.108 H. Nikolaus Schaller (2): power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery power: supply: bq27xxx: restrict no-battery detection to bq27000 Hangbin Liu (2): bonding: set random address only when slaves already exist bonding: don't set oif to bond dev when getting NS target destination Hans de Goede (1): net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Herbert Xu (2): crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg crypto: af_alg - Set merge to zero early in af_alg_sendmsg Huacai Chen (1): LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Håkon Bugge (1): rds: ib: Increment i_fastreg_wrs before bailing out Ioana Ciornei (1): dpaa2-switch: fix buffer pool seeding for control traffic Jakub Kicinski (1): tls: make sure to abort the stream if headers are bogus Jamie Bainbridge (1): qed: Don't collect too many protection override GRC elements Jens Axboe (2): io_uring: backport io_should_terminate_tw() io_uring: include dying ring in task_work "should cancel" state Jianbo Liu (2): net/mlx5e: Consider aggregated port speed during rate configuration net/mlx5e: Harden uplink netdev access against device unbind Johan Hovold (1): phy: ti: omap-usb2: fix device leak at unbind Krzysztof Kozlowski (1): ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Kuniyuki Iwashima (1): tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Lachlan Hodges (1): wifi: mac80211: increase scan_ies_len for S1G Liao Yuanhong (1): wifi: mac80211: fix incorrect type for ret Linus Torvalds (3): minmax: avoid overly complicated constant expressions in VM code minmax: simplify and clarify min_t()/max_t() implementation minmax: add a few more MIN_T/MAX_T users Loic Poulain (1): drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Maciej Fijalkowski (1): i40e: remove redundant memory barrier when cleaning Tx descs Maciej S. Szmigiero (1): KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Mathias Nyman (2): xhci: dbc: decouple endpoint allocation from initialization xhci: dbc: Fix full DbC transfer ring after several reconnects Matthieu Baerts (NGI0) (7): mptcp: set remote_deny_join_id0 on SYN recv mptcp: tfo: record 'deny join id0' info selftests: mptcp: connect: catch IO errors on listen side selftests: mptcp: avoid spurious errors on TCP disconnect mptcp: pm: nl: announce deny-join-id0 flag selftests: mptcp: userspace pm: validate deny-join-id0 flag mptcp: propagate shutdown to subflows when possible Miaoqian Lin (1): um: virtio_uml: Fix use-after-free after put_device in probe Mohammad Rafi Shaik (2): ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Namjae Jeon (1): ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Nathan Chancellor (1): nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Praful Adiga (1): ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Qi Xi (1): drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Qu Wenruo (1): btrfs: tree-checker: fix the incorrect inode ref size check Rob Herring (1): phy: Use device_get_match_data() Sankararaman Jayaraman (1): vmxnet3: unregister xdp rxq info in the reset path Stefan Metzmacher (2): ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Takashi Sakamoto (1): ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Tao Cui (1): LoongArch: Check the return value when creating kobj Tariq Toukan (1): Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Thomas Fourier (1): mmc: mvsdio: Fix dma_unmap_sg() nents value Tiezhu Yang (1): LoongArch: Update help info of ARCH_STRICT_ALIGN Vasant Hegde (1): iommu/amd/pgtbl: Fix possible race while increase page table level Yeounsu Moon (1): net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure

1 month, 1 week

1
1
0 0

Linux 6.1.154

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.154 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/loongarch/include/asm/acenv.h | 7 - arch/loongarch/kernel/env.c | 2 arch/um/drivers/virtio_uml.c | 6 arch/x86/kvm/svm/svm.c | 3 crypto/af_alg.c | 112 ++++++----------- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 drivers/iommu/intel/iommu.c | 7 - drivers/mmc/host/mvsdio.c | 2 drivers/net/bonding/bond_main.c | 1 drivers/net/ethernet/broadcom/cnic.c | 3 drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 drivers/net/ethernet/natsemi/ns83820.c | 13 - drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 - drivers/pcmcia/omap_cf.c | 8 + drivers/phy/broadcom/phy-bcm-ns-usb3.c | 9 - drivers/phy/marvell/phy-berlin-usb.c | 7 - drivers/phy/ralink/phy-ralink-usb.c | 10 - drivers/phy/rockchip/phy-rockchip-pcie.c | 11 - drivers/phy/rockchip/phy-rockchip-usb.c | 10 - drivers/phy/ti/phy-omap-control.c | 9 - drivers/phy/ti/phy-omap-usb2.c | 24 ++- drivers/phy/ti/phy-ti-pipe3.c | 14 -- drivers/power/supply/bq27xxx_battery.c | 4 drivers/usb/host/xhci-dbgcap.c | 94 ++++++++++---- fs/btrfs/tree-checker.c | 4 fs/btrfs/tree-log.c | 2 fs/nilfs2/sysfs.c | 4 fs/nilfs2/sysfs.h | 8 - fs/smb/client/smbdirect.c | 4 fs/smb/server/transport_rdma.c | 26 ++- include/crypto/if_alg.h | 10 - include/uapi/linux/mptcp.h | 6 io_uring/io_uring.c | 13 + io_uring/io_uring.h | 13 + io_uring/poll.c | 3 io_uring/timeout.c | 2 kernel/cgroup/cgroup.c | 43 +++++- net/ipv4/tcp.c | 5 net/mac80211/driver-ops.h | 2 net/mac80211/main.c | 7 - net/mptcp/pm_netlink.c | 7 + net/mptcp/protocol.c | 15 ++ net/mptcp/subflow.c | 4 net/rds/ib_frmr.c | 20 +-- net/rfkill/rfkill-gpio.c | 22 ++- net/tls/tls.h | 1 net/tls/tls_strp.c | 14 +- net/tls/tls_sw.c | 3 sound/firewire/motu/motu-hwdep.c | 2 sound/pci/hda/patch_realtek.c | 1 sound/soc/codecs/wm8940.c | 2 sound/soc/codecs/wm8974.c | 8 - sound/soc/qcom/qdsp6/audioreach.c | 1 sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 38 +++-- sound/soc/sof/intel/hda-stream.c | 2 tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 - tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +- 64 files changed, 440 insertions(+), 272 deletions(-) Alexey Nepomnyashih (1): net: liquidio: fix overflow in octeon_init_instr_queue() Charles Keepax (2): ASoC: wm8940: Correct typo in control name ASoC: wm8974: Correct PLL rate rounding Chen Ridong (1): cgroup: split cgroup_destroy_wq into 3 workqueues Colin Ian King (1): ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message David Howells (2): crypto: af_alg: Indent the loop in af_alg_sendmsg() crypto: af_alg: Convert af_alg_sendpage() to use MSG_SPLICE_PAGES Duoming Zhou (2): cnic: Fix use-after-free bugs in cnic_delete_task octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Eugene Koira (1): iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Filipe Manana (1): btrfs: fix invalid extref key setup when replaying dentry Geert Uytterhoeven (1): pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Greg Kroah-Hartman (1): Linux 6.1.154 H. Nikolaus Schaller (2): power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery power: supply: bq27xxx: restrict no-battery detection to bq27000 Hangbin Liu (1): bonding: don't set oif to bond dev when getting NS target destination Hans de Goede (1): net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Herbert Xu (2): crypto: af_alg - Set merge to zero early in af_alg_sendmsg crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Huacai Chen (1): LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Håkon Bugge (1): rds: ib: Increment i_fastreg_wrs before bailing out Ioana Ciornei (1): dpaa2-switch: fix buffer pool seeding for control traffic Jakub Kicinski (1): tls: make sure to abort the stream if headers are bogus Jamie Bainbridge (1): qed: Don't collect too many protection override GRC elements Jens Axboe (2): io_uring: backport io_should_terminate_tw() io_uring: include dying ring in task_work "should cancel" state Johan Hovold (1): phy: ti: omap-usb2: fix device leak at unbind Krzysztof Kozlowski (2): phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Kuniyuki Iwashima (1): tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Lachlan Hodges (1): wifi: mac80211: increase scan_ies_len for S1G Liao Yuanhong (1): wifi: mac80211: fix incorrect type for ret Loic Poulain (1): drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Maciej Fijalkowski (1): i40e: remove redundant memory barrier when cleaning Tx descs Maciej S. Szmigiero (1): KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Mathias Nyman (2): xhci: dbc: decouple endpoint allocation from initialization xhci: dbc: Fix full DbC transfer ring after several reconnects Matthieu Baerts (NGI0) (6): mptcp: set remote_deny_join_id0 on SYN recv selftests: mptcp: avoid spurious errors on TCP disconnect mptcp: pm: nl: announce deny-join-id0 flag selftests: mptcp: userspace pm: validate deny-join-id0 flag mptcp: propagate shutdown to subflows when possible selftests: mptcp: connect: catch IO errors on listen side Miaoqian Lin (1): um: virtio_uml: Fix use-after-free after put_device in probe Mohammad Rafi Shaik (2): ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Namjae Jeon (1): ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Nathan Chancellor (1): nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Philipp Zabel (1): net: rfkill: gpio: add DT support Praful Adiga (1): ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Qi Xi (1): drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Qu Wenruo (1): btrfs: tree-checker: fix the incorrect inode ref size check Rob Herring (1): phy: Use device_get_match_data() Srinivas Kandagatla (2): ASoC: qcom: q6apm-lpass-dai: close graphs before opening a new one ASoC: q6apm-lpass-dai: close graph on prepare errors Stefan Metzmacher (2): ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Takashi Sakamoto (1): ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Tao Cui (1): LoongArch: Check the return value when creating kobj Tariq Toukan (1): Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Thomas Fourier (1): mmc: mvsdio: Fix dma_unmap_sg() nents value Yeounsu Moon (1): net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure

1 month, 1 week

1
1
0 0

[PATCH v2] fs/netfs: fix reference leak

by Max Kellermann

Commit 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") modified netfs_alloc_request() to initialize the reference counter to 2 instead of 1. The rationale was that the requet's "work" would release the second reference after completion (via netfs_{read,write}_collection_worker()). That works most of the time if all goes well. However, it leaks this additional reference if the request is released before the I/O operation has been submitted: the error code path only decrements the reference counter once and the work item will never be queued because there will never be a completion. This has caused outages of our whole server cluster today because tasks were blocked in netfs_wait_for_outstanding_io(), leading to deadlocks in Ceph (another bug that I will address soon in another patch). This was caused by a netfs_pgpriv2_begin_copy_to_cache() call which failed in fscache_begin_write_operation(). The leaked netfs_io_request was never completed, leaving `netfs_inode.io_count` with a positive value forever. All of this is super-fragile code. Finding out which code paths will lead to an eventual completion and which do not is hard to see: - Some functions like netfs_create_write_req() allocate a request, but will never submit any I/O. - netfs_unbuffered_read_iter_locked() calls netfs_unbuffered_read() and then netfs_put_request(); however, netfs_unbuffered_read() can also fail early before submitting the I/O request, therefore another netfs_put_request() call must be added there. A rule of thumb is that functions that return a `netfs_io_request` do not submit I/O, and all of their callers must be checked. For my taste, the whole netfs code needs an overhaul to make reference counting easier to understand and less fragile & obscure. But to fix this bug here and now and produce a patch that is adequate for a stable backport, I tried a minimal approach that quickly frees the request object upon early failure. I decided against adding a second netfs_put_request() each time because that would cause code duplication which obscures the code further. Instead, I added the function netfs_put_failed_request() which frees such a failed request synchronously under the assumption that the reference count is exactly 2 (as initially set by netfs_alloc_request() and never touched), verified by a WARN_ON_ONCE(). It then deinitializes the request object (without going through the "cleanup_work" indirection) and frees the allocation (with RCU protection to protect against concurrent access by netfs_requests_seq_start()). All code paths that fail early have been changed to call netfs_put_failed_request() instead of netfs_put_request(). Additionally, I have added a netfs_put_request() call to netfs_unbuffered_read() as explained above because the netfs_put_failed_request() approach does not work there. Fixes: 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") Cc: stable(a)vger.kernel.org Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> --- v1->v2: free the request with call_rcu() because a proc reader might be accessing it (suggested by David Howells) --- fs/netfs/buffered_read.c | 10 +++++----- fs/netfs/direct_read.c | 7 ++++++- fs/netfs/direct_write.c | 6 +++++- fs/netfs/internal.h | 1 + fs/netfs/objects.c | 28 +++++++++++++++++++++++++--- fs/netfs/read_pgpriv2.c | 2 +- fs/netfs/read_single.c | 2 +- fs/netfs/write_issue.c | 3 +-- 8 files changed, 45 insertions(+), 14 deletions(-) diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c index 18b3dc74c70e..37ab6f28b5ad 100644 --- a/fs/netfs/buffered_read.c +++ b/fs/netfs/buffered_read.c @@ -369,7 +369,7 @@ void netfs_readahead(struct readahead_control *ractl) return netfs_put_request(rreq, netfs_rreq_trace_put_return); cleanup_free: - return netfs_put_request(rreq, netfs_rreq_trace_put_failed); + return netfs_put_failed_request(rreq); } EXPORT_SYMBOL(netfs_readahead); @@ -472,7 +472,7 @@ static int netfs_read_gaps(struct file *file, struct folio *folio) return ret < 0 ? ret : 0; discard: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); alloc_error: folio_unlock(folio); return ret; @@ -532,7 +532,7 @@ int netfs_read_folio(struct file *file, struct folio *folio) return ret < 0 ? ret : 0; discard: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); alloc_error: folio_unlock(folio); return ret; @@ -699,7 +699,7 @@ int netfs_write_begin(struct netfs_inode *ctx, return 0; error_put: - netfs_put_request(rreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(rreq); error: if (folio) { folio_unlock(folio); @@ -754,7 +754,7 @@ int netfs_prefetch_for_write(struct file *file, struct folio *folio, return ret < 0 ? ret : 0; error_put: - netfs_put_request(rreq, netfs_rreq_trace_put_discard); + netfs_put_failed_request(rreq); error: _leave(" = %d", ret); return ret; diff --git a/fs/netfs/direct_read.c b/fs/netfs/direct_read.c index a05e13472baf..a498ee8d6674 100644 --- a/fs/netfs/direct_read.c +++ b/fs/netfs/direct_read.c @@ -131,6 +131,7 @@ static ssize_t netfs_unbuffered_read(struct netfs_io_request *rreq, bool sync) if (rreq->len == 0) { pr_err("Zero-sized read [R=%x]\n", rreq->debug_id); + netfs_put_request(rreq, netfs_rreq_trace_put_discard); return -EIO; } @@ -205,7 +206,7 @@ ssize_t netfs_unbuffered_read_iter_locked(struct kiocb *iocb, struct iov_iter *i if (user_backed_iter(iter)) { ret = netfs_extract_user_iter(iter, rreq->len, &rreq->buffer.iter, 0); if (ret < 0) - goto out; + goto error_put; rreq->direct_bv = (struct bio_vec *)rreq->buffer.iter.bvec; rreq->direct_bv_count = ret; rreq->direct_bv_unpin = iov_iter_extract_will_pin(iter); @@ -238,6 +239,10 @@ ssize_t netfs_unbuffered_read_iter_locked(struct kiocb *iocb, struct iov_iter *i if (ret > 0) orig_count -= ret; return ret; + +error_put: + netfs_put_failed_request(rreq); + return ret; } EXPORT_SYMBOL(netfs_unbuffered_read_iter_locked); diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c index a16660ab7f83..a9d1c3b2c084 100644 --- a/fs/netfs/direct_write.c +++ b/fs/netfs/direct_write.c @@ -57,7 +57,7 @@ ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov_iter * n = netfs_extract_user_iter(iter, len, &wreq->buffer.iter, 0); if (n < 0) { ret = n; - goto out; + goto error_put; } wreq->direct_bv = (struct bio_vec *)wreq->buffer.iter.bvec; wreq->direct_bv_count = n; @@ -101,6 +101,10 @@ ssize_t netfs_unbuffered_write_iter_locked(struct kiocb *iocb, struct iov_iter * out: netfs_put_request(wreq, netfs_rreq_trace_put_return); return ret; + +error_put: + netfs_put_failed_request(wreq); + return ret; } EXPORT_SYMBOL(netfs_unbuffered_write_iter_locked); diff --git a/fs/netfs/internal.h b/fs/netfs/internal.h index d4f16fefd965..4319611f5354 100644 --- a/fs/netfs/internal.h +++ b/fs/netfs/internal.h @@ -87,6 +87,7 @@ struct netfs_io_request *netfs_alloc_request(struct address_space *mapping, void netfs_get_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace what); void netfs_clear_subrequests(struct netfs_io_request *rreq); void netfs_put_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace what); +void netfs_put_failed_request(struct netfs_io_request *rreq); struct netfs_io_subrequest *netfs_alloc_subrequest(struct netfs_io_request *rreq); static inline void netfs_see_request(struct netfs_io_request *rreq, diff --git a/fs/netfs/objects.c b/fs/netfs/objects.c index e8c99738b5bb..39d5e13f7248 100644 --- a/fs/netfs/objects.c +++ b/fs/netfs/objects.c @@ -116,10 +116,8 @@ static void netfs_free_request_rcu(struct rcu_head *rcu) netfs_stat_d(&netfs_n_rh_rreq); } -static void netfs_free_request(struct work_struct *work) +static void netfs_deinit_request(struct netfs_io_request *rreq) { - struct netfs_io_request *rreq = - container_of(work, struct netfs_io_request, cleanup_work); struct netfs_inode *ictx = netfs_inode(rreq->inode); unsigned int i; @@ -149,6 +147,14 @@ static void netfs_free_request(struct work_struct *work) if (atomic_dec_and_test(&ictx->io_count)) wake_up_var(&ictx->io_count); +} + +static void netfs_free_request(struct work_struct *work) +{ + struct netfs_io_request *rreq = + container_of(work, struct netfs_io_request, cleanup_work); + + netfs_deinit_request(rreq); call_rcu(&rreq->rcu, netfs_free_request_rcu); } @@ -167,6 +173,22 @@ void netfs_put_request(struct netfs_io_request *rreq, enum netfs_rreq_ref_trace } } +/* + * Free a request (synchronously) that was just allocated but has + * failed before it could be submitted. + */ +void netfs_put_failed_request(struct netfs_io_request *rreq) +{ + /* new requests have two references (see + * netfs_alloc_request(), and this function is only allowed on + * new request objects + */ + WARN_ON_ONCE(refcount_read(&rreq->ref) != 2); + + trace_netfs_rreq_ref(rreq->debug_id, 0, netfs_rreq_trace_put_failed); + netfs_free_request(&rreq->cleanup_work); +} + /* * Allocate and partially initialise an I/O request structure. */ diff --git a/fs/netfs/read_pgpriv2.c b/fs/netfs/read_pgpriv2.c index 8097bc069c1d..a1489aa29f78 100644 --- a/fs/netfs/read_pgpriv2.c +++ b/fs/netfs/read_pgpriv2.c @@ -118,7 +118,7 @@ static struct netfs_io_request *netfs_pgpriv2_begin_copy_to_cache( return creq; cancel_put: - netfs_put_request(creq, netfs_rreq_trace_put_return); + netfs_put_failed_request(creq); cancel: rreq->copy_to_cache = ERR_PTR(-ENOBUFS); clear_bit(NETFS_RREQ_FOLIO_COPY_TO_CACHE, &rreq->flags); diff --git a/fs/netfs/read_single.c b/fs/netfs/read_single.c index fa622a6cd56d..5c0dc4efc792 100644 --- a/fs/netfs/read_single.c +++ b/fs/netfs/read_single.c @@ -189,7 +189,7 @@ ssize_t netfs_read_single(struct inode *inode, struct file *file, struct iov_ite return ret; cleanup_free: - netfs_put_request(rreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(rreq); return ret; } EXPORT_SYMBOL(netfs_read_single); diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c index 0584cba1a043..dd8743bc8d7f 100644 --- a/fs/netfs/write_issue.c +++ b/fs/netfs/write_issue.c @@ -133,8 +133,7 @@ struct netfs_io_request *netfs_create_write_req(struct address_space *mapping, return wreq; nomem: - wreq->error = -ENOMEM; - netfs_put_request(wreq, netfs_rreq_trace_put_failed); + netfs_put_failed_request(wreq); return ERR_PTR(-ENOMEM); } -- 2.47.3

