- Linux-stable-mirror - lists.linaro.org

[PATCH v3] sparc: fix error handling in scan_one_device()

by Ma Ke

Once of_device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(). Calling path: of_device_register() -> of_device_add() -> device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - also fixed the same problem in arch/sparc/kernel/of_device_32.c as suggestions. Changes in v2: - retained kfree() manually due to the lack of a release callback function. --- arch/sparc/kernel/of_device_32.c | 1 + arch/sparc/kernel/of_device_64.c | 1 + 2 files changed, 2 insertions(+) diff --git a/arch/sparc/kernel/of_device_32.c b/arch/sparc/kernel/of_device_32.c index 06012e68bdca..284a4cafa432 100644 --- a/arch/sparc/kernel/of_device_32.c +++ b/arch/sparc/kernel/of_device_32.c @@ -387,6 +387,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c index f98c2901f335..f53092b07b9e 100644 --- a/arch/sparc/kernel/of_device_64.c +++ b/arch/sparc/kernel/of_device_64.c @@ -677,6 +677,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } -- 2.17.1

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] ksmbd: smbdirect: verify remaining_data_length respects" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e1868ba37fd27c6a68e31565402b154beaa65df0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092135-estate-gander-564d@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e1868ba37fd27c6a68e31565402b154beaa65df0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze(a)samba.org> Date: Thu, 11 Sep 2025 10:05:23 +0900 Subject: [PATCH] ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size This is inspired by the check for data_offset + data_length. Cc: Steve French <smfrench(a)gmail.com> Cc: Tom Talpey <tom(a)talpey.com> Cc: linux-cifs(a)vger.kernel.org Cc: samba-technical(a)lists.samba.org Cc: stable(a)vger.kernel.org Fixes: 2ea086e35c3d ("ksmbd: add buffer validation for smb direct") Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Stefan Metzmacher <metze(a)samba.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c index d52f37578276..6550bd9f002c 100644 --- a/fs/smb/server/transport_rdma.c +++ b/fs/smb/server/transport_rdma.c @@ -554,7 +554,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) case SMB_DIRECT_MSG_DATA_TRANSFER: { struct smb_direct_data_transfer *data_transfer = (struct smb_direct_data_transfer *)recvmsg->packet; - unsigned int data_offset, data_length; + u32 remaining_data_length, data_offset, data_length; int avail_recvmsg_count, receive_credits; if (wc->byte_len < @@ -564,6 +564,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) return; } + remaining_data_length = le32_to_cpu(data_transfer->remaining_data_length); data_length = le32_to_cpu(data_transfer->data_length); data_offset = le32_to_cpu(data_transfer->data_offset); if (wc->byte_len < data_offset || @@ -572,6 +573,14 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) smb_direct_disconnect_rdma_connection(t); return; } + if (remaining_data_length > t->max_fragmented_recv_size || + data_length > t->max_fragmented_recv_size || + (u64)remaining_data_length + (u64)data_length > + (u64)t->max_fragmented_recv_size) { + put_recvmsg(t, recvmsg); + smb_direct_disconnect_rdma_connection(t); + return; + } if (data_length) { if (t->full_packet_received)

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mptcp: propagate shutdown to subflows when possible" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f755be0b1ff429a2ecf709beeb1bcd7abc111c2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092143-trench-expiring-9a2f@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f755be0b1ff429a2ecf709beeb1bcd7abc111c2b Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:50 +0200 Subject: [PATCH] mptcp: propagate shutdown to subflows when possible When the MPTCP DATA FIN have been ACKed, there is no more MPTCP related metadata to exchange, and all subflows can be safely shutdown. Before this patch, the subflows were actually terminated at 'close()' time. That's certainly fine most of the time, but not when the userspace 'shutdown()' a connection, without close()ing it. When doing so, the subflows were staying in LAST_ACK state on one side -- and consequently in FIN_WAIT2 on the other side -- until the 'close()' of the MPTCP socket. Now, when the DATA FIN have been ACKed, all subflows are shutdown. A consequence of this is that the TCP 'FIN' flag can be set earlier now, but the end result is the same. This affects the packetdrill tests looking at the end of the MPTCP connections, but for a good reason. Note that tcp_shutdown() will check the subflow state, so no need to do that again before calling it. Fixes: 3721b9b64676 ("mptcp: Track received DATA_FIN sequence number and add related helpers") Cc: stable(a)vger.kernel.org Fixes: 16a9a9da1723 ("mptcp: Add helper to process acks of DATA_FIN") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-1-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e6fd97b21e9e..5e497a83e967 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -371,6 +371,20 @@ static void mptcp_close_wake_up(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); } +static void mptcp_shutdown_subflows(struct mptcp_sock *msk) +{ + struct mptcp_subflow_context *subflow; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + bool slow; + + slow = lock_sock_fast(ssk); + tcp_shutdown(ssk, SEND_SHUTDOWN); + unlock_sock_fast(ssk, slow); + } +} + /* called under the msk socket lock */ static bool mptcp_pending_data_fin_ack(struct sock *sk) { @@ -395,6 +409,7 @@ static void mptcp_check_data_fin_ack(struct sock *sk) break; case TCP_CLOSING: case TCP_LAST_ACK: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; } @@ -563,6 +578,7 @@ static bool mptcp_check_data_fin(struct sock *sk) mptcp_set_state(sk, TCP_CLOSING); break; case TCP_FIN_WAIT2: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; default:

1 month, 2 weeks

2
1
0 0

[PATCH rtw-next v5 2/4] wifi: rtw89: avoid possible TX wait initialization race

by Fedor Pchelkin

The value of skb_data->wait indicates whether skb is passed on to the core mac80211 stack or released by the driver itself. Make sure that by the time skb is added to txwd queue and becomes visible to the completing side, it has already allocated and initialized TX wait related data (in case it's needed). This is found by code review and addresses a possible race scenario described below: Waiting thread Completing thread rtw89_core_send_nullfunc() rtw89_core_tx_write_link() ... rtw89_pci_txwd_submit() skb_data->wait = NULL /* add skb to the queue */ skb_queue_tail(&txwd->queue, skb) /* another thread (e.g. rtw89_ops_tx) performs TX kick off for the same queue */ rtw89_pci_napi_poll() ... rtw89_pci_release_txwd_skb() /* get skb from the queue */ skb_unlink(skb, &txwd->queue) rtw89_pci_tx_status() rtw89_core_tx_wait_complete() /* use incorrect skb_data->wait */ rtw89_core_tx_kick_off_and_wait() /* assign skb_data->wait but too late */ Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v5: - update the changelog to reflect that the potential race scenario was found by code review - pass wait as an argument to rtw89_core_tx_kick_off_and_wait() v4: - use wiphy_dereference (Zong-Zhe) - move wait->skb assignment place drivers/net/wireless/realtek/rtw89/core.c | 39 +++++++++++++---------- drivers/net/wireless/realtek/rtw89/core.h | 3 +- drivers/net/wireless/realtek/rtw89/pci.c | 2 -- 3 files changed, 24 insertions(+), 20 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index ec467ae0e9e6..1f44c7fc1c5e 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1153,25 +1153,14 @@ void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel) } int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb, - int qsel, unsigned int timeout) + struct rtw89_tx_wait_info *wait, int qsel, + unsigned int timeout) { - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); - struct rtw89_tx_wait_info *wait; unsigned long time_left; int ret = 0; lockdep_assert_wiphy(rtwdev->hw->wiphy); - wait = kzalloc(sizeof(*wait), GFP_KERNEL); - if (!wait) { - rtw89_core_tx_kick_off(rtwdev, qsel); - return 0; - } - - init_completion(&wait->completion); - wait->skb = skb; - rcu_assign_pointer(skb_data->wait, wait); - rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); @@ -1234,10 +1223,12 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rtwvif_link, struct rtw89_sta_link *rtwsta_link, - struct sk_buff *skb, int *qsel, bool sw_mld) + struct sk_buff *skb, int *qsel, bool sw_mld, + struct rtw89_tx_wait_info *wait) { struct ieee80211_sta *sta = rtwsta_link_to_sta_safe(rtwsta_link); struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); + struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct rtw89_vif *rtwvif = rtwvif_link->rtwvif; struct rtw89_core_tx_request tx_req = {}; int ret; @@ -1254,6 +1245,8 @@ static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, rtw89_core_tx_update_desc_info(rtwdev, &tx_req); rtw89_core_tx_wake(rtwdev, &tx_req); + rcu_assign_pointer(skb_data->wait, wait); + ret = rtw89_hci_tx_write(rtwdev, &tx_req); if (ret) { rtw89_err(rtwdev, "failed to transmit skb to HCI\n"); @@ -1290,7 +1283,8 @@ int rtw89_core_tx_write(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, } } - return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false); + return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false, + NULL); } static __le32 rtw89_build_txwd_body0(struct rtw89_tx_desc_info *desc_info) @@ -3928,6 +3922,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); int link_id = ieee80211_vif_is_mld(vif) ? rtwvif_link->link_id : -1; struct rtw89_sta_link *rtwsta_link; + struct rtw89_tx_wait_info *wait; struct ieee80211_sta *sta; struct ieee80211_hdr *hdr; struct rtw89_sta *rtwsta; @@ -3937,6 +3932,12 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc) return 0; + wait = kzalloc(sizeof(*wait), GFP_KERNEL); + if (!wait) + return -ENOMEM; + + init_completion(&wait->completion); + rcu_read_lock(); sta = ieee80211_find_sta(vif, vif->cfg.ap_addr); if (!sta) { @@ -3951,6 +3952,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } + wait->skb = skb; + hdr = (struct ieee80211_hdr *)skb->data; if (ps) hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM); @@ -3961,7 +3964,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } - ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true); + ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true, + wait); if (ret) { rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret); dev_kfree_skb_any(skb); @@ -3970,10 +3974,11 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt rcu_read_unlock(); - return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, qsel, + return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, wait, qsel, timeout); out: rcu_read_unlock(); + kfree(wait); return ret; } diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h index d15fa70eb4dc..928c8c84c964 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -7476,7 +7476,8 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, struct sk_buff *skb, bool fwdl); void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel); int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *skb, - int qsel, unsigned int timeout); + struct rtw89_tx_wait_info *wait, int qsel, + unsigned int timeout); void rtw89_core_fill_txdesc(struct rtw89_dev *rtwdev, struct rtw89_tx_desc_info *desc_info, void *txdesc); diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index 8dd91d867ea6..0ee5f8579447 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -1494,7 +1494,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, struct pci_dev *pdev = rtwpci->pdev; struct sk_buff *skb = tx_req->skb; struct rtw89_pci_tx_data *tx_data = RTW89_PCI_TX_SKB_CB(skb); - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); bool en_wd_info = desc_info->en_wd_info; u32 txwd_len; u32 txwp_len; @@ -1510,7 +1509,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, } tx_data->dma = dma; - rcu_assign_pointer(skb_data->wait, NULL); txwp_len = sizeof(*txwp_info); txwd_len = chip->txwd_body_size; -- 2.51.0

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mptcp: propagate shutdown to subflows when possible" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f755be0b1ff429a2ecf709beeb1bcd7abc111c2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092143-detonator-snowcap-57d7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f755be0b1ff429a2ecf709beeb1bcd7abc111c2b Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:50 +0200 Subject: [PATCH] mptcp: propagate shutdown to subflows when possible When the MPTCP DATA FIN have been ACKed, there is no more MPTCP related metadata to exchange, and all subflows can be safely shutdown. Before this patch, the subflows were actually terminated at 'close()' time. That's certainly fine most of the time, but not when the userspace 'shutdown()' a connection, without close()ing it. When doing so, the subflows were staying in LAST_ACK state on one side -- and consequently in FIN_WAIT2 on the other side -- until the 'close()' of the MPTCP socket. Now, when the DATA FIN have been ACKed, all subflows are shutdown. A consequence of this is that the TCP 'FIN' flag can be set earlier now, but the end result is the same. This affects the packetdrill tests looking at the end of the MPTCP connections, but for a good reason. Note that tcp_shutdown() will check the subflow state, so no need to do that again before calling it. Fixes: 3721b9b64676 ("mptcp: Track received DATA_FIN sequence number and add related helpers") Cc: stable(a)vger.kernel.org Fixes: 16a9a9da1723 ("mptcp: Add helper to process acks of DATA_FIN") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-1-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e6fd97b21e9e..5e497a83e967 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -371,6 +371,20 @@ static void mptcp_close_wake_up(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); } +static void mptcp_shutdown_subflows(struct mptcp_sock *msk) +{ + struct mptcp_subflow_context *subflow; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + bool slow; + + slow = lock_sock_fast(ssk); + tcp_shutdown(ssk, SEND_SHUTDOWN); + unlock_sock_fast(ssk, slow); + } +} + /* called under the msk socket lock */ static bool mptcp_pending_data_fin_ack(struct sock *sk) { @@ -395,6 +409,7 @@ static void mptcp_check_data_fin_ack(struct sock *sk) break; case TCP_CLOSING: case TCP_LAST_ACK: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; } @@ -563,6 +578,7 @@ static bool mptcp_check_data_fin(struct sock *sk) mptcp_set_state(sk, TCP_CLOSING); break; case TCP_FIN_WAIT2: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; default:

1 month, 2 weeks

2
1
0 0

WTF: patch "[PATCH] LoongArch: Replace sprintf() with sysfs_emit()" was seriously submitted to be applied to the 6.16-stable tree?

by gregkh＠linuxfoundation.org

The patch below was submitted to be applied to the 6.16-stable tree. I fail to see how this patch meets the stable kernel rules as found at Documentation/process/stable-kernel-rules.rst. I could be totally wrong, and if so, please respond to <stable(a)vger.kernel.org> and let me know why this patch should be applied. Otherwise, it is now dropped from my patch queues, never to be seen again. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d6d69f0edde63b553345d4efaceb7daed89fe04c Mon Sep 17 00:00:00 2001 From: Tao Cui <cuitao(a)kylinos.cn> Date: Thu, 18 Sep 2025 19:44:04 +0800 Subject: [PATCH] LoongArch: Replace sprintf() with sysfs_emit() As Documentation/filesystems/sysfs.rst suggested, show() should only use sysfs_emit() or sysfs_emit_at() when formatting the value to be returned to user space. No functional change intended. Cc: stable(a)vger.kernel.org Signed-off-by: Tao Cui <cuitao(a)kylinos.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> diff --git a/arch/loongarch/kernel/env.c b/arch/loongarch/kernel/env.c index be309a71f204..23bd5ae2212c 100644 --- a/arch/loongarch/kernel/env.c +++ b/arch/loongarch/kernel/env.c @@ -86,7 +86,7 @@ late_initcall(fdt_cpu_clk_init); static ssize_t boardinfo_show(struct kobject *kobj, struct kobj_attribute *attr, char *buf) { - return sprintf(buf, + return sysfs_emit(buf, "BIOS Information\n" "Vendor\t\t\t: %s\n" "Version\t\t\t: %s\n"

1 month, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] mptcp: propagate shutdown to subflows when possible" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f755be0b1ff429a2ecf709beeb1bcd7abc111c2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092142-stingily-broadside-f761@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f755be0b1ff429a2ecf709beeb1bcd7abc111c2b Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:50 +0200 Subject: [PATCH] mptcp: propagate shutdown to subflows when possible When the MPTCP DATA FIN have been ACKed, there is no more MPTCP related metadata to exchange, and all subflows can be safely shutdown. Before this patch, the subflows were actually terminated at 'close()' time. That's certainly fine most of the time, but not when the userspace 'shutdown()' a connection, without close()ing it. When doing so, the subflows were staying in LAST_ACK state on one side -- and consequently in FIN_WAIT2 on the other side -- until the 'close()' of the MPTCP socket. Now, when the DATA FIN have been ACKed, all subflows are shutdown. A consequence of this is that the TCP 'FIN' flag can be set earlier now, but the end result is the same. This affects the packetdrill tests looking at the end of the MPTCP connections, but for a good reason. Note that tcp_shutdown() will check the subflow state, so no need to do that again before calling it. Fixes: 3721b9b64676 ("mptcp: Track received DATA_FIN sequence number and add related helpers") Cc: stable(a)vger.kernel.org Fixes: 16a9a9da1723 ("mptcp: Add helper to process acks of DATA_FIN") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-1-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e6fd97b21e9e..5e497a83e967 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -371,6 +371,20 @@ static void mptcp_close_wake_up(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); } +static void mptcp_shutdown_subflows(struct mptcp_sock *msk) +{ + struct mptcp_subflow_context *subflow; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + bool slow; + + slow = lock_sock_fast(ssk); + tcp_shutdown(ssk, SEND_SHUTDOWN); + unlock_sock_fast(ssk, slow); + } +} + /* called under the msk socket lock */ static bool mptcp_pending_data_fin_ack(struct sock *sk) { @@ -395,6 +409,7 @@ static void mptcp_check_data_fin_ack(struct sock *sk) break; case TCP_CLOSING: case TCP_LAST_ACK: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; } @@ -563,6 +578,7 @@ static bool mptcp_check_data_fin(struct sock *sk) mptcp_set_state(sk, TCP_CLOSING); break; case TCP_FIN_WAIT2: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; default:

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] selftests: mptcp: connect: catch IO errors on listen side" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 14e22b43df25dbd4301351b882486ea38892ae4f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092157-mullets-tweed-dee4@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 14e22b43df25dbd4301351b882486ea38892ae4f Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:51 +0200 Subject: [PATCH] selftests: mptcp: connect: catch IO errors on listen side IO errors were correctly printed to stderr, and propagated up to the main loop for the server side, but the returned value was ignored. As a consequence, the program for the listener side was no longer exiting with an error code in case of IO issues. Because of that, some issues might not have been seen. But very likely, most issues either had an effect on the client side, or the file transfer was not the expected one, e.g. the connection got reset before the end. Still, it is better to fix this. The main consequence of this issue is the error that was reported by the selftests: the received and sent files were different, and the MIB counters were not printed. Also, when such errors happened during the 'disconnect' tests, the program tried to continue until the timeout. Now when an IO error is detected, the program exits directly with an error. Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-2-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/tools/testing/selftests/net/mptcp/mptcp_connect.c b/tools/testing/selftests/net/mptcp/mptcp_connect.c index 4f07ac9fa207..1408698df099 100644 --- a/tools/testing/selftests/net/mptcp/mptcp_connect.c +++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c @@ -1093,6 +1093,7 @@ int main_loop_s(int listensock) struct pollfd polls; socklen_t salen; int remotesock; + int err = 0; int fd = 0; again: @@ -1125,7 +1126,7 @@ int main_loop_s(int listensock) SOCK_TEST_TCPULP(remotesock, 0); memset(&winfo, 0, sizeof(winfo)); - copyfd_io(fd, remotesock, 1, true, &winfo); + err = copyfd_io(fd, remotesock, 1, true, &winfo); } else { perror("accept"); return 1; @@ -1134,10 +1135,10 @@ int main_loop_s(int listensock) if (cfg_input) close(fd); - if (--cfg_repeat > 0) + if (!err && --cfg_repeat > 0) goto again; - return 0; + return err; } static void init_rng(void)

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 225d1ee0f5ba3218d1814d36564fdb5f37b50474 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092125-thigh-immerse-6abd@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 225d1ee0f5ba3218d1814d36564fdb5f37b50474 Mon Sep 17 00:00:00 2001 From: Antheas Kapenekakis <lkml(a)antheas.dev> Date: Tue, 16 Sep 2025 09:28:18 +0200 Subject: [PATCH] platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It turns out that the dual screen models use 0x5E for attaching and detaching the keyboard instead of 0x5F. So, re-add the codes by reverting commit cf3940ac737d ("platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk"). For our future reference, add a comment next to 0x5E indicating that it is used for that purpose. Fixes: cf3940ac737d ("platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk") Reported-by: Rahul Chandra <rahul(a)chandra.net> Closes: https://lore.kernel.org/all/10020-68c90c80-d-4ac6c580@106290038/ Cc: stable(a)kernel.org Signed-off-by: Antheas Kapenekakis <lkml(a)antheas.dev> Link: https://patch.msgid.link/20250916072818.196462-1-lkml@antheas.dev Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c index 3a488cf9ca06..6a62bc5b02fd 100644 --- a/drivers/platform/x86/asus-nb-wmi.c +++ b/drivers/platform/x86/asus-nb-wmi.c @@ -673,6 +673,8 @@ static void asus_nb_wmi_key_filter(struct asus_wmi_driver *asus_wmi, int *code, if (atkbd_reports_vol_keys) *code = ASUS_WMI_KEY_IGNORE; break; + case 0x5D: /* Wireless console Toggle */ + case 0x5E: /* Wireless console Enable / Keyboard Attach, Detach */ case 0x5F: /* Wireless console Disable / Special Key */ if (quirks->key_wlan_event) *code = quirks->key_wlan_event;

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] mptcp: propagate shutdown to subflows when possible" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f755be0b1ff429a2ecf709beeb1bcd7abc111c2b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092141-slashing-postal-be15@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f755be0b1ff429a2ecf709beeb1bcd7abc111c2b Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Fri, 12 Sep 2025 14:25:50 +0200 Subject: [PATCH] mptcp: propagate shutdown to subflows when possible When the MPTCP DATA FIN have been ACKed, there is no more MPTCP related metadata to exchange, and all subflows can be safely shutdown. Before this patch, the subflows were actually terminated at 'close()' time. That's certainly fine most of the time, but not when the userspace 'shutdown()' a connection, without close()ing it. When doing so, the subflows were staying in LAST_ACK state on one side -- and consequently in FIN_WAIT2 on the other side -- until the 'close()' of the MPTCP socket. Now, when the DATA FIN have been ACKed, all subflows are shutdown. A consequence of this is that the TCP 'FIN' flag can be set earlier now, but the end result is the same. This affects the packetdrill tests looking at the end of the MPTCP connections, but for a good reason. Note that tcp_shutdown() will check the subflow state, so no need to do that again before calling it. Fixes: 3721b9b64676 ("mptcp: Track received DATA_FIN sequence number and add related helpers") Cc: stable(a)vger.kernel.org Fixes: 16a9a9da1723 ("mptcp: Add helper to process acks of DATA_FIN") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Reviewed-by: Geliang Tang <geliang(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-fix-sft-connect-v1-1-d40e77cbbf… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index e6fd97b21e9e..5e497a83e967 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -371,6 +371,20 @@ static void mptcp_close_wake_up(struct sock *sk) sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); } +static void mptcp_shutdown_subflows(struct mptcp_sock *msk) +{ + struct mptcp_subflow_context *subflow; + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); + bool slow; + + slow = lock_sock_fast(ssk); + tcp_shutdown(ssk, SEND_SHUTDOWN); + unlock_sock_fast(ssk, slow); + } +} + /* called under the msk socket lock */ static bool mptcp_pending_data_fin_ack(struct sock *sk) { @@ -395,6 +409,7 @@ static void mptcp_check_data_fin_ack(struct sock *sk) break; case TCP_CLOSING: case TCP_LAST_ACK: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; } @@ -563,6 +578,7 @@ static bool mptcp_check_data_fin(struct sock *sk) mptcp_set_state(sk, TCP_CLOSING); break; case TCP_FIN_WAIT2: + mptcp_shutdown_subflows(msk); mptcp_set_state(sk, TCP_CLOSE); break; default:

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x d02e48830e3fce9701265f6c5a58d9bdaf906a76 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092122-popper-small-d970@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d02e48830e3fce9701265f6c5a58d9bdaf906a76 Mon Sep 17 00:00:00 2001 From: "Maciej S. Szmigiero" <maciej.szmigiero(a)oracle.com> Date: Mon, 25 Aug 2025 18:44:28 +0200 Subject: [PATCH] KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Commit 3bbf3565f48c ("svm: Do not intercept CR8 when enable AVIC") inhibited pre-VMRUN sync of TPR from LAPIC into VMCB::V_TPR in sync_lapic_to_cr8() when AVIC is active. AVIC does automatically sync between these two fields, however it does so only on explicit guest writes to one of these fields, not on a bare VMRUN. This meant that when AVIC is enabled host changes to TPR in the LAPIC state might not get automatically copied into the V_TPR field of VMCB. This is especially true when it is the userspace setting LAPIC state via KVM_SET_LAPIC ioctl() since userspace does not have access to the guest VMCB. Practice shows that it is the V_TPR that is actually used by the AVIC to decide whether to issue pending interrupts to the CPU (not TPR in TASKPRI), so any leftover value in V_TPR will cause serious interrupt delivery issues in the guest when AVIC is enabled. Fix this issue by doing pre-VMRUN TPR sync from LAPIC into VMCB::V_TPR even when AVIC is enabled. Fixes: 3bbf3565f48c ("svm: Do not intercept CR8 when enable AVIC") Cc: stable(a)vger.kernel.org Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> Reviewed-by: Naveen N Rao (AMD) <naveen(a)kernel.org> Link: https://lore.kernel.org/r/c231be64280b1461e854e1ce3595d70cde3a2e9d.17561396… [sean: tag for stable@] Signed-off-by: Sean Christopherson <seanjc(a)google.com> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index d9931c6c4bc6..1bfebe40854f 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -4046,8 +4046,7 @@ static inline void sync_lapic_to_cr8(struct kvm_vcpu *vcpu) struct vcpu_svm *svm = to_svm(vcpu); u64 cr8; - if (nested_svm_virtualize_tpr(vcpu) || - kvm_vcpu_apicv_active(vcpu)) + if (nested_svm_virtualize_tpr(vcpu)) return; cr8 = kvm_get_cr8(vcpu);

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] net: rfkill: gpio: Fix crash due to dereferencering" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x b6f56a44e4c1014b08859dcf04ed246500e310e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092157-imagines-darkroom-e5c5@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6f56a44e4c1014b08859dcf04ed246500e310e5 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hansg(a)kernel.org> Date: Sat, 13 Sep 2025 13:35:15 +0200 Subject: [PATCH] net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_data; and there is no "type" property so device_property_read_string() will fail and leave type_name uninitialized, leading to a potential crash. rfkill_find_type() does accept a NULL pointer, fix the potential crash by initializing type_name to NULL. Note likely sofar this has not been caught because: 1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device 2. The stack happened to contain NULL where type_name is stored Fixes: 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") Cc: stable(a)vger.kernel.org Cc: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://patch.msgid.link/20250913113515.21698-1-hansg@kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c index 41e657e97761..cf2dcec6ce5a 100644 --- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -94,10 +94,10 @@ static const struct dmi_system_id rfkill_gpio_deny_table[] = { static int rfkill_gpio_probe(struct platform_device *pdev) { struct rfkill_gpio_data *rfkill; - struct gpio_desc *gpio; + const char *type_name = NULL; const char *name_property; const char *type_property; - const char *type_name; + struct gpio_desc *gpio; int ret; if (dmi_check_system(rfkill_gpio_deny_table))

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] net: rfkill: gpio: Fix crash due to dereferencering" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b6f56a44e4c1014b08859dcf04ed246500e310e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092156-postal-sappiness-e1ac@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6f56a44e4c1014b08859dcf04ed246500e310e5 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hansg(a)kernel.org> Date: Sat, 13 Sep 2025 13:35:15 +0200 Subject: [PATCH] net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_data; and there is no "type" property so device_property_read_string() will fail and leave type_name uninitialized, leading to a potential crash. rfkill_find_type() does accept a NULL pointer, fix the potential crash by initializing type_name to NULL. Note likely sofar this has not been caught because: 1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device 2. The stack happened to contain NULL where type_name is stored Fixes: 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") Cc: stable(a)vger.kernel.org Cc: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://patch.msgid.link/20250913113515.21698-1-hansg@kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c index 41e657e97761..cf2dcec6ce5a 100644 --- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -94,10 +94,10 @@ static const struct dmi_system_id rfkill_gpio_deny_table[] = { static int rfkill_gpio_probe(struct platform_device *pdev) { struct rfkill_gpio_data *rfkill; - struct gpio_desc *gpio; + const char *type_name = NULL; const char *name_property; const char *type_property; - const char *type_name; + struct gpio_desc *gpio; int ret; if (dmi_check_system(rfkill_gpio_deny_table))

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] net: rfkill: gpio: Fix crash due to dereferencering" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x b6f56a44e4c1014b08859dcf04ed246500e310e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092155-familiar-divisible-9535@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6f56a44e4c1014b08859dcf04ed246500e310e5 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hansg(a)kernel.org> Date: Sat, 13 Sep 2025 13:35:15 +0200 Subject: [PATCH] net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_data; and there is no "type" property so device_property_read_string() will fail and leave type_name uninitialized, leading to a potential crash. rfkill_find_type() does accept a NULL pointer, fix the potential crash by initializing type_name to NULL. Note likely sofar this has not been caught because: 1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device 2. The stack happened to contain NULL where type_name is stored Fixes: 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") Cc: stable(a)vger.kernel.org Cc: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://patch.msgid.link/20250913113515.21698-1-hansg@kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c index 41e657e97761..cf2dcec6ce5a 100644 --- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -94,10 +94,10 @@ static const struct dmi_system_id rfkill_gpio_deny_table[] = { static int rfkill_gpio_probe(struct platform_device *pdev) { struct rfkill_gpio_data *rfkill; - struct gpio_desc *gpio; + const char *type_name = NULL; const char *name_property; const char *type_property; - const char *type_name; + struct gpio_desc *gpio; int ret; if (dmi_check_system(rfkill_gpio_deny_table))

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] net: rfkill: gpio: Fix crash due to dereferencering" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x b6f56a44e4c1014b08859dcf04ed246500e310e5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092155-evacuate-condition-525e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b6f56a44e4c1014b08859dcf04ed246500e310e5 Mon Sep 17 00:00:00 2001 From: Hans de Goede <hansg(a)kernel.org> Date: Sat, 13 Sep 2025 13:35:15 +0200 Subject: [PATCH] net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") rfkill_find_type() gets called with the possibly uninitialized "const char *type_name;" local variable. On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752" acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_data; and there is no "type" property so device_property_read_string() will fail and leave type_name uninitialized, leading to a potential crash. rfkill_find_type() does accept a NULL pointer, fix the potential crash by initializing type_name to NULL. Note likely sofar this has not been caught because: 1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device 2. The stack happened to contain NULL where type_name is stored Fixes: 7d5e9737efda ("net: rfkill: gpio: get the name and type from device property") Cc: stable(a)vger.kernel.org Cc: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Signed-off-by: Hans de Goede <hansg(a)kernel.org> Reviewed-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> Link: https://patch.msgid.link/20250913113515.21698-1-hansg@kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c index 41e657e97761..cf2dcec6ce5a 100644 --- a/net/rfkill/rfkill-gpio.c +++ b/net/rfkill/rfkill-gpio.c @@ -94,10 +94,10 @@ static const struct dmi_system_id rfkill_gpio_deny_table[] = { static int rfkill_gpio_probe(struct platform_device *pdev) { struct rfkill_gpio_data *rfkill; - struct gpio_desc *gpio; + const char *type_name = NULL; const char *name_property; const char *type_property; - const char *type_name; + struct gpio_desc *gpio; int ret; if (dmi_check_system(rfkill_gpio_deny_table))