1 month, 1 week

2
2
0 0

Re: it's Seven again for PCBA One-stop Service

by Seven

Hi , What would it mean to you if your business was able to reduce Expenses by 20% (Clients: Littelfuse, Corsair, BMB, Mercedes-Benz, Fantac) We are a PCBA factory with an area of 6,000 square meters. We have been in this industry for 18 years and have an experienced team of engineers. Help you reduce BOM Expenses Fast delivery (15 days for Demo) Competitive prices (10% lower than peers) Real factory processing fees are Fees Complete quality management system (ISO9001,ISO14001,ISO13485,IATF16949,UL)Given how well our pcba service suits your needs, I think we could do some Excellent work together. Seven LeeChief Technology Officer Business Department | Shenzhen STHL Technology Co,Ltd +8618569002840 Seven(a)pcba-china.com 在2025-06-04，Seven <seven(a)ems-sthi.com> 写道:-----原始邮件----- 发件人： Seven <seven(a)ems-sthi.com> 发件时间: 2025年06月04日周三收件人： [Linux-stable-mirror <linux-stable-mirror(a)lists.linaro.org>] 主题： Re:Jordan recommend me get in touch Hi, Glad to know you and your company from Jordan. I‘m Seven CTO of STHL We are a one-stop service provider for PCBA. We can help you with production from PCB to finished product assembly. Why Partner With Us? ✅ One-Stop Expertise: From PCB fabrication, PCBA (SMT & Through-Hole), custom cable harnesses, , to final product assembly – we eliminate multi-vendor coordination risks. ✅ Cost Efficiency: 40%+ clients reduce logistics/QC costs through our integrated service model (ISO 9001:2015 certified). ✅ Speed-to-Market: Average 15% faster lead times achieved via in-house vertical integration. Recent Success Case: Helped a German IoT startup scale from prototype to 50K-unit/month production within 6 months through our: PCB Design-for-Manufacturing (DFM) optimization Automated PCBA with 99.98% first-pass yield Mechanical housing CNC machining & IP67-rated assembly Seven Marcus CTO Shenzhen STHL Technology Co,Ltd +8618569002840 Seven(a)pcba-china.com

1 month, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm/migrate_device: don't add folio to be freed to LRU in" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 41cddf83d8b00f29fd105e7a0777366edc69a5cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025022407-amplifier-catnip-6e14@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Mon, 10 Feb 2025 17:13:17 +0100 Subject: [PATCH] mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst. Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jérôme Glisse <jglisse(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate_device.c b/mm/migrate_device.c index 9cf26592ac93..5bd888223cc8 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned long *src_pfns, dst = src; } + if (!folio_is_zone_device(dst)) + folio_add_lru(dst); remove_migration_ptes(src, dst, 0); folio_unlock(src); - - if (folio_is_zone_device(src)) - folio_put(src); - else - folio_putback_lru(src); + folio_put(src); if (dst != src) { folio_unlock(dst); - if (folio_is_zone_device(dst)) - folio_put(dst); - else - folio_putback_lru(dst); + folio_put(dst); } } }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] mm/migrate_device: don't add folio to be freed to LRU in" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 41cddf83d8b00f29fd105e7a0777366edc69a5cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025022405-surpass-stipend-ca02@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Mon, 10 Feb 2025 17:13:17 +0100 Subject: [PATCH] mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst. Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jérôme Glisse <jglisse(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate_device.c b/mm/migrate_device.c index 9cf26592ac93..5bd888223cc8 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned long *src_pfns, dst = src; } + if (!folio_is_zone_device(dst)) + folio_add_lru(dst); remove_migration_ptes(src, dst, 0); folio_unlock(src); - - if (folio_is_zone_device(src)) - folio_put(src); - else - folio_putback_lru(src); + folio_put(src); if (dst != src) { folio_unlock(dst); - if (folio_is_zone_device(dst)) - folio_put(dst); - else - folio_putback_lru(dst); + folio_put(dst); } } }

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] mm/migrate_device: don't add folio to be freed to LRU in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 41cddf83d8b00f29fd105e7a0777366edc69a5cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025022404-rebuttal-laundry-1cf8@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Mon, 10 Feb 2025 17:13:17 +0100 Subject: [PATCH] mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst. Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jérôme Glisse <jglisse(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate_device.c b/mm/migrate_device.c index 9cf26592ac93..5bd888223cc8 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned long *src_pfns, dst = src; } + if (!folio_is_zone_device(dst)) + folio_add_lru(dst); remove_migration_ptes(src, dst, 0); folio_unlock(src); - - if (folio_is_zone_device(src)) - folio_put(src); - else - folio_putback_lru(src); + folio_put(src); if (dst != src) { folio_unlock(dst); - if (folio_is_zone_device(dst)) - folio_put(dst); - else - folio_putback_lru(dst); + folio_put(dst); } } }

1 month, 1 week

2
1
0 0

[PATCH RESEND net v3] net: nfc: nci: Add parameter validation for packet data

by Deepak Sharma

Syzbot reported an uninitialized value bug in nci_init_req, which was introduced by commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools"). This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet. Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers). Reported-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8 Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation") Tested-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Deepak Sharma <deepak.sharma.472935(a)gmail.com> Reviewed-by: Vadim Fedorenko <vadim.fedorenko(a)linux.dev> --- v3: - Move the checks inside the packet data handlers - Improvements to the commit message v2: - Fix the release of skb in case of the early return v1: - Add checks in `nci_ntf_packet` on the skb->len and do early return on failure net/nfc/nci/ntf.c | 139 +++++++++++++++++++++++++++++++++------------- 1 file changed, 101 insertions(+), 38 deletions(-) diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index a818eff27e6b..c0edf8242e22 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -27,11 +27,16 @@ /* Handle NCI Notification packets */ -static void nci_core_reset_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_reset_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { /* Handle NCI 2.x core reset notification */ - const struct nci_core_reset_ntf *ntf = (void *)skb->data; + const struct nci_core_reset_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_reset_ntf)) + return -EINVAL; + + ntf = (struct nci_core_reset_ntf *)skb->data; ndev->nci_ver = ntf->nci_ver; pr_debug("nci_ver 0x%x, config_status 0x%x\n", @@ -42,15 +47,22 @@ static void nci_core_reset_ntf_packet(struct nci_dev *ndev, __le32_to_cpu(ntf->manufact_specific_info); nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_conn_credit_ntf *ntf = (void *) skb->data; + struct nci_core_conn_credit_ntf *ntf; struct nci_conn_info *conn_info; int i; + if (skb->len < sizeof(struct nci_core_conn_credit_ntf)) + return -EINVAL; + + ntf = (struct nci_core_conn_credit_ntf *)skb->data; + pr_debug("num_entries %d\n", ntf->num_entries); if (ntf->num_entries > NCI_MAX_NUM_CONN) @@ -68,7 +80,7 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, conn_info = nci_get_conn_info_by_conn_id(ndev, ntf->conn_entries[i].conn_id); if (!conn_info) - return; + return 0; atomic_add(ntf->conn_entries[i].credits, &conn_info->credits_cnt); @@ -77,12 +89,19 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, /* trigger the next tx */ if (!skb_queue_empty(&ndev->tx_q)) queue_work(ndev->tx_wq, &ndev->tx_work); + + return 0; } -static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_generic_error_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { - __u8 status = skb->data[0]; + __u8 status; + + if (skb->len < 1) + return -EINVAL; + + status = skb->data[0]; pr_debug("status 0x%x\n", status); @@ -91,12 +110,19 @@ static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, (the state remains the same) */ nci_req_complete(ndev, status); } + + return 0; } -static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_intf_error_ntf *ntf = (void *) skb->data; + struct nci_core_intf_error_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_intf_error_ntf)) + return -EINVAL; + + ntf = (struct nci_core_intf_error_ntf *)skb->data; ntf->conn_id = nci_conn_id(&ntf->conn_id); @@ -105,6 +131,8 @@ static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, /* complete the data exchange transaction, if exists */ if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags)) nci_data_exchange_complete(ndev, NULL, ntf->conn_id, -EIO); + + return 0; } static const __u8 * @@ -329,13 +357,18 @@ void nci_clear_target_list(struct nci_dev *ndev) ndev->n_targets = 0; } -static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_rf_discover_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; bool add_target = true; + if (skb->len < sizeof(struct nci_rf_discover_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_protocol = *data++; ntf.rf_tech_and_mode = *data++; @@ -390,6 +423,8 @@ static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, nfc_targets_found(ndev->nfc_dev, ndev->targets, ndev->n_targets); } + + return 0; } static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, @@ -501,7 +536,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_POLL_MODE: case NCI_NFC_F_PASSIVE_POLL_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.poll_nfc_dep.atr_res_len + (ntf->activation_params.poll_nfc_dep.atr_res_len - NFC_ATR_RES_GT_OFFSET), NFC_ATR_RES_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -513,7 +548,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_LISTEN_MODE: case NCI_NFC_F_PASSIVE_LISTEN_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.listen_nfc_dep.atr_req_len + (ntf->activation_params.listen_nfc_dep.atr_req_len - NFC_ATR_REQ_GT_OFFSET), NFC_ATR_REQ_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -553,14 +588,19 @@ static int nci_store_ats_nfc_iso_dep(struct nci_dev *ndev, return NCI_STATUS_OK; } -static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_conn_info *conn_info; struct nci_rf_intf_activated_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; int err = NCI_STATUS_OK; + if (skb->len < sizeof(struct nci_rf_intf_activated_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_interface = *data++; ntf.rf_protocol = *data++; @@ -667,7 +707,7 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, if (err == NCI_STATUS_OK) { conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; conn_info->max_pkt_payload_len = ntf.max_data_pkt_payload_size; conn_info->initial_num_credits = ntf.initial_num_credits; @@ -721,19 +761,26 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, pr_err("error when signaling tm activation\n"); } } + + return 0; } -static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { const struct nci_conn_info *conn_info; - const struct nci_rf_deactivate_ntf *ntf = (void *)skb->data; + const struct nci_rf_deactivate_ntf *ntf; + + if (skb->len < sizeof(struct nci_rf_deactivate_ntf)) + return -EINVAL; + + ntf = (struct nci_rf_deactivate_ntf *)skb->data; pr_debug("entry, type 0x%x, reason 0x%x\n", ntf->type, ntf->reason); conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; /* drop tx data queue */ skb_queue_purge(&ndev->tx_q); @@ -765,14 +812,20 @@ static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, } nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { u8 status = NCI_STATUS_OK; - const struct nci_nfcee_discover_ntf *nfcee_ntf = - (struct nci_nfcee_discover_ntf *)skb->data; + const struct nci_nfcee_discover_ntf *nfcee_ntf; + + if (skb->len < sizeof(struct nci_nfcee_discover_ntf)) + return -EINVAL; + + nfcee_ntf = (struct nci_nfcee_discover_ntf *)skb->data; /* NFCForum NCI 9.2.1 HCI Network Specific Handling * If the NFCC supports the HCI Network, it SHALL return one, @@ -783,6 +836,8 @@ static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, ndev->cur_params.id = nfcee_ntf->nfcee_id; nci_req_complete(ndev, status); + + return 0; } void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) @@ -809,35 +864,43 @@ void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) switch (ntf_opcode) { case NCI_OP_CORE_RESET_NTF: - nci_core_reset_ntf_packet(ndev, skb); + if (nci_core_reset_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_CONN_CREDITS_NTF: - nci_core_conn_credits_ntf_packet(ndev, skb); + if (nci_core_conn_credits_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_GENERIC_ERROR_NTF: - nci_core_generic_error_ntf_packet(ndev, skb); + if (nci_core_generic_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_INTF_ERROR_NTF: - nci_core_conn_intf_error_ntf_packet(ndev, skb); + if (nci_core_conn_intf_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DISCOVER_NTF: - nci_rf_discover_ntf_packet(ndev, skb); + if (nci_rf_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_INTF_ACTIVATED_NTF: - nci_rf_intf_activated_ntf_packet(ndev, skb); + if (nci_rf_intf_activated_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DEACTIVATE_NTF: - nci_rf_deactivate_ntf_packet(ndev, skb); + if (nci_rf_deactivate_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_NFCEE_DISCOVER_NTF: - nci_nfcee_discover_ntf_packet(ndev, skb); + if (nci_nfcee_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_NFCEE_ACTION_NTF: -- 2.51.0