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 7f830e126dc357fc086905ce9730140fd4528d66 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092125-resurface-hypertext-5ca5@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f830e126dc357fc086905ce9730140fd4528d66 Mon Sep 17 00:00:00 2001 From: Tom Lendacky <thomas.lendacky(a)amd.com> Date: Mon, 15 Sep 2025 11:04:12 -0500 Subject: [PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT The sev_evict_cache() is guest-related code and should be guarded by CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV. CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub function of sev_evict_cache() instead of the version that performs the actual eviction. Move the function declarations under the appropriate #ifdef. Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation") Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)kernel.org # 6.16.x Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.17577089… diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index 02236962fdb1..465b19fd1a2d 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -562,6 +562,24 @@ enum es_result sev_es_ghcb_hv_call(struct ghcb *ghcb, extern struct ghcb *boot_ghcb; +static inline void sev_evict_cache(void *va, int npages) +{ + volatile u8 val __always_unused; + u8 *bytes = va; + int page_idx; + + /* + * For SEV guests, a read from the first/last cache-lines of a 4K page + * using the guest key is sufficient to cause a flush of all cache-lines + * associated with that 4K page without incurring all the overhead of a + * full CLFLUSH sequence. + */ + for (page_idx = 0; page_idx < npages; page_idx++) { + val = bytes[page_idx * PAGE_SIZE]; + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; + } +} + #else /* !CONFIG_AMD_MEM_ENCRYPT */ #define snp_vmpl 0 @@ -605,6 +623,7 @@ static inline int snp_send_guest_request(struct snp_msg_desc *mdesc, static inline int snp_svsm_vtpm_send_command(u8 *buffer) { return -ENODEV; } static inline void __init snp_secure_tsc_prepare(void) { } static inline void __init snp_secure_tsc_init(void) { } +static inline void sev_evict_cache(void *va, int npages) {} #endif /* CONFIG_AMD_MEM_ENCRYPT */ @@ -619,24 +638,6 @@ int rmp_make_shared(u64 pfn, enum pg_level level); void snp_leak_pages(u64 pfn, unsigned int npages); void kdump_sev_callback(void); void snp_fixup_e820_tables(void); - -static inline void sev_evict_cache(void *va, int npages) -{ - volatile u8 val __always_unused; - u8 *bytes = va; - int page_idx; - - /* - * For SEV guests, a read from the first/last cache-lines of a 4K page - * using the guest key is sufficient to cause a flush of all cache-lines - * associated with that 4K page without incurring all the overhead of a - * full CLFLUSH sequence. - */ - for (page_idx = 0; page_idx < npages; page_idx++) { - val = bytes[page_idx * PAGE_SIZE]; - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; - } -} #else static inline bool snp_probe_rmptable_info(void) { return false; } static inline int snp_rmptable_init(void) { return -ENOSYS; } @@ -652,7 +653,6 @@ static inline int rmp_make_shared(u64 pfn, enum pg_level level) { return -ENODEV static inline void snp_leak_pages(u64 pfn, unsigned int npages) {} static inline void kdump_sev_callback(void) { } static inline void snp_fixup_e820_tables(void) {} -static inline void sev_evict_cache(void *va, int npages) {} #endif #endif

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 68f27f7c7708183e7873c585ded2f1b057ac5b97 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092104-booting-overstate-c9cf@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 68f27f7c7708183e7873c585ded2f1b057ac5b97 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Thu, 4 Sep 2025 12:18:50 +0200 Subject: [PATCH] ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed If earlier opening of source graph fails (e.g. ADSP rejects due to incorrect audioreach topology), the graph is closed and "dai_data->graph[dai->id]" is assigned NULL. Preparing the DAI for sink graph continues though and next call to q6apm_lpass_dai_prepare() receives dai_data->graph[dai->id]=NULL leading to NULL pointer exception: qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1 q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78 q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22 Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8 ... Call trace: q6apm_graph_media_format_pcm+0x48/0x120 (P) q6apm_lpass_dai_prepare+0x110/0x1b4 snd_soc_pcm_dai_prepare+0x74/0x108 __soc_pcm_prepare+0x44/0x160 dpcm_be_dai_prepare+0x124/0x1c0 Fixes: 30ad723b93ad ("ASoC: qdsp6: audioreach: add q6apm lpass dai support") Cc: stable(a)vger.kernel.org Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> Message-ID: <20250904101849.121503-2-krzysztof.kozlowski(a)linaro.org> Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c index a0d90462fd6a..20974f10406b 100644 --- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c +++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c @@ -213,8 +213,10 @@ static int q6apm_lpass_dai_prepare(struct snd_pcm_substream *substream, struct s return 0; err: - q6apm_graph_close(dai_data->graph[dai->id]); - dai_data->graph[dai->id] = NULL; + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { + q6apm_graph_close(dai_data->graph[dai->id]); + dai_data->graph[dai->id] = NULL; + } return rc; }

1 month, 2 weeks

2
3
0 0

FAILED: patch "[PATCH] btrfs: tree-checker: fix the incorrect inode ref size check" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 96fa515e70f3e4b98685ef8cac9d737fc62f10e1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092135-stinky-correct-5051@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 96fa515e70f3e4b98685ef8cac9d737fc62f10e1 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Tue, 16 Sep 2025 07:54:06 +0930 Subject: [PATCH] btrfs: tree-checker: fix the incorrect inode ref size check [BUG] Inside check_inode_ref(), we need to make sure every structure, including the btrfs_inode_extref header, is covered by the item. But our code is incorrectly using "sizeof(iref)", where @iref is just a pointer. This means "sizeof(iref)" will always be "sizeof(void *)", which is much smaller than "sizeof(struct btrfs_inode_extref)". This will allow some bad inode extrefs to sneak in, defeating tree-checker. [FIX] Fix the typo by calling "sizeof(*iref)", which is the same as "sizeof(struct btrfs_inode_extref)", and will be the correct behavior we want. Fixes: 71bf92a9b877 ("btrfs: tree-checker: Add check for INODE_REF") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c index 0f556f4de3f9..a997c7cc35a2 100644 --- a/fs/btrfs/tree-checker.c +++ b/fs/btrfs/tree-checker.c @@ -1756,10 +1756,10 @@ static int check_inode_ref(struct extent_buffer *leaf, while (ptr < end) { u16 namelen; - if (unlikely(ptr + sizeof(iref) > end)) { + if (unlikely(ptr + sizeof(*iref) > end)) { inode_ref_err(leaf, slot, "inode ref overflow, ptr %lu end %lu inode_ref_size %zu", - ptr, end, sizeof(iref)); + ptr, end, sizeof(*iref)); return -EUCLEAN; }

1 month, 2 weeks

2
1
0 0

[PATCH v2 1/9] btrfs: fix the incorrect @max_bytes value for find_lock_delalloc_range()

by Qu Wenruo

[BUG] With my local branch to enable bs > ps support for btrfs, sometimes I hit the following ASSERT() inside submit_one_sector(): ASSERT(block_start != EXTENT_MAP_HOLE); Please note that it's not yet possible to hit this ASSERT() in the wild yet, as it requires btrfs bs > ps support, which is not even in the development branch. But on the other hand, there is also a very low chance to hit above ASSERT() with bs < ps cases, so this is an existing bug affect not only the incoming bs > ps support but also the existing bs < ps support. [CAUSE] Firstly that ASSERT() means we're trying to submit a dirty block but without a real extent map nor ordered extent map backing it. Furthermore with extra debugging, the folio triggering such ASSERT() is always larger than the fs block size in my bs > ps case. (8K block size, 4K page size) After some more debugging, the ASSERT() is trigger by the following sequence: extent_writepage() | We got a 32K folio (4 fs blocks) at file offset 0, and the fs block | size is 8K, page size is 4K. | And there is another 8K folio at file offset 32K, which is also | dirty. | So the filemap layout looks like the following: | | "||" is the filio boundary in the filemap. | "//| is the dirty range. | | 0 8K 16K 24K 32K 40K | |////////| |//////////////////////||////////| | |- writepage_delalloc() | |- find_lock_delalloc_range() for [0, 8K) | | Now range [0, 8K) is properly locked. | | | |- find_lock_delalloc_range() for [16K, 40K) | | |- btrfs_find_delalloc_range() returned range [0, 8K) | | |- lock_delalloc_folios() succeeded. | | | | | | The filemap range [32K, 40K) got dropped from filemap. | | | | | |- lock_delalloc_folios() failed with -EAGAIN. | | | As it failed to lock the folio at [32K, 40K). | | | | | |- loops = 1; | | |- max_bytes = PAGE_SIZE; | | |- goto again; | | | This will re-do the lookup for dirty delalloc ranges. | | | | | |- btrfs_find_delalloc_range() called with @max_bytes == 4K | | | This is smaller than block size, so | | | btrfs_find_delalloc_range() is unable to return any range. | | \- return false; | | | \- Now only range [0, 8K) has an OE for it, but for dirty range | [16K, 32K) it's dirty without an OE. | This breaks the assumption that writepage_delalloc() will find | and lock all dirty ranges inside the folio. | |- extent_writepage_io() |- submit_one_sector() for [0, 8K) | Succeeded | |- submit_one_sector() for [16K, 24K) Triggering the ASSERT(), as there is no OE, and the original extent map is a hole. Please note that, this also exposed the same problem for bs < ps support. E.g. with 64K page size and 4K block size. If we failed to lock a folio, and falls back into the "loops = 1;" branch, we will re-do the search using 64K as max_bytes. Which may fail again to lock the next folio, and exit early without handling all dirty blocks inside the folio. [FIX] Instead of using the fixed size PAGE_SIZE as @max_bytes, use @sectorsize, so that we are ensured to find and lock any remaining blocks inside the folio. And since we're here, add an extra ASSERT() to before calling btrfs_find_delalloc_range() to make sure the @max_bytes is at least no smaller than a block to avoid false negative. Cc: stable(a)vger.kernel.org #5.15+ Signed-off-by: Qu Wenruo <wqu(a)suse.com> --- fs/btrfs/extent_io.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index ca7174fa0240..2fd82055a779 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -393,6 +393,13 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, /* step one, find a bunch of delalloc bytes starting at start */ delalloc_start = *start; delalloc_end = 0; + + /* + * If @max_bytes is smaller than a block, btrfs_find_delalloc_range() can + * return early without handling any dirty ranges. + */ + ASSERT(max_bytes >= fs_info->sectorsize); + found = btrfs_find_delalloc_range(tree, &delalloc_start, &delalloc_end, max_bytes, &cached_state); if (!found || delalloc_end <= *start || delalloc_start > orig_end) { @@ -423,13 +430,14 @@ noinline_for_stack bool find_lock_delalloc_range(struct inode *inode, delalloc_end); ASSERT(!ret || ret == -EAGAIN); if (ret == -EAGAIN) { - /* some of the folios are gone, lets avoid looping by - * shortening the size of the delalloc range we're searching + /* + * Some of the folios are gone, lets avoid looping by + * shortening the size of the delalloc range we're searching. */ btrfs_free_extent_state(cached_state); cached_state = NULL; if (!loops) { - max_bytes = PAGE_SIZE; + max_bytes = fs_info->sectorsize; loops = 1; goto again; } else { -- 2.50.1

1 month, 2 weeks

1
1
0 0

[merged mm-stable] mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/lru_sort: use param_ctx for damon_attrs staging has been removed from the -mm tree. Its filename was mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: mm/damon/lru_sort: use param_ctx for damon_attrs staging Date: Mon, 15 Sep 2025 20:15:49 -0700 damon_lru_sort_apply_parameters() allocates a new DAMON context, stages user-specified DAMON parameters on it, and commits to running DAMON context at once, using damon_commit_ctx(). The code is, however, directly updating the monitoring attributes of the running context. And the attributes are over-written by later damon_commit_ctx() call. This means that the monitoring attributes parameters are not really working. Fix the wrong use of the parameter context. Link: https://lkml.kernel.org/r/20250916031549.115326-1-sj@kernel.org Fixes: a30969436428 ("mm/damon/lru_sort: use damon_commit_ctx()") Signed-off-by: SeongJae Park <sj(a)kernel.org> Reviewed-by: Joshua Hahn <joshua.hahnjy(a)gmail.com> Cc: Joshua Hahn <joshua.hahnjy(a)gmail.com> Cc: <stable(a)vger.kernel.org> [6.11+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/lru_sort.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/damon/lru_sort.c~mm-damon-lru_sort-use-param_ctx-for-damon_attrs-staging +++ a/mm/damon/lru_sort.c @@ -219,7 +219,7 @@ static int damon_lru_sort_apply_paramete goto out; } - err = damon_set_attrs(ctx, &damon_lru_sort_mon_attrs); + err = damon_set_attrs(param_ctx, &damon_lru_sort_mon_attrs); if (err) goto out; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-sysfs-set-damon_ctx-min_sz_region-only-for-paddr-use-case.patch

1 month, 2 weeks

1
0
0 0

[PATCH] rtc: pcf2127: fix SPI command byte for PCF2131 backport

by Bruno Thomsen

When commit fa78e9b606a472495ef5b6b3d8b45c37f7727f9d upstream was backported to LTS branches linux-6.12.y and linux-6.6.y, the SPI regmap config fix got applied to the I2C regmap config. Most likely due to a new RTC get/set parm feature introduced in 6.14 causing regmap config sections in the buttom of the driver to move. LTS branch linux-6.1.y and earlier does not have PCF2131 device support. Issue can be seen in buttom of this diff in stable/linux.git tree: git diff master..linux-6.12.y -- drivers/rtc/rtc-pcf2127.c Fixes: ee61aec8529e ("rtc: pcf2127: fix SPI command byte for PCF2131") Fixes: 5cdd1f73401d ("rtc: pcf2127: fix SPI command byte for PCF2131") Cc: stable(a)vger.kernel.org Cc: Alexandre Belloni <alexandre.belloni(a)bootlin.com> Cc: Elena Popa <elena.popa(a)nxp.com> Cc: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Signed-off-by: Bruno Thomsen <bruno.thomsen(a)gmail.com> --- drivers/rtc/rtc-pcf2127.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/rtc/rtc-pcf2127.c b/drivers/rtc/rtc-pcf2127.c index fc079b9dcf71..502571f0c203 100644 --- a/drivers/rtc/rtc-pcf2127.c +++ b/drivers/rtc/rtc-pcf2127.c @@ -1383,11 +1383,6 @@ static int pcf2127_i2c_probe(struct i2c_client *client) variant = &pcf21xx_cfg[type]; } - if (variant->type == PCF2131) { - config.read_flag_mask = 0x0; - config.write_flag_mask = 0x0; - } - config.max_register = variant->max_register, regmap = devm_regmap_init(&client->dev, &pcf2127_i2c_regmap, @@ -1461,6 +1456,11 @@ static int pcf2127_spi_probe(struct spi_device *spi) variant = &pcf21xx_cfg[type]; } + if (variant->type == PCF2131) { + config.read_flag_mask = 0x0; + config.write_flag_mask = 0x0; + } + config.max_register = variant->max_register; regmap = devm_regmap_init_spi(spi, &config); base-commit: 880e4ff5d6c8dc6b660f163a0e9b68b898cc6310 -- 2.50.1

1 month, 2 weeks

3
3
0 0

[PATCH 0/7 5.10.y] Cherry pick of minmax.h commits from 5.15.y

by Eliav Farber

This series backports seven commits from v5.15.y that update minmax.h and related code: - ed6e37e30826 ("tracing: Define the is_signed_type() macro once") - 998f03984e25 ("minmax: sanity check constant bounds when clamping") - d470787b25e6 ("minmax: clamp more efficiently by avoiding extra comparison") - 1c2ee5bc9f11 ("minmax: fix header inclusions") - d53b5d862acd ("minmax: allow min()/max()/clamp() if the arguments have the same signedness.") - 7ed91c5560df ("minmax: allow comparisons of 'int' against 'unsigned char/short'") - 22f7794ef5a3 ("minmax: relax check to allow comparison between unsigned arguments and signed constants") The main motivation is commit d53b5d862acd, which removes the strict type check in min()/max() when both arguments have the same signedness. Without this, kernel 5.10 builds can emit warnings that become build failures when -Werror is used. Additionally, commit ed6e37e30826 from tracing is required as a dependency; without it, compilation fails. Andy Shevchenko (1): minmax: fix header inclusions Bart Van Assche (1): tracing: Define the is_signed_type() macro once David Laight (3): minmax: allow min()/max()/clamp() if the arguments have the same signedness. minmax: allow comparisons of 'int' against 'unsigned char/short' minmax: relax check to allow comparison between unsigned arguments and signed constants Jason A. Donenfeld (2): minmax: sanity check constant bounds when clamping minmax: clamp more efficiently by avoiding extra comparison include/linux/compiler.h | 6 +++ include/linux/minmax.h | 89 ++++++++++++++++++++++++++---------- include/linux/overflow.h | 1 - include/linux/trace_events.h | 2 - 4 files changed, 70 insertions(+), 28 deletions(-) -- 2.47.3

1 month, 2 weeks

4
9
0 0

[PATCH 6.1 000/198] 6.1.132-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.132 release. There are 198 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 27 Mar 2025 12:21:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.132-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.132-rc1 Acs, Jakub <acsjakub(a)amazon.de> block, bfq: fix re-introduced UAF in bic_set_bfqq() Zi Yan <ziy(a)nvidia.com> mm/migrate: fix shmem xarray update during migration Benjamin Berg <benjamin.berg(a)intel.com> wifi: iwlwifi: mvm: ensure offloading TID queue exists Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Change new sparse cluster processing Vitaly Prosyak <vitaly.prosyak(a)amd.com> drm/amdgpu: fix use-after-free bug Justin Klaassen <justin(a)tidylabs.net> arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S Yunfei Dong <yunfei.dong(a)mediatek.com> media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Fix coverity issue with unintentional integer overflow Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Use u64_stats_t for statistic. Arthur Mongodin <amongodin(a)randorisec.fr> mptcp: Fix data stream corruption in the address announcement Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Use HW lock mgr for PSR1 when only one eDP Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix incorrect validation for num_aces field of smb_acl David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix JPEG video caps max size for navi1x and raven Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() Saranya R <quic_sarar(a)quicinc.com> soc: qcom: pdr: Fix the potential deadlock Sven Eckelmann <sven(a)narfation.org> batman-adv: Ignore own maximum aggregation size during RX Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> xsk: fix an integer overflow in xp_create_and_assign_umem() Ard Biesheuvel <ardb(a)kernel.org> efi/libstub: Avoid physical address 0x0 when doing random allocation Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: shmobile: smp: Enforce shmobile_smp_* alignment Shakeel Butt <shakeel.butt(a)linux.dev> memcg: drain obj stock on cpu hotplug teardown Ye Bin <yebin10(a)huawei.com> proc: fix UAF in proc_get_inode() Gu Bowen <gubowen5(a)huawei.com> mmc: atmel-mci: Add missing clk_disable_unprepare() Kamal Dasu <kamal.dasu(a)broadcom.com> mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board dtsi Stefan Eichenberger <stefan.eichenberger(a)toradex.com> arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card Christian Eggers <ceggers(a)arri.de> regulator: check that dummy regulator has been probed before using it Maíra Canal <mcanal(a)igalia.com> drm/v3d: Don't run jobs that have errors flagged in its fence Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: disable transceiver during system PM Haibo Chen <haibo.chen(a)nxp.com> can: flexcan: only change CAN state when link up in system PM Biju Das <biju.das.jz(a)bp.renesas.com> can: rcar_canfd: Fix page entries in the AFL list Andreas Kemnade <andreas(a)kemnade.info> i2c: omap: fix IRQ storms Guillaume Nault <gnault(a)redhat.com> Revert "gre: Fix IPv6 link-local address generation." Lin Ma <linma(a)zju.edu.cn> net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES Justin Iurman <justin.iurman(a)uliege.be> net: lwtunnel: fix recursion loops Dan Carpenter <dan.carpenter(a)linaro.org> net: atm: fix use after free in lec_send() Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create(). Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). Dan Carpenter <dan.carpenter(a)linaro.org> Bluetooth: Fix error code in chan_alloc_skb_cb() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix wrong value of max_sge_rd Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix a missing rollback in error path of hns_roce_create_qp_common() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix soft lockup during bt pages loop Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: Don't mark timer regs unconfigured Arnd Bergmann <arnd(a)arndb.de> ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx Phil Elwell <phil(a)raspberrypi.com> ARM: dts: bcm2711: PL011 UARTs are actually r1p5 Peng Fan <peng.fan(a)nxp.com> soc: imx8m: Unregister cpufreq and soc dev in cleanup path Marek Vasut <marex(a)denx.de> soc: imx8m: Use devm_* to simplify probe failure handling Marek Vasut <marex(a)denx.de> soc: imx8m: Remove global soc_uid Cosmin Ratiu <cratiu(a)nvidia.com> xfrm_output: Force software GSO only in tunnel mode Alexander Stein <alexander.stein(a)ew.tq-group.com> arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> firmware: imx-scu: fix OF node leak in .probe() Paulo Alcantara <pc(a)manguebit.com> smb: client: fix potential UAF in cifs_dump_full_key() Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: Fix a C2HTermReq error message Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: disable Fn key handling on the Omoton KB066 Henrique Carvalho <henrique.carvalho(a)suse.com> smb: client: Fix match_session bug preventing session reuse Steve French <stfrench(a)microsoft.com> smb3: add support for IAKerb Zhenhua Huang <quic_zhenhuah(a)quicinc.com> arm64: mm: Populate vmemmap at the page level if not section aligned Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: sis630: Fix an error handling path in sis630_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali15x3: Fix an error handling path in ali15x3_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: ali1535: Fix an error handling path in ali1535_probe() Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing closetimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing actimeo mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acdirmax mount option Murad Masimov <m.masimov(a)mt-integration.ru> cifs: Fix integer overflow while processing acregmax mount option Tamir Duberstein <tamird(a)gmail.com> scripts: generate_rust_analyzer: add missing macros deps Martin Rodriguez Reboredo <yakoyoku(a)gmail.com> scripts: generate_rust_analyzer: provide `cfg`s for `core` and `alloc` Vinay Varma <varmavinaym(a)gmail.com> scripts: `make rust-analyzer` for out-of-tree modules Asahi Lina <lina(a)asahilina.net> scripts: generate_rust_analyzer: Handle sub-modules with no Makefile Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe() Ivan Abramov <i.abramov(a)mt-integration.ru> drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data() Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: ops: Consistently treat platform_max as control value George Stark <gnstark(a)salutedevices.com> leds: mlxreg: Use devm_mutex_init() for mutex initialization Xueming Feng <kuro(a)kuroa.me> tcp: fix forever orphan socket caused by tcp_abort Eric Dumazet <edumazet(a)google.com> tcp: fix races in tcp_abort() Andrii Nakryiko <andrii(a)kernel.org> lib/buildid: Handle memfd_secret() files in build_id_parse() Matthew Maurer <mmaurer(a)google.com> rust: Disallow BTF generation with Rust + LTO Haoxiang Li <haoxiang_li2024(a)163.com> qlcnic: fix memory leak issues in qlcnic_sriov_common.c Thomas Mizrahi <thomasmizra(a)gmail.com> ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model Varada Pavani <v.pavani(a)samsung.com> clk: samsung: update PLL locktime for PLL142XX used on FSD platform Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Fix slab-use-after-free on hdcp_work Alex Hung <alex.hung(a)amd.com> drm/amd/display: Assign normalized_pix_clk when color depth = 14 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Restore correct backlight brightness after a GPU reset Imre Deak <imre.deak(a)intel.com> drm/dp_mst: Fix locking when skipping CSN before topology probing Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Filter out redundant DPMS calls Florent Revest <revest(a)chromium.org> x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Johan Hovold <johan(a)kernel.org> USB: serial: option: match on interface class for Telit FN990B Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: fix Telit Cinterion FE990A name Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FE990B compositions Boon Khai Ng <boon.khai.ng(a)intel.com> USB: serial: ftdi_sio: add support for Altera USB Blaster 3 Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for more devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for several devices Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add required quirks for missing old boardnames Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ Darrick J. Wong <djwong(a)kernel.org> xfs: remove conditional building of rt geometry validator functions Andrey Albershteyn <aalbersh(a)redhat.com> xfs: reset XFS_ATTR_INCOMPLETE filter on node removal Zhang Tianci <zhangtianci.1997(a)bytedance.com> xfs: update dir3 leaf block metadata after swap Jiachen Zhang <zhangjiachen.jaycee(a)bytedance.com> xfs: ensure logflagsp is initialized in xfs_bmap_del_extent_real Long Li <leo.lilong(a)huawei.com> xfs: fix perag leak when growfs fails Long Li <leo.lilong(a)huawei.com> xfs: add lock protection when remove perag from radix tree Dave Chinner <dchinner(a)redhat.com> xfs: initialise di_crc in xfs_log_dinode Darrick J. Wong <djwong(a)kernel.org> xfs: force all buffers to be written during btree bulk load Darrick J. Wong <djwong(a)kernel.org> xfs: recompute growfsrtfree transaction reservation while growing rt volume Darrick J. Wong <djwong(a)kernel.org> xfs: remove unused fields from struct xbtree_ifakeroot Darrick J. Wong <djwong(a)kernel.org> xfs: don't allow overly small or large realtime volumes Darrick J. Wong <djwong(a)kernel.org> xfs: fix 32-bit truncation in xfs_compute_rextslog Darrick J. Wong <djwong(a)kernel.org> xfs: make rextslog computation consistent with mkfs Darrick J. Wong <djwong(a)kernel.org> xfs: don't leak recovered attri intent items Christoph Hellwig <hch(a)lst.de> xfs: consider minlen sized extents in xfs_rtallocate_extent_block Darrick J. Wong <djwong(a)kernel.org> xfs: convert rt bitmap extent lengths to xfs_rtbxlen_t Darrick J. Wong <djwong(a)kernel.org> xfs: move the xfs_rtbitmap.c declarations to xfs_rtbitmap.h Darrick J. Wong <djwong(a)kernel.org> xfs: reserve less log space when recovering log intent items Dave Chinner <dchinner(a)redhat.com> xfs: use deferred frees for btree block freeing Dave Chinner <dchinner(a)redhat.com> xfs: fix bounds check in xfs_defer_agfl_block() Dave Chinner <dchinner(a)redhat.com> xfs: validate block number being freed before adding to xefi Darrick J. Wong <djwong(a)kernel.org> xfs: pass per-ag references to xfs_free_extent Darrick J. Wong <djwong(a)kernel.org> xfs: pass the xfs_bmbt_irec directly through the log intent code Darrick J. Wong <djwong(a)kernel.org> xfs: fix confusing xfs_extent_item variable names Darrick J. Wong <djwong(a)kernel.org> xfs: pass xfs_extent_free_item directly through the log intent code Darrick J. Wong <djwong(a)kernel.org> xfs: pass refcount intent directly through the log intent code Pavel Begunkov <asml.silence(a)gmail.com> io_uring: fix corner case forgetting to vunmap Jens Axboe <axboe(a)kernel.dk> io_uring: don't attempt to mmap larger than what the user asks for Jens Axboe <axboe(a)kernel.dk> io_uring: get rid of remap_pfn_range() for mapping rings/sqes Jens Axboe <axboe(a)kernel.dk> mm: add nommu variant of vm_insert_pages() Jens Axboe <axboe(a)kernel.dk> io_uring: add ring freeing helper Jens Axboe <axboe(a)kernel.dk> io_uring: return error pointer from io_mem_alloc() Ming Lei <ming.lei(a)redhat.com> block: fix 'kmem_cache of name 'bio-108' already exists' Thomas Zimmermann <tzimmermann(a)suse.de> drm/nouveau: Do not override forced connector status Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: safety check before fallback Arnd Bergmann <arnd(a)arndb.de> x86/irq: Define trace events conditionally Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Use better start period for frequency mode Miklos Szeredi <mszeredi(a)redhat.com> fuse: don't truncate cached, mutated symlink Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Set the SDOUT polarity correctly Hector Martin <marcan(a)marcan.st> ASoC: tas2764: Fix power control mask Hector Martin <marcan(a)marcan.st> ASoC: tas2770: Fix volume scale Daniel Wagner <wagi(a)kernel.org> nvme: only allow entering LIVE from CONNECTING state Yu-Chun Lin <eleanor15x(a)gmail.com> sctp: Fix undefined behavior in left shift operation Ruozhu Li <david.li(a)jaguarmicro.com> nvmet-rdma: recheck queue state is LIVE in state lock in recv done Maurizio Lombardi <mlombard(a)redhat.com> nvme-tcp: add basic support for the C2HTermReq PDU Christopher Lentocha <christopherericlentocha(a)gmail.com> nvme-pci: quirk Acer FA100 for non-uniqueue identifiers Stephan Gerhold <stephan.gerhold(a)linaro.org> net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors Terry Cheong <htcheong(a)chromium.org> ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module Vitaly Rodionov <vitalyr(a)opensource.cirrus.com> ASoC: arizona/madera: use fsleep() in up/down DAPM event delays. Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: adjust convert rate limitation Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime() Edson Juliano Drosdeck <edson.drosdeck(a)gmail.com> ALSA: hda/realtek: Limit mic boost on Positivo ARN50 Jan Beulich <jbeulich(a)suse.com> Xen/swiotlb: mark xen_swiotlb_fixup() __init Daniel Lezcano <daniel.lezcano(a)linaro.org> thermal/cpufreq_cooling: Remove structure member documentation Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/cio: Fix CHPID "configure" attribute caching Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles Sybil Isabel Dorsett <sybdorsett(a)proton.me> platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e Jann Horn <jannh(a)google.com> sched: Clarify wake_up_q()'s write to task->wake_q.next Alex Henrie <alexhenrie24(a)gmail.com> HID: apple: fix up the F6 key on the Omoton KB066 keyboard Ievgen Vovk <YevgenVovk(a)ukr.net> HID: hid-apple: Apple Magic Keyboard a3203 USB-C support Chia-Lin Kao (AceLan) <acelan.kao(a)canonical.com> HID: ignore non-functional sensor in HP 5MP Camera Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: Send clock sync message immediately after reset Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell Brahmajit Das <brahmajit.xyz(a)gmail.com> vboxsf: fix building with GCC 15 Eric W. Biederman <ebiederm(a)xmission.com> alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support Paulo Alcantara <pc(a)manguebit.com> smb: client: fix noisy when tree connecting to DFS interlink targets Gannon Kolding <gannon.kolding(a)gmail.com> ACPI: resource: IRQ override for Eluktronics MECH-17 Magnus Lindholm <linmag7(a)gmail.com> scsi: qla1280: Fix kernel oops when debug level > 2 Rik van Riel <riel(a)surriel.com> scsi: core: Use GFP_NOIO to avoid circular locking dependency Chengen Du <chengen.du(a)canonical.com> iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> powercap: call put_device() on an error path in powercap_register_control_type() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> hrtimers: Mark is_migration_base() with __always_inline Daniel Wagner <wagi(a)kernel.org> nvme-fc: go straight to connecting state when initializing Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices Jianbo Liu <jianbol(a)nvidia.com> net/mlx5: Bridge, fix the crash caused by LAG state check Ilya Maximets <i.maximets(a)ovn.org> net: openvswitch: remove misbehaving actions length check Guillaume Nault <gnault(a)redhat.com> gre: Fix IPv6 link-local address generation. Alexey Kashavkin <akashavkin(a)gmail.com> netfilter: nft_exthdr: fix offset with ipv4_find_option() Cong Wang <xiyou.wangcong(a)gmail.com> net_sched: Prevent creation of classes with TC_H_ROOT Dan Carpenter <dan.carpenter(a)linaro.org> ipvs: prevent integer overflow in do_ip_vs_get_ctl() Kohei Enju <enjuk(a)amazon.com> netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Hangbin Liu <liuhangbin(a)gmail.com> bonding: fix incorrect MAC address setting to receive NS messages Amit Cohen <amcohen(a)nvidia.com> net: switchdev: Convert blocking notification chain to a raw one Taehee Yoo <ap420073(a)gmail.com> eth: bnxt: do not update checksum in bnxt_xdp_build_skb() Wentao Liang <vulab(a)iscas.ac.cn> net/mlx5: handle errors in mlx5_chains_create_table() Michael Kelley <mhklinux(a)outlook.com> Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio() Michael Kelley <mhklinux(a)outlook.com> drm/hyperv: Fix address space leak when Hyper-V DRM device is removed Breno Leitao <leitao(a)debian.org> netpoll: hold rcu read lock in __netpoll_send_skb() Matt Johnston <matt(a)codeconstruct.com.au> net: mctp i2c: Copy headers if cloned Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Verify after ATU Load ops Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Revert "Bluetooth: hci_core: Fix sleeping function called from invalid context" Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix enabling passive scanning Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: cfg80211: cancel wiphy_work before freeing wiphy Jun Yang <juny24602(a)gmail.com> sched: address a potential NULL pointer dereference in the GRED scheduler. Nicklas Bo Jensen <njensen(a)akamai.com> netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Grzegorz Nitka <grzegorz.nitka(a)intel.com> ice: fix memory leak in aRFS after reset Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. Artur Weber <aweber.kernel(a)gmail.com> pinctrl: bcm281xx: Fix incorrect regmap max_registers value Michael Kelley <mhklinux(a)outlook.com> fbdev: hyperv_fb: iounmap() the correct memory when removing a device Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super Felix Moessbauer <felix.moessbauer(a)siemens.com> hrtimer: Use and report correct timerslack values for realtime tasks Oleg Nesterov <oleg(a)redhat.com> sched/isolation: Prevent boot crash when the boot CPU is nohz_full David Woodhouse <dwmw(a)amazon.co.uk> clockevents/drivers/i8253: Fix stop sequence for timer 0 ------------- Diffstat: Documentation/timers/no_hz.rst | 7 +- Makefile | 15 +- arch/alpha/include/asm/elf.h | 6 +- arch/alpha/include/asm/pgtable.h | 2 +- arch/alpha/include/asm/processor.h | 8 +- arch/alpha/kernel/osf_sys.c | 11 +- arch/arm/boot/dts/bcm2711.dtsi | 11 +- arch/arm/mach-omap1/Kconfig | 1 + arch/arm/mach-shmobile/headsmp.S | 1 + .../boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 +- .../arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 16 +- arch/arm64/boot/dts/rockchip/rk3399-nanopi-r4s.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 2 + arch/arm64/mm/mmu.c | 5 +- arch/x86/events/intel/core.c | 85 ++++++++++ arch/x86/kernel/cpu/microcode/amd.c | 2 +- arch/x86/kernel/cpu/mshyperv.c | 11 -- arch/x86/kernel/irq.c | 2 + block/bfq-cgroup.c | 2 +- block/bio.c | 2 +- drivers/acpi/resource.c | 6 + drivers/clk/samsung/clk-pll.c | 7 +- drivers/clocksource/i8253.c | 36 +++-- drivers/firmware/efi/libstub/randomalloc.c | 4 + drivers/firmware/imx/imx-scu.c | 1 + drivers/firmware/iscsi_ibft.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_mn.c | 20 ++- drivers/gpu/drm/amd/amdgpu/nv.c | 2 +- drivers/gpu/drm/amd/amdgpu/soc15.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 ++ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_hdcp.c | 1 + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 +- .../gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 12 ++ drivers/gpu/drm/display/drm_dp_mst_topology.c | 40 +++-- drivers/gpu/drm/drm_atomic_uapi.c | 4 + drivers/gpu/drm/drm_connector.c | 4 + drivers/gpu/drm/gma500/mid_bios.c | 5 + drivers/gpu/drm/hyperv/hyperv_drm_drv.c | 2 + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 9 +- drivers/gpu/drm/mediatek/mtk_drm_plane.c | 13 +- drivers/gpu/drm/nouveau/nouveau_connector.c | 1 - drivers/gpu/drm/radeon/radeon_vce.c | 2 +- drivers/gpu/drm/v3d/v3d_sched.c | 9 +- drivers/hid/hid-apple.c | 13 +- drivers/hid/hid-ids.h | 2 + drivers/hid/hid-quirks.c | 1 + drivers/hid/intel-ish-hid/ipc/ipc.c | 15 +- drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 2 + drivers/hv/vmbus_drv.c | 13 ++ drivers/i2c/busses/i2c-ali1535.c | 12 +- drivers/i2c/busses/i2c-ali15x3.c | 12 +- drivers/i2c/busses/i2c-omap.c | 26 +-- drivers/i2c/busses/i2c-sis630.c | 12 +- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 2 - drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 3 +- drivers/infiniband/hw/hns/hns_roce_hem.c | 16 +- drivers/infiniband/hw/hns/hns_roce_main.c | 2 +- drivers/infiniband/hw/hns/hns_roce_qp.c | 10 +- drivers/input/serio/i8042-acpipnpio.h | 111 +++++++------ drivers/leds/leds-mlxreg.c | 16 +- .../mediatek/vcodec/vdec/vdec_vp8_req_if.c | 10 +- drivers/mmc/host/atmel-mci.c | 4 +- drivers/mmc/host/sdhci-brcmstb.c | 10 ++ drivers/net/bonding/bond_options.c | 55 ++++++- drivers/net/can/flexcan/flexcan-core.c | 18 ++- drivers/net/can/rcar/rcar_canfd.c | 28 ++-- drivers/net/dsa/mv88e6xxx/chip.c | 59 +++++-- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 11 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.h | 3 +- drivers/net/ethernet/intel/ice/ice_arfs.c | 2 +- .../ethernet/mellanox/mlx5/core/en/rep/bridge.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +- .../ethernet/mellanox/mlx5/core/lib/fs_chains.c | 5 + .../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 8 +- drivers/net/mctp/mctp-i2c.c | 5 + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 9 +- drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 28 ++++ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 3 +- drivers/net/wwan/mhi_wwan_mbim.c | 2 +- drivers/nvme/host/core.c | 2 - drivers/nvme/host/fc.c | 3 +- drivers/nvme/host/pci.c | 2 + drivers/nvme/host/tcp.c | 43 +++++ drivers/nvme/target/rdma.c | 33 ++-- drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 50 ++++-- drivers/powercap/powercap_sys.c | 3 +- drivers/regulator/core.c | 12 +- drivers/s390/cio/chp.c | 3 +- drivers/scsi/qla1280.c | 2 +- drivers/scsi/scsi_scan.c | 2 +- drivers/soc/imx/soc-imx8m.c | 151 ++++++++---------- drivers/soc/qcom/pdr_interface.c | 8 +- drivers/thermal/cpufreq_cooling.c | 2 - drivers/usb/serial/ftdi_sio.c | 14 ++ drivers/usb/serial/ftdi_sio_ids.h | 13 ++ drivers/usb/serial/option.c | 48 ++++-- drivers/video/fbdev/hyperv_fb.c | 2 +- drivers/xen/swiotlb-xen.c | 2 +- fs/fuse/dir.c | 2 +- fs/namei.c | 24 ++- fs/ntfs3/attrib.c | 176 ++++++++++++++------- fs/ntfs3/file.c | 151 ++++-------------- fs/ntfs3/frecord.c | 2 +- fs/ntfs3/index.c | 4 +- fs/ntfs3/inode.c | 12 +- fs/ntfs3/ntfs_fs.h | 9 +- fs/ntfs3/super.c | 68 +++++--- fs/proc/base.c | 9 +- fs/proc/generic.c | 10 +- fs/proc/inode.c | 6 +- fs/proc/internal.h | 14 ++ fs/select.c | 11 +- fs/smb/client/asn1.c | 2 + fs/smb/client/cifs_spnego.c | 4 +- fs/smb/client/cifsglob.h | 4 + fs/smb/client/connect.c | 16 +- fs/smb/client/fs_context.c | 14 +- fs/smb/client/ioctl.c | 6 +- fs/smb/client/sess.c | 3 +- fs/smb/client/smb2pdu.c | 4 +- fs/smb/server/smbacl.c | 5 +- fs/vboxsf/super.c | 3 +- fs/xfs/libxfs/xfs_ag.c | 45 ++++-- fs/xfs/libxfs/xfs_ag.h | 3 + fs/xfs/libxfs/xfs_alloc.c | 70 ++++---- fs/xfs/libxfs/xfs_alloc.h | 20 ++- fs/xfs/libxfs/xfs_attr.c | 6 +- fs/xfs/libxfs/xfs_bmap.c | 121 +++++++------- fs/xfs/libxfs/xfs_bmap.h | 5 +- fs/xfs/libxfs/xfs_bmap_btree.c | 8 +- fs/xfs/libxfs/xfs_btree_staging.c | 4 +- fs/xfs/libxfs/xfs_btree_staging.h | 6 - fs/xfs/libxfs/xfs_da_btree.c | 7 + fs/xfs/libxfs/xfs_format.h | 2 +- fs/xfs/libxfs/xfs_ialloc.c | 24 ++- fs/xfs/libxfs/xfs_ialloc_btree.c | 6 +- fs/xfs/libxfs/xfs_log_recover.h | 22 +++ fs/xfs/libxfs/xfs_refcount.c | 116 +++++++------- fs/xfs/libxfs/xfs_refcount.h | 4 +- fs/xfs/libxfs/xfs_refcount_btree.c | 9 +- fs/xfs/libxfs/xfs_rtbitmap.c | 2 + fs/xfs/libxfs/xfs_rtbitmap.h | 83 ++++++++++ fs/xfs/libxfs/xfs_sb.c | 20 ++- fs/xfs/libxfs/xfs_sb.h | 2 + fs/xfs/libxfs/xfs_types.h | 13 ++ fs/xfs/scrub/repair.c | 3 +- fs/xfs/scrub/rtbitmap.c | 3 +- fs/xfs/xfs_attr_item.c | 16 +- fs/xfs/xfs_bmap_item.c | 85 ++++------ fs/xfs/xfs_buf.c | 44 +++++- fs/xfs/xfs_buf.h | 1 + fs/xfs/xfs_extfree_item.c | 108 +++++++------ fs/xfs/xfs_fsmap.c | 2 +- fs/xfs/xfs_fsops.c | 5 +- fs/xfs/xfs_inode_item.c | 3 + fs/xfs/xfs_refcount_item.c | 68 ++++---- fs/xfs/xfs_reflink.c | 7 +- fs/xfs/xfs_rmap_item.c | 6 +- fs/xfs/xfs_rtalloc.c | 14 +- fs/xfs/xfs_rtalloc.h | 73 --------- fs/xfs/xfs_trace.h | 15 +- include/linux/fs.h | 2 + include/linux/i8253.h | 1 - include/linux/io_uring_types.h | 5 + include/linux/nvme-tcp.h | 2 + include/linux/proc_fs.h | 7 +- include/net/bluetooth/hci_core.h | 108 +++++-------- include/sound/soc.h | 5 +- include/uapi/linux/io_uring.h | 1 + init/Kconfig | 2 +- io_uring/io_uring.c | 163 ++++++++++++++++--- io_uring/io_uring.h | 2 + kernel/sched/core.c | 13 +- kernel/sys.c | 2 + kernel/time/hrtimer.c | 40 ++--- lib/buildid.c | 5 + mm/memcontrol.c | 9 ++ mm/migrate.c | 16 +- mm/nommu.c | 7 + net/atm/lec.c | 3 +- net/batman-adv/bat_iv_ogm.c | 3 +- net/batman-adv/bat_v_ogm.c | 3 +- net/bluetooth/6lowpan.c | 7 +- net/bluetooth/hci_core.c | 10 +- net/bluetooth/hci_event.c | 37 +++-- net/bluetooth/iso.c | 6 - net/bluetooth/l2cap_core.c | 12 +- net/bluetooth/rfcomm/core.c | 6 - net/bluetooth/sco.c | 12 +- net/core/lwtunnel.c | 65 ++++++-- net/core/neighbour.c | 1 + net/core/netpoll.c | 9 +- net/ipv4/tcp.c | 19 ++- net/ipv6/route.c | 5 +- net/mptcp/options.c | 6 +- net/mptcp/protocol.h | 2 + net/netfilter/ipvs/ip_vs_ctl.c | 8 +- net/netfilter/nf_conncount.c | 6 +- net/netfilter/nft_counter.c | 90 +++++------ net/netfilter/nft_ct.c | 6 +- net/netfilter/nft_exthdr.c | 10 +- net/openvswitch/flow_netlink.c | 15 +- net/sched/sch_api.c | 6 + net/sched/sch_gred.c | 3 +- net/sctp/stream.c | 2 +- net/switchdev/switchdev.c | 25 ++- net/wireless/core.c | 7 + net/xdp/xsk_buff_pool.c | 2 +- net/xfrm/xfrm_output.c | 2 +- rust/Makefile | 7 +- scripts/generate_rust_analyzer.py | 64 ++++++-- sound/pci/hda/patch_realtek.c | 1 + sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/codecs/arizona.c | 14 +- sound/soc/codecs/madera.c | 10 +- sound/soc/codecs/tas2764.c | 10 +- sound/soc/codecs/tas2764.h | 8 +- sound/soc/codecs/tas2770.c | 2 +- sound/soc/codecs/wm0010.c | 13 +- sound/soc/codecs/wm5110.c | 8 +- sound/soc/sh/rcar/core.c | 14 -- sound/soc/sh/rcar/rsnd.h | 1 - sound/soc/sh/rcar/src.c | 116 +++++++++++--- sound/soc/soc-ops.c | 15 +- sound/soc/sof/intel/hda-codec.c | 1 + 227 files changed, 2513 insertions(+), 1511 deletions(-)

1 month, 2 weeks

12
213
0 0

[PATCH 6.6.y 0/2] mptcp: fix recent failed backports (20250919)

by Matthieu Baerts (NGI0)

The following patches could not be applied without conflicts in this tree: - 2293c57484ae ("mptcp: pm: nl: announce deny-join-id0 flag") - 24733e193a0d ("selftests: mptcp: userspace pm: validate deny-join-id0 flag") Conflicts have been resolved, and documented in each patch. Matthieu Baerts (NGI0) (2): mptcp: pm: nl: announce deny-join-id0 flag selftests: mptcp: userspace pm: validate deny-join-id0 flag include/uapi/linux/mptcp.h | 6 ++++-- net/mptcp/pm_netlink.c | 7 +++++++ tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 +++++++ tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +++++++++++--- 4 files changed, 29 insertions(+), 5 deletions(-) -- 2.51.0

1 month, 2 weeks

2
3
0 0

FAILED: patch "[PATCH] platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 225d1ee0f5ba3218d1814d36564fdb5f37b50474 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092126-upstream-favorite-2f89@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 225d1ee0f5ba3218d1814d36564fdb5f37b50474 Mon Sep 17 00:00:00 2001 From: Antheas Kapenekakis <lkml(a)antheas.dev> Date: Tue, 16 Sep 2025 09:28:18 +0200 Subject: [PATCH] platform/x86: asus-wmi: Re-add extra keys to ignore_key_wlan quirk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It turns out that the dual screen models use 0x5E for attaching and detaching the keyboard instead of 0x5F. So, re-add the codes by reverting commit cf3940ac737d ("platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk"). For our future reference, add a comment next to 0x5E indicating that it is used for that purpose. Fixes: cf3940ac737d ("platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk") Reported-by: Rahul Chandra <rahul(a)chandra.net> Closes: https://lore.kernel.org/all/10020-68c90c80-d-4ac6c580@106290038/ Cc: stable(a)kernel.org Signed-off-by: Antheas Kapenekakis <lkml(a)antheas.dev> Link: https://patch.msgid.link/20250916072818.196462-1-lkml@antheas.dev Reviewed-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c index 3a488cf9ca06..6a62bc5b02fd 100644 --- a/drivers/platform/x86/asus-nb-wmi.c +++ b/drivers/platform/x86/asus-nb-wmi.c @@ -673,6 +673,8 @@ static void asus_nb_wmi_key_filter(struct asus_wmi_driver *asus_wmi, int *code, if (atkbd_reports_vol_keys) *code = ASUS_WMI_KEY_IGNORE; break; + case 0x5D: /* Wireless console Toggle */ + case 0x5E: /* Wireless console Enable / Keyboard Attach, Detach */ case 0x5F: /* Wireless console Disable / Special Key */ if (quirks->key_wlan_event) *code = quirks->key_wlan_event;

1 month, 2 weeks

3
4
0 0

FAILED: patch "[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 1e56310b40fd2e7e0b9493da9ff488af145bdd0c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092102-unbutton-entire-9371@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e56310b40fd2e7e0b9493da9ff488af145bdd0c Mon Sep 17 00:00:00 2001 From: Vasant Hegde <vasant.hegde(a)amd.com> Date: Sat, 13 Sep 2025 06:26:57 +0000 Subject: [PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com> diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] ksmbd: smbdirect: validate data_offset and data_length field" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5282491fc49d5614ac6ddcd012e5743eecb6a67c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092118-portside-cheesy-44d2@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5282491fc49d5614ac6ddcd012e5743eecb6a67c Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Wed, 10 Sep 2025 11:22:52 +0900 Subject: [PATCH] ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer If data_offset and data_length of smb_direct_data_transfer struct are invalid, out of bounds issue could happen. This patch validate data_offset and data_length field in recv_done. Cc: stable(a)vger.kernel.org Fixes: 2ea086e35c3d ("ksmbd: add buffer validation for smb direct") Reviewed-by: Stefan Metzmacher <metze(a)samba.org> Reported-by: Luigino Camastra, Aisle Research <luigino.camastra(a)aisle.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c index cc4322bfa1d6..d52f37578276 100644 --- a/fs/smb/server/transport_rdma.c +++ b/fs/smb/server/transport_rdma.c @@ -554,7 +554,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) case SMB_DIRECT_MSG_DATA_TRANSFER: { struct smb_direct_data_transfer *data_transfer = (struct smb_direct_data_transfer *)recvmsg->packet; - unsigned int data_length; + unsigned int data_offset, data_length; int avail_recvmsg_count, receive_credits; if (wc->byte_len < @@ -565,14 +565,15 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) } data_length = le32_to_cpu(data_transfer->data_length); - if (data_length) { - if (wc->byte_len < sizeof(struct smb_direct_data_transfer) + - (u64)data_length) { - put_recvmsg(t, recvmsg); - smb_direct_disconnect_rdma_connection(t); - return; - } + data_offset = le32_to_cpu(data_transfer->data_offset); + if (wc->byte_len < data_offset || + wc->byte_len < (u64)data_offset + data_length) { + put_recvmsg(t, recvmsg); + smb_direct_disconnect_rdma_connection(t); + return; + } + if (data_length) { if (t->full_packet_received) recvmsg->first_segment = true;

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092158-payee-omega-5893@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 month, 2 weeks

2
2
0 0

FAILED: patch "[PATCH] samples/damon/mtier: avoid starting DAMON before" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x c62cff40481c037307a13becbda795f7afdcfebd # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092116-ceramics-stratus-5d18@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c62cff40481c037307a13becbda795f7afdcfebd Mon Sep 17 00:00:00 2001 From: SeongJae Park <sj(a)kernel.org> Date: Mon, 8 Sep 2025 19:22:38 -0700 Subject: [PATCH] samples/damon/mtier: avoid starting DAMON before initialization Commit 964314344eab ("samples/damon/mtier: support boot time enable setup") is somehow incompletely applying the origin patch [1]. It is missing the part that avoids starting DAMON before module initialization. Probably a mistake during a merge has happened. Fix it by applying the missed part again. Link: https://lkml.kernel.org/r/20250909022238.2989-4-sj@kernel.org Link: https://lore.kernel.org/20250706193207.39810-4-sj@kernel.org [1] Fixes: 964314344eab ("samples/damon/mtier: support boot time enable setup") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/samples/damon/mtier.c b/samples/damon/mtier.c index 7ebd352138e4..beaf36657dea 100644 --- a/samples/damon/mtier.c +++ b/samples/damon/mtier.c @@ -208,6 +208,9 @@ static int damon_sample_mtier_enable_store( if (enabled == is_enabled) return 0; + if (!init_called) + return 0; + if (enabled) { err = damon_sample_mtier_start(); if (err)

1 month, 2 weeks

2
3
0 0

FAILED: patch "[PATCH] samples/damon/wsse: avoid starting DAMON before" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x f826edeb888c5a8bd1b6e95ae6a50b0db2b21902 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092111-specked-enviably-906d@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f826edeb888c5a8bd1b6e95ae6a50b0db2b21902 Mon Sep 17 00:00:00 2001 From: SeongJae Park <sj(a)kernel.org> Date: Mon, 8 Sep 2025 19:22:36 -0700 Subject: [PATCH] samples/damon/wsse: avoid starting DAMON before initialization Patch series "samples/damon: fix boot time enable handling fixup merge mistakes". First three patches of the patch series "mm/damon: fix misc bugs in DAMON modules" [1] were trying to fix boot time DAMON sample modules enabling issues. The issues are the modules can crash if those are enabled before DAMON is enabled, like using boot time parameter options. The three patches were fixing the issues by avoiding starting DAMON before the module initialization phase. However, probably by a mistake during a merge, only half of the change is merged, and the part for avoiding the starting of DAMON before the module initialized is missed. So the problem is not solved and thus the modules can still crash if enabled before DAMON is initialized. Fix those by applying the unmerged parts again. Note that the broken commits are merged into 6.17-rc1, but also backported to relevant stable kernels. So this series also needs to be merged into the stable kernels. Hence Cc-ing stable@. This patch (of 3): Commit 0ed1165c3727 ("samples/damon/wsse: fix boot time enable handling") is somehow incompletely applying the origin patch [2]. It is missing the part that avoids starting DAMON before module initialization. Probably a mistake during a merge has happened. Fix it by applying the missed part again. Link: https://lkml.kernel.org/r/20250909022238.2989-1-sj@kernel.org Link: https://lkml.kernel.org/r/20250909022238.2989-2-sj@kernel.org Link: https://lkml.kernel.org/r/20250706193207.39810-1-sj@kernel.org [1] Link: https://lore.kernel.org/20250706193207.39810-2-sj@kernel.org [2] Fixes: 0ed1165c3727 ("samples/damon/wsse: fix boot time enable handling") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/samples/damon/wsse.c b/samples/damon/wsse.c index da052023b099..21eaf15f987d 100644 --- a/samples/damon/wsse.c +++ b/samples/damon/wsse.c @@ -118,6 +118,9 @@ static int damon_sample_wsse_enable_store( return 0; if (enabled) { + if (!init_called) + return 0; + err = damon_sample_wsse_start(); if (err) enabled = false;

1 month, 2 weeks

2
3
0 0

FAILED: patch "[PATCH] io_uring: include dying ring in task_work "should cancel"" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 3539b1467e94336d5854ebf976d9627bfb65d6c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092128-embassy-flyable-e3fb@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3539b1467e94336d5854ebf976d9627bfb65d6c3 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 18 Sep 2025 10:21:14 -0600 Subject: [PATCH] io_uring: include dying ring in task_work "should cancel" state When running task_work for an exiting task, rather than perform the issue retry attempt, the task_work is canceled. However, this isn't done for a ring that has been closed. This can lead to requests being successfully completed post the ring being closed, which is somewhat confusing and surprising to an application. Rather than just check the task exit state, also include the ring ref state in deciding whether or not to terminate a given request when run from task_work. Cc: stable(a)vger.kernel.org # 6.1+ Link: https://github.com/axboe/liburing/discussions/1459 Reported-by: Benedek Thaler <thaler(a)thaler.hu> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 93633613a165..bcec12256f34 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -1406,8 +1406,10 @@ static void io_req_task_cancel(struct io_kiocb *req, io_tw_token_t tw) void io_req_task_submit(struct io_kiocb *req, io_tw_token_t tw) { - io_tw_lock(req->ctx, tw); - if (unlikely(io_should_terminate_tw())) + struct io_ring_ctx *ctx = req->ctx; + + io_tw_lock(ctx, tw); + if (unlikely(io_should_terminate_tw(ctx))) io_req_defer_failed(req, -EFAULT); else if (req->flags & REQ_F_FORCE_ASYNC) io_queue_iowq(req); diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h index abc6de227f74..1880902be6fd 100644 --- a/io_uring/io_uring.h +++ b/io_uring/io_uring.h @@ -476,9 +476,9 @@ static inline bool io_allowed_run_tw(struct io_ring_ctx *ctx) * 2) PF_KTHREAD is set, in which case the invoker of the task_work is * our fallback task_work. */ -static inline bool io_should_terminate_tw(void) +static inline bool io_should_terminate_tw(struct io_ring_ctx *ctx) { - return current->flags & (PF_KTHREAD | PF_EXITING); + return (current->flags & (PF_KTHREAD | PF_EXITING)) || percpu_ref_is_dying(&ctx->refs); } static inline void io_req_queue_tw_complete(struct io_kiocb *req, s32 res) diff --git a/io_uring/poll.c b/io_uring/poll.c index c786e587563b..6090a26975d4 100644 --- a/io_uring/poll.c +++ b/io_uring/poll.c @@ -224,7 +224,7 @@ static int io_poll_check_events(struct io_kiocb *req, io_tw_token_t tw) { int v; - if (unlikely(io_should_terminate_tw())) + if (unlikely(io_should_terminate_tw(req->ctx))) return -ECANCELED; do { diff --git a/io_uring/timeout.c b/io_uring/timeout.c index 7f13bfa9f2b6..17e3aab0af36 100644 --- a/io_uring/timeout.c +++ b/io_uring/timeout.c @@ -324,7 +324,7 @@ static void io_req_task_link_timeout(struct io_kiocb *req, io_tw_token_t tw) int ret; if (prev) { - if (!io_should_terminate_tw()) { + if (!io_should_terminate_tw(req->ctx)) { struct io_cancel_data cd = { .ctx = req->ctx, .data = prev->cqe.user_data, diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c index 053bac89b6c0..213716e10d70 100644 --- a/io_uring/uring_cmd.c +++ b/io_uring/uring_cmd.c @@ -118,7 +118,7 @@ static void io_uring_cmd_work(struct io_kiocb *req, io_tw_token_t tw) struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd); unsigned int flags = IO_URING_F_COMPLETE_DEFER; - if (io_should_terminate_tw()) + if (io_should_terminate_tw(req->ctx)) flags |= IO_URING_F_TASK_DEAD; /* task_work executor checks the deffered list completion */

1 month, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] io_uring: include dying ring in task_work "should cancel"" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 3539b1467e94336d5854ebf976d9627bfb65d6c3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092127-emit-dean-5272@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3539b1467e94336d5854ebf976d9627bfb65d6c3 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe(a)kernel.dk> Date: Thu, 18 Sep 2025 10:21:14 -0600 Subject: [PATCH] io_uring: include dying ring in task_work "should cancel" state When running task_work for an exiting task, rather than perform the issue retry attempt, the task_work is canceled. However, this isn't done for a ring that has been closed. This can lead to requests being successfully completed post the ring being closed, which is somewhat confusing and surprising to an application. Rather than just check the task exit state, also include the ring ref state in deciding whether or not to terminate a given request when run from task_work. Cc: stable(a)vger.kernel.org # 6.1+ Link: https://github.com/axboe/liburing/discussions/1459 Reported-by: Benedek Thaler <thaler(a)thaler.hu> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 93633613a165..bcec12256f34 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -1406,8 +1406,10 @@ static void io_req_task_cancel(struct io_kiocb *req, io_tw_token_t tw) void io_req_task_submit(struct io_kiocb *req, io_tw_token_t tw) { - io_tw_lock(req->ctx, tw); - if (unlikely(io_should_terminate_tw())) + struct io_ring_ctx *ctx = req->ctx; + + io_tw_lock(ctx, tw); + if (unlikely(io_should_terminate_tw(ctx))) io_req_defer_failed(req, -EFAULT); else if (req->flags & REQ_F_FORCE_ASYNC) io_queue_iowq(req); diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h index abc6de227f74..1880902be6fd 100644 --- a/io_uring/io_uring.h +++ b/io_uring/io_uring.h @@ -476,9 +476,9 @@ static inline bool io_allowed_run_tw(struct io_ring_ctx *ctx) * 2) PF_KTHREAD is set, in which case the invoker of the task_work is * our fallback task_work. */ -static inline bool io_should_terminate_tw(void) +static inline bool io_should_terminate_tw(struct io_ring_ctx *ctx) { - return current->flags & (PF_KTHREAD | PF_EXITING); + return (current->flags & (PF_KTHREAD | PF_EXITING)) || percpu_ref_is_dying(&ctx->refs); } static inline void io_req_queue_tw_complete(struct io_kiocb *req, s32 res) diff --git a/io_uring/poll.c b/io_uring/poll.c index c786e587563b..6090a26975d4 100644 --- a/io_uring/poll.c +++ b/io_uring/poll.c @@ -224,7 +224,7 @@ static int io_poll_check_events(struct io_kiocb *req, io_tw_token_t tw) { int v; - if (unlikely(io_should_terminate_tw())) + if (unlikely(io_should_terminate_tw(req->ctx))) return -ECANCELED; do { diff --git a/io_uring/timeout.c b/io_uring/timeout.c index 7f13bfa9f2b6..17e3aab0af36 100644 --- a/io_uring/timeout.c +++ b/io_uring/timeout.c @@ -324,7 +324,7 @@ static void io_req_task_link_timeout(struct io_kiocb *req, io_tw_token_t tw) int ret; if (prev) { - if (!io_should_terminate_tw()) { + if (!io_should_terminate_tw(req->ctx)) { struct io_cancel_data cd = { .ctx = req->ctx, .data = prev->cqe.user_data, diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c index 053bac89b6c0..213716e10d70 100644 --- a/io_uring/uring_cmd.c +++ b/io_uring/uring_cmd.c @@ -118,7 +118,7 @@ static void io_uring_cmd_work(struct io_kiocb *req, io_tw_token_t tw) struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd); unsigned int flags = IO_URING_F_COMPLETE_DEFER; - if (io_should_terminate_tw()) + if (io_should_terminate_tw(req->ctx)) flags |= IO_URING_F_TASK_DEAD; /* task_work executor checks the deffered list completion */

1 month, 2 weeks

3
2
0 0

FAILED: patch "[PATCH] mm/gup: local lru_add_drain() to avoid lru_add_drain_all()" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x a09a8a1fbb374e0053b97306da9dbc05bd384685 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092110-music-knoll-828f@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a09a8a1fbb374e0053b97306da9dbc05bd384685 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:16:53 -0700 Subject: [PATCH] mm/gup: local lru_add_drain() to avoid lru_add_drain_all() In many cases, if collect_longterm_unpinnable_folios() does need to drain the LRU cache to release a reference, the cache in question is on this same CPU, and much more efficiently drained by a preliminary local lru_add_drain(), than the later cross-CPU lru_add_drain_all(). Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Note for clean backports: can take 6.16 commit a03db236aebf ("gup: optimize longterm pin_user_pages() for large folio") first. Link: https://lkml.kernel.org/r/66f2751f-283e-816d-9530-765db7edc465@google.com Signed-off-by: Hugh Dickins <hughd(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index 82aec6443c0a..b47066a54f52 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2287,8 +2287,8 @@ static unsigned long collect_longterm_unpinnable_folios( struct pages_or_folios *pofs) { unsigned long collected = 0; - bool drain_allow = true; struct folio *folio; + int drained = 0; long i = 0; for (folio = pofs_get_folio(pofs, i); folio; @@ -2307,10 +2307,17 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drain_allow && folio_ref_count(folio) != - folio_expected_ref_count(folio) + 1) { + if (drained == 0 && + folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { + lru_add_drain(); + drained = 1; + } + if (drained == 1 && + folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); - drain_allow = false; + drained = 2; } if (!folio_isolate_lru(folio))

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092108-drinking-sloped-1caa@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Tue, 16 Sep 2025 17:20:59 +0800 Subject: [PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan(a)starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy(a)starlabs.sg> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 407f2c238f2c..ca6fdcc6c54a 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -970,6 +970,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -1105,6 +1111,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index f7b3b93f3a49..0c70f3a55575 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -135,6 +135,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -151,10 +152,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092108-unmarked-tropical-1899@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Tue, 16 Sep 2025 17:20:59 +0800 Subject: [PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan(a)starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy(a)starlabs.sg> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 407f2c238f2c..ca6fdcc6c54a 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -970,6 +970,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -1105,6 +1111,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index f7b3b93f3a49..0c70f3a55575 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -135,6 +135,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -151,10 +152,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092107-crowbar-posting-c6ba@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 Mon Sep 17 00:00:00 2001 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Tue, 16 Sep 2025 17:20:59 +0800 Subject: [PATCH] crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan(a)starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy(a)starlabs.sg> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 407f2c238f2c..ca6fdcc6c54a 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -970,6 +970,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -1105,6 +1111,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index f7b3b93f3a49..0c70f3a55575 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -135,6 +135,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -151,10 +152,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 7f830e126dc357fc086905ce9730140fd4528d66 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092126-fabulous-despair-ac21@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f830e126dc357fc086905ce9730140fd4528d66 Mon Sep 17 00:00:00 2001 From: Tom Lendacky <thomas.lendacky(a)amd.com> Date: Mon, 15 Sep 2025 11:04:12 -0500 Subject: [PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT The sev_evict_cache() is guest-related code and should be guarded by CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV. CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub function of sev_evict_cache() instead of the version that performs the actual eviction. Move the function declarations under the appropriate #ifdef. Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation") Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)kernel.org # 6.16.x Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.17577089… diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index 02236962fdb1..465b19fd1a2d 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -562,6 +562,24 @@ enum es_result sev_es_ghcb_hv_call(struct ghcb *ghcb, extern struct ghcb *boot_ghcb; +static inline void sev_evict_cache(void *va, int npages) +{ + volatile u8 val __always_unused; + u8 *bytes = va; + int page_idx; + + /* + * For SEV guests, a read from the first/last cache-lines of a 4K page + * using the guest key is sufficient to cause a flush of all cache-lines + * associated with that 4K page without incurring all the overhead of a + * full CLFLUSH sequence. + */ + for (page_idx = 0; page_idx < npages; page_idx++) { + val = bytes[page_idx * PAGE_SIZE]; + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; + } +} + #else /* !CONFIG_AMD_MEM_ENCRYPT */ #define snp_vmpl 0 @@ -605,6 +623,7 @@ static inline int snp_send_guest_request(struct snp_msg_desc *mdesc, static inline int snp_svsm_vtpm_send_command(u8 *buffer) { return -ENODEV; } static inline void __init snp_secure_tsc_prepare(void) { } static inline void __init snp_secure_tsc_init(void) { } +static inline void sev_evict_cache(void *va, int npages) {} #endif /* CONFIG_AMD_MEM_ENCRYPT */ @@ -619,24 +638,6 @@ int rmp_make_shared(u64 pfn, enum pg_level level); void snp_leak_pages(u64 pfn, unsigned int npages); void kdump_sev_callback(void); void snp_fixup_e820_tables(void); - -static inline void sev_evict_cache(void *va, int npages) -{ - volatile u8 val __always_unused; - u8 *bytes = va; - int page_idx; - - /* - * For SEV guests, a read from the first/last cache-lines of a 4K page - * using the guest key is sufficient to cause a flush of all cache-lines - * associated with that 4K page without incurring all the overhead of a - * full CLFLUSH sequence. - */ - for (page_idx = 0; page_idx < npages; page_idx++) { - val = bytes[page_idx * PAGE_SIZE]; - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; - } -} #else static inline bool snp_probe_rmptable_info(void) { return false; } static inline int snp_rmptable_init(void) { return -ENOSYS; } @@ -652,7 +653,6 @@ static inline int rmp_make_shared(u64 pfn, enum pg_level level) { return -ENODEV static inline void snp_leak_pages(u64 pfn, unsigned int npages) {} static inline void kdump_sev_callback(void) { } static inline void snp_fixup_e820_tables(void) {} -static inline void sev_evict_cache(void *va, int npages) {} #endif #endif