1 month, 1 week

2
1
0 0

FAILED: patch "[PATCH] mm/migrate_device: don't add folio to be freed to LRU in" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 41cddf83d8b00f29fd105e7a0777366edc69a5cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025022402-footprint-usher-aa6e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Mon, 10 Feb 2025 17:13:17 +0100 Subject: [PATCH] mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst. Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jérôme Glisse <jglisse(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate_device.c b/mm/migrate_device.c index 9cf26592ac93..5bd888223cc8 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned long *src_pfns, dst = src; } + if (!folio_is_zone_device(dst)) + folio_add_lru(dst); remove_migration_ptes(src, dst, 0); folio_unlock(src); - - if (folio_is_zone_device(src)) - folio_put(src); - else - folio_putback_lru(src); + folio_put(src); if (dst != src) { folio_unlock(dst); - if (folio_is_zone_device(dst)) - folio_put(dst); - else - folio_putback_lru(dst); + folio_put(dst); } } }

1 month, 1 week

2
3
0 0

FAILED: patch "[PATCH] mm/migrate_device: don't add folio to be freed to LRU in" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 41cddf83d8b00f29fd105e7a0777366edc69a5cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025022401-batting-december-cf51@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Mon, 10 Feb 2025 17:13:17 +0100 Subject: [PATCH] mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LRU, making memcg code unhappy. Running the hmm selftests: # ./hmm-tests ... # RUN hmm.hmm_device_private.migrate ... [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00 [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff) [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9 [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000 [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled()) [ 102.087230][T14893] ------------[ cut here ]------------ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.090478][T14893] Modules linked in: [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151 [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.096104][T14893] Code: ... [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293 [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426 [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880 [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000 [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8 [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000 [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000 [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0 [ 102.113478][T14893] PKRU: 55555554 [ 102.114172][T14893] Call Trace: [ 102.114805][T14893] <TASK> [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.116547][T14893] ? __warn.cold+0x110/0x210 [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.118667][T14893] ? report_bug+0x1b9/0x320 [ 102.119571][T14893] ? handle_bug+0x54/0x90 [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50 [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20 [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0 [ 102.123506][T14893] ? dump_page+0x4f/0x60 [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170 [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200 [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720 [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10 [ 102.129550][T14893] folio_putback_lru+0x16/0x80 [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530 [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0 [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80 Likely, nothing else goes wrong: putting the last folio reference will remove the folio from the LRU again. So besides memcg complaining, adding the folio to be freed to the LRU is just an unnecessary step. The new flow resembles what we have in migrate_folio_move(): add the dst to the lru, remove migration ptes, unlock and unref dst. Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory") Signed-off-by: David Hildenbrand <david(a)redhat.com> Cc: Jérôme Glisse <jglisse(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/migrate_device.c b/mm/migrate_device.c index 9cf26592ac93..5bd888223cc8 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned long *src_pfns, dst = src; } + if (!folio_is_zone_device(dst)) + folio_add_lru(dst); remove_migration_ptes(src, dst, 0); folio_unlock(src); - - if (folio_is_zone_device(src)) - folio_put(src); - else - folio_putback_lru(src); + folio_put(src); if (dst != src) { folio_unlock(dst); - if (folio_is_zone_device(dst)) - folio_put(dst); - else - folio_putback_lru(dst); + folio_put(dst); } } }

1 month, 1 week

2
3
0 0

[PATCH 6.16 1/2] wifi: iwlwifi: fix byte count table for old devices

by Johannes Berg

From: Johannes Berg <johannes.berg(a)intel.com> commit 586e3cb33ba6890054b95aa0ade0a165890efabd upstream. For devices handled by iwldvm, bc_table_dword was never set, but I missed that during the removal thereof. Change the logic to not treat the byte count table as dwords for devices older than 9000 series to fix that. Fixes: 6570ea227826 ("wifi: iwlwifi: remove bc_table_dword transport config") Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> Link: https://patch.msgid.link/20250828095500.eccd7d3939f1.Ibaffa06d0b3aa5f35a945… --- drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c index eee55428749c..5ca9712dd7f0 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c @@ -2093,7 +2093,8 @@ static void iwl_txq_gen1_update_byte_cnt_tbl(struct iwl_trans *trans, break; } - if (trans->mac_cfg->device_family < IWL_DEVICE_FAMILY_AX210) + if (trans->mac_cfg->device_family >= IWL_DEVICE_FAMILY_9000 && + trans->mac_cfg->device_family < IWL_DEVICE_FAMILY_AX210) len = DIV_ROUND_UP(len, 4); if (WARN_ON(len > 0xFFF || write_ptr >= TFD_QUEUE_SIZE_MAX)) -- 2.51.0

1 month, 1 week

1
1
0 0

[PATCH] afs: Fix potential null pointer dereference in afs_put_server

by Zhen Ni

afs_put_server() accessed server->debug_id before the NULL check, which could lead to a null pointer dereference. Move the debug_id assignment, ensuring we never dereference a NULL server pointer. Fixes: 2757a4dc1849 ("afs: Fix access after dec in put functions") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- fs/afs/server.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/afs/server.c b/fs/afs/server.c index a97562f831eb..c4428ebddb1d 100644 --- a/fs/afs/server.c +++ b/fs/afs/server.c @@ -331,13 +331,14 @@ struct afs_server *afs_use_server(struct afs_server *server, bool activate, void afs_put_server(struct afs_net *net, struct afs_server *server, enum afs_server_trace reason) { - unsigned int a, debug_id = server->debug_id; + unsigned int a, debug_id; bool zero; int r; if (!server) return; + debug_id = server->debug_id; a = atomic_read(&server->active); zero = __refcount_dec_and_test(&server->ref, &r); trace_afs_server(debug_id, r - 1, a, reason); -- 2.20.1

1 month, 1 week

4
3
0 0

Re: Confirmation on EOL for Linux 5.4 Stable Kernel

by Joseph Salisbury

On 9/24/25 13:41, Joseph Salisbury wrote: > Hi Greg/Sasha, > > I am reaching out to confirm the projected EOL for the Linux 5.4 > stable kernel. > > According to the information listed on kernel.org [0], the EOL is > currently slated for December 2025. We are using this projection for > planning, so we would be grateful if you could confirm it is still > accurate. > > Thank you very much for your time and for all the work you do in > maintaining the stable kernel releases! > > Thanks, > > Joe Salisbury > > > [0] https://www.kernel.org/category/releases.html Sorry, I forgot to CC stable for the wider audience. Doing that now.

1 month, 1 week

2
1
0 0

[PATCH v2] crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

by Eric Biggers

Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of type u32. However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true. With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken instead, resulting in 0 being assigned in some cases when 1 was intended. Fix this by restoring the bool type. Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- v2: keep the bitfields and just change the type, as suggested by Linus include/crypto/if_alg.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 0c70f3a555750..107b797c33ecf 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -150,11 +150,11 @@ struct af_alg_ctx { struct crypto_wait wait; size_t used; atomic_t rcvused; - u32 more:1, + bool more:1, merge:1, enc:1, write:1, init:1; base-commit: cec1e6e5d1ab33403b809f79cd20d6aff124ccfe -- 2.51.0

1 month, 1 week

3
2
0 0

[PATCH RESEND] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()

by Thorsten Blum

Replace kmalloc() followed by copy_from_user() with memdup_user() to fix a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using memdup_user() avoids this by freeing the memory internally. Since memdup_user() already allocates memory, use kzalloc() in the else branch instead of manually zeroing 'buff[sg_used]' using memset(0). Cc: stable(a)vger.kernel.org Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.") Signed-off-by: Thorsten Blum <thorsten.blum(a)linux.dev> --- drivers/scsi/hpsa.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index c73a71ac3c29..1c6161d0b85c 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -6522,18 +6522,21 @@ static int hpsa_big_passthru_ioctl(struct ctlr_info *h, while (left) { sz = (left > ioc->malloc_size) ? ioc->malloc_size : left; buff_size[sg_used] = sz; - buff[sg_used] = kmalloc(sz, GFP_KERNEL); - if (buff[sg_used] == NULL) { - status = -ENOMEM; - goto cleanup1; - } + if (ioc->Request.Type.Direction & XFER_WRITE) { - if (copy_from_user(buff[sg_used], data_ptr, sz)) { - status = -EFAULT; + buff[sg_used] = memdup_user(data_ptr, sz); + if (IS_ERR(buff[sg_used])) { + status = PTR_ERR(buff[sg_used]); goto cleanup1; } - } else - memset(buff[sg_used], 0, sz); + } else { + buff[sg_used] = kzalloc(sz, GFP_KERNEL); + if (!buff[sg_used]) { + status = -ENOMEM; + goto cleanup1; + } + } + left -= sz; data_ptr += sz; sg_used++; -- 2.51.0

1 month, 1 week

3
2
0 0

WTF: patch "[PATCH] LoongArch: KVM: Remove unused returns and semicolons" was seriously submitted to be applied to the 6.16-stable tree?

by gregkh＠linuxfoundation.org

The patch below was submitted to be applied to the 6.16-stable tree. I fail to see how this patch meets the stable kernel rules as found at Documentation/process/stable-kernel-rules.rst. I could be totally wrong, and if so, please respond to <stable(a)vger.kernel.org> and let me know why this patch should be applied. Otherwise, it is now dropped from my patch queues, never to be seen again. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 091b29d53fe645781c5c1f405bc9fcd50ce5792b Mon Sep 17 00:00:00 2001 From: Tao Cui <cuitao(a)kylinos.cn> Date: Thu, 18 Sep 2025 19:44:22 +0800 Subject: [PATCH] LoongArch: KVM: Remove unused returns and semicolons The default branch has already handled all undefined cases, so the final return statement is redundant. Redundant semicolons are removed, too. Cc: stable(a)vger.kernel.org Reviewed-by: Bibo Mao <maobibo(a)loongson.cn> Signed-off-by: Tao Cui <cuitao(a)kylinos.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> diff --git a/arch/loongarch/kvm/exit.c b/arch/loongarch/kvm/exit.c index 2ce41f93b2a4..6c9c7de7226b 100644 --- a/arch/loongarch/kvm/exit.c +++ b/arch/loongarch/kvm/exit.c @@ -778,10 +778,8 @@ static long kvm_save_notify(struct kvm_vcpu *vcpu) return 0; default: return KVM_HCALL_INVALID_CODE; - }; - - return KVM_HCALL_INVALID_CODE; -}; + } +} /* * kvm_handle_lsx_disabled() - Guest used LSX while disabled in root.

1 month, 1 week

2
1
0 0

[PATCH AUTOSEL 6.16-6.1] btrfs: ref-verify: handle damaged extent root tree

by Sasha Levin

From: David Sterba <dsterba(a)suse.com> [ Upstream commit ed4e6b5d644c4dd2bc2872ffec036b7da0ec2e27 ] Syzbot hits a problem with enabled ref-verify, ignorebadroots and a fuzzed/damaged extent tree. There's no fallback option like in other places that can deal with it so disable the whole ref-verify as it is just a debugging feature. Reported-by: syzbot+9c3e0cdfbfe351b0bc0e(a)syzkaller.appspotmail.com Link: https://lore.kernel.org/all/0000000000001b6052062139be1c@google.com/ Reviewed-by: Qu Wenruo <wqu(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my exhaustive analysis of the commit, code changes, and extensive research through multiple specialized agents, here is my determination: ## **Backport Status: YES** This commit should be backported to stable kernel trees v5.11 and later. ## Detailed Explanation ### Nature of the Fix The commit fixes a **NULL pointer dereference** that occurs when mounting a corrupted BTRFS filesystem with both `rescue=ignorebadroots` and `ref_verify` options enabled. The code change adds a critical IS_ERR() check: ```c + extent_root = btrfs_extent_root(fs_info, 0); + /* If the extent tree is damaged we cannot ignore it (IGNOREBADROOTS). */ + if (IS_ERR(extent_root)) { + btrfs_warn(fs_info, "ref-verify: extent tree not available, disabling"); + btrfs_clear_opt(fs_info->mount_opt, REF_VERIFY); + return 0; + } ``` Previously, the code immediately used `extent_root` without checking if it was valid, causing a crash at line `eb = btrfs_read_lock_root_node(extent_root)`. ### Why It Qualifies for Stable Backport 1. **Fixes a Real Bug**: Prevents kernel panic during filesystem mount operations 2. **Small and Contained**: Only 7 lines of defensive code added 3. **No Side Effects**: Simply disables the debug feature gracefully instead of crashing 4. **Follows Stable Rules**: - Important bugfix (prevents crashes) - Minimal risk (simple NULL check) - Confined to subsystem (BTRFS ref-verify) ### Specific Code Analysis The fix properly handles the interaction between two features introduced at different times: - **ref-verify**: Debug feature from v4.15 (2017) - **IGNOREBADROOTS**: Recovery option from v5.11 (2020) The incompatibility wasn't caught until syzbot fuzzing discovered it. The fix: - Checks if `btrfs_extent_root()` returns an error (damaged extent tree) - Gracefully disables ref-verify with a warning message - Allows mount to proceed for recovery purposes - Returns success (0) to continue mounting ### Risk Assessment **Extremely Low Risk**: - Pattern already exists in 7+ other places in BTRFS for IGNOREBADROOTS handling - ref-verify is a debug feature (`CONFIG_BTRFS_FS_REF_VERIFY=n` by default) - Not enabled in production kernels (Ubuntu, RHEL, SUSE) - Clean cherry-pick expected to v5.11+ - Syzbot tested and verified the fix ### Comparison with Similar Commits My research found similar BTRFS NULL-check fixes routinely backported: - Commit 6aecd91a5c5b: Similar fix for scrub with IGNOREBADROOTS - Multiple IS_ERR() checks added throughout disk-io.c for root tree handling - Pattern of "disable debug feature on error" is established in ref- verify.c ### Conclusion While this primarily affects debug configurations, it meets all criteria for stable backporting: - Prevents kernel crashes (primary stable criterion) - Simple, obviously correct fix - Helps filesystem recovery operations - Zero regression risk - Follows established BTRFS error handling patterns The commit should be backported to **stable kernels v5.11 through v6.5** (kernels where both IGNOREBADROOTS and ref-verify coexist). fs/btrfs/ref-verify.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/fs/btrfs/ref-verify.c b/fs/btrfs/ref-verify.c index 2928abf7eb827..fc46190d26c8e 100644 --- a/fs/btrfs/ref-verify.c +++ b/fs/btrfs/ref-verify.c @@ -998,11 +998,18 @@ int btrfs_build_ref_tree(struct btrfs_fs_info *fs_info) if (!btrfs_test_opt(fs_info, REF_VERIFY)) return 0; + extent_root = btrfs_extent_root(fs_info, 0); + /* If the extent tree is damaged we cannot ignore it (IGNOREBADROOTS). */ + if (IS_ERR(extent_root)) { + btrfs_warn(fs_info, "ref-verify: extent tree not available, disabling"); + btrfs_clear_opt(fs_info->mount_opt, REF_VERIFY); + return 0; + } + path = btrfs_alloc_path(); if (!path) return -ENOMEM; - extent_root = btrfs_extent_root(fs_info, 0); eb = btrfs_read_lock_root_node(extent_root); level = btrfs_header_level(eb); path->nodes[level] = eb; -- 2.51.0