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 7f830e126dc357fc086905ce9730140fd4528d66 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092125-stitch-starting-35cb@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 7f830e126dc357fc086905ce9730140fd4528d66 Mon Sep 17 00:00:00 2001 From: Tom Lendacky <thomas.lendacky(a)amd.com> Date: Mon, 15 Sep 2025 11:04:12 -0500 Subject: [PATCH] x86/sev: Guard sev_evict_cache() with CONFIG_AMD_MEM_ENCRYPT The sev_evict_cache() is guest-related code and should be guarded by CONFIG_AMD_MEM_ENCRYPT, not CONFIG_KVM_AMD_SEV. CONFIG_AMD_MEM_ENCRYPT=y is required for a guest to run properly as an SEV-SNP guest, but a guest kernel built with CONFIG_KVM_AMD_SEV=n would get the stub function of sev_evict_cache() instead of the version that performs the actual eviction. Move the function declarations under the appropriate #ifdef. Fixes: 7b306dfa326f ("x86/sev: Evict cache lines during SNP memory validation") Signed-off-by: Tom Lendacky <thomas.lendacky(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)kernel.org # 6.16.x Link: https://lore.kernel.org/r/70e38f2c4a549063de54052c9f64929705313526.17577089… diff --git a/arch/x86/include/asm/sev.h b/arch/x86/include/asm/sev.h index 02236962fdb1..465b19fd1a2d 100644 --- a/arch/x86/include/asm/sev.h +++ b/arch/x86/include/asm/sev.h @@ -562,6 +562,24 @@ enum es_result sev_es_ghcb_hv_call(struct ghcb *ghcb, extern struct ghcb *boot_ghcb; +static inline void sev_evict_cache(void *va, int npages) +{ + volatile u8 val __always_unused; + u8 *bytes = va; + int page_idx; + + /* + * For SEV guests, a read from the first/last cache-lines of a 4K page + * using the guest key is sufficient to cause a flush of all cache-lines + * associated with that 4K page without incurring all the overhead of a + * full CLFLUSH sequence. + */ + for (page_idx = 0; page_idx < npages; page_idx++) { + val = bytes[page_idx * PAGE_SIZE]; + val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; + } +} + #else /* !CONFIG_AMD_MEM_ENCRYPT */ #define snp_vmpl 0 @@ -605,6 +623,7 @@ static inline int snp_send_guest_request(struct snp_msg_desc *mdesc, static inline int snp_svsm_vtpm_send_command(u8 *buffer) { return -ENODEV; } static inline void __init snp_secure_tsc_prepare(void) { } static inline void __init snp_secure_tsc_init(void) { } +static inline void sev_evict_cache(void *va, int npages) {} #endif /* CONFIG_AMD_MEM_ENCRYPT */ @@ -619,24 +638,6 @@ int rmp_make_shared(u64 pfn, enum pg_level level); void snp_leak_pages(u64 pfn, unsigned int npages); void kdump_sev_callback(void); void snp_fixup_e820_tables(void); - -static inline void sev_evict_cache(void *va, int npages) -{ - volatile u8 val __always_unused; - u8 *bytes = va; - int page_idx; - - /* - * For SEV guests, a read from the first/last cache-lines of a 4K page - * using the guest key is sufficient to cause a flush of all cache-lines - * associated with that 4K page without incurring all the overhead of a - * full CLFLUSH sequence. - */ - for (page_idx = 0; page_idx < npages; page_idx++) { - val = bytes[page_idx * PAGE_SIZE]; - val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1]; - } -} #else static inline bool snp_probe_rmptable_info(void) { return false; } static inline int snp_rmptable_init(void) { return -ENOSYS; } @@ -652,7 +653,6 @@ static inline int rmp_make_shared(u64 pfn, enum pg_level level) { return -ENODEV static inline void snp_leak_pages(u64 pfn, unsigned int npages) {} static inline void kdump_sev_callback(void) { } static inline void snp_fixup_e820_tables(void) {} -static inline void sev_evict_cache(void *va, int npages) {} #endif #endif

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] btrfs: tree-checker: fix the incorrect inode ref size check" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 96fa515e70f3e4b98685ef8cac9d737fc62f10e1 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092135-breeding-chrome-585a@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 96fa515e70f3e4b98685ef8cac9d737fc62f10e1 Mon Sep 17 00:00:00 2001 From: Qu Wenruo <wqu(a)suse.com> Date: Tue, 16 Sep 2025 07:54:06 +0930 Subject: [PATCH] btrfs: tree-checker: fix the incorrect inode ref size check [BUG] Inside check_inode_ref(), we need to make sure every structure, including the btrfs_inode_extref header, is covered by the item. But our code is incorrectly using "sizeof(iref)", where @iref is just a pointer. This means "sizeof(iref)" will always be "sizeof(void *)", which is much smaller than "sizeof(struct btrfs_inode_extref)". This will allow some bad inode extrefs to sneak in, defeating tree-checker. [FIX] Fix the typo by calling "sizeof(*iref)", which is the same as "sizeof(struct btrfs_inode_extref)", and will be the correct behavior we want. Fixes: 71bf92a9b877 ("btrfs: tree-checker: Add check for INODE_REF") CC: stable(a)vger.kernel.org # 6.1+ Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Qu Wenruo <wqu(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c index 0f556f4de3f9..a997c7cc35a2 100644 --- a/fs/btrfs/tree-checker.c +++ b/fs/btrfs/tree-checker.c @@ -1756,10 +1756,10 @@ static int check_inode_ref(struct extent_buffer *leaf, while (ptr < end) { u16 namelen; - if (unlikely(ptr + sizeof(iref) > end)) { + if (unlikely(ptr + sizeof(*iref) > end)) { inode_ref_err(leaf, slot, "inode ref overflow, ptr %lu end %lu inode_ref_size %zu", - ptr, end, sizeof(iref)); + ptr, end, sizeof(*iref)); return -EUCLEAN; }

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 1e56310b40fd2e7e0b9493da9ff488af145bdd0c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092105-gawk-armful-317b@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e56310b40fd2e7e0b9493da9ff488af145bdd0c Mon Sep 17 00:00:00 2001 From: Vasant Hegde <vasant.hegde(a)amd.com> Date: Sat, 13 Sep 2025 06:26:57 +0000 Subject: [PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com> diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1e56310b40fd2e7e0b9493da9ff488af145bdd0c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092104-flashcard-deepness-5002@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e56310b40fd2e7e0b9493da9ff488af145bdd0c Mon Sep 17 00:00:00 2001 From: Vasant Hegde <vasant.hegde(a)amd.com> Date: Sat, 13 Sep 2025 06:26:57 +0000 Subject: [PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com> diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 1e56310b40fd2e7e0b9493da9ff488af145bdd0c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092103-skilled-expand-23a8@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e56310b40fd2e7e0b9493da9ff488af145bdd0c Mon Sep 17 00:00:00 2001 From: Vasant Hegde <vasant.hegde(a)amd.com> Date: Sat, 13 Sep 2025 06:26:57 +0000 Subject: [PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com> diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] iommu/amd/pgtbl: Fix possible race while increase page table" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 1e56310b40fd2e7e0b9493da9ff488af145bdd0c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092102-landfill-panorama-3049@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 1e56310b40fd2e7e0b9493da9ff488af145bdd0c Mon Sep 17 00:00:00 2001 From: Vasant Hegde <vasant.hegde(a)amd.com> Date: Sat, 13 Sep 2025 06:26:57 +0000 Subject: [PATCH] iommu/amd/pgtbl: Fix possible race while increase page table level The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> Signed-off-by: Joerg Roedel <joerg.roedel(a)amd.com> diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE;

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] samples/damon/prcl: avoid starting DAMON before" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x e6b733ca2f99e968d696c2e812c8eb8e090bf37b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092121-boned-marbles-55ea@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e6b733ca2f99e968d696c2e812c8eb8e090bf37b Mon Sep 17 00:00:00 2001 From: SeongJae Park <sj(a)kernel.org> Date: Mon, 8 Sep 2025 19:22:37 -0700 Subject: [PATCH] samples/damon/prcl: avoid starting DAMON before initialization Commit 2780505ec2b4 ("samples/damon/prcl: fix boot time enable crash") is somehow incompletely applying the origin patch [1]. It is missing the part that avoids starting DAMON before module initialization. Probably a mistake during a merge has happened. Fix it by applying the missed part again. Link: https://lkml.kernel.org/r/20250909022238.2989-3-sj@kernel.org Link: https://lore.kernel.org/20250706193207.39810-3-sj@kernel.org [1] Fixes: 2780505ec2b4 ("samples/damon/prcl: fix boot time enable crash") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/samples/damon/prcl.c b/samples/damon/prcl.c index 1b839c06a612..0226652f94d5 100644 --- a/samples/damon/prcl.c +++ b/samples/damon/prcl.c @@ -137,6 +137,9 @@ static int damon_sample_prcl_enable_store( if (enabled == is_enabled) return 0; + if (!init_called) + return 0; + if (enabled) { err = damon_sample_prcl_start(); if (err)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092147-truck-ceremony-311d@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092146-exhume-krypton-1383@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092145-system-superjet-a0fb@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092144-angler-cuddly-30db@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: folio_may_be_lru_cached() unless folio_test_large()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092143-defrost-backboned-d1ea@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2da6de30e60dd9bb14600eff1cc99df2fa2ddae3 Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:23:15 -0700 Subject: [PATCH] mm: folio_may_be_lru_cached() unless folio_test_large() mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/swap.h b/include/linux/swap.h index 2fe6ed2cc3fd..7012a0f758d8 100644 --- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, struct vm_area_struct *); void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) diff --git a/mm/gup.c b/mm/gup.c index b47066a54f52..0bc4d140fc07 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); diff --git a/mm/mlock.c b/mm/mlock.c index a1d93ad33c6d..bb0776f5ef7c 100644 --- a/mm/mlock.c +++ b/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } diff --git a/mm/swap.c b/mm/swap.c index 6ae2d5680574..b74ebe865dd9 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq)

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092156-candied-rogue-bf08@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092154-canon-user-98b7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 month, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] mm/gup: check ref_count instead of lru before migration" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 98c6d259319ecf6e8d027abd3f14b81324b8c0ad # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025092152-bobtail-scarring-ffff@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 98c6d259319ecf6e8d027abd3f14b81324b8c0ad Mon Sep 17 00:00:00 2001 From: Hugh Dickins <hughd(a)google.com> Date: Mon, 8 Sep 2025 15:15:03 -0700 Subject: [PATCH] mm/gup: check ref_count instead of lru before migration Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 5): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/gup.c b/mm/gup.c index adffe663594d..82aec6443c0a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_unpinnable_folios( continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; }

1 month, 2 weeks

1
0
0 0

[PATCH] ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()

by Ma Ke

wcd934x_codec_parse_data() contains a device reference count leak in of_slim_get_device() where device_find_child() increases the reference count of the device but this reference is not properly decreased in the success path. Add put_device() in wcd934x_codec_parse_data(), which ensures that the reference count of the device is correctly managed. Calling path: of_slim_get_device() -> of_find_slim_device() -> device_find_child(). As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use.'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- sound/soc/codecs/wcd934x.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index 1bb7e1dc7e6b..9ffa65329934 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5849,10 +5849,13 @@ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) slim_get_logical_addr(wcd->sidev); wcd->if_regmap = regmap_init_slimbus(wcd->sidev, &wcd934x_ifc_regmap_config); - if (IS_ERR(wcd->if_regmap)) + if (IS_ERR(wcd->if_regmap)) { + put_device(&wcd->sidev->dev); return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), "Failed to allocate ifc register map\n"); + } + put_device(&wcd->sidev->dev); of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", &wcd->dmic_sample_rate); -- 2.17.1

1 month, 2 weeks

2
1
0 0

[PATCH v2] RDMA/rxe: Fix race in do_task() when draining

by Gui-Dong Han

When do_task() exhausts its iteration budget (!ret), it sets the state to TASK_STATE_IDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASK_STATE_DRAINING state set by a concurrent call to rxe_cleanup_task() or rxe_disable_task(). While state changes are protected by a spinlock, both rxe_cleanup_task() and rxe_disable_task() release the lock while waiting for the task to finish draining in the while(!is_done(task)) loop. The race occurs if do_task() hits its iteration limit and acquires the lock in this window. The cleanup logic may then proceed while the task incorrectly reschedules itself, leading to a potential use-after-free. This bug was introduced during the migration from tasklets to workqueues, where the special handling for the draining case was lost. Fix this by restoring the original pre-migration behavior. If the state is TASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to force a new loop iteration. This allows the task to finish its work, so that a subsequent iteration can reach the switch statement and correctly transition the state to TASK_STATE_DRAINED, stopping the task as intended. Fixes: 9b4b7c1f9f54 ("RDMA/rxe: Add workqueue support for rxe tasks") Cc: stable(a)vger.kernel.org Reviewed-by: Zhu Yanjun <yanjun.zhu(a)linux.dev> Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com> --- v2: * Rewrite commit message for clarity. Thanks to Zhu Yanjun for the review. --- drivers/infiniband/sw/rxe/rxe_task.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/sw/rxe/rxe_task.c b/drivers/infiniband/sw/rxe/rxe_task.c index 6f8f353e9583..f522820b950c 100644 --- a/drivers/infiniband/sw/rxe/rxe_task.c +++ b/drivers/infiniband/sw/rxe/rxe_task.c @@ -132,8 +132,12 @@ static void do_task(struct rxe_task *task) * yield the cpu and reschedule the task */ if (!ret) { - task->state = TASK_STATE_IDLE; - resched = 1; + if (task->state != TASK_STATE_DRAINING) { + task->state = TASK_STATE_IDLE; + resched = 1; + } else { + cont = 1; + } goto exit; } -- 2.25.1

1 month, 2 weeks

3
3
0 0

Fwd: [Bug 220457] Using -march=native on linux 6.16.1 causes: can't find jump dest instruction error.

by SMF Linux

https://bugzilla.kernel.org/show_bug.cgi?id=220457 Refined my work around to: KBUILD_CFLAGS += -march=native -mno-tbm KBUILD_RUSTFLAGS += -Ctarget-cpu=native Ctarget-feature=-tbm

1 month, 2 weeks

1
0
0 0

[PATCH] irqchip/sifive-plic: avoid interrupt ID 0 handling during suspend/resume

by Lucas Zampieri

To: linux-kernel(a)vger.kernel.org Cc: Paul Walmsley <paul.walmsley(a)sifive.com> Cc: Samuel Holland <samuel.holland(a)sifive.com> Cc: stable(a)vger.kernel.org Cc: linux-riscv(a)lists.infradead.org Cc: Thomas Gleixner <tglx(a)linutronix.de> According to the PLIC specification[1], global interrupt sources are assigned small unsigned integer identifiers beginning at the value 1. An interrupt ID of 0 is reserved to mean "no interrupt". The current plic_irq_resume() and plic_irq_suspend() functions incorrectly starts the loop from index 0, which could access the reserved interrupt ID 0 register space. This fix changes the loop to start from index 1, skipping the reserved interrupt ID 0 as per the PLIC specification. This prevents potential undefined behavior when accessing the reserved register space during suspend/resume cycles. Fixes: e80f0b6a2cf3 ("irqchip/irq-sifive-plic: Add syscore callbacks for hibernation") Co-developed-by: Jia Wang <wangjia(a)ultrarisc.com> Signed-off-by: Jia Wang <wangjia(a)ultrarisc.com> Signed-off-by: Lucas Zampieri <lzampier(a)redhat.com> [1] https://github.com/riscv/riscv-plic-spec/releases/tag/1.0.0 --- drivers/irqchip/irq-sifive-plic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c index bf69a4802b71..1c2b4d2575ac 100644 --- a/drivers/irqchip/irq-sifive-plic.c +++ b/drivers/irqchip/irq-sifive-plic.c @@ -252,7 +252,7 @@ static int plic_irq_suspend(void) priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv; - for (i = 0; i < priv->nr_irqs; i++) { + for (i = 1; i < priv->nr_irqs; i++) { __assign_bit(i, priv->prio_save, readl(priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID)); } @@ -283,7 +283,7 @@ static void plic_irq_resume(void) priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv; - for (i = 0; i < priv->nr_irqs; i++) { + for (i = 1; i < priv->nr_irqs; i++) { index = BIT_WORD(i); writel((priv->prio_save[index] & BIT_MASK(i)) ? 1 : 0, priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID); -- 2.51.0

1 month, 2 weeks

2
1
0 0

New September Order. 02318 Sunday, September 21, 2025 at 06:25:09 AM

by Info - Albinayah 086

Hi Stable, Please provide a quote for your products: Include: 1.Pricing (per unit) 2.Delivery cost & timeline 3.Quote expiry date Deadline: September Thanks! Kamal Prasad Albinayah Trading

1 month, 2 weeks

1
0
0 0

Qualcomm Snapdragon <SM6375>

by Alan Ye

The Qualcomm SM6375 processor is a 7nm process SoC for the mid-range market with the following features: CPU: Eight-core design, including high-performance Kryo 670 core and efficient Kryo 265 core, optimized performance and energy efficiency. GPU: Equipped with Adreno 642L GPU, supporting high-quality graphics and gaming experience. AI Engine: Integrated Qualcomm AI engine to enhance intelligent features such as voice recognition and image processing. Connectivity: Supports modern wireless standards such as 5G, Wi-Fi 6 and Bluetooth 5.2. Multimedia: Supports 4K video encoding and decoding Mainly used in mid-to-high-end smartphones, tablets and some IoT devices, suitable for users who need to balance cost performance and performance. .# Part Number Manufacturer Date Code Quantity Unit Price Lead Time Condition (PCS) USD/Each one 1 SM-6375-1-PSP837-TR-00-0-AB QUALCOMM 2023+ 12000pcs US$18.00/pcs 7days New & original - stock 2 PM-6375-0-FOWNSP144-TR-01-0；TR-01-1 QUALCOMM 2023+ 12000pcs US$1.00/pcs 3 PMR-735A-0-WLNSP48-TR-05-0,TR-05-1 QUALCOMM 2023+ 12000pcs US$0.85/pcs 4 PMK-8003-0-FOWPSP36-TR-01-0 QUALCOMM 2023+ 12000pcs US$0.24/pcs 5 SDR-735-0-PSP219B-TR-01-0；TR-01-1 QUALCOMM 2023+ 12000pcs US$2.50/pcs 6 WCD-9370-0-WLPSP55-TR-01-0;TR-01-4 QUALCOMM 2023+ 12000pcs US$0.50/pcs 7 WCN-3988-0-82BWLPSP-TR-00-0 QUALCOMM 2023+ 12000pcs US$3.50/pcs 8 QET-6105-0-WLNSP24B-TR-00-1 QUALCOMM 2023+ 12000pcs US$1.20/pcs 9 QET4101-0-12WLNSP-TR-00-0 QUALCOMM 2022+ 12000pcs US$0.21/pcs These materials are sold as a set for $28/usd, and are guaranteed to be authentic. If you need other Qualcomm materials, please feel free to contact me Stay in tune with product evolutions—tap . Keep Receiving Notices Feel like taking a break? Select Configure Your Mailing.

1 month, 2 weeks

1
0
0 0

Elpat Loan Promotional Offer at 5% interest rate Apply now!!

by Elpat Finance Loan

Good Day, Elpat Financial Services is here to support the SME market across South Africa with fast, affordable funding— no credit checks required. We offer: 1. Business Loans – Up to R10 million, approved within 72 hours. 2. Personal Loans – Up to R5 million, approved within 48 hours. 3. Home, Farmers & Construction Loans – Up to R20 million, approved within 3–5 working days. As a trusted financial partner, we have already helped many businesses—whether you’re self-employed, a contractor, retailer, restaurant owner, engineer, cleaning service, child-care provider, or web designer. Your time is valuable, and our goal is to provide flexible finance that works with your cash flow needs. That’s why we cut out the red tape: no branches, no queues, no endless paperwork. Just quick, reliable access to the funding you need to grow. How to Apply: * Prepare the required documents * Please submit your application via email to [ mailto:applycashloan@elaptfinanceloan.co.za | applycashloan @ elaptfinanceloan.co.za ] . For a quicker response, you may also send it directly to [ mailto:helpdeskelephantloan@outlook.com | helpdeskelephantloan @ outlook.com ] TO APPLY KINDLY SEND 1. A clear copy of your valid ID 2. Pay Slip OR 3 Months Bank Statement 3. Cell No. / Office No................... 4. Whatsapp No (Optional).................. 5. Email............... 6. Loan Amount........................ ...... NOTE : (minimum loan amount R50,000.00 to R50,000,000.00 ) only. 7. Loan Repayment Duration............... 8. Loan Type.......................... .... 5% Repayment Schedule Table for Guide to Application Loan Amount Duration (Year) Repayment Period Loan Amount Duration (Year) Repayment Period Loan Amount Duration (Year) Repayment Period R 50,000 2 R2, 193.57 R 50,000 3 R1, 498.54 R 50,000 5 R 943.56 R 100,000 3 R2, 997.09 R 100,000 4 R2, 302.93 R 100,000 6 R1,610.49 R 150,000 3 R 4,495.63 R150,000 5 R2, 830.69 R150,000 7 R2,120.09 R 300,000 4 R 6,908.79 R 300,000 6 R 4,831.48 R 300,000 8 R3,797.98 R 400,000 5 R 7,548.49 R 400,000 7 R 5,653.56 R 400,000 9 R4,606.91 R 600,000 6 R9, 662.96 R 600,000 8 R 7,595.95 R 600,000 10 R6,363.93 R 800,000 7 R11,307.13 R 800,000 9 R 9,213.82 R 800,000 11 R7,891.59 R1,000,000 8 R12,659.92 R1,000,000 10 R10,606.55 R1,000,000 12 R9,248.90 Please Note: * Loan amounts range from R50,000.00 to R20,000,000.00 . Kindly indicate the amount you are applying for in your application. * Credit decision within 24–48 hours. * Funds available in your account within 24–48 hours of approval. * Fast and hassle-free process. * Free monthly statements sent directly to your email. * Customer Protection Insurance included for your peace of mind. * Immediate access to funds once transferred. For quick assistance, you can reach us via WhatsApp: +27 (0)63 348 1211 Or call us directly on +27 (0)635725001 for more information. Thanks for Choosing Direct Elpat Financial Services Elpat Financial Services Loan adviser Louw Anita (Mrs) [ mailto:applycashloan@elaptfinanceloan.co.za | applycashloan @ elaptfinanceloan.co.za ] Tel: +27 (0) 61015588 Elpat Financial Services - 43 Long street, cape town city centre cape town 800 south Africa, Cape Town. And Our Direct Connection to Financial Services. Registered Credit Provider. Elpat Financial Services SA (Pty) Ltd (Registration No 2015/085124/07 / NCRCP/119387 is an authorised Financial Services Provider. © Copyright 2025

1 month, 2 weeks

1
0
0 0

[PATCH v2] mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call()

by Akinobu Mita

The callback return value is ignored in damon_sysfs_damon_call(), which means that it is not possible to detect invalid user input when writing commands such as 'commit' to /sys/kernel/mm/damon/admin/kdamonds/<K>/state. Fix it. Signed-off-by: Akinobu Mita <akinobu.mita(a)gmail.com> Fixes: f64539dcdb87 ("mm/damon/sysfs: use damon_call() for update_schemes_stats") Cc: <stable(a)vger.kernel.org> # v6.14.x Reviewed-by: SeongJae Park <sj(a)kernel.org> --- mm/damon/sysfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mm/damon/sysfs.c b/mm/damon/sysfs.c index fe4e73d0ebbb..3ffe3a77b5db 100644 --- a/mm/damon/sysfs.c +++ b/mm/damon/sysfs.c @@ -1627,12 +1627,14 @@ static int damon_sysfs_damon_call(int (*fn)(void *data), struct damon_sysfs_kdamond *kdamond) { struct damon_call_control call_control = {}; + int err; if (!kdamond->damon_ctx) return -EINVAL; call_control.fn = fn; call_control.data = kdamond; - return damon_call(kdamond->damon_ctx, &call_control); + err = damon_call(kdamond->damon_ctx, &call_control); + return err ? err : call_control.return_code; } struct damon_sysfs_schemes_walk_data { -- 2.43.0

1 month, 2 weeks

1
0
0 0

[PATCH v2] crypto: aspeed - Fix dma_unmap_sg() direction

by Thomas Fourier

It seems like everywhere in this file, when the request is not bidirectionala, req->src is mapped with DMA_TO_DEVICE and req->dst is mapped with DMA_FROM_DEVICE. Fixes: 62f58b1637b7 ("crypto: aspeed - add HACE crypto driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> --- v1->v2: - fix confusion between dst and src in commit message drivers/crypto/aspeed/aspeed-hace-crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/aspeed/aspeed-hace-crypto.c b/drivers/crypto/aspeed/aspeed-hace-crypto.c index a72dfebc53ff..fa201dae1f81 100644 --- a/drivers/crypto/aspeed/aspeed-hace-crypto.c +++ b/drivers/crypto/aspeed/aspeed-hace-crypto.c @@ -346,7 +346,7 @@ static int aspeed_sk_start_sg(struct aspeed_hace_dev *hace_dev) } else { dma_unmap_sg(hace_dev->dev, req->dst, rctx->dst_nents, - DMA_TO_DEVICE); + DMA_FROM_DEVICE); dma_unmap_sg(hace_dev->dev, req->src, rctx->src_nents, DMA_TO_DEVICE); } -- 2.43.0

1 month, 2 weeks

2
1
0 0

Website Development, Mobile Apps & more.

by Bard India

Greetings!! We are a 24+ yr old high tech Web Development firm with presence of over 18+ yrs in Mauritius; partners of RV Tec hAdvisora Ltd and headquartered in India We have catered to over 7000 customers. You may visit https://www.mirackle.com for more information about our company. We create designs that help businesses and individuals attract and engage readers. We work with all the latest technologies. We are Authorized Google Workspace Reseller Partner for Asia Pacific region including Mauritius. Our Services: Domain Registrations, Web hosting, Google Workspace, Mobile Responsive Website Designing, Wordpress Websites, Mobile Apps, Web Apps, E-commerce websites, Google Ads, SEO, Catalogue design & affiliated services We create beautiful designs. Our brief website portfolio: http://www.mirackle.com/portfolio.html Note: We are also looking for tie-ups with IT/Web design cos. who would want to outsource work for high end Websites/Mobile APP requirements etc. We have a team of highly skilled php coders who can cater to any complex requirement. Get in touch with to get the best prices & offers India Whatsapp: +91 9323272846 / 9323551195; Mauritius WharsApp: +230 5758 5497; Email: business(a)mirackle.com ; Web: http://www.mirackle.com Regards, Nishith Patel

1 month, 2 weeks

1
0
0 0

[PATCH 0/2] Fix riscv sparse warnings

by Alexandre Ghiti

This series simply fixes 2 recently introduced sparse warnings. Signed-off-by: Alexandre Ghiti <alexghiti(a)rivosinc.com> --- Alexandre Ghiti (2): riscv: Fix sparse warning in __get_user_error() riscv: Fix sparse warning about different address spaces arch/riscv/include/asm/uaccess.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- base-commit: ae9a687664d965b13eeab276111b2f97dd02e090 change-id: 20250903-dev-alex-sparse_warnings_v1-ecb4a333afdd Best regards, -- Alexandre Ghiti <alexghiti(a)rivosinc.com>

1 month, 2 weeks

5
11
0 0

[PATCH 5.15.y] mptcp: set remote_deny_join_id0 on SYN recv

by Matthieu Baerts (NGI0)

commit 96939cec994070aa5df852c10fad5fc303a97ea3 upstream. When a SYN containing the 'C' flag (deny join id0) was received, this piece of information was not propagated to the path-manager. Even if this flag is mainly set on the server side, a client can also tell the server it cannot try to establish new subflows to the client's initial IP address and port. The server's PM should then record such info when received, and before sending events about the new connection. Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received") Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-1-40… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Conflicts in subflow.c, because of differences in the context, e.g. introduced by commit 3a236aef280e ("mptcp: refactor passive socket initialization"), which is not in this version. The same lines -- using 'mptcp_sk(new_msk)' instead of 'owner' -- can still be added approximately at the same place, before calling mptcp_pm_new_connection(). ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/subflow.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 6bc36132d490..f67d8c98d58a 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -758,6 +758,9 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, */ WRITE_ONCE(mptcp_sk(new_msk)->first, child); + if (mp_opt.deny_join_id0) + WRITE_ONCE(mptcp_sk(new_msk)->pm.remote_deny_join_id0, true); + /* new mpc subflow takes ownership of the newly * created mptcp socket */ -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCH] drm/xe/uapi: loosen used tracking restriction

by Matthew Auld

Currently this is hidden behind perfmon_capable() since this is technically an info leak, given that this is a system wide metric. However the granularity reported here is always PAGE_SIZE aligned, which matches what the core kernel is already willing to expose to userspace if querying how many free RAM pages there are on the system, and that doesn't need any special privileges. In addition other drm drivers seem happy to expose this. The motivation here if with oneAPI where they want to use the system wide 'used' reporting here, so not the per-client fdinfo stats. This has also come up with some perf overlay applications wanting this information. Fixes: 1105ac15d2a1 ("drm/xe/uapi: restrict system wide accounting") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Cc: Joshua Santosh <joshua.santosh.ranjan(a)intel.com> Cc: José Roberto de Souza <jose.souza(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_query.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_query.c b/drivers/gpu/drm/xe/xe_query.c index e1b603aba61b..2e9ff33ed2fe 100644 --- a/drivers/gpu/drm/xe/xe_query.c +++ b/drivers/gpu/drm/xe/xe_query.c @@ -276,8 +276,7 @@ static int query_mem_regions(struct xe_device *xe, mem_regions->mem_regions[0].instance = 0; mem_regions->mem_regions[0].min_page_size = PAGE_SIZE; mem_regions->mem_regions[0].total_size = man->size << PAGE_SHIFT; - if (perfmon_capable()) - mem_regions->mem_regions[0].used = ttm_resource_manager_usage(man); + mem_regions->mem_regions[0].used = ttm_resource_manager_usage(man); mem_regions->num_mem_regions = 1; for (i = XE_PL_VRAM0; i <= XE_PL_VRAM1; ++i) { @@ -293,13 +292,11 @@ static int query_mem_regions(struct xe_device *xe, mem_regions->mem_regions[mem_regions->num_mem_regions].total_size = man->size; - if (perfmon_capable()) { - xe_ttm_vram_get_used(man, - &mem_regions->mem_regions - [mem_regions->num_mem_regions].used, - &mem_regions->mem_regions - [mem_regions->num_mem_regions].cpu_visible_used); - } + xe_ttm_vram_get_used(man, + &mem_regions->mem_regions + [mem_regions->num_mem_regions].used, + &mem_regions->mem_regions + [mem_regions->num_mem_regions].cpu_visible_used); mem_regions->mem_regions[mem_regions->num_mem_regions].cpu_visible_size = xe_ttm_vram_get_cpu_visible_size(man); -- 2.51.0

1 month, 2 weeks

3
2
0 0

[PATCH 6.1.y 0/2] mptcp: fix recent failed backports (20250919)

by Matthieu Baerts (NGI0)

The following patches could not be applied without conflicts in this tree: - 2293c57484ae ("mptcp: pm: nl: announce deny-join-id0 flag") - 24733e193a0d ("selftests: mptcp: userspace pm: validate deny-join-id0 flag") Conflicts have been resolved, and documented in each patch. Matthieu Baerts (NGI0) (2): mptcp: pm: nl: announce deny-join-id0 flag selftests: mptcp: userspace pm: validate deny-join-id0 flag include/uapi/linux/mptcp.h | 6 ++++-- net/mptcp/pm_netlink.c | 7 +++++++ tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 +++++++ tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 ++++++++++++-- 4 files changed, 30 insertions(+), 4 deletions(-) -- 2.51.0

1 month, 2 weeks

1
2
0 0

[PATCH 6.12.y] mptcp: pm: nl: announce deny-join-id0 flag

by Matthieu Baerts (NGI0)

commit 2293c57484ae64c9a3c847c8807db8c26a3a4d41 upstream. During the connection establishment, a peer can tell the other one that it cannot establish new subflows to the initial IP address and port by setting the 'C' flag [1]. Doing so makes sense when the sender is behind a strict NAT, operating behind a legacy Layer 4 load balancer, or using anycast IP address for example. When this 'C' flag is set, the path-managers must then not try to establish new subflows to the other peer's initial IP address and port. The in-kernel PM has access to this info, but the userspace PM didn't. The RFC8684 [1] is strict about that: (...) therefore the receiver MUST NOT try to open any additional subflows toward this address and port. So it is important to tell the userspace about that as it is responsible for the respect of this flag. When a new connection is created and established, the Netlink events now contain the existing but not currently used 'flags' attribute. When MPTCP_PM_EV_FLAG_DENY_JOIN_ID0 is set, it means no other subflows to the initial IP address and port -- info that are also part of the event -- can be established. Link: https://datatracker.ietf.org/doc/html/rfc8684#section-3.1-20.6 [1] Fixes: 702c2f646d42 ("mptcp: netlink: allow userspace-driven subflow establishment") Reported-by: Marek Majkowski <marek(a)cloudflare.com> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/532 Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-2-40… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Conflicts in mptcp_pm.yaml, because the indentation has been modified in commit ec362192aa9e ("netlink: specs: fix up indentation errors"), which is not in this version. Applying the same modifications, but at a different level. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Documentation/netlink/specs/mptcp_pm.yaml | 4 ++-- include/uapi/linux/mptcp.h | 2 ++ include/uapi/linux/mptcp_pm.h | 4 ++-- net/mptcp/pm_netlink.c | 7 +++++++ 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/Documentation/netlink/specs/mptcp_pm.yaml b/Documentation/netlink/specs/mptcp_pm.yaml index 7e295bad8b29..a670a9bbe01b 100644 --- a/Documentation/netlink/specs/mptcp_pm.yaml +++ b/Documentation/netlink/specs/mptcp_pm.yaml @@ -28,13 +28,13 @@ definitions: traffic-patterns it can take a long time until the MPTCP_EVENT_ESTABLISHED is sent. Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, sport, - dport, server-side. + dport, server-side, [flags]. - name: established doc: >- A MPTCP connection is established (can start new subflows). Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, sport, - dport, server-side. + dport, server-side, [flags]. - name: closed doc: >- diff --git a/include/uapi/linux/mptcp.h b/include/uapi/linux/mptcp.h index 67d015df8893..5fd5b4cf75ca 100644 --- a/include/uapi/linux/mptcp.h +++ b/include/uapi/linux/mptcp.h @@ -31,6 +31,8 @@ #define MPTCP_INFO_FLAG_FALLBACK _BITUL(0) #define MPTCP_INFO_FLAG_REMOTE_KEY_RECEIVED _BITUL(1) +#define MPTCP_PM_EV_FLAG_DENY_JOIN_ID0 _BITUL(0) + #define MPTCP_PM_ADDR_FLAG_SIGNAL (1 << 0) #define MPTCP_PM_ADDR_FLAG_SUBFLOW (1 << 1) #define MPTCP_PM_ADDR_FLAG_BACKUP (1 << 2) diff --git a/include/uapi/linux/mptcp_pm.h b/include/uapi/linux/mptcp_pm.h index 6ac84b2f636c..7359d34da446 100644 --- a/include/uapi/linux/mptcp_pm.h +++ b/include/uapi/linux/mptcp_pm.h @@ -16,10 +16,10 @@ * good time to allocate memory and send ADD_ADDR if needed. Depending on the * traffic-patterns it can take a long time until the MPTCP_EVENT_ESTABLISHED * is sent. Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, - * sport, dport, server-side. + * sport, dport, server-side, [flags]. * @MPTCP_EVENT_ESTABLISHED: A MPTCP connection is established (can start new * subflows). Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, - * sport, dport, server-side. + * sport, dport, server-side, [flags]. * @MPTCP_EVENT_CLOSED: A MPTCP connection has stopped. Attribute: token. * @MPTCP_EVENT_ANNOUNCED: A new address has been announced by the peer. * Attributes: token, rem_id, family, daddr4 | daddr6 [, dport]. diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index b763729b85e0..463c2e7956d5 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -2211,6 +2211,7 @@ static int mptcp_event_created(struct sk_buff *skb, const struct sock *ssk) { int err = nla_put_u32(skb, MPTCP_ATTR_TOKEN, READ_ONCE(msk->token)); + u16 flags = 0; if (err) return err; @@ -2218,6 +2219,12 @@ static int mptcp_event_created(struct sk_buff *skb, if (nla_put_u8(skb, MPTCP_ATTR_SERVER_SIDE, READ_ONCE(msk->pm.server_side))) return -EMSGSIZE; + if (READ_ONCE(msk->pm.remote_deny_join_id0)) + flags |= MPTCP_PM_EV_FLAG_DENY_JOIN_ID0; + + if (flags && nla_put_u16(skb, MPTCP_ATTR_FLAGS, flags)) + return -EMSGSIZE; + return mptcp_event_add_subflow(skb, ssk); } -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCH 6.16.y] mptcp: pm: nl: announce deny-join-id0 flag

by Matthieu Baerts (NGI0)

commit 2293c57484ae64c9a3c847c8807db8c26a3a4d41 upstream. During the connection establishment, a peer can tell the other one that it cannot establish new subflows to the initial IP address and port by setting the 'C' flag [1]. Doing so makes sense when the sender is behind a strict NAT, operating behind a legacy Layer 4 load balancer, or using anycast IP address for example. When this 'C' flag is set, the path-managers must then not try to establish new subflows to the other peer's initial IP address and port. The in-kernel PM has access to this info, but the userspace PM didn't. The RFC8684 [1] is strict about that: (...) therefore the receiver MUST NOT try to open any additional subflows toward this address and port. So it is important to tell the userspace about that as it is responsible for the respect of this flag. When a new connection is created and established, the Netlink events now contain the existing but not currently used 'flags' attribute. When MPTCP_PM_EV_FLAG_DENY_JOIN_ID0 is set, it means no other subflows to the initial IP address and port -- info that are also part of the event -- can be established. Link: https://datatracker.ietf.org/doc/html/rfc8684#section-3.1-20.6 [1] Fixes: 702c2f646d42 ("mptcp: netlink: allow userspace-driven subflow establishment") Reported-by: Marek Majkowski <marek(a)cloudflare.com> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/532 Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-2-40… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Conflicts in mptcp_pm.yaml, because the indentation has been modified in commit ec362192aa9e ("netlink: specs: fix up indentation errors"), which is not in this version. Applying the same modifications, but at a different level. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Documentation/netlink/specs/mptcp_pm.yaml | 4 ++-- include/uapi/linux/mptcp.h | 2 ++ include/uapi/linux/mptcp_pm.h | 4 ++-- net/mptcp/pm_netlink.c | 7 +++++++ 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/Documentation/netlink/specs/mptcp_pm.yaml b/Documentation/netlink/specs/mptcp_pm.yaml index ecfe5ee33de2..c77f32cfcae9 100644 --- a/Documentation/netlink/specs/mptcp_pm.yaml +++ b/Documentation/netlink/specs/mptcp_pm.yaml @@ -28,13 +28,13 @@ definitions: traffic-patterns it can take a long time until the MPTCP_EVENT_ESTABLISHED is sent. Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, sport, - dport, server-side. + dport, server-side, [flags]. - name: established doc: >- A MPTCP connection is established (can start new subflows). Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, sport, - dport, server-side. + dport, server-side, [flags]. - name: closed doc: >- diff --git a/include/uapi/linux/mptcp.h b/include/uapi/linux/mptcp.h index 67d015df8893..5fd5b4cf75ca 100644 --- a/include/uapi/linux/mptcp.h +++ b/include/uapi/linux/mptcp.h @@ -31,6 +31,8 @@ #define MPTCP_INFO_FLAG_FALLBACK _BITUL(0) #define MPTCP_INFO_FLAG_REMOTE_KEY_RECEIVED _BITUL(1) +#define MPTCP_PM_EV_FLAG_DENY_JOIN_ID0 _BITUL(0) + #define MPTCP_PM_ADDR_FLAG_SIGNAL (1 << 0) #define MPTCP_PM_ADDR_FLAG_SUBFLOW (1 << 1) #define MPTCP_PM_ADDR_FLAG_BACKUP (1 << 2) diff --git a/include/uapi/linux/mptcp_pm.h b/include/uapi/linux/mptcp_pm.h index 6ac84b2f636c..7359d34da446 100644 --- a/include/uapi/linux/mptcp_pm.h +++ b/include/uapi/linux/mptcp_pm.h @@ -16,10 +16,10 @@ * good time to allocate memory and send ADD_ADDR if needed. Depending on the * traffic-patterns it can take a long time until the MPTCP_EVENT_ESTABLISHED * is sent. Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, - * sport, dport, server-side. + * sport, dport, server-side, [flags]. * @MPTCP_EVENT_ESTABLISHED: A MPTCP connection is established (can start new * subflows). Attributes: token, family, saddr4 | saddr6, daddr4 | daddr6, - * sport, dport, server-side. + * sport, dport, server-side, [flags]. * @MPTCP_EVENT_CLOSED: A MPTCP connection has stopped. Attribute: token. * @MPTCP_EVENT_ANNOUNCED: A new address has been announced by the peer. * Attributes: token, rem_id, family, daddr4 | daddr6 [, dport]. diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 50aaf259959a..ce7d42d3bd00 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -408,6 +408,7 @@ static int mptcp_event_created(struct sk_buff *skb, const struct sock *ssk) { int err = nla_put_u32(skb, MPTCP_ATTR_TOKEN, READ_ONCE(msk->token)); + u16 flags = 0; if (err) return err; @@ -415,6 +416,12 @@ static int mptcp_event_created(struct sk_buff *skb, if (nla_put_u8(skb, MPTCP_ATTR_SERVER_SIDE, READ_ONCE(msk->pm.server_side))) return -EMSGSIZE; + if (READ_ONCE(msk->pm.remote_deny_join_id0)) + flags |= MPTCP_PM_EV_FLAG_DENY_JOIN_ID0; + + if (flags && nla_put_u16(skb, MPTCP_ATTR_FLAGS, flags)) + return -EMSGSIZE; + return mptcp_event_add_subflow(skb, ssk); } -- 2.51.0

1 month, 2 weeks

1
0
0 0

stable: queue/* branches no longer updated

by Matthieu Baerts

Hi Sasha, Thank you for maintaining the stable versions with Greg! If I remember well, you run some scripts on your side to maintain the queue/* branches in the linux-stable-rc Git tree [1], is that correct? These branches have not been updated for a bit more than 3 weeks. Is it normal? Personally, I find them useful. But if it is just me, I can work without them. [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/… Cheers, Matt -- Sponsored by the NGI0 Core fund.

1 month, 2 weeks

2
3
0 0

+ kmsan-fix-out-of-bounds-access-to-shadow-memory.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kmsan: Fix out-of-bounds access to shadow memory has been added to the -mm mm-hotfixes-unstable branch. Its filename is kmsan-fix-out-of-bounds-access-to-shadow-memory.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Eric Biggers <ebiggers(a)kernel.org> Subject: kmsan: Fix out-of-bounds access to shadow memory Date: Thu, 11 Sep 2025 12:58:58 -0700 Running sha224_kunit on a KMSAN-enabled kernel results in a crash in kmsan_internal_set_shadow_origin(): BUG: unable to handle page fault for address: ffffbc3840291000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0 Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary) Tainted: [N]=TEST Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100 [...] Call Trace: <TASK> __msan_memset+0xee/0x1a0 sha224_final+0x9e/0x350 test_hash_buffer_overruns+0x46f/0x5f0 ? kmsan_get_shadow_origin_ptr+0x46/0xa0 ? __pfx_test_hash_buffer_overruns+0x10/0x10 kunit_try_run_case+0x198/0xa00 This occurs when memset() is called on a buffer that is not 4-byte aligned and extends to the end of a guard page, i.e. the next page is unmapped. The bug is that the loop at the end of kmsan_internal_set_shadow_origin() accesses the wrong shadow memory bytes when the address is not 4-byte aligned. Since each 4 bytes are associated with an origin, it rounds the address and size so that it can access all the origins that contain the buffer. However, when it checks the corresponding shadow bytes for a particular origin, it incorrectly uses the original unrounded shadow address. This results in reads from shadow memory beyond the end of the buffer's shadow memory, which crashes when that memory is not mapped. To fix this, correctly align the shadow address before accessing the 4 shadow bytes corresponding to each origin. Link: https://lkml.kernel.org/r/20250911195858.394235-1-ebiggers@kernel.org Fixes: 2ef3cec44c60 ("kmsan: do not wipe out origin when doing partial unpoisoning") Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> Tested-by: Alexander Potapenko <glider(a)google.com> Reviewed-by: Alexander Potapenko <glider(a)google.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kmsan/core.c | 10 +++++++--- mm/kmsan/kmsan_test.c | 16 ++++++++++++++++ 2 files changed, 23 insertions(+), 3 deletions(-) --- a/mm/kmsan/core.c~kmsan-fix-out-of-bounds-access-to-shadow-memory +++ a/mm/kmsan/core.c @@ -195,7 +195,8 @@ void kmsan_internal_set_shadow_origin(vo u32 origin, bool checked) { u64 address = (u64)addr; - u32 *shadow_start, *origin_start; + void *shadow_start; + u32 *aligned_shadow, *origin_start; size_t pad = 0; KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size)); @@ -214,9 +215,12 @@ void kmsan_internal_set_shadow_origin(vo } __memset(shadow_start, b, size); - if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { + if (IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { + aligned_shadow = shadow_start; + } else { pad = address % KMSAN_ORIGIN_SIZE; address -= pad; + aligned_shadow = shadow_start - pad; size += pad; } size = ALIGN(size, KMSAN_ORIGIN_SIZE); @@ -230,7 +234,7 @@ void kmsan_internal_set_shadow_origin(vo * corresponding shadow slot is zero. */ for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) { - if (origin || !shadow_start[i]) + if (origin || !aligned_shadow[i]) origin_start[i] = origin; } } --- a/mm/kmsan/kmsan_test.c~kmsan-fix-out-of-bounds-access-to-shadow-memory +++ a/mm/kmsan/kmsan_test.c @@ -556,6 +556,21 @@ DEFINE_TEST_MEMSETXX(16) DEFINE_TEST_MEMSETXX(32) DEFINE_TEST_MEMSETXX(64) +/* Test case: ensure that KMSAN does not access shadow memory out of bounds. */ +static void test_memset_on_guarded_buffer(struct kunit *test) +{ + void *buf = vmalloc(PAGE_SIZE); + + kunit_info(test, + "memset() on ends of guarded buffer should not crash\n"); + + for (size_t size = 0; size <= 128; size++) { + memset(buf, 0xff, size); + memset(buf + PAGE_SIZE - size, 0xff, size); + } + vfree(buf); +} + static noinline void fibonacci(int *array, int size, int start) { if (start < 2 || (start == size)) @@ -677,6 +692,7 @@ static struct kunit_case kmsan_test_case KUNIT_CASE(test_memset16), KUNIT_CASE(test_memset32), KUNIT_CASE(test_memset64), + KUNIT_CASE(test_memset_on_guarded_buffer), KUNIT_CASE(test_long_origin_chain), KUNIT_CASE(test_stackdepot_roundtrip), KUNIT_CASE(test_unpoison_memory), _ Patches currently in -mm which might be from ebiggers(a)kernel.org are kmsan-fix-out-of-bounds-access-to-shadow-memory.patch

1 month, 2 weeks

1
0
0 0

+ squashfs-fix-uninit-value-in-squashfs_get_parent.patch added to mm-nonmm-unstable branch

by Andrew Morton

The patch titled Subject: Squashfs: fix uninit-value in squashfs_get_parent has been added to the -mm mm-nonmm-unstable branch. Its filename is squashfs-fix-uninit-value-in-squashfs_get_parent.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-nonmm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Phillip Lougher <phillip(a)squashfs.org.uk> Subject: Squashfs: fix uninit-value in squashfs_get_parent Date: Fri, 19 Sep 2025 00:33:08 +0100 Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug. This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number. In particular the inode number is that of a symbolic link, rather than a directory. Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field. unsigned int parent_ino = squashfs_i(inode)->parent; Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access. The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned. Regular inodes used to share the parent field with the block_list_start field. This is removed in this commit to enable the parent field to contain the invalid inode number 0. Link: https://lkml.kernel.org/r/20250918233308.293861-1-phillip@squashfs.org.uk Fixes: 122601408d20 ("Squashfs: export operations") Signed-off-by: Phillip Lougher <phillip(a)squashfs.org.uk> Reported-by: syzbot+157bdef5cf596ad0da2c(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68cc2431.050a0220.139b6.0001.GAE@google.com/ Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/squashfs/inode.c | 7 +++++++ fs/squashfs/squashfs_fs_i.h | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) --- a/fs/squashfs/inode.c~squashfs-fix-uninit-value-in-squashfs_get_parent +++ a/fs/squashfs/inode.c @@ -169,6 +169,7 @@ int squashfs_read_inode(struct inode *in squashfs_i(inode)->start = le32_to_cpu(sqsh_ino->start_block); squashfs_i(inode)->block_list_start = block; squashfs_i(inode)->offset = offset; + squashfs_i(inode)->parent = 0; inode->i_data.a_ops = &squashfs_aops; TRACE("File inode %x:%x, start_block %llx, block_list_start " @@ -216,6 +217,7 @@ int squashfs_read_inode(struct inode *in squashfs_i(inode)->start = le64_to_cpu(sqsh_ino->start_block); squashfs_i(inode)->block_list_start = block; squashfs_i(inode)->offset = offset; + squashfs_i(inode)->parent = 0; inode->i_data.a_ops = &squashfs_aops; TRACE("File inode %x:%x, start_block %llx, block_list_start " @@ -296,6 +298,7 @@ int squashfs_read_inode(struct inode *in inode->i_mode |= S_IFLNK; squashfs_i(inode)->start = block; squashfs_i(inode)->offset = offset; + squashfs_i(inode)->parent = 0; if (type == SQUASHFS_LSYMLINK_TYPE) { __le32 xattr; @@ -333,6 +336,7 @@ int squashfs_read_inode(struct inode *in set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); rdev = le32_to_cpu(sqsh_ino->rdev); init_special_inode(inode, inode->i_mode, new_decode_dev(rdev)); + squashfs_i(inode)->parent = 0; TRACE("Device inode %x:%x, rdev %x\n", SQUASHFS_INODE_BLK(ino), offset, rdev); @@ -357,6 +361,7 @@ int squashfs_read_inode(struct inode *in set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); rdev = le32_to_cpu(sqsh_ino->rdev); init_special_inode(inode, inode->i_mode, new_decode_dev(rdev)); + squashfs_i(inode)->parent = 0; TRACE("Device inode %x:%x, rdev %x\n", SQUASHFS_INODE_BLK(ino), offset, rdev); @@ -377,6 +382,7 @@ int squashfs_read_inode(struct inode *in inode->i_mode |= S_IFSOCK; set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); init_special_inode(inode, inode->i_mode, 0); + squashfs_i(inode)->parent = 0; break; } case SQUASHFS_LFIFO_TYPE: @@ -396,6 +402,7 @@ int squashfs_read_inode(struct inode *in inode->i_op = &squashfs_inode_ops; set_nlink(inode, le32_to_cpu(sqsh_ino->nlink)); init_special_inode(inode, inode->i_mode, 0); + squashfs_i(inode)->parent = 0; break; } default: --- a/fs/squashfs/squashfs_fs_i.h~squashfs-fix-uninit-value-in-squashfs_get_parent +++ a/fs/squashfs/squashfs_fs_i.h @@ -16,6 +16,7 @@ struct squashfs_inode_info { u64 xattr; unsigned int xattr_size; int xattr_count; + int parent; union { struct { u64 fragment_block; @@ -27,7 +28,6 @@ struct squashfs_inode_info { u64 dir_idx_start; int dir_idx_offset; int dir_idx_cnt; - int parent; }; }; struct inode vfs_inode; _ Patches currently in -mm which might be from phillip(a)squashfs.org.uk are squashfs-fix-uninit-value-in-squashfs_get_parent.patch

1 month, 2 weeks

1
0
0 0

+ fs-proc-task_mmu-check-cur_buf-for-null.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: fs/proc/task_mmu: check cur_buf for NULL has been added to the -mm mm-hotfixes-unstable branch. Its filename is fs-proc-task_mmu-check-cur_buf-for-null.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jakub Acs <acsjakub(a)amazon.de> Subject: fs/proc/task_mmu: check cur_buf for NULL Date: Fri, 19 Sep 2025 14:21:04 +0000 When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches pagemap_scan_backout_range(), kernel panics with null-ptr-deref: [ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) [ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 <snip registers, unreliable trace> [ 44.946828] Call Trace: [ 44.947030] <TASK> [ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 [ 44.952593] walk_pmd_range.isra.0+0x302/0x910 [ 44.954069] walk_pud_range.isra.0+0x419/0x790 [ 44.954427] walk_p4d_range+0x41e/0x620 [ 44.954743] walk_pgd_range+0x31e/0x630 [ 44.955057] __walk_page_range+0x160/0x670 [ 44.956883] walk_page_range_mm+0x408/0x980 [ 44.958677] walk_page_range+0x66/0x90 [ 44.958984] do_pagemap_scan+0x28d/0x9c0 [ 44.961833] do_pagemap_cmd+0x59/0x80 [ 44.962484] __x64_sys_ioctl+0x18d/0x210 [ 44.962804] do_syscall_64+0x5b/0x290 [ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are allocated and p->vec_buf remains set to NULL. This breaks an assumption made later in pagemap_scan_backout_range(), that page_region is always allocated for p->vec_buf_index. Fix it by explicitly checking cur_buf for NULL before dereferencing. Other sites that might run into same deref-issue are already (directly or transitively) protected by checking p->vec_buf. Note: From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output is requested and it's only the side effects caller is interested in, hence it passes check in pagemap_scan_get_args(). This issue was found by syzkaller. Link: https://lkml.kernel.org/r/20250919142106.43527-1-acsjakub@amazon.de Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: David Hildenbrand <david(a)redhat.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Jinjiang Tu <tujinjiang(a)huawei.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Penglei Jiang <superman.xpt(a)gmail.com> Cc: Mark Brown <broonie(a)kernel.org> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Andrei Vagin <avagin(a)gmail.com> Cc: "Micha�� Miros��aw" <mirq-linux(a)rere.qmqm.pl> Cc: Stephen Rothwell <sfr(a)canb.auug.org.au> Cc: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/proc/task_mmu.c~fs-proc-task_mmu-check-cur_buf-for-null +++ a/fs/proc/task_mmu.c @@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(s { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!cur_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else _ Patches currently in -mm which might be from acsjakub(a)amazon.de are fs-proc-task_mmu-check-cur_buf-for-null.patch

1 month, 2 weeks

1
0
0 0

[PATCH 6.12.y 0/3] Fix a backport of VMSCAPE enumeration fix

by Harshit Mogalapalli

Bug-report: https://lore.kernel.org/all/915c0e00-b92d-4e37-9d4b-0f6a4580da97@oracle.com/ Summary: While backporting commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug") to 6.12.y --> VULNBL_AMD(0x1a, SRSO | VMSCAPE) was added even when 6.12.y doesn't have commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support"). Boris Ostrovsky suggested backporting three commits to 6.12.y: 1. commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") 2. commit: 8442df2b49ed ("x86/bugs: KVM: Add support for SRSO_MSR_FIX") and its fix 3. commit: e3417ab75ab2 ("KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions") -- Maybe optional Which changes current mitigation status on turin for 6.12.48 from Safe RET to Reduced Speculation, leaving it with Safe RET liely causes heavy performance regressions. This three patches together change mitigation status from Safe RET to Reduced Speculation Tested on Turin: [ 3.188134] Speculative Return Stack Overflow: Mitigation: Reduced Speculation Backports: 1. Patch 1 had minor conflict as VMSCAPE commit added VULNBL_AMD(0x1a, SRSO | VMSCAPE), and resolution is to skip that line. 2. Patch 2 and 3 are clean cherry-picks, 3 is a fix for 2. Note: I verified if this problem is also on other stable trees like (6.6 --> 5.10, no they don't have this backport problem) Thanks, Harshit Borislav Petkov (1): x86/bugs: KVM: Add support for SRSO_MSR_FIX Borislav Petkov (AMD) (1): x86/bugs: Add SRSO_USER_KERNEL_NO support Sean Christopherson (1): KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions Documentation/admin-guide/hw-vuln/srso.rst | 13 +++++ arch/x86/include/asm/cpufeatures.h | 5 ++ arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/bugs.c | 28 ++++++++-- arch/x86/kvm/svm/svm.c | 65 ++++++++++++++++++++++ arch/x86/kvm/svm/svm.h | 2 + arch/x86/lib/msr.c | 2 + 7 files changed, 112 insertions(+), 4 deletions(-) -- 2.50.1

1 month, 2 weeks

2
4
0 0

[tip: x86/cpu] x86/umip: Check that the instruction opcode is at least two bytes

by tip-bot2 for Sean Christopherson

The following commit has been merged into the x86/cpu branch of tip: Commit-ID: 32278c677947ae2f042c9535674a7fff9a245dd3 Gitweb: https://git.kernel.org/tip/32278c677947ae2f042c9535674a7fff9a245dd3 Author: Sean Christopherson <seanjc(a)google.com> AuthorDate: Fri, 08 Aug 2025 10:23:56 -07:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Fri, 19 Sep 2025 20:21:12 +02:00 x86/umip: Check that the instruction opcode is at least two bytes When checking for a potential UMIP violation on #GP, verify the decoder found at least two opcode bytes to avoid false positives when the kernel encounters an unknown instruction that starts with 0f. Because the array of opcode.bytes is zero-initialized by insn_init(), peeking at bytes[1] will misinterpret garbage as a potential SLDT or STR instruction, and can incorrectly trigger emulation. E.g. if a VPALIGNR instruction 62 83 c5 05 0f 08 ff vpalignr xmm17{k5},xmm23,XMMWORD PTR [r8],0xff hits a #GP, the kernel emulates it as STR and squashes the #GP (and corrupts the userspace code stream). Arguably the check should look for exactly two bytes, but no three byte opcodes use '0f 00 xx' or '0f 01 xx' as an escape, i.e. it should be impossible to get a false positive if the first two opcode bytes match '0f 00' or '0f 01'. Go with a more conservative check with respect to the existing code to minimize the chances of breaking userspace, e.g. due to decoder weirdness. Analyzed by Nick Bray <ncbray(a)google.com>. Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions") Reported-by: Dan Snyder <dansnyder(a)google.com> Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/umip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c index 5a4b213..406ac01 100644 --- a/arch/x86/kernel/umip.c +++ b/arch/x86/kernel/umip.c @@ -156,8 +156,8 @@ static int identify_insn(struct insn *insn) if (!insn->modrm.nbytes) return -EINVAL; - /* All the instructions of interest start with 0x0f. */ - if (insn->opcode.bytes[0] != 0xf) + /* The instructions of interest have 2-byte opcodes: 0F 00 or 0F 01. */ + if (insn->opcode.nbytes < 2 || insn->opcode.bytes[0] != 0xf) return -EINVAL; if (insn->opcode.bytes[1] == 0x1) {

1 month, 2 weeks

1
0
0 0

[tip: x86/cpu] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)

by tip-bot2 for Sean Christopherson

The following commit has been merged into the x86/cpu branch of tip: Commit-ID: 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Gitweb: https://git.kernel.org/tip/27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Author: Sean Christopherson <seanjc(a)google.com> AuthorDate: Fri, 08 Aug 2025 10:23:57 -07:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Fri, 19 Sep 2025 21:34:48 +02:00 x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) Filter out the register forms of 0F 01 when determining whether or not to emulate in response to a potential UMIP violation #GP, as SGDT and SIDT only accept memory operands. The register variants of 0F 01 are used to encode instructions for things like VMX and SGX, i.e. not checking the Mod field would cause the kernel to incorrectly emulate on #GP, e.g. due to a CPL violation on VMLAUNCH. Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions") Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/umip.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c index 406ac01..d432f38 100644 --- a/arch/x86/kernel/umip.c +++ b/arch/x86/kernel/umip.c @@ -163,8 +163,19 @@ static int identify_insn(struct insn *insn) if (insn->opcode.bytes[1] == 0x1) { switch (X86_MODRM_REG(insn->modrm.value)) { case 0: + /* The reg form of 0F 01 /0 encodes VMX instructions. */ + if (X86_MODRM_MOD(insn->modrm.value) == 3) + return -EINVAL; + return UMIP_INST_SGDT; case 1: + /* + * The reg form of 0F 01 /1 encodes MONITOR/MWAIT, + * STAC/CLAC, and ENCLS. + */ + if (X86_MODRM_MOD(insn->modrm.value) == 3) + return -EINVAL; + return UMIP_INST_SIDT; case 4: return UMIP_INST_SMSW;

1 month, 2 weeks

1
0
0 0

[PATCH net] net/core : fix KMSAN: uninit value in tipc_rcv

by hariconscious＠gmail.com

From: HariKrishna Sagala <hariconscious(a)gmail.com> Syzbot reported an uninit-value bug on at kmalloc_reserve for commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")' Syzbot KMSAN reported use of uninitialized memory originating from functions "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or "kmalloc_node_track_caller()" was not explicitly initialized. This can lead to undefined behavior when the allocated buffer is later accessed. Fix this by requesting the initialized memory using the gfp flag appended with the option "__GFP_ZERO". Reported-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388 Fixes: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()") Tested-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Signed-off-by: HariKrishna Sagala <hariconscious(a)gmail.com> --- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index ee0274417948..2308ebf99bbd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, void *obj; obj_size = SKB_HEAD_ALIGN(*size); + flags |= __GFP_ZERO; if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE && !(flags & KMALLOC_NOT_NORMAL_BITS)) { obj = kmem_cache_alloc_node(net_hotdata.skb_small_head_cache, -- 2.43.0