1 month, 1 week

2
13
0 0

+ lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch added to mm-nonmm-unstable branch

by Andrew Morton

The patch titled Subject: lib/genalloc: fix device leak in of_gen_pool_get() has been added to the -mm mm-nonmm-unstable branch. Its filename is lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-nonmm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Johan Hovold <johan(a)kernel.org> Subject: lib/genalloc: fix device leak in of_gen_pool_get() Date: Wed, 24 Sep 2025 10:02:07 +0200 Make sure to drop the reference taken when looking up the genpool platform device in of_gen_pool_get() before returning the pool. Note that holding a reference to a device does typically not prevent its devres managed resources from being released so there is no point in keeping the reference. Link: https://lkml.kernel.org/r/20250924080207.18006-1-johan@kernel.org Fixes: 9375db07adea ("genalloc: add devres support, allow to find a managed pool by device") Signed-off-by: Johan Hovold <johan(a)kernel.org> Cc: Philipp Zabel <p.zabel(a)pengutronix.de> Cc: Vladimir Zapolskiy <vz(a)mleia.com> Cc: <stable(a)vger.kernel.org> [3.10+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/genalloc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/lib/genalloc.c~lib-genalloc-fix-device-leak-in-of_gen_pool_get +++ a/lib/genalloc.c @@ -899,8 +899,11 @@ struct gen_pool *of_gen_pool_get(struct if (!name) name = of_node_full_name(np_pool); } - if (pdev) + if (pdev) { pool = gen_pool_get(&pdev->dev, name); + put_device(&pdev->dev); + } + of_node_put(np_pool); return pool; _ Patches currently in -mm which might be from johan(a)kernel.org are lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch

1 month, 1 week

1
0
0 0

+ mm-memblock-correct-totalram_pages-accounting-with-kmsan.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm/memblock: correct totalram_pages accounting with KMSAN has been added to the -mm mm-new branch. Its filename is mm-memblock-correct-totalram_pages-accounting-with-kmsan.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Alexander Potapenko <glider(a)google.com> Subject: mm/memblock: correct totalram_pages accounting with KMSAN Date: Wed, 24 Sep 2025 12:03:01 +0200 When KMSAN is enabled, `kmsan_memblock_free_pages()` can hold back pages for metadata instead of returning them to the early allocator. The callers, however, would unconditionally increment `totalram_pages`, assuming the pages were always freed. This resulted in an incorrect calculation of the total available RAM, causing the kernel to believe it had more memory than it actually did. This patch refactors `memblock_free_pages()` to return the number of pages it successfully frees. If KMSAN stashes the pages, the function now returns 0; otherwise, it returns the number of pages in the block. The callers in `memblock.c` have been updated to use this return value, ensuring that `totalram_pages` is incremented only by the number of pages actually returned to the allocator. This corrects the total RAM accounting when KMSAN is active. Link: https://lkml.kernel.org/r/20250924100301.1558645-1-glider@google.com Fixes: 3c2065098260 ("init: kmsan: call KMSAN initialization routines") Signed-off-by: Alexander Potapenko <glider(a)google.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: Aleksandr Nogikh <nogikh(a)google.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: Markus Elfring <Markus.Elfring(a)web.de> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/internal.h | 4 ++-- mm/memblock.c | 21 +++++++++++---------- mm/mm_init.c | 9 +++++---- 3 files changed, 18 insertions(+), 16 deletions(-) --- a/mm/internal.h~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/internal.h @@ -742,8 +742,8 @@ static inline void clear_zone_contiguous extern int __isolate_free_page(struct page *page, unsigned int order); extern void __putback_isolated_page(struct page *page, unsigned int order, int mt); -extern void memblock_free_pages(struct page *page, unsigned long pfn, - unsigned int order); +unsigned long memblock_free_pages(struct page *page, unsigned long pfn, + unsigned int order); extern void __free_pages_core(struct page *page, unsigned int order, enum meminit_context context); --- a/mm/memblock.c~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/memblock.c @@ -1826,6 +1826,7 @@ void *__init __memblock_alloc_or_panic(p void __init memblock_free_late(phys_addr_t base, phys_addr_t size) { phys_addr_t cursor, end; + unsigned long freed_pages = 0; end = base + size - 1; memblock_dbg("%s: [%pa-%pa] %pS\n", @@ -1834,10 +1835,9 @@ void __init memblock_free_late(phys_addr cursor = PFN_UP(base); end = PFN_DOWN(base + size); - for (; cursor < end; cursor++) { - memblock_free_pages(pfn_to_page(cursor), cursor, 0); - totalram_pages_inc(); - } + for (; cursor < end; cursor++) + freed_pages += memblock_free_pages(pfn_to_page(cursor), cursor, 0); + totalram_pages_add(freed_pages); } /* @@ -2259,9 +2259,11 @@ static void __init free_unused_memmap(vo #endif } -static void __init __free_pages_memory(unsigned long start, unsigned long end) +static unsigned long __init __free_pages_memory(unsigned long start, + unsigned long end) { int order; + unsigned long freed = 0; while (start < end) { /* @@ -2279,14 +2281,15 @@ static void __init __free_pages_memory(u while (start + (1UL << order) > end) order--; - memblock_free_pages(pfn_to_page(start), start, order); + freed += memblock_free_pages(pfn_to_page(start), start, order); start += (1UL << order); } + return freed; } static unsigned long __init __free_memory_core(phys_addr_t start, - phys_addr_t end) + phys_addr_t end) { unsigned long start_pfn = PFN_UP(start); unsigned long end_pfn = PFN_DOWN(end); @@ -2297,9 +2300,7 @@ static unsigned long __init __free_memor if (start_pfn >= end_pfn) return 0; - __free_pages_memory(start_pfn, end_pfn); - - return end_pfn - start_pfn; + return __free_pages_memory(start_pfn, end_pfn); } static void __init memmap_init_reserved_pages(void) --- a/mm/mm_init.c~mm-memblock-correct-totalram_pages-accounting-with-kmsan +++ a/mm/mm_init.c @@ -2547,24 +2547,25 @@ void *__init alloc_large_system_hash(con return table; } -void __init memblock_free_pages(struct page *page, unsigned long pfn, - unsigned int order) +unsigned long __init memblock_free_pages(struct page *page, unsigned long pfn, + unsigned int order) { if (IS_ENABLED(CONFIG_DEFERRED_STRUCT_PAGE_INIT)) { int nid = early_pfn_to_nid(pfn); if (!early_page_initialised(pfn, nid)) - return; + return 0; } if (!kmsan_memblock_free_pages(page, order)) { /* KMSAN will take care of these pages. */ - return; + return 0; } /* pages were reserved and not allocated */ clear_page_tag_ref(page); __free_pages_core(page, order, MEMINIT_EARLY); + return 1UL << order; } DEFINE_STATIC_KEY_MAYBE(CONFIG_INIT_ON_ALLOC_DEFAULT_ON, init_on_alloc); _ Patches currently in -mm which might be from glider(a)google.com are mm-memblock-correct-totalram_pages-accounting-with-kmsan.patch

1 month, 1 week

1
0
0 0

+ mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch added to mm-new branch

by Andrew Morton

The patch titled Subject: mm: swap: check for stable address space before operating on the VMA has been added to the -mm mm-new branch. Its filename is mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-new branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Note, mm-new is a provisional staging ground for work-in-progress patches, and acceptance into mm-new is a notification for others take notice and to finish up reviews. Please do not hesitate to respond to review feedback and post updated versions to replace or incrementally fixup patches in mm-new. Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Charan Teja Kalla <charan.kalla(a)oss.qualcomm.com> Subject: mm: swap: check for stable address space before operating on the VMA Date: Wed, 24 Sep 2025 23:41:38 +0530 It is possible to hit a zero entry while traversing the vmas in unuse_mm() called from swapoff path and accessing it causes the OOPS: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000446--> Loading the memory from offset 0x40 on the XA_ZERO_ENTRY as address. Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault The issue is manifested from the below race between the fork() on a process and swapoff: fork(dup_mmap()) swapoff(unuse_mm) --------------- ----------------- 1) Identical mtree is built using __mt_dup(). 2) copy_pte_range()--> copy_nonpresent_pte(): The dst mm is added into the mmlist to be visible to the swapoff operation. 3) Fatal signal is sent to the parent process(which is the current during the fork) thus skip the duplication of the vmas and mark the vma range with XA_ZERO_ENTRY as a marker for this process that helps during exit_mmap(). 4) swapoff is tried on the 'mm' added to the 'mmlist' as part of the 2. 5) unuse_mm(), that iterates through the vma's of this 'mm' will hit the non-NULL zero entry and operating on this zero entry as a vma is resulting into the oops. The proper fix would be around not exposing this partially-valid tree to others when droping the mmap lock, which is being solved with [1]. A simpler solution would be checking for MMF_UNSTABLE, as it is set if mm_struct is not fully initialized in dup_mmap(). Thanks to Liam/Lorenzo/David for all the suggestions in fixing this issue. Link: https://lkml.kernel.org/r/20250924181138.1762750-1-charan.kalla@oss.qualcom… Link: https://lore.kernel.org/all/20250815191031.3769540-1-Liam.Howlett@oracle.co… [1] Fixes: d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") Signed-off-by: Charan Teja Kalla <charan.kalla(a)oss.qualcomm.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Barry Song <baohua(a)kernel.org> Cc: Chris Li <chrisl(a)kernel.org> Cc: Kairui Song <kasong(a)tencent.com> Cc: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: Peng Zhang <zhangpeng.00(a)bytedance.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 3 +++ 1 file changed, 3 insertions(+) --- a/mm/swapfile.c~mm-swap-check-for-stable-address-space-before-operating-on-the-vma +++ a/mm/swapfile.c @@ -2389,6 +2389,8 @@ static int unuse_mm(struct mm_struct *mm VMA_ITERATOR(vmi, mm, 0); mmap_read_lock(mm); + if (check_stable_address_space(mm)) + goto unlock; for_each_vma(vmi, vma) { if (vma->anon_vma && !is_vm_hugetlb_page(vma)) { ret = unuse_vma(vma, type); @@ -2398,6 +2400,7 @@ static int unuse_mm(struct mm_struct *mm cond_resched(); } +unlock: mmap_read_unlock(mm); return ret; } _ Patches currently in -mm which might be from charan.kalla(a)oss.qualcomm.com are mm-swap-check-for-stable-address-space-before-operating-on-the-vma.patch

1 month, 1 week

1
0
0 0

[PATCH] crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

by Eric Biggers

Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields. However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true. With a 1-bit bitfield instead, mod 2 of the value is taken instead, resulting in 0 being assigned in some cases when 1 was intended. Fix this by restoring the bool type. Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- include/crypto/if_alg.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 0c70f3a55575..02fb7c1d9ef7 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -150,15 +150,15 @@ struct af_alg_ctx { struct crypto_wait wait; size_t used; atomic_t rcvused; - u32 more:1, - merge:1, - enc:1, - write:1, - init:1; + bool more; + bool merge; + bool enc; + bool write; + bool init; unsigned int len; unsigned int inflight; }; base-commit: cec1e6e5d1ab33403b809f79cd20d6aff124ccfe -- 2.51.0.536.g15c5d4f767-goog

1 month, 1 week

2
3
0 0

[PATCH CANDIDATE 5.15, 6.1, 6.6] xfs: Increase XFS_QM_TRANS_MAXDQS to 5

by Amir Goldstein

From: Allison Henderson <allison.henderson(a)oracle.com> [ Upstream commit f103df763563ad6849307ed5985d1513acc586dd ] With parent pointers enabled, a rename operation can update up to 5 inodes: src_dp, target_dp, src_ip, target_ip and wip. This causes their dquots to a be attached to the transaction chain, so we need to increase XFS_QM_TRANS_MAXDQS. This patch also add a helper function xfs_dqlockn to lock an arbitrary number of dquots. Signed-off-by: Allison Henderson <allison.henderson(a)oracle.com> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Reviewed-by: Christoph Hellwig <hch(a)lst.de> [amir: backport to kernels prior to parent pointers to fix an old bug] A rename operation of a directory (i.e. mv A/C/ B/) may end up changing three different dquot accounts under the following conditions: 1. user (or group) quotas are enabled 2. A/ B/ and C/ have different owner uids (or gids) 3. A/ blocks shrinks after remove of entry C/ 4. B/ blocks grows before adding of entry C/ 5. A/ ino <= XFS_DIR2_MAX_SHORT_INUM 6. B/ ino > XFS_DIR2_MAX_SHORT_INUM 7. C/ is converted from sf to block format, because its parent entry needs to be stored as 8 bytes (see xfs_dir2_sf_replace_needblock) When all conditions are met (observed in the wild) we get this assertion: XFS: Assertion failed: qtrx, file: fs/xfs/xfs_trans_dquot.c, line: 207 The upstream commit fixed this bug as a side effect, so decided to apply it as is rather than changing XFS_QM_TRANS_MAXDQS to 3 in stable kernels. The Fixes commit below is NOT the commit that introduced the bug, but for some reason, which is not explained in the commit message, it fixes the comment to state that highest number of dquots of one type is 3 and not 2 (which leads to the assertion), without actually fixing it. The change of wording from "usr, grp OR prj" to "usr, grp and prj" suggests that there may have been a confusion between "the number of dquote of one type" and "the number of dquot types" (which is also 3), so the comment change was only accidentally correct. Fixes: 10f73d27c8e9 ("xfs: fix the comment explaining xfs_trans_dqlockedjoin") Cc: stable(a)vger.kernel.org Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> --- Christoph, This is a cognitive challenge. can you say what you where thinking in 2013 when making the comment change in the Fixes commit? Is my speculation above correct? Catherine and Leah, I decided that cherry-pick this upstream commit as is with a commit message addendum was the best stable tree strategy. The commit applies cleanly to 5.15.y, so I assume it does for 6.6 and 6.1 as well. I ran my tests on 5.15.y and nothing fell out, but did not try to reproduce these complex assertion in a test. Could you take this candidate backport patch to a spin on your test branch? What do you all think about this? Thanks, Amir. fs/xfs/xfs_dquot.c | 41 ++++++++++++++++++++++++++++++++++++++++ fs/xfs/xfs_dquot.h | 1 + fs/xfs/xfs_qm.h | 2 +- fs/xfs/xfs_trans_dquot.c | 15 ++++++++++----- 4 files changed, 53 insertions(+), 6 deletions(-) diff --git a/fs/xfs/xfs_dquot.c b/fs/xfs/xfs_dquot.c index c15d61d47a06..6b05d47aa19b 100644 --- a/fs/xfs/xfs_dquot.c +++ b/fs/xfs/xfs_dquot.c @@ -1360,6 +1360,47 @@ xfs_dqlock2( } } +static int +xfs_dqtrx_cmp( + const void *a, + const void *b) +{ + const struct xfs_dqtrx *qa = a; + const struct xfs_dqtrx *qb = b; + + if (qa->qt_dquot->q_id > qb->qt_dquot->q_id) + return 1; + if (qa->qt_dquot->q_id < qb->qt_dquot->q_id) + return -1; + return 0; +} + +void +xfs_dqlockn( + struct xfs_dqtrx *q) +{ + unsigned int i; + + BUILD_BUG_ON(XFS_QM_TRANS_MAXDQS > MAX_LOCKDEP_SUBCLASSES); + + /* Sort in order of dquot id, do not allow duplicates */ + for (i = 0; i < XFS_QM_TRANS_MAXDQS && q[i].qt_dquot != NULL; i++) { + unsigned int j; + + for (j = 0; j < i; j++) + ASSERT(q[i].qt_dquot != q[j].qt_dquot); + } + if (i == 0) + return; + + sort(q, i, sizeof(struct xfs_dqtrx), xfs_dqtrx_cmp, NULL); + + mutex_lock(&q[0].qt_dquot->q_qlock); + for (i = 1; i < XFS_QM_TRANS_MAXDQS && q[i].qt_dquot != NULL; i++) + mutex_lock_nested(&q[i].qt_dquot->q_qlock, + XFS_QLOCK_NESTED + i - 1); +} + int __init xfs_qm_init(void) { diff --git a/fs/xfs/xfs_dquot.h b/fs/xfs/xfs_dquot.h index 6b5e3cf40c8b..0e954f88811f 100644 --- a/fs/xfs/xfs_dquot.h +++ b/fs/xfs/xfs_dquot.h @@ -231,6 +231,7 @@ int xfs_qm_dqget_uncached(struct xfs_mount *mp, void xfs_qm_dqput(struct xfs_dquot *dqp); void xfs_dqlock2(struct xfs_dquot *, struct xfs_dquot *); +void xfs_dqlockn(struct xfs_dqtrx *q); void xfs_dquot_set_prealloc_limits(struct xfs_dquot *); diff --git a/fs/xfs/xfs_qm.h b/fs/xfs/xfs_qm.h index 442a0f97a9d4..f75c12c4c6a0 100644 --- a/fs/xfs/xfs_qm.h +++ b/fs/xfs/xfs_qm.h @@ -121,7 +121,7 @@ enum { XFS_QM_TRANS_PRJ, XFS_QM_TRANS_DQTYPES }; -#define XFS_QM_TRANS_MAXDQS 2 +#define XFS_QM_TRANS_MAXDQS 5 struct xfs_dquot_acct { struct xfs_dqtrx dqs[XFS_QM_TRANS_DQTYPES][XFS_QM_TRANS_MAXDQS]; }; diff --git a/fs/xfs/xfs_trans_dquot.c b/fs/xfs/xfs_trans_dquot.c index 955c457e585a..99a03acd4488 100644 --- a/fs/xfs/xfs_trans_dquot.c +++ b/fs/xfs/xfs_trans_dquot.c @@ -268,24 +268,29 @@ xfs_trans_mod_dquot( /* * Given an array of dqtrx structures, lock all the dquots associated and join - * them to the transaction, provided they have been modified. We know that the - * highest number of dquots of one type - usr, grp and prj - involved in a - * transaction is 3 so we don't need to make this very generic. + * them to the transaction, provided they have been modified. */ STATIC void xfs_trans_dqlockedjoin( struct xfs_trans *tp, struct xfs_dqtrx *q) { + unsigned int i; ASSERT(q[0].qt_dquot != NULL); if (q[1].qt_dquot == NULL) { xfs_dqlock(q[0].qt_dquot); xfs_trans_dqjoin(tp, q[0].qt_dquot); - } else { - ASSERT(XFS_QM_TRANS_MAXDQS == 2); + } else if (q[2].qt_dquot == NULL) { xfs_dqlock2(q[0].qt_dquot, q[1].qt_dquot); xfs_trans_dqjoin(tp, q[0].qt_dquot); xfs_trans_dqjoin(tp, q[1].qt_dquot); + } else { + xfs_dqlockn(q); + for (i = 0; i < XFS_QM_TRANS_MAXDQS; i++) { + if (q[i].qt_dquot == NULL) + break; + xfs_trans_dqjoin(tp, q[i].qt_dquot); + } } } -- 2.47.1