1 month, 2 weeks

3
2
0 0

[PATCH net v3] net: nfc: nci: Add parameter validation for packet data

by Deepak Sharma

Syzbot reported an uninit-value bug at nci_init_req for commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16'..). This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet. Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers). Reported-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8 Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation) Tested-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Signed-off-by: Deepak Sharma <deepak.sharma.472935(a)gmail.com> --- v3: - Move the checks inside the packet data handlers - Improvements to the commit message v2: - Fix the release of skb in case of the early return v1: - Add checks in `nci_ntf_packet` on the skb->len and do early return on failure net/nfc/nci/ntf.c | 139 +++++++++++++++++++++++++++++++++------------- 1 file changed, 101 insertions(+), 38 deletions(-) diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index a818eff27e6b..c0edf8242e22 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -27,11 +27,16 @@ /* Handle NCI Notification packets */ -static void nci_core_reset_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_reset_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { /* Handle NCI 2.x core reset notification */ - const struct nci_core_reset_ntf *ntf = (void *)skb->data; + const struct nci_core_reset_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_reset_ntf)) + return -EINVAL; + + ntf = (struct nci_core_reset_ntf *)skb->data; ndev->nci_ver = ntf->nci_ver; pr_debug("nci_ver 0x%x, config_status 0x%x\n", @@ -42,15 +47,22 @@ static void nci_core_reset_ntf_packet(struct nci_dev *ndev, __le32_to_cpu(ntf->manufact_specific_info); nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_conn_credit_ntf *ntf = (void *) skb->data; + struct nci_core_conn_credit_ntf *ntf; struct nci_conn_info *conn_info; int i; + if (skb->len < sizeof(struct nci_core_conn_credit_ntf)) + return -EINVAL; + + ntf = (struct nci_core_conn_credit_ntf *)skb->data; + pr_debug("num_entries %d\n", ntf->num_entries); if (ntf->num_entries > NCI_MAX_NUM_CONN) @@ -68,7 +80,7 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, conn_info = nci_get_conn_info_by_conn_id(ndev, ntf->conn_entries[i].conn_id); if (!conn_info) - return; + return 0; atomic_add(ntf->conn_entries[i].credits, &conn_info->credits_cnt); @@ -77,12 +89,19 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, /* trigger the next tx */ if (!skb_queue_empty(&ndev->tx_q)) queue_work(ndev->tx_wq, &ndev->tx_work); + + return 0; } -static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_generic_error_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { - __u8 status = skb->data[0]; + __u8 status; + + if (skb->len < 1) + return -EINVAL; + + status = skb->data[0]; pr_debug("status 0x%x\n", status); @@ -91,12 +110,19 @@ static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, (the state remains the same) */ nci_req_complete(ndev, status); } + + return 0; } -static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_intf_error_ntf *ntf = (void *) skb->data; + struct nci_core_intf_error_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_intf_error_ntf)) + return -EINVAL; + + ntf = (struct nci_core_intf_error_ntf *)skb->data; ntf->conn_id = nci_conn_id(&ntf->conn_id); @@ -105,6 +131,8 @@ static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, /* complete the data exchange transaction, if exists */ if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags)) nci_data_exchange_complete(ndev, NULL, ntf->conn_id, -EIO); + + return 0; } static const __u8 * @@ -329,13 +357,18 @@ void nci_clear_target_list(struct nci_dev *ndev) ndev->n_targets = 0; } -static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_rf_discover_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; bool add_target = true; + if (skb->len < sizeof(struct nci_rf_discover_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_protocol = *data++; ntf.rf_tech_and_mode = *data++; @@ -390,6 +423,8 @@ static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, nfc_targets_found(ndev->nfc_dev, ndev->targets, ndev->n_targets); } + + return 0; } static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, @@ -501,7 +536,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_POLL_MODE: case NCI_NFC_F_PASSIVE_POLL_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.poll_nfc_dep.atr_res_len + (ntf->activation_params.poll_nfc_dep.atr_res_len - NFC_ATR_RES_GT_OFFSET), NFC_ATR_RES_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -513,7 +548,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_LISTEN_MODE: case NCI_NFC_F_PASSIVE_LISTEN_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.listen_nfc_dep.atr_req_len + (ntf->activation_params.listen_nfc_dep.atr_req_len - NFC_ATR_REQ_GT_OFFSET), NFC_ATR_REQ_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -553,14 +588,19 @@ static int nci_store_ats_nfc_iso_dep(struct nci_dev *ndev, return NCI_STATUS_OK; } -static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_conn_info *conn_info; struct nci_rf_intf_activated_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; int err = NCI_STATUS_OK; + if (skb->len < sizeof(struct nci_rf_intf_activated_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_interface = *data++; ntf.rf_protocol = *data++; @@ -667,7 +707,7 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, if (err == NCI_STATUS_OK) { conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; conn_info->max_pkt_payload_len = ntf.max_data_pkt_payload_size; conn_info->initial_num_credits = ntf.initial_num_credits; @@ -721,19 +761,26 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, pr_err("error when signaling tm activation\n"); } } + + return 0; } -static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { const struct nci_conn_info *conn_info; - const struct nci_rf_deactivate_ntf *ntf = (void *)skb->data; + const struct nci_rf_deactivate_ntf *ntf; + + if (skb->len < sizeof(struct nci_rf_deactivate_ntf)) + return -EINVAL; + + ntf = (struct nci_rf_deactivate_ntf *)skb->data; pr_debug("entry, type 0x%x, reason 0x%x\n", ntf->type, ntf->reason); conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; /* drop tx data queue */ skb_queue_purge(&ndev->tx_q); @@ -765,14 +812,20 @@ static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, } nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { u8 status = NCI_STATUS_OK; - const struct nci_nfcee_discover_ntf *nfcee_ntf = - (struct nci_nfcee_discover_ntf *)skb->data; + const struct nci_nfcee_discover_ntf *nfcee_ntf; + + if (skb->len < sizeof(struct nci_nfcee_discover_ntf)) + return -EINVAL; + + nfcee_ntf = (struct nci_nfcee_discover_ntf *)skb->data; /* NFCForum NCI 9.2.1 HCI Network Specific Handling * If the NFCC supports the HCI Network, it SHALL return one, @@ -783,6 +836,8 @@ static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, ndev->cur_params.id = nfcee_ntf->nfcee_id; nci_req_complete(ndev, status); + + return 0; } void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) @@ -809,35 +864,43 @@ void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) switch (ntf_opcode) { case NCI_OP_CORE_RESET_NTF: - nci_core_reset_ntf_packet(ndev, skb); + if (nci_core_reset_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_CONN_CREDITS_NTF: - nci_core_conn_credits_ntf_packet(ndev, skb); + if (nci_core_conn_credits_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_GENERIC_ERROR_NTF: - nci_core_generic_error_ntf_packet(ndev, skb); + if (nci_core_generic_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_INTF_ERROR_NTF: - nci_core_conn_intf_error_ntf_packet(ndev, skb); + if (nci_core_conn_intf_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DISCOVER_NTF: - nci_rf_discover_ntf_packet(ndev, skb); + if (nci_rf_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_INTF_ACTIVATED_NTF: - nci_rf_intf_activated_ntf_packet(ndev, skb); + if (nci_rf_intf_activated_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DEACTIVATE_NTF: - nci_rf_deactivate_ntf_packet(ndev, skb); + if (nci_rf_deactivate_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_NFCEE_DISCOVER_NTF: - nci_nfcee_discover_ntf_packet(ndev, skb); + if (nci_nfcee_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_NFCEE_ACTION_NTF: -- 2.51.0

1 month, 2 weeks

4
3
0 0

[PATCH v2 RESEND] sparc: fix error handling in scan_one_device()

by Ma Ke

Once of_device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(). Calling path: of_device_register() -> of_device_add() -> device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - retained kfree() manually due to the lack of a release callback function. --- arch/sparc/kernel/of_device_64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c index f98c2901f335..f53092b07b9e 100644 --- a/arch/sparc/kernel/of_device_64.c +++ b/arch/sparc/kernel/of_device_64.c @@ -677,6 +677,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } -- 2.25.1

1 month, 2 weeks

2
1
0 0

Mate dar vo vyske dva miliony patstotisic euro.

by Dr Leonard Valentinovic Blavatnik

1 month, 2 weeks

1
0
0 0

[bug-report 6.12.y] Probably a problematic stable backport commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug")

by Harshit Mogalapalli

Hi stable maintainers, While skimming over stable backports for VMSCAPE commits, I found something unusual. This is regarding the 6.12.y commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug") commit 7c62c442b6eb95d21bc4c5afc12fee721646ebe2 Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Date: Thu Aug 14 10:20:42 2025 -0700 x86/vmscape: Enumerate VMSCAPE bug Commit a508cec6e5215a3fbc7e73ae86a5c5602187934d upstream. The VMSCAPE vulnerability may allow a guest to cause Branch Target Injection (BTI) in userspace hypervisors. Kernels (both host and guest) have existing defenses against direct BTI attacks from guests. There are also inter-process BTI mitigations which prevent processes from attacking each other. However, the threat in this case is to a userspace hypervisor within the same process as the attacker. Userspace hypervisors have access to their own sensitive data like disk encryption keys and also typically have access to all guest data. This means guest userspace may use the hypervisor as a confused deputy to attack sensitive guest kernel data. There are no existing mitigations for these attacks. Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected Intel and AMD CPUs. Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> So the problem in this commit is this part of the backport: in file: arch/x86/kernel/cpu/common.c VULNBL_AMD(0x15, RETBLEED), VULNBL_AMD(0x16, RETBLEED), - VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO), - VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO), - VULNBL_AMD(0x19, SRSO | TSA), + VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO | VMSCAPE), + VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO | VMSCAPE), + VULNBL_AMD(0x19, SRSO | TSA | VMSCAPE), + VULNBL_AMD(0x1a, SRSO | VMSCAPE), + {} Notice the part where VULNBL_AMD(0x1a, SRSO | VMSCAPE) is added, 6.12.y doesn't have commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") so I think we shouldn't be adding VULNBL_AMD(0x1a, SRSO | VMSCAPE) directly. Boris Ostrovsky suggested me to verify this on a Turin machine as this could cause a very big performance regression : and stated if SRSO mitigation status is Safe RET we are likely in a problem, and we are in that situation. # lscpu | grep -E "CPU family" CPU family: 26 Notes: CPU ID 26 -> 0x1a And Turin machine reports the SRSO mitigation status as "Safe RET" # uname -r 6.12.48-master.20250917.el8.rc1.x86_64 # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Safe RET Boris Ostrovsky suggested backporting three commits to 6.12.y: 1. commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") 2. commit: 8442df2b49ed ("x86/bugs: KVM: Add support for SRSO_MSR_FIX") and its fix 3. commit: e3417ab75ab2 ("KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions") -- Maybe optional After backporting these three: # uname -r 6.12.48-master.20250919.el8.dev.x86_64 // Note this this is kernel with patches above three applied. # dmesg | grep -C 2 Reduce [ 3.186135] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl [ 3.187135] Speculative Return Stack Overflow: Reducing speculation to address VM/HV SRSO attack vector. [ 3.188134] Speculative Return Stack Overflow: Mitigation: Reduced Speculation [ 3.189135] VMSCAPE: Mitigation: IBPB before exit to userspace [ 3.191139] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Reduced Speculation I can send my backports to stable if this looks good. Thoughts ? Thanks, Harshit

1 month, 2 weeks

3
3
0 0

[PATCH] ceph: fix deadlock bugs by making iput() calls asynchronous

by Max Kellermann

The iput() function is a dangerous one - if the reference counter goes to zero, the function may block for a long time due to: - inode_wait_for_writeback() waits until writeback on this inode completes - the filesystem-specific "evict_inode" callback can do similar things; e.g. all netfs-based filesystems will call netfs_wait_for_outstanding_io() which is similar to inode_wait_for_writeback() Therefore, callers must carefully evaluate the context they're in and check whether invoking iput() is a good idea at all. Most of the time, this is not a problem because the dcache holds references to all inodes, and the dcache is usually the one to release the last reference. But this assumption is fragile. For example, under (memcg) memory pressure, the dcache shrinker is more likely to release inode references, moving the inode eviction to contexts where that was extremely unlikely to occur. Our production servers "found" at least two deadlock bugs in the Ceph filesystem that were caused by this iput() behavior: 1. Writeback may lead to iput() calls in Ceph (e.g. from ceph_put_wrbuffer_cap_refs()) which deadlocks in inode_wait_for_writeback(). Waiting for writeback completion from within writeback will obviously never be able to make any progress. This leads to blocked kworkers like this: INFO: task kworker/u777:6:1270802 blocked for more than 122 seconds. Not tainted 6.16.7-i1-es #773 task:kworker/u777:6 state:D stack:0 pid:1270802 tgid:1270802 ppid:2 task_flags:0x4208060 flags:0x00004000 Workqueue: writeback wb_workfn (flush-ceph-3) Call Trace: <TASK> __schedule+0x4ea/0x17d0 schedule+0x1c/0xc0 inode_wait_for_writeback+0x71/0xb0 evict+0xcf/0x200 ceph_put_wrbuffer_cap_refs+0xdd/0x220 ceph_invalidate_folio+0x97/0xc0 ceph_writepages_start+0x127b/0x14d0 do_writepages+0xba/0x150 __writeback_single_inode+0x34/0x290 writeback_sb_inodes+0x203/0x470 __writeback_inodes_wb+0x4c/0xe0 wb_writeback+0x189/0x2b0 wb_workfn+0x30b/0x3d0 process_one_work+0x143/0x2b0 worker_thread+0x30a/0x450 2. In the Ceph messenger thread (net/ceph/messenger*.c), any iput() call may invoke ceph_evict_inode() which will deadlock in netfs_wait_for_outstanding_io(); since this blocks the messenger thread, completions from the Ceph servers will not ever be received and handled. It looks like these deadlock bugs have been in the Ceph filesystem code since forever (therefore no "Fixes" tag in this patch). There may be various ways to solve this: - make iput() asynchronous and defer the actual eviction like fput() (may add overhead) - make iput() only asynchronous if I_SYNC is set (doesn't solve random things happening inside the "evict_inode" callback) - add iput_deferred() to make this asynchronous behavior/overhead optional and explicit - refactor Ceph to avoid iput() calls from within writeback and messenger (if that is even possible) - add a Ceph-specific workaround After advice from Mateusz Guzik, I decided to do the latter. The implementation is simple because it piggybacks on the existing work_struct for ceph_queue_inode_work() - ceph_inode_work() calls iput() at the end which means we can donate the last reference to it. Since Ceph has a few iput() callers in a loop, it seemed simple enough to pass this counter and use atomic_sub() instead of atomic_dec(). This patch adds ceph_iput_n_async() and converts lots of iput() calls to it - at least those that may come through writeback and the messenger. Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: stable(a)vger.kernel.org --- fs/ceph/addr.c | 2 +- fs/ceph/caps.c | 21 ++++++++++----------- fs/ceph/dir.c | 2 +- fs/ceph/inode.c | 42 ++++++++++++++++++++++++++++++++++++++++++ fs/ceph/mds_client.c | 32 ++++++++++++++++---------------- fs/ceph/quota.c | 4 ++-- fs/ceph/snap.c | 10 +++++----- fs/ceph/super.h | 7 +++++++ 8 files changed, 84 insertions(+), 36 deletions(-) diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c index 322ed268f14a..fc497c91530e 100644 --- a/fs/ceph/addr.c +++ b/fs/ceph/addr.c @@ -265,7 +265,7 @@ static void finish_netfs_read(struct ceph_osd_request *req) subreq->error = err; trace_netfs_sreq(subreq, netfs_sreq_trace_io_progress); netfs_read_subreq_terminated(subreq); - iput(req->r_inode); + ceph_iput_async(req->r_inode); ceph_dec_osd_stopping_blocker(fsc->mdsc); } diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index b1a8ff612c41..bd88b5287a2b 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -1771,7 +1771,7 @@ void ceph_flush_snaps(struct ceph_inode_info *ci, spin_unlock(&mdsc->snap_flush_lock); if (need_put) - iput(inode); + ceph_iput_async(inode); } /* @@ -3318,8 +3318,8 @@ static void __ceph_put_cap_refs(struct ceph_inode_info *ci, int had, } if (wake) wake_up_all(&ci->i_cap_wq); - while (put-- > 0) - iput(inode); + if (put > 0) + ceph_iput_n_async(inode, put); } void ceph_put_cap_refs(struct ceph_inode_info *ci, int had) @@ -3418,9 +3418,8 @@ void ceph_put_wrbuffer_cap_refs(struct ceph_inode_info *ci, int nr, } if (complete_capsnap) wake_up_all(&ci->i_cap_wq); - while (put-- > 0) { - iput(inode); - } + if (put > 0) + ceph_iput_n_async(inode, put); } /* @@ -3917,7 +3916,7 @@ static void handle_cap_flush_ack(struct inode *inode, u64 flush_tid, if (wake_mdsc) wake_up_all(&mdsc->cap_flushing_wq); if (drop) - iput(inode); + ceph_iput_async(inode); } void __ceph_remove_capsnap(struct inode *inode, struct ceph_cap_snap *capsnap, @@ -4008,7 +4007,7 @@ static void handle_cap_flushsnap_ack(struct inode *inode, u64 flush_tid, wake_up_all(&ci->i_cap_wq); if (wake_mdsc) wake_up_all(&mdsc->cap_flushing_wq); - iput(inode); + ceph_iput_async(inode); } } @@ -4557,7 +4556,7 @@ void ceph_handle_caps(struct ceph_mds_session *session, done: mutex_unlock(&session->s_mutex); done_unlocked: - iput(inode); + ceph_iput_async(inode); out: ceph_dec_mds_stopping_blocker(mdsc); @@ -4636,7 +4635,7 @@ unsigned long ceph_check_delayed_caps(struct ceph_mds_client *mdsc) doutc(cl, "on %p %llx.%llx\n", inode, ceph_vinop(inode)); ceph_check_caps(ci, 0); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_delay_lock); } @@ -4675,7 +4674,7 @@ static void flush_dirty_session_caps(struct ceph_mds_session *s) spin_unlock(&mdsc->cap_dirty_lock); ceph_wait_on_async_create(inode); ceph_check_caps(ci, CHECK_CAPS_FLUSH); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_dirty_lock); } spin_unlock(&mdsc->cap_dirty_lock); diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c index 32973c62c1a2..ec73ed52a227 100644 --- a/fs/ceph/dir.c +++ b/fs/ceph/dir.c @@ -1290,7 +1290,7 @@ static void ceph_async_unlink_cb(struct ceph_mds_client *mdsc, ceph_mdsc_free_path_info(&path_info); } out: - iput(req->r_old_inode); + ceph_iput_async(req->r_old_inode); ceph_mdsc_release_dir_caps(req); } diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c index f67025465de0..385d5261632d 100644 --- a/fs/ceph/inode.c +++ b/fs/ceph/inode.c @@ -2191,6 +2191,48 @@ void ceph_queue_inode_work(struct inode *inode, int work_bit) } } +/** + * Queue an asynchronous iput() call in a worker thread. Use this + * instead of iput() in contexts where evicting the inode is unsafe. + * For example, inode eviction may cause deadlocks in + * inode_wait_for_writeback() (when called from within writeback) or + * in netfs_wait_for_outstanding_io() (when called from within the + * Ceph messenger). + * + * @n: how many references to put + */ +void ceph_iput_n_async(struct inode *inode, int n) +{ + if (unlikely(!inode)) + return; + + if (likely(atomic_sub_return(n, &inode->i_count) > 0)) + /* somebody else is holding another reference - + * nothing left to do for us + */ + return; + + doutc(ceph_inode_to_fs_client(inode)->client, "%p %llx.%llx\n", inode, ceph_vinop(inode)); + + /* the reference counter is now 0, i.e. nobody else is holding + * a reference to this inode; restore it to 1 and donate it to + * ceph_inode_work() which will call iput() at the end + */ + atomic_set(&inode->i_count, 1); + + /* simply queue a ceph_inode_work() without setting + * i_work_mask bit; other than putting the reference, there is + * nothing to do + */ + WARN_ON_ONCE(!queue_work(ceph_inode_to_fs_client(inode)->inode_wq, + &ceph_inode(inode)->i_work)); + + /* note: queue_work() cannot fail; it i_work were already + * queued, then it would be holding another reference, but no + * such reference exists + */ +} + static void ceph_do_invalidate_pages(struct inode *inode) { struct ceph_client *cl = ceph_inode_to_client(inode); diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index 3bc72b47fe4d..d7fce1ad8073 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -1097,14 +1097,14 @@ void ceph_mdsc_release_request(struct kref *kref) ceph_msg_put(req->r_reply); if (req->r_inode) { ceph_put_cap_refs(ceph_inode(req->r_inode), CEPH_CAP_PIN); - iput(req->r_inode); + ceph_iput_async(req->r_inode); } if (req->r_parent) { ceph_put_cap_refs(ceph_inode(req->r_parent), CEPH_CAP_PIN); - iput(req->r_parent); + ceph_iput_async(req->r_parent); } - iput(req->r_target_inode); - iput(req->r_new_inode); + ceph_iput_async(req->r_target_inode); + ceph_iput_async(req->r_new_inode); if (req->r_dentry) dput(req->r_dentry); if (req->r_old_dentry) @@ -1118,7 +1118,7 @@ void ceph_mdsc_release_request(struct kref *kref) */ ceph_put_cap_refs(ceph_inode(req->r_old_dentry_dir), CEPH_CAP_PIN); - iput(req->r_old_dentry_dir); + ceph_iput_async(req->r_old_dentry_dir); } kfree(req->r_path1); kfree(req->r_path2); @@ -1240,7 +1240,7 @@ static void __unregister_request(struct ceph_mds_client *mdsc, } if (req->r_unsafe_dir) { - iput(req->r_unsafe_dir); + ceph_iput_async(req->r_unsafe_dir); req->r_unsafe_dir = NULL; } @@ -1413,7 +1413,7 @@ static int __choose_mds(struct ceph_mds_client *mdsc, cap = rb_entry(rb_first(&ci->i_caps), struct ceph_cap, ci_node); if (!cap) { spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); goto random; } mds = cap->session->s_mds; @@ -1422,7 +1422,7 @@ static int __choose_mds(struct ceph_mds_client *mdsc, cap == ci->i_auth_cap ? "auth " : "", cap); spin_unlock(&ci->i_ceph_lock); out: - iput(inode); + ceph_iput_async(inode); return mds; random: @@ -1841,7 +1841,7 @@ int ceph_iterate_session_caps(struct ceph_mds_session *session, spin_unlock(&session->s_cap_lock); if (last_inode) { - iput(last_inode); + ceph_iput_async(last_inode); last_inode = NULL; } if (old_cap) { @@ -1874,7 +1874,7 @@ int ceph_iterate_session_caps(struct ceph_mds_session *session, session->s_cap_iterator = NULL; spin_unlock(&session->s_cap_lock); - iput(last_inode); + ceph_iput_async(last_inode); if (old_cap) ceph_put_cap(session->s_mdsc, old_cap); @@ -1903,8 +1903,8 @@ static int remove_session_caps_cb(struct inode *inode, int mds, void *arg) wake_up_all(&ci->i_cap_wq); if (invalidate) ceph_queue_invalidate(inode); - while (iputs--) - iput(inode); + if (iputs > 0) + ceph_iput_n_async(inode, iputs); return 0; } @@ -1944,7 +1944,7 @@ static void remove_session_caps(struct ceph_mds_session *session) spin_unlock(&session->s_cap_lock); inode = ceph_find_inode(sb, vino); - iput(inode); + ceph_iput_async(inode); spin_lock(&session->s_cap_lock); } @@ -2512,7 +2512,7 @@ static void ceph_cap_unlink_work(struct work_struct *work) doutc(cl, "on %p %llx.%llx\n", inode, ceph_vinop(inode)); ceph_check_caps(ci, CHECK_CAPS_FLUSH); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_delay_lock); } } @@ -3933,7 +3933,7 @@ static void handle_reply(struct ceph_mds_session *session, struct ceph_msg *msg) !req->r_reply_info.has_create_ino) { /* This should never happen on an async create */ WARN_ON_ONCE(req->r_deleg_ino); - iput(in); + ceph_iput_async(in); in = NULL; } @@ -5313,7 +5313,7 @@ static void handle_lease(struct ceph_mds_client *mdsc, out: mutex_unlock(&session->s_mutex); - iput(inode); + ceph_iput_async(inode); ceph_dec_mds_stopping_blocker(mdsc); return; diff --git a/fs/ceph/quota.c b/fs/ceph/quota.c index d90eda19bcc4..bba00f8926e6 100644 --- a/fs/ceph/quota.c +++ b/fs/ceph/quota.c @@ -76,7 +76,7 @@ void ceph_handle_quota(struct ceph_mds_client *mdsc, le64_to_cpu(h->max_files)); spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); out: ceph_dec_mds_stopping_blocker(mdsc); } @@ -190,7 +190,7 @@ void ceph_cleanup_quotarealms_inodes(struct ceph_mds_client *mdsc) node = rb_first(&mdsc->quotarealms_inodes); qri = rb_entry(node, struct ceph_quotarealm_inode, node); rb_erase(node, &mdsc->quotarealms_inodes); - iput(qri->inode); + ceph_iput_async(qri->inode); kfree(qri); } mutex_unlock(&mdsc->quotarealms_inodes_mutex); diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c index c65f2b202b2b..19f097e79b3c 100644 --- a/fs/ceph/snap.c +++ b/fs/ceph/snap.c @@ -735,7 +735,7 @@ static void queue_realm_cap_snaps(struct ceph_mds_client *mdsc, if (!inode) continue; spin_unlock(&realm->inodes_with_caps_lock); - iput(lastinode); + ceph_iput_async(lastinode); lastinode = inode; /* @@ -762,7 +762,7 @@ static void queue_realm_cap_snaps(struct ceph_mds_client *mdsc, spin_lock(&realm->inodes_with_caps_lock); } spin_unlock(&realm->inodes_with_caps_lock); - iput(lastinode); + ceph_iput_async(lastinode); if (capsnap) kmem_cache_free(ceph_cap_snap_cachep, capsnap); @@ -955,7 +955,7 @@ static void flush_snaps(struct ceph_mds_client *mdsc) ihold(inode); spin_unlock(&mdsc->snap_flush_lock); ceph_flush_snaps(ci, &session); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->snap_flush_lock); } spin_unlock(&mdsc->snap_flush_lock); @@ -1116,12 +1116,12 @@ void ceph_handle_snap(struct ceph_mds_client *mdsc, ceph_get_snap_realm(mdsc, realm); ceph_change_snap_realm(inode, realm); spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); continue; skip_inode: spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); } /* we may have taken some of the old realm's children. */ diff --git a/fs/ceph/super.h b/fs/ceph/super.h index cf176aab0f82..15c09b6c94aa 100644 --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -1085,6 +1085,13 @@ static inline void ceph_queue_flush_snaps(struct inode *inode) ceph_queue_inode_work(inode, CEPH_I_WORK_FLUSH_SNAPS); } +void ceph_iput_n_async(struct inode *inode, int n); + +static inline void ceph_iput_async(struct inode *inode) +{ + ceph_iput_n_async(inode, 1); +} + extern int ceph_try_to_choose_auth_mds(struct inode *inode, int mask); extern int __ceph_do_getattr(struct inode *inode, struct page *locked_page, int mask, bool force); -- 2.47.3

1 month, 2 weeks

3
12
0 0

[PATCH 1/1] perf/x86/intel: Fix crash in icl_update_topdown_event()

by Angel Adetula

From: Kan Liang <kan.liang(a)linux.intel.com> [ Upstream commit b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed ] The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision 9660/0VJ762 RIP: 0010:native_read_pmc+0x7/0x40 Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... RSP: 000:fffb03100273de8 EFLAGS: 00010046 .... Call Trace: <TASK> icl_update_topdown_event+0x165/0x190 ? ktime_get+0x38/0xd0 intel_pmu_read_event+0xf9/0x210 __perf_event_read+0xf9/0x210 CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs. It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked. Fix it. Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/ Reported-by: Vince Weaver <vincent.weaver(a)maine.edu> Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Tested-by: Vince Weaver <vincent.weaver(a)maine.edu> Cc: stable(a)vger.kernel.org # v6.15+ Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com [ omitted PEBS check ] Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Angel Adetula <angeladetula(a)google.com> --- arch/x86/events/intel/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index 5e43d390f7a3..36d8404f406d 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -2793,7 +2793,7 @@ static void intel_pmu_read_event(struct perf_event *event) if (pmu_enabled) intel_pmu_disable_all(); - if (is_topdown_event(event)) + if (is_topdown_count(event)) static_call(intel_pmu_update_topdown_event)(event); else intel_pmu_drain_pebs_buffer(); -- 2.51.0.470.ga7dc726c21-goog

1 month, 2 weeks

1
0
0 0

Linux 6.16.8

by Greg Kroah-Hartman

I'm announcing the release of the 6.16.8 kernel. All users of the 6.16 kernel series must upgrade. The updated 6.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.16.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/brcm,bcm7271-uart.yaml | 2 Documentation/netlink/specs/mptcp_pm.yaml | 2 Documentation/networking/can.rst | 2 Documentation/networking/mptcp.rst | 8 Makefile | 2 arch/arm64/kernel/machine_kexec_file.c | 2 arch/s390/kernel/kexec_elf.c | 2 arch/s390/kernel/kexec_image.c | 2 arch/s390/kernel/machine_kexec_file.c | 6 arch/s390/kernel/perf_cpum_cf.c | 4 arch/s390/kernel/perf_pai_crypto.c | 4 arch/s390/kernel/perf_pai_ext.c | 2 arch/x86/kernel/cpu/topology_amd.c | 25 block/fops.c | 13 drivers/cpufreq/amd-pstate.c | 19 drivers/cpufreq/intel_pstate.c | 4 drivers/dma/dw/rzn1-dmamux.c | 15 drivers/dma/idxd/init.c | 39 - drivers/dma/qcom/bam_dma.c | 8 drivers/dma/ti/edma.c | 4 drivers/edac/altera_edac.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 11 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 drivers/gpu/drm/amd/amdgpu/isp_v4_1_1.c | 2 drivers/gpu/drm/amd/amdgpu/psp_v10_0.c | 4 drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 31 - drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v12_0.c | 18 drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 25 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 64 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 106 ++-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 1 drivers/gpu/drm/amd/display/dc/dc.h | 1 drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 74 +- drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 115 ---- drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c | 3 drivers/gpu/drm/amd/display/dc/inc/hw/pg_cntl.h | 1 drivers/gpu/drm/amd/display/dc/pg/dcn35/dcn35_pg_cntl.c | 78 +- drivers/gpu/drm/display/drm_dp_helper.c | 42 + drivers/gpu/drm/drm_edid.c | 232 ++++---- drivers/gpu/drm/i915/display/intel_display_power.c | 6 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 drivers/gpu/drm/panthor/panthor_drv.c | 2 drivers/gpu/drm/xe/tests/xe_bo.c | 2 drivers/gpu/drm/xe/tests/xe_dma_buf.c | 10 drivers/gpu/drm/xe/xe_bo.c | 16 drivers/gpu/drm/xe/xe_bo.h | 2 drivers/gpu/drm/xe/xe_device_types.h | 6 drivers/gpu/drm/xe/xe_dma_buf.c | 2 drivers/gpu/drm/xe/xe_exec.c | 9 drivers/gpu/drm/xe/xe_pm.c | 42 + drivers/gpu/drm/xe/xe_survivability_mode.c | 3 drivers/gpu/drm/xe/xe_vm.c | 42 + drivers/gpu/drm/xe/xe_vm.h | 2 drivers/gpu/drm/xe/xe_vm_types.h | 5 drivers/i2c/busses/i2c-i801.c | 2 drivers/i2c/busses/i2c-rtl9300.c | 22 drivers/input/joystick/xpad.c | 2 drivers/input/misc/iqs7222.c | 3 drivers/input/serio/i8042-acpipnpio.h | 14 drivers/iommu/intel/cache.c | 5 drivers/iommu/intel/iommu.c | 263 ++++++---- drivers/iommu/intel/iommu.h | 12 drivers/iommu/intel/nested.c | 4 drivers/iommu/intel/svm.c | 1 drivers/irqchip/irq-mvebu-gicp.c | 2 drivers/md/md.c | 6 drivers/mtd/nand/raw/atmel/nand-controller.c | 16 drivers/mtd/nand/raw/nuvoton-ma35d1-nand-controller.c | 4 drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 - drivers/mtd/nand/spi/core.c | 18 drivers/mtd/nand/spi/winbond.c | 80 ++- drivers/net/can/xilinx_can.c | 16 drivers/net/dsa/b53/b53_common.c | 17 drivers/net/ethernet/freescale/fec_main.c | 3 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 drivers/net/ethernet/intel/igb/igb_main.c | 3 drivers/net/ethernet/ti/icssg/icssg_prueth.c | 20 drivers/net/ethernet/wangxun/libwx/wx_hw.c | 4 drivers/net/macsec.c | 1 drivers/net/phy/phy.c | 12 drivers/net/phy/phylink.c | 28 - drivers/net/wireless/ath/ath12k/core.h | 1 drivers/net/wireless/ath/ath12k/dp_mon.c | 22 drivers/net/wireless/ath/ath12k/dp_rx.c | 11 drivers/net/wireless/ath/ath12k/hw.c | 55 ++ drivers/net/wireless/ath/ath12k/hw.h | 2 drivers/net/wireless/ath/ath12k/mac.c | 127 ++-- drivers/net/wireless/ath/ath12k/peer.c | 2 drivers/net/wireless/ath/ath12k/peer.h | 28 + drivers/net/wireless/ath/ath12k/wmi.c | 58 ++ drivers/net/wireless/ath/ath12k/wmi.h | 16 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 26 drivers/pci/controller/pci-mvebu.c | 21 drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 4 drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 25 drivers/phy/tegra/xusb-tegra210.c | 6 drivers/phy/ti/phy-omap-usb2.c | 13 drivers/phy/ti/phy-ti-pipe3.c | 13 drivers/regulator/sy7636a-regulator.c | 7 drivers/tty/hvc/hvc_console.c | 6 drivers/tty/serial/sc16is7xx.c | 14 drivers/usb/gadget/function/f_midi2.c | 11 drivers/usb/gadget/udc/dummy_hcd.c | 8 drivers/usb/host/xhci-dbgcap.c | 94 ++- drivers/usb/host/xhci-mem.c | 2 drivers/usb/serial/option.c | 17 drivers/usb/typec/tcpm/tcpm.c | 12 fs/btrfs/extent_io.c | 73 ++ fs/btrfs/inode.c | 12 fs/btrfs/qgroup.c | 6 fs/ceph/addr.c | 9 fs/ceph/debugfs.c | 14 fs/ceph/dir.c | 17 fs/ceph/file.c | 24 fs/ceph/inode.c | 88 ++- fs/ceph/mds_client.c | 172 +++--- fs/ceph/mds_client.h | 18 fs/coredump.c | 4 fs/erofs/data.c | 8 fs/erofs/fileio.c | 2 fs/erofs/fscache.c | 2 fs/erofs/inode.c | 8 fs/erofs/internal.h | 2 fs/erofs/super.c | 16 fs/erofs/zdata.c | 17 fs/erofs/zmap.c | 98 +-- fs/exec.c | 2 fs/fhandle.c | 8 fs/fuse/dev.c | 2 fs/fuse/file.c | 5 fs/fuse/passthrough.c | 5 fs/kernfs/file.c | 58 +- fs/nfs/client.c | 2 fs/nfs/file.c | 7 fs/nfs/flexfilelayout/flexfilelayout.c | 21 fs/nfs/inode.c | 4 fs/nfs/internal.h | 10 fs/nfs/io.c | 13 fs/nfs/localio.c | 12 fs/nfs/nfs42proc.c | 2 fs/nfs/nfs4file.c | 2 fs/nfs/nfs4proc.c | 7 fs/nfs/write.c | 1 fs/ocfs2/extent_map.c | 10 fs/proc/generic.c | 3 fs/resctrl/ctrlmondata.c | 2 fs/resctrl/internal.h | 4 fs/resctrl/monitor.c | 6 fs/smb/client/cifsglob.h | 13 fs/smb/client/file.c | 18 fs/smb/client/inode.c | 86 ++- fs/smb/client/smb2glob.h | 3 fs/smb/client/smb2inode.c | 204 ++++++- fs/smb/client/smb2ops.c | 32 + fs/smb/client/smb2proto.h | 3 fs/smb/client/trace.h | 9 include/drm/display/drm_dp_helper.h | 6 include/drm/drm_connector.h | 4 include/drm/drm_edid.h | 8 include/linux/compiler-clang.h | 29 - include/linux/energy_model.h | 10 include/linux/fs.h | 3 include/linux/kasan.h | 6 include/linux/mtd/spinand.h | 8 include/net/netfilter/nf_tables.h | 11 include/net/netfilter/nf_tables_core.h | 49 - include/net/netns/nftables.h | 1 include/uapi/linux/raid/md_p.h | 2 io_uring/rw.c | 3 kernel/bpf/Makefile | 1 kernel/bpf/core.c | 16 kernel/bpf/cpumap.c | 4 kernel/bpf/crypto.c | 2 kernel/bpf/helpers.c | 7 kernel/bpf/rqspinlock.c | 2 kernel/dma/debug.c | 48 + kernel/dma/debug.h | 20 kernel/dma/mapping.c | 4 kernel/events/core.c | 1 kernel/power/energy_model.c | 29 - kernel/power/hibernate.c | 1 kernel/time/hrtimer.c | 11 kernel/trace/fgraph.c | 3 kernel/trace/trace.c | 10 kernel/trace/trace_osnoise.c | 3 mm/damon/core.c | 4 mm/damon/lru_sort.c | 5 mm/damon/reclaim.c | 5 mm/damon/sysfs.c | 14 mm/hugetlb.c | 9 mm/kasan/shadow.c | 31 - mm/khugepaged.c | 4 mm/memory-failure.c | 20 mm/vmalloc.c | 8 net/bluetooth/hci_conn.c | 14 net/bluetooth/hci_event.c | 7 net/bluetooth/iso.c | 2 net/bridge/br.c | 7 net/can/j1939/bus.c | 5 net/can/j1939/j1939-priv.h | 1 net/can/j1939/main.c | 3 net/can/j1939/socket.c | 52 + net/ceph/messenger.c | 7 net/core/dev_ioctl.c | 22 net/hsr/hsr_device.c | 28 - net/hsr/hsr_main.c | 4 net/hsr/hsr_main.h | 3 net/ipv4/ip_tunnel_core.c | 6 net/ipv4/tcp_bpf.c | 5 net/mptcp/sockopt.c | 11 net/netfilter/nf_tables_api.c | 123 +++- net/netfilter/nft_dynset.c | 5 net/netfilter/nft_lookup.c | 67 +- net/netfilter/nft_objref.c | 5 net/netfilter/nft_set_bitmap.c | 14 net/netfilter/nft_set_hash.c | 54 -- net/netfilter/nft_set_pipapo.c | 214 ++------ net/netfilter/nft_set_pipapo_avx2.c | 27 - net/netfilter/nft_set_rbtree.c | 46 - net/netlink/genetlink.c | 3 net/sunrpc/sched.c | 2 net/sunrpc/xprtsock.c | 6 net/xdp/xsk.c | 113 +++- net/xdp/xsk_queue.h | 12 samples/ftrace/ftrace-direct-modify.c | 2 tools/testing/selftests/net/can/config | 3 234 files changed, 3151 insertions(+), 1712 deletions(-) Alan Stern (1): USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Alex Deucher (3): Revert "drm/amdgpu: Add more checks to PSP mailbox" drm/amdgpu: fix a memory leak in fence cleanup when unloading drm/amd/display: use udelay rather than fsleep Alex Markuze (2): ceph: fix race condition validating r_parent before applying state ceph: fix race condition where r_parent becomes stale before sending message Alex Tran (1): docs: networking: can: change bcm_msg_head frames member to support flexible array Alexander Sverdlin (1): mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Alok Tiwari (1): genetlink: fix genl_bind() invoking bind() after -EPERM Amir Goldstein (2): fhandle: use more consistent rules for decoding file handle from userns fuse: do not allow mapping a non-regular backing file Anders Roxell (1): dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Andreas Kemnade (1): regulator: sy7636a: fix lifecycle of power good gpio Anssi Hannula (1): can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Antheas Kapenekakis (1): Input: xpad - add support for Flydigi Apex 5 Antoine Tenart (1): tunnels: reset the GSO metadata before reusing the skb Baochen Qiang (1): dma-debug: don't enforce dma mapping check on noncoherent allocations Boris Burkov (2): btrfs: fix squota compressed stats leak btrfs: use readahead_expand() on compressed extents Breno Leitao (2): arm64: kexec: initialize kexec_buf struct in load_other_segments() s390: kexec: initialize kexec_buf struct Carolina Jubran (1): net: dev_ioctl: take ops lock in hwtstamp lower paths Chen Ridong (1): kernfs: Fix UAF in polling when open file is released Chia-I Wu (1): drm/panthor: validate group queue count Chiasheng Lee (1): i2c: i801: Hide Intel Birch Stream SoC TCO WDT Christian Brauner (1): coredump: don't pointlessly check and spew warnings Christoffer Sandberg (1): Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Christoph Hellwig (2): fs: add a FMODE_ flag to indicate IOCB_HAS_METADATA availability block: don't silently ignore metadata for sync read/write Christophe JAILLET (1): mtd: rawnand: nuvoton: Fix an error handling path in ma35_nand_chips_init() Christophe Kerello (2): mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer mtd: rawnand: stm32_fmc2: fix ECC overwrite Dan Carpenter (2): irqchip/mvebu-gicp: Fix an IS_ERR() vs NULL check in probe() dmaengine: idxd: Fix double free in idxd_setup_wqs() Daniel Borkmann (1): bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt David Rosca (2): drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages Davide Caratti (1): selftests: can: enable CONFIG_CAN_VCAN as a module Edward Adam Davis (1): fuse: Block access to folio overlimit Fabian Vogt (1): tty: hvc_console: Call hvc_kick in hvc_write unconditionally Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FN990A w/audio compositions USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fangzhi Zuo (1): drm/amd/display: Disable DPCD Probe Quirk Florian Westphal (11): netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation netfilter: nft_set_pipapo: remove unused arguments netfilter: nft_set: remove one argument from lookup and update functions netfilter: nft_set_pipapo: merge pipapo_get/lookup netfilter: nft_set_pipapo: don't return bogus extension pointer netfilter: nft_set_pipapo: don't check genbit from packetpath lookups netfilter: nft_set_rbtree: continue traversal if element is inactive netfilter: nf_tables: place base_seq in struct net netfilter: nf_tables: make nft_set_do_lookup available unconditionally netfilter: nf_tables: restart set lookup on base_seq change netfilter: nft_set_pipapo: fix null deref for empty set Gao Xiang (4): erofs: get rid of {get,put}_page() for ztailpacking data erofs: remove need_kmap in erofs_read_metabuf() erofs: unify meta buffers in z_erofs_fill_inode() erofs: fix invalid algorithm for encoded extents Gautham R. Shenoy (1): cpufreq/amd-pstate: Fix setting of CPPC.min_perf in active mode for performance governor Geoffrey McRae (1): drm/amd/display: remove oem i2c adapter on finish Greg Kroah-Hartman (1): Linux 6.16.8 Guenter Roeck (1): trace/fgraph: Fix error handling Hangbin Liu (3): hsr: use rtnl lock when iterating over ports hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr hsr: hold rcu and dev lock for hsr_get_port_ndev Hugo Villeneuve (1): serial: sc16is7xx: fix bug in flow control levels init Ilya Dryomov (1): libceph: fix invalid accesses to ceph_connection_v1_info Imre Deak (3): drm/edid: Define the quirks in an enum list drm/edid: Add support for quirks visible to DRM core and drivers drm/dp: Add an EDID quirk for the DPCD register access probe Jani Nikula (1): drm/i915/power: fix size for for_each_set_bit() in abox iteration Jason Gunthorpe (3): iommu/vt-d: Split intel_iommu_domain_alloc_paging_flags() iommu/vt-d: Create unique domain ops for each stage iommu/vt-d: Split paging_domain_compatible() Jeff LaBundy (1): Input: iqs7222 - avoid enabling unused interrupts Jeongjun Park (1): mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() Jesper Dangaard Brouer (1): bpf, cpumap: Disable page_pool direct xdp_return need larger scope Jiawen Wu (1): net: libwx: fix to enable RSS Johan Hovold (4): drm/mediatek: fix potential OF node use-after-free phy: tegra: xusb: fix device and OF node leak at probe phy: ti: omap-usb2: fix device leak at unbind phy: ti-pipe3: fix device leak at unbind Johannes Berg (1): wifi: iwlwifi: fix 130/1030 configs Jonas Gorski (1): net: dsa: b53: fix ageing time for BCM53101 Jonas Jelonek (3): i2c: rtl9300: fix channel number bound check i2c: rtl9300: ensure data length is within supported range i2c: rtl9300: remove broken SMBus Quick operation support Jonathan Curley (1): NFSv4/flexfiles: Fix layout merge mirror check. Justin Worrell (1): SUNRPC: call xs_sock_process_cmsg for all cmsg K Prateek Nayak (1): x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon KaFai Wan (1): bpf: Allow fall back to interpreter for programs with stack size <= 512 Kan Liang (1): perf: Fix the POLL_HUP delivery breakage Klaus Kudielka (1): PCI: mvebu: Fix use of for_each_of_range() iterator Kohei Enju (1): igb: fix link test skipping when interface is admin down Krister Johansen (1): mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Krzysztof Kozlowski (1): dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Kumar Kartikeya Dwivedi (1): rqspinlock: Choose trylock fallback for NMI waiters Kuniyuki Iwashima (1): tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Kyle Meyer (1): mm/memory-failure: fix redundant updates for already poisoned pages Lu Baolu (1): iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain Luiz Augusto von Dentz (3): Bluetooth: hci_conn: Fix not cleaning up Broadcaster/Broadcast Source Bluetooth: hci_conn: Fix running bis_cleanup for hci_conn->type PA_LINK Bluetooth: ISO: Fix getname not returning broadcast fields Luo Gengkun (1): tracing: Fix tracing_marker may trigger page fault during preempt_disable Maciej Fijalkowski (1): xsk: Fix immature cq descriptor production Mario Limonciello (1): drm/amd/display: Destroy cached state in complete() callback Mario Limonciello (AMD) (2): cpufreq/amd-pstate: Fix a regression leading to EPP 0 after resume drm/amd/display: Drop dm_prepare_suspend() and dm_complete() Mark Tinguely (1): ocfs2: fix recursive semaphore deadlock in fiemap call Mathias Nyman (3): xhci: dbc: decouple endpoint allocation from initialization xhci: dbc: Fix full DbC transfer ring after several reconnects xhci: fix memory leak regression when freeing xhci vdev devices depth first Matthieu Baerts (NGI0) (2): doc: mptcp: net.mptcp.pm_type is deprecated netlink: specs: mptcp: fix if-idx attribute type Max Kellermann (2): ceph: always call ceph_shift_unused_folios_left() ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error Miaohe Lin (1): mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Miaoqian Lin (1): dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Miaoqing Pan (2): wifi: ath12k: Fix missing station power save configuration wifi: ath12k: fix WMI TLV header misalignment Michal Schmidt (1): i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Michal Wajdeczko (1): drm/xe/configfs: Don't touch survivability_mode on fini Miklos Szeredi (2): fuse: check if copy_file_range() returns larger than requested size fuse: prevent overflow in copy_file_range return value Miquel Raynal (2): mtd: spinand: Add a ->configure_chip() hook mtd: spinand: winbond: Enable high-speed modes on w25n0xjw Nathan Chancellor (1): compiler-clang.h: define __SANITIZE_*__ macros only when undefined Oleksij Rempel (1): net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Omar Sandoval (1): btrfs: fix subvolume deletion lockup caused by inodes xarray race Ovidiu Bunea (1): drm/amd/display: Correct sequences and delays for DCN35 PG & RCG Paolo Abeni (1): Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Paulo Alcantara (2): smb: client: fix compound alignment with encryption smb: client: fix data loss due to broken rename(2) Peilin Ye (1): bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() Pengyu Luo (1): phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties Petr Machata (1): net: bridge: Bounce invalid boolopts Phil Sutter (1): netfilter: nf_tables: Reintroduce shortened deletion notifications Pratap Nirujogi (1): drm/amd/amdgpu: Declare isp firmware binary file Pu Lehui (1): tracing: Silence warning when chunk allocation fails in trace_pid_write Qu Wenruo (1): btrfs: fix corruption reading compressed range when block size is smaller than page size Quanmin Yan (2): mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() RD Babiera (1): usb: typec: tcpm: properly deliver cable vdms to altmode drivers Rafael J. Wysocki (2): PM: EM: Add function for registering a PD without capacity update PM: hibernate: Restrict GFP mask in hibernation_snapshot() Reinette Chatre (1): fs/resctrl: Eliminate false positive lockdep warning when reading SNC counters Salah Triki (1): EDAC/altera: Delete an inappropriate dma_free_coherent() call Sang-Heon Jeon (1): mm/damon/core: set quota->charged_from to jiffies at first charge window Santhosh Kumar K (1): mtd: spinand: winbond: Fix oob_layout for W25N01JW Sarika Sharma (1): wifi: ath12k: add link support for multi-link in arsta Scott Mayhew (1): nfs/localio: restore creds before releasing pageio data Sriram R (1): wifi: ath12k: Add support to enqueue management frame at MLD level Stanislav Fomichev (1): macsec: sync features on RTM_NEWLINK Stanislav Fort (1): mm/damon/sysfs: fix use-after-free in state_show() Stefan Wahren (1): net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Stephan Gerhold (2): dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees phy: qcom: qmp-pcie: Fix PHY initialization when powered down by firmware Takashi Iwai (2): usb: gadget: midi2: Fix missing UMP group attributes initialization usb: gadget: midi2: Fix MIDI2 IN EP max packet size Tetsuo Handa (3): can: j1939: implement NETDEV_UNREGISTER notification handler can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Thomas Hellström (3): drm/xe: Attempt to bring bos back to VRAM after eviction drm/xe: Allow the pm notifier to continue on failure drm/xe: Block exec and rebind worker while evicting for suspend / hibernate Thomas Richter (2): s390/pai: Deny all events not handled by this PMU s390/cpum_cf: Deny all sampling events by counter PMU Tianyu Xu (1): igb: Fix NULL pointer dereference in ethtool loopback test Tigran Mkrtchyan (1): flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Trond Myklebust (10): NFSv4: Don't clear capabilities that won't be reset NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server NFS: Serialise O_DIRECT i/o and truncate() NFSv4.2: Serialise O_DIRECT i/o and fallocate() NFSv4.2: Serialise O_DIRECT i/o and clone range NFSv4.2: Serialise O_DIRECT i/o and copy range NFS: nfs_invalidate_folio() must observe the offset and size arguments Revert "SUNRPC: Don't allow waiting for exiting tasks" Uladzislau Rezki (Sony) (1): mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() Vladimir Oltean (2): net: phylink: add lock for serializing concurrent pl->phydev writes with resolver net: phy: transfer phy_config_inband() locking responsibility to phylink Vladimir Riabchun (1): ftrace/samples: Fix function size computation Wang Liang (1): tracing/osnoise: Fix null-ptr-deref in bitmap_parselist() Wei Yang (1): mm/khugepaged: fix the address passed to notifier on testing young Xiao Ni (1): md: keep recovery_cp in mdp_superblock_s Xiongfeng Wang (1): hrtimers: Unconditionally update target CPU base after offline timer migration Yi Sun (2): dmaengine: idxd: Remove improper idxd_free dmaengine: idxd: Fix refcount underflow on module unload Yuezhang Mo (1): erofs: fix runtime warning on truncate_folio_batch_exceptionals() wangzijie (1): proc: fix type confusion in pde_set_flags()

1 month, 2 weeks

1
1
0 0

Linux 6.12.48

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.48 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/brcm,bcm7271-uart.yaml | 2 Documentation/filesystems/nfs/localio.rst | 13 Documentation/netlink/specs/mptcp_pm.yaml | 52 +- Documentation/networking/can.rst | 2 Makefile | 2 arch/riscv/include/asm/compat.h | 1 arch/s390/kernel/perf_cpum_cf.c | 4 arch/s390/kernel/perf_pai_crypto.c | 4 arch/s390/kernel/perf_pai_ext.c | 2 arch/x86/kernel/cpu/topology_amd.c | 25 - arch/x86/kernel/vmlinux.lds.S | 10 drivers/dma-buf/Kconfig | 1 drivers/dma-buf/udmabuf.c | 22 - drivers/dma/dw/rzn1-dmamux.c | 15 drivers/dma/idxd/init.c | 39 - drivers/dma/qcom/bam_dma.c | 8 drivers/dma/ti/edma.c | 4 drivers/edac/altera_edac.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 64 +- drivers/gpu/drm/amd/amdgpu/vi.c | 7 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c | 7 drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c | 6 drivers/gpu/drm/amd/display/dc/hubp/dcn20/dcn20_hubp.c | 8 drivers/gpu/drm/amd/display/dc/hubp/dcn401/dcn401_hubp.c | 10 drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 drivers/gpu/drm/i915/display/intel_display_power.c | 6 drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 16 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 drivers/gpu/drm/panthor/panthor_drv.c | 2 drivers/gpu/drm/xe/tests/xe_bo.c | 2 drivers/gpu/drm/xe/tests/xe_dma_buf.c | 10 drivers/gpu/drm/xe/xe_bo.c | 16 drivers/gpu/drm/xe/xe_bo.h | 2 drivers/gpu/drm/xe/xe_dma_buf.c | 2 drivers/i2c/busses/i2c-i801.c | 2 drivers/input/misc/iqs7222.c | 3 drivers/input/serio/i8042-acpipnpio.h | 14 drivers/mtd/nand/raw/atmel/nand-controller.c | 16 drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 +- drivers/mtd/nand/spi/winbond.c | 37 + drivers/net/can/xilinx_can.c | 16 drivers/net/ethernet/freescale/fec_main.c | 3 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 drivers/net/ethernet/mellanox/mlx5/core/steering/hws/mlx5hws_matcher.c | 24 - drivers/net/phy/mdio_bus.c | 4 drivers/nvme/host/pci.c | 3 drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 4 drivers/phy/tegra/xusb-tegra210.c | 6 drivers/phy/ti/phy-omap-usb2.c | 13 drivers/phy/ti/phy-ti-pipe3.c | 13 drivers/regulator/sy7636a-regulator.c | 7 drivers/tty/hvc/hvc_console.c | 6 drivers/tty/serial/sc16is7xx.c | 14 drivers/usb/gadget/function/f_midi2.c | 11 drivers/usb/gadget/udc/dummy_hcd.c | 8 drivers/usb/host/xhci-mem.c | 2 drivers/usb/serial/option.c | 17 drivers/usb/typec/tcpm/tcpm.c | 12 fs/btrfs/extent_io.c | 72 ++- fs/btrfs/inode.c | 12 fs/btrfs/qgroup.c | 6 fs/ceph/debugfs.c | 14 fs/ceph/dir.c | 17 fs/ceph/file.c | 24 - fs/ceph/inode.c | 88 +++- fs/ceph/mds_client.c | 172 ++++---- fs/ceph/mds_client.h | 18 fs/ext4/namei.c | 14 fs/fhandle.c | 8 fs/fuse/file.c | 5 fs/fuse/passthrough.c | 5 fs/kernfs/file.c | 58 +- fs/nfs/client.c | 2 fs/nfs/direct.c | 22 - fs/nfs/file.c | 21 fs/nfs/flexfilelayout/flexfilelayout.c | 21 fs/nfs/inode.c | 4 fs/nfs/internal.h | 17 fs/nfs/io.c | 55 +- fs/nfs/localio.c | 125 ++++- fs/nfs/nfs42proc.c | 2 fs/nfs/nfs4file.c | 2 fs/nfs/nfs4proc.c | 7 fs/nfs/write.c | 1 fs/ocfs2/extent_map.c | 10 fs/proc/generic.c | 3 include/linux/compiler-clang.h | 29 + include/linux/fs.h | 10 include/linux/nfs_xdr.h | 1 include/linux/pgalloc.h | 29 + include/linux/pgtable.h | 13 include/net/netfilter/nf_tables.h | 11 include/net/netfilter/nf_tables_core.h | 49 +- include/net/netns/nftables.h | 1 include/trace/events/dma.h | 153 ++++++- include/uapi/linux/mptcp_pm.h | 50 +- kernel/bpf/core.c | 16 kernel/bpf/crypto.c | 2 kernel/bpf/helpers.c | 7 kernel/dma/debug.c | 135 +++--- kernel/dma/debug.h | 20 kernel/dma/mapping.c | 41 + kernel/time/hrtimer.c | 11 kernel/trace/fgraph.c | 3 kernel/trace/trace.c | 10 mm/Kconfig | 2 mm/damon/core.c | 4 mm/damon/lru_sort.c | 5 mm/damon/reclaim.c | 5 mm/damon/sysfs.c | 14 mm/hugetlb.c | 9 mm/kasan/init.c | 12 mm/kasan/kasan_test_c.c | 1 mm/khugepaged.c | 4 mm/memory-failure.c | 20 mm/percpu.c | 6 mm/sparse-vmemmap.c | 6 net/bridge/br.c | 7 net/can/j1939/bus.c | 5 net/can/j1939/socket.c | 3 net/ceph/messenger.c | 7 net/hsr/hsr_device.c | 97 ++++ net/hsr/hsr_main.c | 4 net/hsr/hsr_main.h | 3 net/ipv4/ip_tunnel_core.c | 6 net/ipv4/tcp_bpf.c | 5 net/mptcp/sockopt.c | 11 net/netfilter/nf_tables_api.c | 123 +++-- net/netfilter/nft_dynset.c | 5 net/netfilter/nft_lookup.c | 67 ++- net/netfilter/nft_objref.c | 5 net/netfilter/nft_set_bitmap.c | 11 net/netfilter/nft_set_hash.c | 54 +- net/netfilter/nft_set_pipapo.c | 214 +++------- net/netfilter/nft_set_pipapo_avx2.c | 27 - net/netfilter/nft_set_rbtree.c | 46 +- net/netlink/genetlink.c | 3 net/sunrpc/sched.c | 2 net/sunrpc/xprtsock.c | 6 samples/ftrace/ftrace-direct-modify.c | 2 sound/pci/hda/patch_realtek.c | 1 145 files changed, 1896 insertions(+), 988 deletions(-) Alan Stern (1): USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Alex Deucher (2): drm/amd/display: use udelay rather than fsleep drm/amdgpu: fix a memory leak in fence cleanup when unloading Alex Markuze (2): ceph: fix race condition validating r_parent before applying state ceph: fix race condition where r_parent becomes stale before sending message Alex Tran (1): docs: networking: can: change bcm_msg_head frames member to support flexible array Alexander Sverdlin (1): mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Alok Tiwari (1): genetlink: fix genl_bind() invoking bind() after -EPERM Amir Goldstein (2): fhandle: use more consistent rules for decoding file handle from userns fuse: do not allow mapping a non-regular backing file Anders Roxell (1): dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Andreas Kemnade (1): regulator: sy7636a: fix lifecycle of power good gpio Anssi Hannula (1): can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Antoine Tenart (1): tunnels: reset the GSO metadata before reusing the skb Aurabindo Pillai (1): Revert "drm/amd/display: Optimize cursor position updates" Baochen Qiang (1): dma-debug: don't enforce dma mapping check on noncoherent allocations Boris Burkov (2): btrfs: fix squota compressed stats leak btrfs: use readahead_expand() on compressed extents Buday Csaba (1): net: mdiobus: release reset_gpio in mdiobus_unregister_device() Chen Ridong (1): kernfs: Fix UAF in polling when open file is released Chia-I Wu (1): drm/panthor: validate group queue count Chiasheng Lee (1): i2c: i801: Hide Intel Birch Stream SoC TCO WDT Christoffer Sandberg (1): Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Christoph Hellwig (1): dma-debug: store a phys_addr_t in struct dma_debug_entry Christophe Kerello (2): mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer mtd: rawnand: stm32_fmc2: fix ECC overwrite Dan Carpenter (1): dmaengine: idxd: Fix double free in idxd_setup_wqs() Daniel Borkmann (1): bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt David Rosca (3): drm/amdgpu: Add back JPEG to video caps for carrizo and newer drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages Fabian Vogt (1): tty: hvc_console: Call hvc_kick in hvc_write unconditionally Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FN990A w/audio compositions USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fedor Pchelkin (1): dma-debug: fix physical address calculation for struct dma_debug_entry Florian Westphal (10): netfilter: nft_set_pipapo: remove unused arguments netfilter: nft_set: remove one argument from lookup and update functions netfilter: nft_set_pipapo: merge pipapo_get/lookup netfilter: nft_set_pipapo: don't return bogus extension pointer netfilter: nft_set_pipapo: don't check genbit from packetpath lookups netfilter: nft_set_rbtree: continue traversal if element is inactive netfilter: nf_tables: place base_seq in struct net netfilter: nf_tables: make nft_set_do_lookup available unconditionally netfilter: nf_tables: restart set lookup on base_seq change netfilter: nft_set_pipapo: fix null deref for empty set Greg Kroah-Hartman (1): Linux 6.12.48 Guenter Roeck (2): trace/fgraph: Fix error handling x86: disable image size check for test builds Hangbin Liu (2): hsr: use rtnl lock when iterating over ports hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Harry Yoo (1): mm: introduce and use {pgd,p4d}_populate_kernel() Huan Yang (1): Revert "udmabuf: fix vmap_udmabuf error page set" Hugo Villeneuve (1): serial: sc16is7xx: fix bug in flow control levels init Ilya Dryomov (1): libceph: fix invalid accesses to ceph_connection_v1_info Jakub Kicinski (1): netlink: specs: mptcp: replace underscores with dashes in names Jani Nikula (1): drm/i915/power: fix size for for_each_set_bit() in abox iteration Jeff LaBundy (1): Input: iqs7222 - avoid enabling unused interrupts Jeongjun Park (1): mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() Johan Hovold (4): drm/mediatek: fix potential OF node use-after-free phy: tegra: xusb: fix device and OF node leak at probe phy: ti: omap-usb2: fix device leak at unbind phy: ti-pipe3: fix device leak at unbind Jonathan Curley (1): NFSv4/flexfiles: Fix layout merge mirror check. Justin Worrell (1): SUNRPC: call xs_sock_process_cmsg for all cmsg K Prateek Nayak (1): x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon KaFai Wan (1): bpf: Allow fall back to interpreter for programs with stack size <= 512 Kohei Enju (1): igb: fix link test skipping when interface is admin down Krister Johansen (1): mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Krzysztof Kozlowski (1): dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Kuniyuki Iwashima (1): tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Kyle Meyer (1): mm/memory-failure: fix redundant updates for already poisoned pages Linus Torvalds (1): Disable SLUB_TINY for build testing Luo Gengkun (1): tracing: Fix tracing_marker may trigger page fault during preempt_disable Mark Tinguely (1): ocfs2: fix recursive semaphore deadlock in fiemap call Mathias Nyman (1): xhci: fix memory leak regression when freeing xhci vdev devices depth first Matthieu Baerts (NGI0) (3): netlink: specs: mptcp: add missing 'server-side' attr netlink: specs: mptcp: clearly mention attributes netlink: specs: mptcp: fix if-idx attribute type Maurizio Lombardi (1): nvme-pci: skip nvme_write_sq_db on empty rqlist Max Kellermann (1): fs/nfs/io: make nfs_start_io_*() killable Miaohe Lin (1): mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Miaoqian Lin (1): dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Michal Schmidt (1): i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Mike Snitzer (2): nfs/localio: remove extra indirect nfs_to call to check {read,write}_iter nfs/localio: add direct IO enablement with sync and async IO support Miklos Szeredi (2): fuse: check if copy_file_range() returns larger than requested size fuse: prevent overflow in copy_file_range return value Murali Karicheri (1): net: hsr: Add VLAN CTAG filter support Nathan Chancellor (1): compiler-clang.h: define __SANITIZE_*__ macros only when undefined Oleksij Rempel (1): net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Omar Sandoval (1): btrfs: fix subvolume deletion lockup caused by inodes xarray race Palmer Dabbelt (1): RISC-V: Remove unnecessary include from compat.h Paolo Abeni (1): Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Peilin Ye (1): bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() Pengyu Luo (1): phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties Petr Machata (1): net: bridge: Bounce invalid boolopts Phil Sutter (1): netfilter: nf_tables: Reintroduce shortened deletion notifications Pu Lehui (1): tracing: Silence warning when chunk allocation fails in trace_pid_write Qu Wenruo (1): btrfs: fix corruption reading compressed range when block size is smaller than page size Quanmin Yan (2): mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() RD Babiera (1): usb: typec: tcpm: properly deliver cable vdms to altmode drivers Salah Triki (1): EDAC/altera: Delete an inappropriate dma_free_coherent() call Sang-Heon Jeon (1): mm/damon/core: set quota->charged_from to jiffies at first charge window Santhosh Kumar K (1): mtd: spinand: winbond: Fix oob_layout for W25N01JW Scott Mayhew (1): nfs/localio: restore creds before releasing pageio data Sean Anderson (4): dma-mapping: trace dma_alloc/free direction dma-mapping: use trace_dma_alloc for dma_alloc* instead of using trace_dma_map dma-mapping: trace more error paths dma-mapping: fix swapped dir/flags arguments to trace_dma_alloc_sgt_err Srinivasan Shanmugam (1): drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed Stanislav Fort (1): mm/damon/sysfs: fix use-after-free in state_show() Stefan Wahren (1): net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Stephan Gerhold (1): dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Takashi Iwai (3): ALSA: hda/realtek: Fix built-in mic assignment on ASUS VivoBook X515UA usb: gadget: midi2: Fix missing UMP group attributes initialization usb: gadget: midi2: Fix MIDI2 IN EP max packet size Tetsuo Handa (2): can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Theodore Ts'o (1): ext4: introduce linear search for dentries Thomas Hellström (1): drm/xe: Attempt to bring bos back to VRAM after eviction Thomas Richter (2): s390/pai: Deny all events not handled by this PMU s390/cpum_cf: Deny all sampling events by counter PMU Tigran Mkrtchyan (1): flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Trond Myklebust (10): NFSv4: Don't clear capabilities that won't be reset NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server NFS: Serialise O_DIRECT i/o and truncate() NFSv4.2: Serialise O_DIRECT i/o and fallocate() NFSv4.2: Serialise O_DIRECT i/o and clone range NFSv4.2: Serialise O_DIRECT i/o and copy range NFS: nfs_invalidate_folio() must observe the offset and size arguments Revert "SUNRPC: Don't allow waiting for exiting tasks" Umesh Nerlige Ramappa (1): drm/i915/pmu: Fix zero delta busyness issue Vladimir Riabchun (1): ftrace/samples: Fix function size computation Wei Yang (1): mm/khugepaged: fix the address passed to notifier on testing young Xiongfeng Wang (1): hrtimers: Unconditionally update target CPU base after offline timer migration Yeoreum Yun (1): kunit: kasan_test: disable fortify string checker on kasan_strings() test Yevgeny Kliteynik (1): net/mlx5: HWS, change error flow on matcher disconnect Yi Sun (2): dmaengine: idxd: Remove improper idxd_free dmaengine: idxd: Fix refcount underflow on module unload wangzijie (1): proc: fix type confusion in pde_set_flags()