1 month, 1 week

4
7
0 0

[PATCH v2] PCI/sysfs: Ensure devices are powered for config reads

by Brian Norris

From: Brian Norris <briannorris(a)google.com> max_link_width, current_link_speed, current_link_width, secondary_bus_number, and subordinate_bus_number all access config registers, but they don't check the runtime PM state. If the device is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus values, or worse, depending on implementation details. Wrap these access in pci_config_pm_runtime_{get,put}() like most of the rest of the similar sysfs attributes. Notably, max_link_speed does not access config registers; it returns a cached value [1]. So it needs no changes. [1] Caching was added to pcie_get_speed_cap() in v6.13 via commit d2bd39c0456b ("PCI: Store all PCIe Supported Link Speeds"). Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") Cc: stable(a)vger.kernel.org Signed-off-by: Brian Norris <briannorris(a)google.com> Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- Changes in v2: * Don't touch max_link_speed; it's cached, so we don't actually touch the hardware * Improve commit message drivers/pci/pci-sysfs.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index f28fdf6dfa02..af74cf02bb90 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -209,8 +209,14 @@ static ssize_t max_link_width_show(struct device *dev, struct device_attribute *attr, char *buf) { struct pci_dev *pdev = to_pci_dev(dev); + ssize_t ret; - return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); + /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */ + pci_config_pm_runtime_get(pdev); + ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev)); + pci_config_pm_runtime_put(pdev); + + return ret; } static DEVICE_ATTR_RO(max_link_width); @@ -222,7 +228,10 @@ static ssize_t current_link_speed_show(struct device *dev, int err; enum pci_bus_speed speed; + pci_config_pm_runtime_get(pci_dev); err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -239,7 +248,10 @@ static ssize_t current_link_width_show(struct device *dev, u16 linkstat; int err; + pci_config_pm_runtime_get(pci_dev); err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -255,7 +267,10 @@ static ssize_t secondary_bus_number_show(struct device *dev, u8 sec_bus; int err; + pci_config_pm_runtime_get(pci_dev); err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; @@ -271,7 +286,10 @@ static ssize_t subordinate_bus_number_show(struct device *dev, u8 sub_bus; int err; + pci_config_pm_runtime_get(pci_dev); err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus); + pci_config_pm_runtime_put(pci_dev); + if (err) return -EINVAL; -- 2.51.0.536.g15c5d4f767-goog

1 month, 1 week

2
1
0 0

ETIHAD PARTNERSHIP VENDOR REGISTRATION 2025/2026.

by Ahmad - Etihad Aviation Group

1 month, 1 week

1
0
0 0

[PATCH] xen: take system_transition_mutex on suspend

by Marek Marczykowski-Górecki

Xen's do_suspend() calls dpm_suspend_start() without taking required system_transition_mutex. Since 12ffc3b1513eb moved the pm_restrict_gfp_mask() call, not taking that mutex results in a WARN. Take the mutex in do_suspend(), and use mutex_trylock() to follow how enter_state() does this. Suggested-by: Jürgen Groß <jgross(a)suse.com> Fixes: 12ffc3b1513eb "PM: Restrict swap use to later in the suspend sequence" Link: https://lore.kernel.org/xen-devel/aKiBJeqsYx_4Top5@mail-itl/ Signed-off-by: Marek Marczykowski-Górecki <marmarek(a)invisiblethingslab.com> Cc: stable(a)vger.kernel.org # v6.16+ --- drivers/xen/manage.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/xen/manage.c b/drivers/xen/manage.c index b4b4ebed68daf..f78d970949c0a 100644 --- a/drivers/xen/manage.c +++ b/drivers/xen/manage.c @@ -11,6 +11,7 @@ #include <linux/reboot.h> #include <linux/sysrq.h> #include <linux/stop_machine.h> +#include <linux/suspend.h> #include <linux/freezer.h> #include <linux/syscore_ops.h> #include <linux/export.h> @@ -101,10 +102,16 @@ static void do_suspend(void) shutting_down = SHUTDOWN_SUSPEND; + if (!mutex_trylock(&system_transition_mutex)) + { + pr_err("%s: failed to take system_transition_mutex\n", __func__); + goto out; + } + err = freeze_processes(); if (err) { pr_err("%s: freeze processes failed %d\n", __func__, err); - goto out; + goto out_unlock; } err = freeze_kernel_threads(); @@ -160,6 +167,8 @@ static void do_suspend(void) out_thaw: thaw_processes(); +out_unlock: + mutex_unlock(&system_transition_mutex); out: shutting_down = SHUTDOWN_INVALID; } -- 2.51.0

1 month, 1 week

3
2
0 0

Re: [PATCH v2] nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()

by Ira Weiny

Guangshuo Li wrote: > Hi Alison, Dave, and all, > > Thanks for the feedback. I’ve adopted your suggestions. Below is what I > plan to take in v3. I would just post v3. The review tags given on that version will be picked up when the patch is merged if it is ok. Thanks, Ira [snip]

1 month, 1 week

1
0
0 0

[PATCH 01/15] serial: sc16is7xx: remove useless enable of enhanced features

by Hugo Villeneuve

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Commit 43c51bb573aa ("sc16is7xx: make sure device is in suspend once probed") permanently enabled access to the enhanced features in sc16is7xx_probe(), and it is never disabled after that. Therefore, remove useless re-enable of enhanced features in sc16is7xx_set_baud(). Fixes: 43c51bb573aa ("sc16is7xx: make sure device is in suspend once probed") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> --- drivers/tty/serial/sc16is7xx.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c index 1a2c4c14f6aac..c7435595dce13 100644 --- a/drivers/tty/serial/sc16is7xx.c +++ b/drivers/tty/serial/sc16is7xx.c @@ -588,13 +588,6 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) div /= prescaler; } - /* Enable enhanced features */ - sc16is7xx_efr_lock(port); - sc16is7xx_port_update(port, SC16IS7XX_EFR_REG, - SC16IS7XX_EFR_ENABLE_BIT, - SC16IS7XX_EFR_ENABLE_BIT); - sc16is7xx_efr_unlock(port); - /* If bit MCR_CLKSEL is set, the divide by 4 prescaler is activated. */ sc16is7xx_port_update(port, SC16IS7XX_MCR_REG, SC16IS7XX_MCR_CLKSEL_BIT, -- 2.39.5

1 month, 1 week

1
0
0 0

Re: [PATCH v2] nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()

by Dave Jiang

On 9/24/25 12:42 AM, Guangshuo Li wrote: > Hi Alison, Dave, and all, > > Thanks for the feedback. I’ve adopted your suggestions. Below is what I plan to take in v3. > > - p->dcr_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > - sizeof(dma_addr_t), GFP_KERNEL); > - p->label_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > - sizeof(dma_addr_t), GFP_KERNEL); > - p->dimm_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > - sizeof(dma_addr_t), GFP_KERNEL); > > + p->dcr_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > + sizeof(dma_addr_t), GFP_KERNEL); > + if (!p->dcr_dma) { > + rc = -ENOMEM; > + goto err; > + } > + > + p->label_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > + sizeof(dma_addr_t), GFP_KERNEL); > + if (!p->label_dma) { > + rc = -ENOMEM; > + goto err; > + } > + > + p->dimm_dma = devm_kcalloc(&p->pdev.dev <http://pdev.dev>, NUM_DCR, > + sizeof(dma_addr_t), GFP_KERNEL); > + if (!p->dimm_dma) { > + rc = -ENOMEM; > + goto err; > + } You'll need to create new goto labels because you'll have to free previously allocated memory in the error path. Diff below is uncompiled and untested. diff --git a/tools/testing/nvdimm/test/ndtest.c b/tools/testing/nvdimm/test/ndtest.c index 68a064ce598c..49d326819ea9 100644 --- a/tools/testing/nvdimm/test/ndtest.c +++ b/tools/testing/nvdimm/test/ndtest.c @@ -841,6 +841,7 @@ static void ndtest_remove(struct platform_device *pdev) static int ndtest_probe(struct platform_device *pdev) { + struct device *dev = &pdev->dev; struct ndtest_priv *p; int rc; @@ -848,12 +849,23 @@ static int ndtest_probe(struct platform_device *pdev) if (ndtest_bus_register(p)) return -ENOMEM; - p->dcr_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, - sizeof(dma_addr_t), GFP_KERNEL); - p->label_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, - sizeof(dma_addr_t), GFP_KERNEL); - p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, - sizeof(dma_addr_t), GFP_KERNEL); + p->dcr_dma = devm_kcalloc(dev, NUM_DCR, sizeof(dma_addr_t), GFP_KERNEL); + if (!p->dcr_dma) + return -ENOMEM; + + p->label_dma = devm_kcalloc(dev, NUM_DCR, sizeof(dma_addr_t), + GFP_KERNEL); + if (!p->label_dma) { + rc = -ENOMEM; + goto err_label_dma; + } + + p->dimm_dma = devm_kcalloc(dev, NUM_DCR, sizeof(dma_addr_t), + GFP_KERNEL); + if (!p->dimm_dma) { + rc = -ENOMEM; + goto err_dimm_dma; + } rc = ndtest_nvdimm_init(p); if (rc) @@ -863,7 +875,7 @@ static int ndtest_probe(struct platform_device *pdev) if (rc) goto err; - rc = devm_add_action_or_reset(&pdev->dev, put_dimms, p); + rc = devm_add_action_or_reset(dev, put_dimms, p); if (rc) goto err; @@ -872,6 +884,11 @@ static int ndtest_probe(struct platform_device *pdev) return 0; err: + devm_kfree(dev, p->dimm_dma); +err_dimm_dma: + devm_kfree(dev, p->label_dma); +err_label_dma: + devm_kfree(dev, p->dcr_dma); pr_err("%s:%d Failed nvdimm init\n", __func__, __LINE__); return rc; } > > If this looks good, I’ll send v3 accordingly. Also, if you’re comfortable with the changes, may I add your Reviewed-by tags? Please don't add review tags until they are given. > > Best regards, > Guangshuo

1 month, 1 week

1
0
0 0

[PATCH v4 1/7] efi: Add missing static initializer for efi_mm::cpus_allowed_lock

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> Initialize the cpus_allowed_lock struct member of efi_mm. Cc: <stable(a)vger.kernel.org> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/efi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 1ce428e2ac8a..fc407d891348 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -74,6 +74,9 @@ struct mm_struct efi_mm = { .page_table_lock = __SPIN_LOCK_UNLOCKED(efi_mm.page_table_lock), .mmlist = LIST_HEAD_INIT(efi_mm.mmlist), .cpu_bitmap = { [BITS_TO_LONGS(NR_CPUS)] = 0}, +#ifdef CONFIG_SCHED_MM_CID + .cpus_allowed_lock = __RAW_SPIN_LOCK_UNLOCKED(efi_mm.cpus_allowed_lock), +#endif }; struct workqueue_struct *efi_rts_wq; -- 2.51.0.534.gc79095c0ca-goog