1 month, 2 weeks

1
1
0 0

Linux 6.6.107

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.107 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/brcm,bcm7271-uart.yaml | 2 Documentation/networking/can.rst | 2 Makefile | 2 arch/riscv/include/asm/compat.h | 1 arch/s390/kernel/perf_cpum_cf.c | 4 arch/x86/kernel/vmlinux.lds.S | 10 arch/x86/kvm/cpuid.c | 5 drivers/dma/dw/rzn1-dmamux.c | 15 drivers/dma/idxd/init.c | 39 +- drivers/dma/qcom/bam_dma.c | 8 drivers/dma/ti/edma.c | 4 drivers/edac/altera_edac.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 64 +--- drivers/gpu/drm/i915/display/intel_display_power.c | 6 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 drivers/i2c/busses/i2c-i801.c | 2 drivers/input/misc/iqs7222.c | 3 drivers/input/serio/i8042-acpipnpio.h | 14 drivers/media/i2c/imx214.c | 27 + drivers/mtd/nand/raw/atmel/nand-controller.c | 18 - drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 +- drivers/net/can/xilinx_can.c | 16 - drivers/net/ethernet/freescale/fec_main.c | 3 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 drivers/net/phy/mdio_bus.c | 4 drivers/phy/tegra/xusb-tegra210.c | 6 drivers/phy/ti/phy-ti-pipe3.c | 13 drivers/regulator/sy7636a-regulator.c | 7 drivers/tty/hvc/hvc_console.c | 6 drivers/tty/serial/sc16is7xx.c | 14 drivers/usb/gadget/function/f_midi2.c | 11 drivers/usb/gadget/udc/dummy_hcd.c | 8 drivers/usb/host/xhci-mem.c | 2 drivers/usb/serial/option.c | 17 + fs/btrfs/extent_io.c | 78 ++++ fs/fuse/file.c | 5 fs/kernfs/file.c | 54 ++- fs/nfs/client.c | 2 fs/nfs/direct.c | 21 + fs/nfs/file.c | 14 fs/nfs/flexfilelayout/flexfilelayout.c | 21 - fs/nfs/inode.c | 4 fs/nfs/internal.h | 17 - fs/nfs/io.c | 55 ++- fs/nfs/nfs42proc.c | 2 fs/nfs/nfs4file.c | 2 fs/nfs/nfs4proc.c | 6 fs/nfsd/nfs4proc.c | 4 fs/nfsd/vfs.c | 13 fs/ocfs2/extent_map.c | 10 fs/proc/generic.c | 3 fs/smb/client/file.c | 16 - fs/smb/server/connection.h | 11 fs/smb/server/mgmt/user_session.c | 4 fs/smb/server/smb2pdu.c | 14 include/linux/compiler-clang.h | 29 + include/linux/pgalloc.h | 29 + include/linux/pgtable.h | 13 include/net/sock.h | 40 ++ kernel/bpf/helpers.c | 7 kernel/rcu/tasks.h | 107 +++++- kernel/time/hrtimer.c | 50 --- kernel/trace/trace.c | 10 mm/Kconfig | 2 mm/damon/core.c | 4 mm/damon/lru_sort.c | 3 mm/damon/reclaim.c | 3 mm/damon/sysfs.c | 14 mm/kasan/init.c | 12 mm/kasan/kasan_test.c | 1 mm/khugepaged.c | 22 - mm/memory-failure.c | 7 mm/percpu.c | 6 mm/sparse-vmemmap.c | 6 net/bridge/br.c | 7 net/can/j1939/bus.c | 5 net/can/j1939/socket.c | 3 net/ceph/messenger.c | 7 net/core/sock.c | 5 net/hsr/hsr_device.c | 158 +++++++++- net/hsr/hsr_main.c | 4 net/hsr/hsr_main.h | 3 net/ipv4/ip_tunnel_core.c | 6 net/ipv4/tcp_bpf.c | 5 net/mptcp/sockopt.c | 11 net/sunrpc/sched.c | 2 net/sunrpc/xprtsock.c | 6 samples/ftrace/ftrace-direct-modify.c | 2 scripts/Makefile.kasan | 12 security/integrity/ima/ima_main.c | 16 - security/integrity/integrity.h | 3 94 files changed, 985 insertions(+), 404 deletions(-) Ada Couprie Diaz (1): kasan: fix GCC mem-intrinsic prefix with sw tags Alan Stern (1): USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Alex Deucher (1): drm/amdgpu: fix a memory leak in fence cleanup when unloading Alex Tran (1): docs: networking: can: change bcm_msg_head frames member to support flexible array Alexander Dahl (1): mtd: nand: raw: atmel: Fix comment in timings preparation Alexander Sverdlin (1): mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Anders Roxell (1): dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Andreas Kemnade (1): regulator: sy7636a: fix lifecycle of power good gpio André Apitzsch (1): media: i2c: imx214: Fix link frequency validation Anssi Hannula (1): can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Antoine Tenart (1): tunnels: reset the GSO metadata before reusing the skb Boris Burkov (1): btrfs: use readahead_expand() on compressed extents Borislav Petkov (AMD) (1): KVM: SVM: Set synthesized TSA CPUID flags Buday Csaba (1): net: mdiobus: release reset_gpio in mdiobus_unregister_device() Chen Ridong (1): kernfs: Fix UAF in polling when open file is released Chiasheng Lee (1): i2c: i801: Hide Intel Birch Stream SoC TCO WDT Christoffer Sandberg (1): Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Christophe Kerello (2): mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer mtd: rawnand: stm32_fmc2: fix ECC overwrite Chuck Lever (1): NFSD: nfsd_unlink() clobbers non-zero status returned from fh_fill_pre_attrs() Dan Carpenter (1): dmaengine: idxd: Fix double free in idxd_setup_wqs() David Rosca (2): drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages Fabian Vogt (1): tty: hvc_console: Call hvc_kick in hvc_write unconditionally Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FN990A w/audio compositions USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman (1): Linux 6.6.107 Guenter Roeck (1): x86: disable image size check for test builds Hangbin Liu (2): hsr: use rtnl lock when iterating over ports hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Harry Yoo (1): mm: introduce and use {pgd,p4d}_populate_kernel() Hugo Villeneuve (1): serial: sc16is7xx: fix bug in flow control levels init Ilya Dryomov (1): libceph: fix invalid accesses to ceph_connection_v1_info Jani Nikula (1): drm/i915/power: fix size for for_each_set_bit() in abox iteration Jeff LaBundy (1): Input: iqs7222 - avoid enabling unused interrupts Jiapeng Chong (2): hrtimer: Remove unused function hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active() Johan Hovold (3): drm/mediatek: fix potential OF node use-after-free phy: tegra: xusb: fix device and OF node leak at probe phy: ti-pipe3: fix device leak at unbind Jonathan Curley (1): NFSv4/flexfiles: Fix layout merge mirror check. Justin Worrell (1): SUNRPC: call xs_sock_process_cmsg for all cmsg Kohei Enju (1): igb: fix link test skipping when interface is admin down Krister Johansen (1): mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Krzysztof Kozlowski (1): dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Kuniyuki Iwashima (2): net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Linus Torvalds (1): Disable SLUB_TINY for build testing Luo Gengkun (1): tracing: Fix tracing_marker may trigger page fault during preempt_disable Mark Tinguely (1): ocfs2: fix recursive semaphore deadlock in fiemap call Mathias Nyman (1): xhci: fix memory leak regression when freeing xhci vdev devices depth first Max Kellermann (1): fs/nfs/io: make nfs_start_io_*() killable Miaohe Lin (1): mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Miaoqian Lin (1): dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Michal Schmidt (1): i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Miklos Szeredi (2): fuse: check if copy_file_range() returns larger than requested size fuse: prevent overflow in copy_file_range return value Mimi Zohar (1): ima: limit the number of ToMToU integrity violations Murali Karicheri (2): net: hsr: Add support for MC filtering at the slave device net: hsr: Add VLAN CTAG filter support Namjae Jeon (1): ksmbd: fix null pointer dereference in alloc_preauth_hash() Nathan Chancellor (1): compiler-clang.h: define __SANITIZE_*__ macros only when undefined Oleksij Rempel (1): net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Palmer Dabbelt (1): RISC-V: Remove unnecessary include from compat.h Paolo Abeni (1): Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Paul E. McKenney (3): rcu-tasks: Maintain lists to eliminate RCU-tasks/do_exit() deadlocks rcu-tasks: Eliminate deadlocks involving do_exit() and RCU tasks rcu-tasks: Maintain real-time response in rcu_tasks_postscan() Peilin Ye (1): bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() Petr Machata (1): net: bridge: Bounce invalid boolopts Pu Lehui (1): tracing: Silence warning when chunk allocation fails in trace_pid_write Qu Wenruo (1): btrfs: fix corruption reading compressed range when block size is smaller than page size Quanmin Yan (2): mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Salah Triki (1): EDAC/altera: Delete an inappropriate dma_free_coherent() call Sang-Heon Jeon (1): mm/damon/core: set quota->charged_from to jiffies at first charge window Stanislav Fort (1): mm/damon/sysfs: fix use-after-free in state_show() Stefan Wahren (1): net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Stephan Gerhold (1): dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Takashi Iwai (2): usb: gadget: midi2: Fix missing UMP group attributes initialization usb: gadget: midi2: Fix MIDI2 IN EP max packet size Tetsuo Handa (2): can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Thomas Richter (1): s390/cpum_cf: Deny all sampling events by counter PMU Tigran Mkrtchyan (1): flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Trond Myklebust (9): nfsd: Fix a regression in nfsd_setattr() NFSv4: Don't clear capabilities that won't be reset NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server NFS: Serialise O_DIRECT i/o and truncate() NFSv4.2: Serialise O_DIRECT i/o and fallocate() NFSv4.2: Serialise O_DIRECT i/o and clone range NFSv4.2: Serialise O_DIRECT i/o and copy range Revert "SUNRPC: Don't allow waiting for exiting tasks" Vishal Moola (Oracle) (1): mm/khugepaged: convert hpage_collapse_scan_pmd() to use folios Vladimir Riabchun (1): ftrace/samples: Fix function size computation Wei Yang (1): mm/khugepaged: fix the address passed to notifier on testing young Xiongfeng Wang (1): hrtimers: Unconditionally update target CPU base after offline timer migration Yang Erkun (1): cifs: fix pagecache leak when do writepages Yeoreum Yun (1): kunit: kasan_test: disable fortify string checker on kasan_strings() test Yi Sun (2): dmaengine: idxd: Remove improper idxd_free dmaengine: idxd: Fix refcount underflow on module unload wangzijie (1): proc: fix type confusion in pde_set_flags()

1 month, 2 weeks

1
1
0 0

Linux 6.1.153

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.153 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/brcm,bcm7271-uart.yaml | 2 Documentation/networking/can.rst | 2 Makefile | 2 arch/x86/kvm/cpuid.c | 33 +- drivers/dma/dw/rzn1-dmamux.c | 15 drivers/dma/idxd/init.c | 33 +- drivers/dma/qcom/bam_dma.c | 8 drivers/dma/ti/edma.c | 4 drivers/edac/altera_edac.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 drivers/gpu/drm/i915/display/intel_display_power.c | 6 drivers/input/misc/iqs7222.c | 3 drivers/input/serio/i8042-acpipnpio.h | 14 drivers/media/i2c/imx214.c | 27 + drivers/media/platform/mediatek/vcodec/mtk_vcodec_fw_scp.c | 4 drivers/media/platform/mediatek/vcodec/venc/venc_h264_if.c | 6 drivers/mtd/nand/raw/atmel/nand-controller.c | 18 - drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 +- drivers/net/can/xilinx_can.c | 16 drivers/net/ethernet/freescale/fec_main.c | 3 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 drivers/phy/tegra/xusb-tegra210.c | 6 drivers/phy/ti/phy-ti-pipe3.c | 13 drivers/regulator/sy7636a-regulator.c | 7 drivers/soc/qcom/mdt_loader.c | 14 drivers/tty/hvc/hvc_console.c | 6 drivers/tty/serial/sc16is7xx.c | 14 drivers/usb/gadget/udc/dummy_hcd.c | 8 drivers/usb/serial/option.c | 17 + fs/fuse/file.c | 5 fs/kernfs/file.c | 54 ++- fs/nfs/client.c | 2 fs/nfs/flexfilelayout/flexfilelayout.c | 21 - fs/nfs/nfs4proc.c | 6 fs/ocfs2/extent_map.c | 10 fs/proc/generic.c | 3 include/linux/compiler-clang.h | 29 + include/linux/pgalloc.h | 29 + include/linux/pgtable.h | 13 include/net/sock.h | 40 ++ kernel/time/hrtimer.c | 50 --- kernel/trace/trace.c | 10 kernel/trace/trace_events_synth.c | 2 mm/damon/lru_sort.c | 3 mm/damon/reclaim.c | 3 mm/damon/sysfs.c | 14 mm/kasan/init.c | 12 mm/kasan/kasan_test.c | 1 mm/khugepaged.c | 22 - mm/memory-failure.c | 7 mm/percpu.c | 6 mm/sparse-vmemmap.c | 6 net/can/j1939/bus.c | 5 net/can/j1939/socket.c | 3 net/ceph/messenger.c | 7 net/core/sock.c | 5 net/hsr/hsr_device.c | 163 +++++++++- net/hsr/hsr_main.c | 4 net/hsr/hsr_main.h | 4 net/hsr/hsr_slave.c | 18 - net/ipv4/ip_tunnel_core.c | 6 net/ipv4/tcp_bpf.c | 5 net/mptcp/sockopt.c | 11 net/sunrpc/sched.c | 2 samples/ftrace/ftrace-direct-modify.c | 2 sound/soc/qcom/qdsp6/q6apm-dai.c | 28 + 67 files changed, 667 insertions(+), 282 deletions(-) Alan Stern (1): USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Alex Deucher (1): drm/amdgpu: fix a memory leak in fence cleanup when unloading Alex Tran (1): docs: networking: can: change bcm_msg_head frames member to support flexible array Alexander Dahl (1): mtd: nand: raw: atmel: Fix comment in timings preparation Alexander Sverdlin (1): mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Anders Roxell (1): dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Andreas Kemnade (1): regulator: sy7636a: fix lifecycle of power good gpio André Apitzsch (1): media: i2c: imx214: Fix link frequency validation Anssi Hannula (1): can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Antoine Tenart (1): tunnels: reset the GSO metadata before reusing the skb Arnd Bergmann (1): media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning Bjorn Andersson (1): soc: qcom: mdt_loader: Deal with zero e_shentsize Boris Ostrovsky (1): KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func() Borislav Petkov (AMD) (1): KVM: SVM: Set synthesized TSA CPUID flags Chen Ridong (1): kernfs: Fix UAF in polling when open file is released Christoffer Sandberg (1): Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Christophe Kerello (2): mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer mtd: rawnand: stm32_fmc2: fix ECC overwrite Dan Carpenter (2): dmaengine: idxd: Fix double free in idxd_setup_wqs() soc: qcom: mdt_loader: Fix error return values in mdt_header_valid() Fabian Vogt (1): tty: hvc_console: Call hvc_kick in hvc_write unconditionally Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FN990A w/audio compositions USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Greg Kroah-Hartman (1): Linux 6.1.153 Hangbin Liu (2): hsr: use rtnl lock when iterating over ports hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Harry Yoo (1): mm: introduce and use {pgd,p4d}_populate_kernel() Hugo Villeneuve (1): serial: sc16is7xx: fix bug in flow control levels init Ilya Dryomov (1): libceph: fix invalid accesses to ceph_connection_v1_info Jani Nikula (1): drm/i915/power: fix size for for_each_set_bit() in abox iteration Jeff LaBundy (1): Input: iqs7222 - avoid enabling unused interrupts Jiapeng Chong (2): hrtimer: Remove unused function hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active() Jiasheng Jiang (1): media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization Johan Hovold (2): phy: tegra: xusb: fix device and OF node leak at probe phy: ti-pipe3: fix device leak at unbind Jonathan Curley (1): NFSv4/flexfiles: Fix layout merge mirror check. Kim Phillips (1): KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code Kohei Enju (1): igb: fix link test skipping when interface is admin down Krister Johansen (1): mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Krzysztof Kozlowski (1): dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Kuniyuki Iwashima (2): net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Luo Gengkun (1): tracing: Fix tracing_marker may trigger page fault during preempt_disable Mark Tinguely (1): ocfs2: fix recursive semaphore deadlock in fiemap call Miaohe Lin (1): mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Miaoqian Lin (1): dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Michal Schmidt (1): i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Miklos Szeredi (2): fuse: check if copy_file_range() returns larger than requested size fuse: prevent overflow in copy_file_range return value Murali Karicheri (2): net: hsr: Add support for MC filtering at the slave device net: hsr: Add VLAN CTAG filter support Nathan Chancellor (1): compiler-clang.h: define __SANITIZE_*__ macros only when undefined Oleksij Rempel (1): net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Paolo Abeni (1): Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Pu Lehui (1): tracing: Silence warning when chunk allocation fails in trace_pid_write Quanmin Yan (2): mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Ravi Gunasekaran (2): net: hsr: Disable promiscuous mode in offload mode net: hsr: hsr_slave: Fix the promiscuous mode in offload mode Salah Triki (1): EDAC/altera: Delete an inappropriate dma_free_coherent() call Srinivas Kandagatla (1): ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs Stanislav Fort (1): mm/damon/sysfs: fix use-after-free in state_show() Stefan Wahren (1): net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Stephan Gerhold (1): dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Steven Rostedt (1): tracing: Do not add length to print format in synthetic events Tetsuo Handa (2): can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Tigran Mkrtchyan (1): flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Trond Myklebust (4): NFSv4: Don't clear capabilities that won't be reset NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server Revert "SUNRPC: Don't allow waiting for exiting tasks" Vishal Moola (Oracle) (1): mm/khugepaged: convert hpage_collapse_scan_pmd() to use folios Vladimir Riabchun (1): ftrace/samples: Fix function size computation Wei Yang (1): mm/khugepaged: fix the address passed to notifier on testing young Xiongfeng Wang (1): hrtimers: Unconditionally update target CPU base after offline timer migration Yeoreum Yun (1): kunit: kasan_test: disable fortify string checker on kasan_strings() test wangzijie (1): proc: fix type confusion in pde_set_flags()

1 month, 2 weeks

1
1
0 0

[PATCH net-next] mptcp: reset blackhole on success with non-loopback ifaces

by Matthieu Baerts (NGI0)

When a first MPTCP connection gets successfully established after a blackhole period, 'active_disable_times' was supposed to be reset when this connection was done via any non-loopback interfaces. Unfortunately, the opposite condition was checked: only reset when the connection was established via a loopback interface. Fixing this by simply looking at the opposite. This is similar to what is done with TCP FastOpen, see tcp_fastopen_active_disable_ofo_check(). This patch is a follow-up of a previous discussion linked to commit 893c49a78d9f ("mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable()."), see [1]. Fixes: 27069e7cb3d1 ("mptcp: disable active MPTCP in case of blackhole") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/4209a283-8822-47bd-95b7-87e96d9b7ea3@kernel.org [1] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Cc: Kuniyuki Iwashima <kuniyu(a)google.com> Note: sending this fix to net-next, similar to commits 108a86c71c93 ("mptcp: Call dst_release() in mptcp_active_enable().") and 893c49a78d9f ("mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable()."). Also to avoid conflicts, and because we are close to the merge windows. --- net/mptcp/ctrl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c index e8ffa62ec183f3cd8156e3969ac4a7d0213a990b..d96130e49942e2fb878cd1897ad43c1d420fb233 100644 --- a/net/mptcp/ctrl.c +++ b/net/mptcp/ctrl.c @@ -507,7 +507,7 @@ void mptcp_active_enable(struct sock *sk) rcu_read_lock(); dst = __sk_dst_get(sk); dev = dst ? dst_dev_rcu(dst) : NULL; - if (dev && (dev->flags & IFF_LOOPBACK)) + if (!(dev && (dev->flags & IFF_LOOPBACK))) atomic_set(&pernet->active_disable_times, 0); rcu_read_unlock(); } --- base-commit: b127e355f1af1e4a635ed8f78cb0d11c916613cf change-id: 20250918-net-next-mptcp-blackhole-reset-loopback-d82c518e409f Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

1 month, 2 weeks

4
3
0 0

[PATCH v2] nvmem: rcar-efuse: add missing MODULE_DEVICE_TABLE

by Cosmin Tanislav

The nvmem-rcar-efuse driver can be compiled as a module. Add missing MODULE_DEVICE_TABLE so it can be matched by modalias and automatically loaded by udev. Cc: stable(a)vger.kernel.org Fixes: 1530b923a514 ("nvmem: Add R-Car E-FUSE driver") Signed-off-by: Cosmin Tanislav <cosmin-gabriel.tanislav.xa(a)renesas.com> Reviewed-by: Geert Uytterhoeven <geert+renesas(a)glider.be> --- V2: * add stable to CC * pick up Reviewed-by drivers/nvmem/rcar-efuse.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/nvmem/rcar-efuse.c b/drivers/nvmem/rcar-efuse.c index f24bdb9cb5a7..d9a96a1d59c8 100644 --- a/drivers/nvmem/rcar-efuse.c +++ b/drivers/nvmem/rcar-efuse.c @@ -127,6 +127,7 @@ static const struct of_device_id rcar_fuse_match[] = { { .compatible = "renesas,r8a779h0-otp", .data = &rcar_fuse_v4m }, { /* sentinel */ } }; +MODULE_DEVICE_TABLE(of, rcar_fuse_match); static struct platform_driver rcar_fuse_driver = { .probe = rcar_fuse_probe, -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCH 0/1] perf/x86/intel: Fix crash in icl_update_topdown_event()

by Angel Adetula

This patch fixes a crash in icl_update_topdown_event(). This fix has already been applied to the 'linux-6.1.y', 'linux-6.6.y', and 'linux-6.15.y' stable trees. This submission is to request application to the 'linux-6.12.y' stable tree, as it appears to be still missing there. This should also fix kernel bug CVE-2025-38322. Kan Liang (1): perf/x86/intel: Fix crash in icl_update_topdown_event() arch/x86/events/intel/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) base-commit: f6cf124428f51e3ef07a8e54c743873face9d2b2 -- 2.51.0.470.ga7dc726c21-goog

1 month, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] dt-bindings: serial: 8250: move a constraint" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x 387d00028cccee7575f6416953bef62f849d83e3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025091759-buddy-verdict-96be@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 387d00028cccee7575f6416953bef62f849d83e3 Mon Sep 17 00:00:00 2001 From: Alex Elder <elder(a)riscstar.com> Date: Tue, 12 Aug 2025 22:21:50 -0500 Subject: [PATCH] dt-bindings: serial: 8250: move a constraint A block that required a "spacemit,k1-uart" compatible node to specify two clocks was placed in the wrong spot in the binding. Conor Dooley pointed out it belongs earlier in the file, as part of the initial "allOf". Fixes: 2c0594f9f0629 ("dt-bindings: serial: 8250: support an optional second clock") Cc: stable <stable(a)kernel.org> Reported-by: Conor Dooley <conor(a)kernel.org> Closes: https://lore.kernel.org/lkml/20250729-reshuffle-contented-e6def76b540b@spud/ Signed-off-by: Alex Elder <elder(a)riscstar.com> Acked-by: Conor Dooley <conor.dooley(a)microchip.com> Link: https://lore.kernel.org/r/20250813032151.2330616-1-elder@riscstar.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/Documentation/devicetree/bindings/serial/8250.yaml b/Documentation/devicetree/bindings/serial/8250.yaml index e46bee8d25bf..f59c0b37e8eb 100644 --- a/Documentation/devicetree/bindings/serial/8250.yaml +++ b/Documentation/devicetree/bindings/serial/8250.yaml @@ -48,7 +48,6 @@ allOf: oneOf: - required: [ clock-frequency ] - required: [ clocks ] - - if: properties: compatible: @@ -66,6 +65,28 @@ allOf: items: - const: core - const: bus + - if: + properties: + compatible: + contains: + enum: + - spacemit,k1-uart + - nxp,lpc1850-uart + then: + required: + - clocks + - clock-names + properties: + clocks: + minItems: 2 + clock-names: + minItems: 2 + else: + properties: + clocks: + maxItems: 1 + clock-names: + maxItems: 1 properties: compatible: @@ -264,29 +285,6 @@ required: - reg - interrupts -if: - properties: - compatible: - contains: - enum: - - spacemit,k1-uart - - nxp,lpc1850-uart -then: - required: - - clocks - - clock-names - properties: - clocks: - minItems: 2 - clock-names: - minItems: 2 -else: - properties: - clocks: - maxItems: 1 - clock-names: - maxItems: 1 - unevaluatedProperties: false examples:

1 month, 2 weeks

3
4
0 0

FAILED: patch "[PATCH] dt-bindings: serial: 8250: allow "main" and "uart" as clock" failed to apply to 6.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y git checkout FETCH_HEAD git cherry-pick -x a1b51534b532dd4f0499907865553ee9251bebc3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025091753-raider-wake-9e9d@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a1b51534b532dd4f0499907865553ee9251bebc3 Mon Sep 17 00:00:00 2001 From: Alex Elder <elder(a)riscstar.com> Date: Tue, 12 Aug 2025 22:13:35 -0500 Subject: [PATCH] dt-bindings: serial: 8250: allow "main" and "uart" as clock names There are two compatible strings defined in "8250.yaml" that require two clocks to be specified, along with their names: - "spacemit,k1-uart", used in "spacemit/k1.dtsi" - "nxp,lpc1850-uart", used in "lpc/lpc18xx.dtsi" When only one clock is used, the name is not required. However there are two places that do specify a name: - In "mediatek/mt7623.dtsi", the clock for the "mediatek,mtk-btif" compatible serial device is named "main" - In "qca/ar9132.dtsi", the clock for the "ns8250" compatible serial device is named "uart" In commit d2db0d7815444 ("dt-bindings: serial: 8250: allow clock 'uartclk' and 'reg' for nxp,lpc1850-uart"), Frank Li added the restriction that two named clocks be used for the NXP platform mentioned above. Change that logic, so that an additional condition for (only) the SpacemiT platform similarly restricts the two clocks to have the names "core" and "bus". Finally, add "main" and "uart" as allowed names when a single clock is specified. Fixes: 2c0594f9f0629 ("dt-bindings: serial: 8250: support an optional second clock") Cc: stable <stable(a)kernel.org> Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202507160314.wrC51lXX-lkp@intel.com/ Signed-off-by: Alex Elder <elder(a)riscstar.com> Acked-by: Conor Dooley <conor.dooley(a)microchip.com> Link: https://lore.kernel.org/r/20250813031338.2328392-1-elder@riscstar.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/Documentation/devicetree/bindings/serial/8250.yaml b/Documentation/devicetree/bindings/serial/8250.yaml index f59c0b37e8eb..b243afa69a1a 100644 --- a/Documentation/devicetree/bindings/serial/8250.yaml +++ b/Documentation/devicetree/bindings/serial/8250.yaml @@ -59,7 +59,12 @@ allOf: items: - const: uartclk - const: reg - else: + - if: + properties: + compatible: + contains: + const: spacemit,k1-uart + then: properties: clock-names: items: @@ -183,6 +188,9 @@ properties: minItems: 1 maxItems: 2 oneOf: + - enum: + - main + - uart - items: - const: core - const: bus

1 month, 2 weeks

3
3
0 0

[PATCH 6.16 000/189] 6.16.8-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.16.8 release. There are 189 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 19 Sep 2025 12:32:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.16.8-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.16.8-rc1 Johan Hovold <johan(a)kernel.org> phy: ti-pipe3: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: ti: omap-usb2: fix device leak at unbind Johan Hovold <johan(a)kernel.org> phy: tegra: xusb: fix device and OF node leak at probe Stephan Gerhold <stephan.gerhold(a)linaro.org> phy: qcom: qmp-pcie: Fix PHY initialization when powered down by firmware Miaoqian Lin <linmq006(a)gmail.com> dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Stephan Gerhold <stephan.gerhold(a)linaro.org> dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees Takashi Iwai <tiwai(a)suse.de> usb: gadget: midi2: Fix MIDI2 IN EP max packet size Takashi Iwai <tiwai(a)suse.de> usb: gadget: midi2: Fix missing UMP group attributes initialization RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: properly deliver cable vdms to altmode drivers Alan Stern <stern(a)rowland.harvard.edu> USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: fix memory leak regression when freeing xhci vdev devices depth first Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Fix full DbC transfer ring after several reconnects Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: decouple endpoint allocation from initialization Yuezhang Mo <Yuezhang.Mo(a)sony.com> erofs: fix runtime warning on truncate_folio_batch_exceptionals() Andreas Kemnade <akemnade(a)kernel.org> regulator: sy7636a: fix lifecycle of power good gpio Anders Roxell <anders.roxell(a)linaro.org> dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Gao Xiang <xiang(a)kernel.org> erofs: fix invalid algorithm for encoded extents Gao Xiang <xiang(a)kernel.org> erofs: unify meta buffers in z_erofs_fill_inode() Gao Xiang <xiang(a)kernel.org> erofs: remove need_kmap in erofs_read_metabuf() Gao Xiang <xiang(a)kernel.org> erofs: get rid of {get,