1 month, 1 week

1
0
0 0

[PATCH] asm-generic/io.h: Skip trace helpers if rwmmio events are disabled

by Varad Gautam

With `CONFIG_TRACE_MMIO_ACCESS=y`, the `{read,write}{b,w,l,q}{_relaxed}()` mmio accessors unconditionally call `log_{post_}{read,write}_mmio()` helpers, which in turn call the ftrace ops for `rwmmio` trace events This adds a performance penalty per mmio accessor call, even when `rwmmio` events are disabled at runtime (~80% overhead on local measurement). Guard these with `tracepoint_enabled()`. Signed-off-by: Varad Gautam <varadgautam(a)google.com> Fixes: 210031971cdd ("asm-generic/io: Add logging support for MMIO accessors") Cc: <stable(a)vger.kernel.org> --- include/asm-generic/io.h | 98 +++++++++++++++++++++++++++------------- 1 file changed, 66 insertions(+), 32 deletions(-) diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h index 3c61c29ff6ab..a9b5da547523 100644 --- a/include/asm-generic/io.h +++ b/include/asm-generic/io.h @@ -75,6 +75,7 @@ #if IS_ENABLED(CONFIG_TRACE_MMIO_ACCESS) && !(defined(__DISABLE_TRACE_MMIO__)) #include <linux/tracepoint-defs.h> +#define rwmmio_tracepoint_enabled(tracepoint) tracepoint_enabled(tracepoint) DECLARE_TRACEPOINT(rwmmio_write); DECLARE_TRACEPOINT(rwmmio_post_write); DECLARE_TRACEPOINT(rwmmio_read); @@ -91,6 +92,7 @@ void log_post_read_mmio(u64 val, u8 width, const volatile void __iomem *addr, #else +#define rwmmio_tracepoint_enabled(tracepoint) false static inline void log_write_mmio(u64 val, u8 width, volatile void __iomem *addr, unsigned long caller_addr, unsigned long caller_addr0) {} static inline void log_post_write_mmio(u64 val, u8 width, volatile void __iomem *addr, @@ -189,11 +191,13 @@ static inline u8 readb(const volatile void __iomem *addr) { u8 val; - log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __raw_readb(addr); __io_ar(val); - log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -204,11 +208,13 @@ static inline u16 readw(const volatile void __iomem *addr) { u16 val; - log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le16_to_cpu((__le16 __force)__raw_readw(addr)); __io_ar(val); - log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -219,11 +225,13 @@ static inline u32 readl(const volatile void __iomem *addr) { u32 val; - log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le32_to_cpu((__le32 __force)__raw_readl(addr)); __io_ar(val); - log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -235,11 +243,13 @@ static inline u64 readq(const volatile void __iomem *addr) { u64 val; - log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); __io_br(); val = __le64_to_cpu((__le64 __force)__raw_readq(addr)); __io_ar(val); - log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -249,11 +259,13 @@ static inline u64 readq(const volatile void __iomem *addr) #define writeb writeb static inline void writeb(u8 value, volatile void __iomem *addr) { - log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writeb(value, addr); __io_aw(); - log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); } #endif @@ -261,11 +273,13 @@ static inline void writeb(u8 value, volatile void __iomem *addr) #define writew writew static inline void writew(u16 value, volatile void __iomem *addr) { - log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writew((u16 __force)cpu_to_le16(value), addr); __io_aw(); - log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); } #endif @@ -273,11 +287,13 @@ static inline void writew(u16 value, volatile void __iomem *addr) #define writel writel static inline void writel(u32 value, volatile void __iomem *addr) { - log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writel((u32 __force)__cpu_to_le32(value), addr); __io_aw(); - log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); } #endif @@ -286,11 +302,13 @@ static inline void writel(u32 value, volatile void __iomem *addr) #define writeq writeq static inline void writeq(u64 value, volatile void __iomem *addr) { - log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); __io_bw(); __raw_writeq((u64 __force)__cpu_to_le64(value), addr); __io_aw(); - log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); } #endif #endif /* CONFIG_64BIT */ @@ -306,9 +324,11 @@ static inline u8 readb_relaxed(const volatile void __iomem *addr) { u8 val; - log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(8, addr, _THIS_IP_, _RET_IP_); val = __raw_readb(addr); - log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 8, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -319,9 +339,11 @@ static inline u16 readw_relaxed(const volatile void __iomem *addr) { u16 val; - log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(16, addr, _THIS_IP_, _RET_IP_); val = __le16_to_cpu((__le16 __force)__raw_readw(addr)); - log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 16, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -332,9 +354,11 @@ static inline u32 readl_relaxed(const volatile void __iomem *addr) { u32 val; - log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(32, addr, _THIS_IP_, _RET_IP_); val = __le32_to_cpu((__le32 __force)__raw_readl(addr)); - log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 32, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -345,9 +369,11 @@ static inline u64 readq_relaxed(const volatile void __iomem *addr) { u64 val; - log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_read)) + log_read_mmio(64, addr, _THIS_IP_, _RET_IP_); val = __le64_to_cpu((__le64 __force)__raw_readq(addr)); - log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_read)) + log_post_read_mmio(val, 64, addr, _THIS_IP_, _RET_IP_); return val; } #endif @@ -356,9 +382,11 @@ static inline u64 readq_relaxed(const volatile void __iomem *addr) #define writeb_relaxed writeb_relaxed static inline void writeb_relaxed(u8 value, volatile void __iomem *addr) { - log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); __raw_writeb(value, addr); - log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 8, addr, _THIS_IP_, _RET_IP_); } #endif @@ -366,9 +394,11 @@ static inline void writeb_relaxed(u8 value, volatile void __iomem *addr) #define writew_relaxed writew_relaxed static inline void writew_relaxed(u16 value, volatile void __iomem *addr) { - log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); __raw_writew((u16 __force)cpu_to_le16(value), addr); - log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 16, addr, _THIS_IP_, _RET_IP_); } #endif @@ -376,9 +406,11 @@ static inline void writew_relaxed(u16 value, volatile void __iomem *addr) #define writel_relaxed writel_relaxed static inline void writel_relaxed(u32 value, volatile void __iomem *addr) { - log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); __raw_writel((u32 __force)__cpu_to_le32(value), addr); - log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 32, addr, _THIS_IP_, _RET_IP_); } #endif @@ -386,9 +418,11 @@ static inline void writel_relaxed(u32 value, volatile void __iomem *addr) #define writeq_relaxed writeq_relaxed static inline void writeq_relaxed(u64 value, volatile void __iomem *addr) { - log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_write)) + log_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); __raw_writeq((u64 __force)__cpu_to_le64(value), addr); - log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); + if (rwmmio_tracepoint_enabled(rwmmio_post_write)) + log_post_write_mmio(value, 64, addr, _THIS_IP_, _RET_IP_); } #endif -- 2.49.0.472.ge94155a9ec-goog

1 month, 1 week

2
7
0 0

[PATCH 6.16 000/149] 6.16.9-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.16.9 release. There are 149 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Sep 2025 19:23:52 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.16.9-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.16.9-rc1 SeongJae Park <sj(a)kernel.org> samples/damon/prcl: avoid starting DAMON before initialization Chen-Yu Tsai <wens(a)csie.org> clk: sunxi-ng: mp: Fix dual-divider clock rate readback SeongJae Park <sj(a)kernel.org> samples/damon/mtier: avoid starting DAMON before initialization Honggyu Kim <honggyu.kim(a)sk.com> samples/damon: change enable parameters to enabled SeongJae Park <sj(a)kernel.org> samples/damon/prcl: fix boot time enable crash Alex Elder <elder(a)riscstar.com> dt-bindings: serial: 8250: move a constraint Yixun Lan <dlan(a)gentoo.org> dt-bindings: serial: 8250: spacemit: set clocks property as required Frank Li <Frank.Li(a)nxp.com> dt-bindings: serial: 8250: allow clock 'uartclk' and 'reg' for nxp,lpc1850-uart Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: nl: announce deny-join-id0 flag Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Fix ROG button mapping, tablet mode on ASUS ROG Z13 Yang Xiuwei <yangxiuwei(a)kylinos.cn> io_uring: fix incorrect io_kiocb reference in io_link_skb Stefan Metzmacher <metze(a)samba.org> smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Paulo Alcantara <pc(a)manguebit.org> smb: client: fix file open check in __cifs_unlink() Jens Axboe <axboe(a)kernel.dk> io_uring/msg_ring: kill alloc_cache for io_kiocb allocations Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Set merge to zero early in af_alg_sendmsg Stefan Metzmacher <metze(a)samba.org> smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) Stefan Metzmacher <metze(a)samba.org> smb: client: use disable[_delayed]_work_sync in smbdirect.c Paulo Alcantara <pc(a)manguebit.org> smb: client: fix filename matching of deferred files Stefan Metzmacher <metze(a)samba.org> smb: client: let recv_done verify data_offset, data_length and remaining_data_length Stefan Metzmacher <metze(a)samba.org> smb: client: make use of struct smbdirect_recv_io Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: introduce struct smbdirect_recv_io Stefan Metzmacher <metze(a)samba.org> smb: client: make use of smbdirect_socket->recv_io.expected Stefan Metzmacher <metze(a)samba.org> smb: smbdirect: introduce smbdirect_socket.recv_io.expected Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe/guc: Set RCS/CCS yield policy Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe/guc: Enable extended CAT error reporting Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe: Fix error handling if PXP fails to start Takashi Iwai <tiwai(a)suse.de> ALSA: usb: qcom: Fix false-positive address space check Dan Carpenter <dan.carpenter(a)linaro.org> drm/xe: Fix a NULL vs IS_ERR() in xe_vm_add_compute_exec_queue() Qi Xi <xiqi2(a)huawei.com> drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Loic Poulain <loic.poulain(a)oss.qualcomm.com> drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/pf: Drop rounddown_pow_of_two fair LMEM limitation Shuicheng Lin <shuicheng.lin(a)intel.com> drm/xe/tile: Release kobject for the failure path Venkata Prasad Potturu <venkataprasad.potturu(a)amd.com> ASoC: amd: acp: Fix incorrect retrival of acp_chip_info Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd: Fix alias device DTE setting Amadeusz Sławiński <amadeuszx.slawinski(a)linux.intel.com> ASoC: Intel: catpt: Expose correct bit depth to userspace Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: SDCA: Fix return value in sdca_regmap_mbq_size() Colin Ian King <colin.i.king(a)gmail.com> ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Dan Carpenter <dan.carpenter(a)linaro.org> ASoC: codec: sma1307: Fix memory corruption in sma1307_setting_loaded() Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8974: Correct PLL rate rounding Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct typo in control name Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct PLL rate rounding Praful Adiga <praful.adiga(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: avoid spurious errors on TCP disconnect Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: catch IO errors on listen side Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: propagate shutdown to subflows when possible Håkon Bugge <haakon.bugge(a)oracle.com> rds: ib: Increment i_fastreg_wrs before bailing out Borislav Petkov (AMD) <bp(a)alien8.de> crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> gpiolib: acpi: initialize acpi_gpio_info struct Hans de Goede <hansg(a)kernel.org> net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Jens Axboe <axboe(a)kernel.dk> io_uring: include dying ring in task_work "should cancel" state Max Kellermann <max.kellermann(a)ionos.com> io_uring/io-wq: fix `max_workers` breakage and `nr_workers` underflow Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Only restore cached manual clock settings in restore if OD enabled Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Allow RX6xxx & RX7700 to invoke amdgpu_irq_get/put Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: suspend KFD and KGD user queues for S0ix Alex Deucher <alexander.deucher(a)amd.com> drm/amdkfd: add proper handling for S0ix Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Tom Lendacky <thomas.lendacky(a)amd.com> x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci-uhs2: Fix calling incorrect sdhci_set_clock() function Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9767: Fix initializing the UHS-II interface during a power-on Ben Chuang <ben.chuang(a)genesyslogic.com.tw> mmc: sdhci: Move the code related to setting the clock from sdhci_set_ios_common() into sdhci_set_ios() Thomas Fourier <fourier.thomas(a)gmail.com> mmc: mvsdio: Fix dma_unmap_sg() nents value Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface Maciej Strozek <mstrozek(a)opensource.cirrus.com> ASoC: SDCA: Add quirk for incorrect function types for 3 systems Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: fix the incorrect inode ref size check Niklas Schnelle <schnelle(a)linux.ibm.com> iommu/s390: Make attach succeed when the device was surprise removed Matthew Rosato <mjrosato(a)linux.ibm.com> iommu/s390: Fix memory corruption when using identity domain Vasant Hegde <vasant.hegde(a)amd.com> iommu/amd/pgtbl: Fix possible race while increase page table level Zhen Ni <zhen.ni(a)easystack.cn> iommu/amd: Fix ivrs_base memleak in early_amd_iommu_init() Eugene Koira <eugkoira(a)amazon.com> iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Fix VM migration failure with PTW enabled Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_pch_pic_regs_access() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_sw_status_access() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_regs_access() Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Avoid copy_*_user() with lock hold in kvm_eiointc_ctrl_access() Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Handle jump tables options for RUST Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Make LTO case independent in Makefile Tao Cui <cuitao(a)kylinos.cn> LoongArch: Check the return value when creating kobj Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled Guangshuo Li <202321181(a)mail.sdu.edu.cn> LoongArch: vDSO: Check kcalloc() result in init_vdso() Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Fix unreliable stack for live patching Tiezhu Yang <yangtiezhu(a)loongson.cn> objtool/LoongArch: Mark special atomic instruction as INSN_BUG type Tiezhu Yang <yangtiezhu(a)loongson.cn> objtool/LoongArch: Mark types based on break immediate code Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Update help info of ARCH_STRICT_ALIGN Hugh Dickins <hughd(a)google.com> mm: folio_may_be_lru_cached() unless folio_test_large() Hugh Dickins <hughd(a)google.com> mm: revert "mm: vmscan.c: fix OOM on swap stress test" Hugh Dickins <hughd(a)google.com> mm/gup: local lru_add_drain() to avoid lru_add_drain_all() Li Zhe <lizhe.67(a)bytedance.com> gup: optimize longterm pin_user_pages() for large folio Hugh Dickins <hughd(a)google.com> mm: revert "mm/gup: clear the LRU flag of a page before adding to LRU batch" Hugh Dickins <hughd(a)google.com> mm/gup: check ref_count instead of lru before migration Mikulas Patocka <mpatocka(a)redhat.com> dm-stripe: fix a possible integer overflow Mikulas Patocka <mpatocka(a)redhat.com> dm-raid: don't set io_min and io_opt for raid1 austinchang <austinchang(a)synology.com> btrfs: initialize inode::file_extent_tree after i_mode has been set Andrea Righi <arighi(a)nvidia.com> Revert "sched_ext: Skip per-CPU tasks in scx_bpf_reenqueue_local()" H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: restrict no-battery detection to bq27000 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Nathan Chancellor <nathan(a)kernel.org> nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Sergey Senozhatsky <senozhatsky(a)chromium.org> zram: fix slot write race condition Stefan Metzmacher <metze(a)samba.org> ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Duoming Zhou <duoming(a)zju.edu.cn> octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Duoming Zhou <duoming(a)zju.edu.cn> cnic: Fix use-after-free bugs in cnic_delete_task Alexey Nepomnyashih <sdl(a)nppct.ru> net: liquidio: fix overflow in octeon_init_instr_queue() Eric Dumazet <edumazet(a)google.com> net: clear sk->sk_ino in sk_set_socket(sk, NULL) Tariq Toukan <tariqt(a)nvidia.com> Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Jakub Kicinski <kuba(a)kernel.org> tls: make sure to abort the stream if headers are bogus Kuniyuki Iwashima <kuniyu(a)google.com> tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Sathesh B Edara <sedara(a)marvell.com> octeon_ep: fix VF MAC address lifecycle handling Hangbin Liu <liuhangbin(a)gmail.com> bonding: don't set oif to bond dev when getting NS target destination Lama Kayal <lkayal(a)nvidia.com> net/mlx5e: Add a miss level for ipsec crypto offload Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Harden uplink netdev access against device unbind Remy D. Farley <one-d-wide(a)protonmail.com> doc/netlink: Fix typos in operation attributes Kohei Enju <enjuk(a)amazon.com> igc: don't fail igc_probe() on LED setup error Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbe: destroy aci.lock later within ixgbe_remove path Jedrzej Jagielski <jedrzej.jagielski(a)intel.com> ixgbe: initialize aci.lock before it's used Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> i40e: remove redundant memory barrier when cleaning Tx descs Jacob Keller <jacob.e.keller(a)intel.com> ice: fix Rx page leak on multi-buffer frames Yeounsu Moon <yyyynoom(a)gmail.com> net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Geliang Tang <geliang(a)kernel.org> selftests: mptcp: sockopt: fix error messages Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: tfo: record 'deny join id0' info Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: userspace pm: validate deny-join-id0 flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: set remote_deny_join_id0 on SYN recv Hangbin Liu <liuhangbin(a)gmail.com> bonding: set random address only when slaves already exist Ilya Maximets <i.maximets(a)ovn.org> net: dst_metadata: fix IP_DF bit not extracted from tunnel headers Jamie Bainbridge <jamie.bainbridge(a)gmail.com> qed: Don't collect too many protection override GRC elements Kamal Heib <kheib(a)redhat.com> octeon_ep: Validate the VF ID David Howells <dhowells(a)redhat.com> rxrpc: Fix untrusted unsigned subtract David Howells <dhowells(a)redhat.com> rxrpc: Fix unhandled errors in rxgk_verify_packet_integrity() Ivan Vecera <ivecera(a)redhat.com> dpll: fix clock quality level reporting Anderson Nascimento <anderson(a)allelesecurity.com> net/tcp: Fix a NULL pointer dereference when using TCP-AO with TCP_REPAIR Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-switch: fix buffer pool seeding for control traffic Li Tian <litian(a)redhat.com> net/mlx5: Not returning mlx5_link_info table when speed is unknown Tiwei Bie <tiwei.btw(a)antgroup.com> um: Fix FD copy size in os_rcv_fd_msg() Miaoqian Lin <linmq006(a)gmail.com> um: virtio_uml: Fix use-after-free after put_device in probe Stefan Metzmacher <metze(a)samba.org> smb: server: let smb_direct_writev() respect SMB_DIRECT_MAX_SEND_SGES Geert Uytterhoeven <geert+renesas(a)glider.be> pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Liao Yuanhong <liaoyuanhong(a)vivo.com> wifi: mac80211: fix incorrect type for ret Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: increase scan_ies_len for S1G Felix Fietkau <nbd(a)nbd.name> wifi: mt76: do not add non-sta wcid entries to the poll list Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported Christoph Hellwig <hch(a)lst.de> nvme: fix PI insert on write Ajay.Kathat(a)microchip.com <Ajay.Kathat(a)microchip.com> wifi: wilc1000: avoid buffer overflow in WID string configuration Ian Rogers <irogers(a)google.com> perf maps: Ensure kmap is set up for all inserts Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: fix incorrect ASSERT in btrfs_zoned_reserve_data_reloc_bg() Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid extref key setup when replaying dentry Chen Ridong <chenridong(a)huawei.com> cgroup: split cgroup_destroy_wq into 3 workqueues ------------- Diffstat: Documentation/devicetree/bindings/serial/8250.yaml | 77 ++++++--- Documentation/netlink/specs/conntrack.yaml | 9 +- Documentation/netlink/specs/mptcp_pm.yaml | 4 +- Makefile | 4 +- arch/loongarch/Kconfig | 12 +- arch/loongarch/Makefile | 15 +- arch/loongarch/include/asm/acenv.h | 7 +- arch/loongarch/include/asm/kvm_mmu.h | 20 ++- arch/loongarch/kernel/env.c | 2 + arch/loongarch/kernel/stacktrace.c | 3 +- arch/loongarch/kernel/vdso.c | 3 + arch/loongarch/kvm/intc/eiointc.c | 87 ++++++---- arch/loongarch/kvm/intc/pch_pic.c | 21 ++- arch/loongarch/kvm/mmu.c | 8 +- arch/s390/include/asm/pci_insn.h | 10 +- arch/um/drivers/virtio_uml.c | 6 +- arch/um/os-Linux/file.c | 2 +- arch/x86/include/asm/sev.h | 38 ++--- arch/x86/kvm/svm/svm.c | 3 +- crypto/af_alg.c | 10 +- drivers/block/zram/zram_drv.c | 8 +- drivers/clk/sunxi-ng/ccu_mp.c | 2 +- drivers/crypto/ccp/sev-dev.c | 2 +- drivers/dpll/dpll_netlink.c | 4 +- drivers/gpio/gpiolib-acpi-core.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 16 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 12 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 24 ++- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 36 ++++ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 39 ++++- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 2 +- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 +- drivers/gpu/drm/xe/abi/guc_actions_abi.h | 5 + drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 40 +++++ drivers/gpu/drm/xe/xe_exec_queue.c | 22 ++- drivers/gpu/drm/xe/xe_exec_queue_types.h | 8 +- drivers/gpu/drm/xe/xe_execlist.c | 25 ++- drivers/gpu/drm/xe/xe_execlist_types.h | 2 +- drivers/gpu/drm/xe/xe_gt.c | 3 +- drivers/gpu/drm/xe/xe_gt_sriov_pf_config.c | 1 - drivers/gpu/drm/xe/xe_guc.c | 62 ++++++- drivers/gpu/drm/xe/xe_guc.h | 1 + drivers/gpu/drm/xe/xe_guc_exec_queue_types.h | 4 +- drivers/gpu/drm/xe/xe_guc_submit.c | 141 +++++++++++++--- drivers/gpu/drm/xe/xe_guc_submit.h | 2 + drivers/gpu/drm/xe/xe_tile_sysfs.c | 12 +- drivers/gpu/drm/xe/xe_uc.c | 4 + drivers/gpu/drm/xe/xe_vm.c | 4 +- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/init.c | 9 +- drivers/iommu/amd/io_pgtable.c | 25 ++- drivers/iommu/intel/iommu.c | 7 +- drivers/iommu/s390-iommu.c | 29 +++- drivers/md/dm-raid.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/mmc/host/mvsdio.c | 2 +- drivers/mmc/host/sdhci-pci-gli.c | 68 +++++++- drivers/mmc/host/sdhci-uhs2.c | 3 +- drivers/mmc/host/sdhci.c | 34 ++-- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/broadcom/cnic.c | 3 +- .../net/ethernet/cavium/liquidio/request_manager.c | 2 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 - drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++++----- drivers/net/ethernet/intel/ice/ice_txrx.h | 1 - drivers/net/ethernet/intel/igc/igc.h | 1 + drivers/net/ethernet/intel/igc/igc_main.c | 12 +- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 22 +-- .../net/ethernet/marvell/octeon_ep/octep_main.c | 16 ++ .../ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 + .../net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 1 + .../ethernet/mellanox/mlx5/core/en_accel/ipsec.h | 1 + .../mellanox/mlx5/core/en_accel/ipsec_fs.c | 3 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 - drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 27 ++- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 +- drivers/net/ethernet/mellanox/mlx5/core/port.c | 6 +- drivers/net/ethernet/natsemi/ns83820.c | 13 +- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +- drivers/net/wireless/mediatek/mt76/mac80211.c | 2 +- drivers/net/wireless/microchip/wilc1000/wlan_cfg.c | 39 +++-- drivers/net/wireless/microchip/wilc1000/wlan_cfg.h | 5 +- drivers/nvme/host/core.c | 18 +- drivers/pcmcia/omap_cf.c | 8 +- drivers/platform/x86/asus-nb-wmi.c | 25 ++- drivers/platform/x86/asus-wmi.h | 3 +- drivers/power/supply/bq27xxx_battery.c | 4 +- fs/btrfs/delayed-inode.c | 3 - fs/btrfs/inode.c | 11 +- fs/btrfs/tree-checker.c | 4 +- fs/btrfs/tree-log.c | 2 +- fs/btrfs/zoned.c | 2 +- fs/nilfs2/sysfs.c | 4 +- fs/nilfs2/sysfs.h | 8 +- fs/smb/client/cifsproto.h | 4 +- fs/smb/client/inode.c | 23 ++- fs/smb/client/misc.c | 36 ++-- fs/smb/client/smbdirect.c | 132 +++++++++------ fs/smb/client/smbdirect.h | 23 --- fs/smb/common/smbdirect/smbdirect_socket.h | 29 ++++ fs/smb/server/transport_rdma.c | 185 ++++++++++++++------- include/crypto/if_alg.h | 10 +- include/linux/io_uring_types.h | 3 - include/linux/mlx5/driver.h | 1 + include/linux/swap.h | 10 ++ include/net/dst_metadata.h | 11 +- include/net/sock.h | 5 +- include/sound/sdca.h | 1 + include/uapi/linux/mptcp.h | 2 + include/uapi/linux/mptcp_pm.h | 4 +- io_uring/io-wq.c | 6 +- io_uring/io_uring.c | 10 +- io_uring/io_uring.h | 4 +- io_uring/msg_ring.c | 24 +-- io_uring/notif.c | 2 +- io_uring/poll.c | 2 +- io_uring/timeout.c | 2 +- io_uring/uring_cmd.c | 2 +- kernel/cgroup/cgroup.c | 43 ++++- kernel/sched/ext.c | 6 +- mm/gup.c | 52 ++++-- mm/mlock.c | 6 +- mm/swap.c | 50 +++--- mm/vmscan.c | 2 +- net/ipv4/tcp.c | 5 + net/ipv4/tcp_ao.c | 4 +- net/mac80211/driver-ops.h | 2 +- net/mac80211/main.c | 7 +- net/mptcp/options.c | 6 +- net/mptcp/pm_netlink.c | 7 + net/mptcp/protocol.c | 16 ++ net/mptcp/subflow.c | 4 + net/rds/ib_frmr.c | 20 ++- net/rfkill/rfkill-gpio.c | 4 +- net/rxrpc/rxgk.c | 18 +- net/rxrpc/rxgk_app.c | 29 +++- net/rxrpc/rxgk_common.h | 14 +- net/tls/tls.h | 1 + net/tls/tls_strp.c | 14 +- net/tls/tls_sw.c | 3 +- samples/damon/mtier.c | 25 +-- samples/damon/prcl.c | 31 +++- samples/damon/wsse.c | 22 +-- sound/firewire/motu/motu-hwdep.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/acp/acp-i2s.c | 11 +- sound/soc/codecs/sma1307.c | 7 +- sound/soc/codecs/wm8940.c | 9 +- sound/soc/codecs/wm8974.c | 8 +- sound/soc/intel/catpt/pcm.c | 23 ++- sound/soc/qcom/qdsp6/audioreach.c | 1 + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 7 +- sound/soc/sdca/sdca_device.c | 20 +++ sound/soc/sdca/sdca_functions.c | 13 +- sound/soc/sdca/sdca_regmap.c | 2 +- sound/soc/sof/intel/hda-stream.c | 2 +- sound/usb/qcom/qc_audio_offload.c | 92 +++++----- tools/arch/loongarch/include/asm/inst.h | 12 ++ tools/objtool/arch/loongarch/decode.c | 33 +++- tools/perf/util/maps.c | 9 +- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +- tools/testing/selftests/net/mptcp/mptcp_sockopt.c | 16 +- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +- 169 files changed, 1797 insertions(+), 824 deletions(-)

1 month, 1 week

17
165
0 0

[PATCH 2/3] media: mediatek: mdp: fix device leak on probe

by Johan Hovold

Make sure to drop the reference taken when looking up the VPU firmware device during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: c8eb2d7e8202 ("[media] media: Add Mediatek MDP Driver") Cc: stable(a)vger.kernel.org # 4.10 Cc: Minghsiu Tsai <minghsiu.tsai(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/media/platform/mediatek/mdp/mtk_mdp_core.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c b/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c index 80fdc6ff57e0..5c7dcf4090f4 100644 --- a/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c +++ b/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c @@ -198,7 +198,7 @@ static int mtk_mdp_probe(struct platform_device *pdev) VPU_RST_MDP); if (ret) { dev_err(&pdev->dev, "Failed to register reset handler\n"); - goto err_m2m_register; + goto err_put_vpu; } platform_set_drvdata(pdev, mdp); @@ -206,7 +206,7 @@ static int mtk_mdp_probe(struct platform_device *pdev) ret = vb2_dma_contig_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32)); if (ret) { dev_err(&pdev->dev, "Failed to set vb2 dma mag seg size\n"); - goto err_m2m_register; + goto err_put_vpu; } pm_runtime_enable(dev); @@ -214,6 +214,8 @@ static int mtk_mdp_probe(struct platform_device *pdev) return 0; +err_put_vpu: + put_device(&mdp->vpu_dev->dev); err_m2m_register: v4l2_device_unregister(&mdp->v4l2_dev); @@ -241,6 +243,7 @@ static void mtk_mdp_remove(struct platform_device *pdev) struct mtk_mdp_comp *comp, *comp_temp; pm_runtime_disable(&pdev->dev); + put_device(&mdp->vpu_dev->dev); vb2_dma_contig_clear_max_seg_size(&pdev->dev); mtk_mdp_unregister_m2m_device(mdp); v4l2_device_unregister(&mdp->v4l2_dev); -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 1/3] media: mediatek: vcodec: fix device leak on codec init

by Johan Hovold

Make sure to drop the reference taken when looking up the VPU firmware device during codec init on probe failure (e.g. probe deferral) and on driver unbind. Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Fixes: 4e855a6efa54 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver") Cc: stable(a)vger.kernel.org # 4.8 Cc: Tiffany Lin <tiffany.lin(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- .../mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c index d7027d600208..9237738d7632 100644 --- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c +++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c @@ -83,12 +83,20 @@ static const struct mtk_vcodec_fw_ops mtk_vcodec_vpu_msg = { .release = mtk_vcodec_vpu_release, }; +static void mtk_vcodec_vpu_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_init(void *priv, enum mtk_vcodec_fw_use fw_use) { struct platform_device *fw_pdev; struct platform_device *plat_dev; struct mtk_vcodec_fw *fw; enum rst_id rst_id; + int ret; if (fw_use == ENCODER) { struct mtk_vcodec_enc_dev *enc_dev = priv; @@ -111,6 +119,11 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_init(void *priv, enum mtk_vcodec_fw_use return ERR_PTR(-EINVAL); } + ret = devm_add_action_or_reset(&plat_dev->dev, mtk_vcodec_vpu_put_device, + &fw_pdev->dev); + if (ret) + return ERR_PTR(ret); + if (fw_use == DECODER) vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_dec_handler, priv, rst_id); else -- 2.49.1

1 month, 1 week

1
0
0 0

[PATCH 6.12.y 1/3] drm/sched: Optimise drm_sched_entity_push_job

by Jules Maselbas

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> commit d42a254633c773921884a19e8a1a0f53a31150c3 upstream. In FIFO mode (which is the default), both drm_sched_entity_push_job() and drm_sched_rq_update_fifo(), where the latter calls the former, are currently taking and releasing the same entity->rq_lock. We can avoid that design inelegance, and also have a miniscule efficiency improvement on the submit from idle path, by introducing a new drm_sched_rq_update_fifo_locked() helper and pulling up the lock taking to its callers. v2: * Remove drm_sched_rq_update_fifo() altogether. (Christian) v3: * Improved commit message. (Philipp) Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Luben Tuikov <ltuikov89(a)gmail.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Philipp Stanner <pstanner(a)redhat.com> Reviewed-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Philipp Stanner <pstanner(a)redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241016122013.7857-2-tursuli… (cherry picked from commit d42a254633c773921884a19e8a1a0f53a31150c3) Signed-off-by: Jules Maselbas <jmaselbas(a)zdiv.net> --- drivers/gpu/drm/scheduler/sched_entity.c | 13 +++++++++---- drivers/gpu/drm/scheduler/sched_main.c | 6 +++--- include/drm/gpu_scheduler.h | 2 +- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index 3e75fc1f6607..9dbae7b08bc9 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -505,8 +505,12 @@ struct drm_sched_job *drm_sched_entity_pop_job(struct drm_sched_entity *entity) struct drm_sched_job *next; next = to_drm_sched_job(spsc_queue_peek(&entity->job_queue)); - if (next) - drm_sched_rq_update_fifo(entity, next->submit_ts); + if (next) { + spin_lock(&entity->rq_lock); + drm_sched_rq_update_fifo_locked(entity, + next->submit_ts); + spin_unlock(&entity->rq_lock); + } } /* Jobs and entities might have different lifecycles. Since we're @@ -606,10 +610,11 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) sched = rq->sched; drm_sched_rq_add_entity(rq, entity); - spin_unlock(&entity->rq_lock); if (drm_sched_policy == DRM_SCHED_POLICY_FIFO) - drm_sched_rq_update_fifo(entity, submit_ts); + drm_sched_rq_update_fifo_locked(entity, submit_ts); + + spin_unlock(&entity->rq_lock); drm_sched_wakeup(sched); } diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c index 416590ea0dc3..3609d5a8fecd 100644 --- a/drivers/gpu/drm/scheduler/sched_main.c +++ b/drivers/gpu/drm/scheduler/sched_main.c @@ -169,14 +169,15 @@ static inline void drm_sched_rq_remove_fifo_locked(struct drm_sched_entity *enti } } -void drm_sched_rq_update_fifo(struct drm_sched_entity *entity, ktime_t ts) +void drm_sched_rq_update_fifo_locked(struct drm_sched_entity *entity, ktime_t ts) { /* * Both locks need to be grabbed, one to protect from entity->rq change * for entity from within concurrent drm_sched_entity_select_rq and the * other to update the rb tree structure. */ - spin_lock(&entity->rq_lock); + lockdep_assert_held(&entity->rq_lock); + spin_lock(&entity->rq->lock); drm_sched_rq_remove_fifo_locked(entity); @@ -187,7 +188,6 @@ void drm_sched_rq_update_fifo(struct drm_sched_entity *entity, ktime_t ts) drm_sched_entity_compare_before); spin_unlock(&entity->rq->lock); - spin_unlock(&entity->rq_lock); } /** diff --git a/include/drm/gpu_scheduler.h b/include/drm/gpu_scheduler.h index 9c437a057e5d..346a3c261b43 100644 --- a/include/drm/gpu_scheduler.h +++ b/include/drm/gpu_scheduler.h @@ -593,7 +593,7 @@ void drm_sched_rq_add_entity(struct drm_sched_rq *rq, void drm_sched_rq_remove_entity(struct drm_sched_rq *rq, struct drm_sched_entity *entity); -void drm_sched_rq_update_fifo(struct drm_sched_entity *entity, ktime_t ts); +void drm_sched_rq_update_fifo_locked(struct drm_sched_entity *entity, ktime_t ts); int drm_sched_entity_init(struct drm_sched_entity *entity, enum drm_sched_priority priority, -- 2.51.0

1 month, 1 week

4
11
0 0

[PATCH v2] comedi: fix divide-by-zero in comedi_buf_munge()

by Deepanshu Kartikey

The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. Reported-by: syzbot+f6c3c066162d2c43a66c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f6c3c066162d2c43a66c Cc: stable(a)vger.kernel.org Signed-off-by: Deepanshu Kartikey <kartikey406(a)gmail.com> --- v2: Merged the chanlist_len check with existing early return check as suggested by Ian Abbott --- drivers/comedi/comedi_buf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c index 002c0e76baff..c7c262a2d8ca 100644 --- a/drivers/comedi/comedi_buf.c +++ b/drivers/comedi/comedi_buf.c @@ -317,7 +317,7 @@ static unsigned int comedi_buf_munge(struct comedi_subdevice *s, unsigned int count = 0; const unsigned int num_sample_bytes = comedi_bytes_per_sample(s); - if (!s->munge || (async->cmd.flags & CMDF_RAWDATA)) { + if (!s->munge || (async->cmd.flags & CMDF_RAWDATA) || async->cmd.chanlist_len == 0) { async->munge_count += num_bytes; return num_bytes; } -- 2.43.0

1 month, 2 weeks

2
1
0 0

دعوة لنشر الأبحاث والمقالات العلمية

by journal

###**🌟 فرصتك للنشر في مجلات علمية محكمة دوليًا – دعوة مفتوحة للباحثين والأكاديميين** **انضم إلى النخبة العلمية… وانشر أبحاثك معنا.** **انطلاقًا من إيماننا بأن البحث العلمي هو الركيزة الأساسية لنهضة المجتمعات وتقدمها،** يسر*فكر للدراسات والتطوير* أن تتشرف بدعوتكم للنشر في مجلاتها العلمية المحكمة، التي تمثل منبرًا أكاديميًا رصينًا لاحتضان الأفكار الأصيلة، والمشاريع البحثية الجادة، والرؤى التي تسهم في إنتاج معرفة تطبيقية تخدم قضايا الإنسان والمجتمع. إن دعوتنا هذه تأتي ضمن رؤيتنا في تمكين الباحثين والكتّاب في العالم العربي والإسلامي من إيصال أبحاثهم إلى أوسع نطاق، والمساهمة الفاعلة في الحراك العلمي محليًا ودوليًا، عبر منصات نشر معتمدة وموثوقة. ➡️ **قدّم مخطوطتك الآن:** [https://7m8ue.r.ag.d.sendibm3.com/mk/cl/f/sh/WCPzyXJTZ7nvI8YYc4qB1knr1PmTmi… ####عامل تأثير عربي=2.7 مجلة ريحان للنشر العلمي ----------------------- (Rihan Journal for Scientific Publishing) ###$50 *مجلة علمية دولية، محكّمة، شهرية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN-E: 2709-2097** تستقبل المجلة الأبحاث والمقالات العلمية بثلاث لغات: **العربية، الإنجليزية، والتركية**، في مختلف التخصصات، وتخضع جميع المواد المقدمة لعملية تحكيم علمي صارمة، تضمن جودة المحتوى وموثوقيته الأكاديمية. ####عامل تأثير عربي=1.7 مجلة ايبرس للنشر الطبي ---------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN-E: 2959-5371** تأسست مجلة إيبرس للنشر الطبي عام 2022، لتكون منصة علمية رصينة في مجال العلوم الطبية والصحية، ووجهة موثوقة للباحثين والطلبة وأعضاء الهيئات التدريسية والأكاديميين لنشر أبحاثهم الأصيلة، ومراجعاتهم العلمية، ومشاركتهم في تطوير المعرفة الطبية الحديثة. تستقبل المجلة الدراسات والأبحاث باللغة **العربية، الإنجليزية، والتركية**، وتخضع جميع المواد لعملية تحكيم علمي دقيقة، وفق أعلى المعايير الأكاديمية الدولية. مجلة طُوى للعلوم الاجتماعية --------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN: 3104-7211** **مجلة طُوى** هي منصة أكاديمية تُعنى بنشر البحوث والدراسات الأصيلة في **مجالات العلوم الاجتماعية المتداخلة**، بما يسهم في إنتاج معرفة تحليلية معمقة حول قضايا الإنسان والمجتمع. تلتزم المجلة بمعايير **التحكيم العلمي الرصين**، وتُرحّب بالأعمال المقدّمة باللغات: **العربية، الإنجليزية، والتركية**. جاء اختيار اسم "طُوى" استلهامًا من **الوادي المقدّس طُوى**، تعبيرًا عن قدسية المعرفة، وإيمانًا بأن الفكر العلمي رسالة إنسانية لا تقل أثرًا وعمقًا عن أي رسالة تغيير أو بناء مجتمعي. مجلة زنوبيا لدراسات المرأة والطفل والاسرة ----------------------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير* بالتعاون مع **المنتدى الثقافي النسائي السوري** رقم التسلسل المعياري الدولي: **ISSN: 3104-7874** تُعنى **مجلة زنوبيا** بنشر البحوث والدراسات الأكاديمية التي تتناول قضايا **المرأة، والطفل، والأسرة** من زوايا علمية، اجتماعية، وثقافية متعددة، مع التركيز على التحديات والتحولات المعاصرة التي تمس هذه الفئات داخل السياقات العربية والعالمية. وتوفّر المجلة منبرًا أكاديميًا موثوقًا يعزز التفكير النقدي والتحليل العلمي البنّاء، ويسعى لإبراز التجارب والرؤى التي تدعم التمكين المجتمعي. مجلة زكا للعلوم المالية والاقتصادية والإدارية --------------------------------------------- ###$50 *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي **ISSN: 3104-7289** تُعنى **مجلة زكا** بنشر أبحاث علمية أصيلة وعالية الجودة في مجالات: **إدارة الأعمال، الاقتصاد، المحاسبة، العلوم المالية، التسويق، الاقتصاد الإسلامي، الإدارة العامة، والتمويل**. وتمثل المجلة منصة أكاديمية رصينة تستهدف الباحثين، الأكاديميين، وطلبة الدراسات العليا في التخصصات المالية والإدارية، وتسعى إلى الإسهام الفعّال في تطوير المعرفة الاقتصادية والإدارية، وفقًا لأحدث المعايير العلمية والمنهجيات البحثية الحديثة. مجلة روح للعلوم الإنسانية ------------------------- ###$50 **(RUH Journal of Humanities)** *مجلة علمية دولية، محكّمة، فصلية، مفتوحة الوصول، تصدر عن مركز فكر للدراسات والتطوير.* رقم التسلسل المعياري الدولي: **ISSN: 3105-2436** تهدف **مجلة روح للعلوم الإنسانية** إلى نشر الأبحاث العلمية المتميزة في مختلف مجالات العلوم الإنسانية، وتعزيز الفكر الأكاديمي والنقاش العلمي المتخصص في القضايا الإنسانية المعاصرة على المستويين العربي والعالمي. تُعد المجلة منصة أكاديمية رصينة تجمع الباحثين من تخصصات متعددة لتبادل المعرفة، وتحفيز الدراسات الرصينة ذات الأثر المجتمعي والثقافي، وتوسيع دائرة الحوار العلمي حول الإنسان والمجتمع. جاء اختيار اسم **"روح"** ليعكس جوهر العلوم الإنسانية، التي تنطلق من فهم الإنسان: مشاعره، ثقافته، سلوكه، وتاريخه. تشير الكلمة إلى **العنصر الحيوي** الذي يمنح الإنسان والمجتمع معناهما، مما يرسّخ رؤية المجلة في أن **العلوم الإنسانية هي الروح النابضة لفهم المجتمعات وتطورها**. دعوة للتبرع ------------ ###$10 ###🎓 ساهم في نهضة العلم في سوريا – كن جزءًا من التغيير الحقيقي! إذا كنت تؤمن بقوة المعرفة وأهمية دعم البحث العلمي في سوريا، فقد حان الوقت لتشارك في صناعة الأمل. **تبرعك اليوم لا يُقدَّر بثمن…** إنه استثمار في العقول، وفي جيل جديد من الباحثين والمفكرين الذين يسعون لإعادة بناء المجتمع على أسس علمية وإنسانية. 📢 **ساهم في صناعة الأمل… تبرعك اليوم يصنع فرقاً حقيقياً غداً!** المؤتمرات العلمية ----------------- ###$100 ###🏛️ **مركز فكر للمؤتمرات العلمية** **مركز فكر للمؤتمرات العلمية** هو أحد برامج مركز فكر للدراسات والتطوير، يُعنى بتنظيم المؤتمرات والملتقيات العلمية المتخصصة، بهدف دعم البحث الأكاديمي وتوسيع دائرة الحوار المعرفي حول القضايا المعاصرة التي تهم المجتمعات العربية والعالمية. ينطلق المركز من رؤية تؤمن بأن **المؤتمر العلمي ليس مجرد حدث أكاديمي، بل هو منصة استراتيجية لإنتاج المعرفة، وتبادل الخبرات، وصياغة حلول مستندة إلى البحث العلمي**. ###📚 **مجالات المؤتمرات:** العلوم الإنسانية والاجتماعية العلوم الطبية والصحية الدراسات الاقتصادية والمالية دراسات المرأة والطفل والأسرة البيئة والتنمية المستدامة التكنولوجيا والتحول الرقمي التعليم والتربية **مع خالص الشكر والتقدير،** ============================ **نثمّن وقتكم واهتمامكم، ونتطلع إلى تعاون مثمر يجمعنا في خدمة البحث العلمي والمجتمع.** ====================================================================================== **نؤمن أن العمل المشترك هو مفتاح التغيير الحقيقي، ونرحّب بكم دائمًا ضمن شبكتنا العلمية والمجتمعية.** ==================================================================================================== ➡️ **قدّم مخطوطتك الآن:** [https://forms.gle/g7McfPrkaYYDFC2N6](https://forms.gle/g7McfPrkaYYDFC2N6) Maria Abdel Rahim [pr@rjsp.org](mailto:ahmet@rjsp.org) rihanjournal(a)gmail.com [00905306359001](https://) gazimuhtarpas 29600,gazantap [Unsubscribe](https://7m8ue.r.ag.d.sendibm3.com/mk/un/v2/sh/7nVTPdbLJ2bPbEmD…

1 month, 2 weeks

1
0
0 0

[PATCH 1/1] mm/thp: fix MTE tag mismatch when replacing zero-filled subpages

by Lance Yang

From: Lance Yang <lance.yang(a)linux.dev> When both THP and MTE are enabled, splitting a THP and replacing its zero-filled subpages with the shared zeropage can cause MTE tag mismatch faults in userspace. Remapping zero-filled subpages to the shared zeropage is unsafe, as the zeropage has a fixed tag of zero, which may not match the tag expected by the userspace pointer. KSM already avoids this problem by using memcmp_pages(), which on arm64 intentionally reports MTE-tagged pages as non-identical to prevent unsafe merging. As suggested by David[1], this patch adopts the same pattern, replacing the memchr_inv() byte-level check with a call to pages_identical(). This leverages existing architecture-specific logic to determine if a page is truly identical to the shared zeropage. Having both the THP shrinker and KSM rely on pages_identical() makes the design more future-proof, IMO. Instead of handling quirks in generic code, we just let the architecture decide what makes two pages identical. [1] https://lore.kernel.org/all/ca2106a3-4bb2-4457-81af-301fd99fbef4@redhat.com Cc: <stable(a)vger.kernel.org> Reported-by: Qun-wei Lin <Qun-wei.Lin(a)mediatek.com> Closes: https://lore.kernel.org/all/a7944523fcc3634607691c35311a5d59d1a3f8d4.camel@… Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") Suggested-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Lance Yang <lance.yang(a)linux.dev> --- Tested on x86_64 and on QEMU for arm64 (with and without MTE support), and the fix works as expected. mm/huge_memory.c | 15 +++------------ mm/migrate.c | 8 +------- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 32e0ec2dde36..28d4b02a1aa5 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -4104,29 +4104,20 @@ static unsigned long deferred_split_count(struct shrinker *shrink, static bool thp_underused(struct folio *folio) { int num_zero_pages = 0, num_filled_pages = 0; - void *kaddr; int i; for (i = 0; i < folio_nr_pages(folio); i++) { - kaddr = kmap_local_folio(folio, i * PAGE_SIZE); - if (!memchr_inv(kaddr, 0, PAGE_SIZE)) { - num_zero_pages++; - if (num_zero_pages > khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (pages_identical(folio_page(folio, i), ZERO_PAGE(0))) { + if (++num_zero_pages > khugepaged_max_ptes_none) return true; - } } else { /* * Another path for early exit once the number * of non-zero filled pages exceeds threshold. */ - num_filled_pages++; - if (num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) { - kunmap_local(kaddr); + if (++num_filled_pages >= HPAGE_PMD_NR - khugepaged_max_ptes_none) return false; - } } - kunmap_local(kaddr); } return false; } diff --git a/mm/migrate.c b/mm/migrate.c index aee61a980374..ce83c2c3c287 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -300,9 +300,7 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, unsigned long idx) { struct page *page = folio_page(folio, idx); - bool contains_data; pte_t newpte; - void *addr; if (PageCompound(page)) return false; @@ -319,11 +317,7 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, * this subpage has been non present. If the subpage is only zero-filled * then map it to the shared zeropage. */ - addr = kmap_local_page(page); - contains_data = memchr_inv(addr, 0, PAGE_SIZE); - kunmap_local(addr); - - if (contains_data) + if (!pages_identical(page, ZERO_PAGE(0))) return false; newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address), -- 2.49.0

1 month, 2 weeks

6
21
0 0

Check this out at Amazon

by Votre Expert

THE HOUSEMAID UNDER CONTRACT https://rb.gy/2xfnv3

1 month, 2 weeks

1
0
0 0

Undelivered Mail Returned to Sender

by MAILER-DAEMON＠zihnyunrui.com

This is the mail system at host zihnyunrui.com. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message. The mail system <linux-stable-mirror(a)lists.linaro.org>: host lists.linaro.org[3.208.193.21] said: 554 5.7.1 Spam message rejected (in reply to end of DATA command)

1 month, 2 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror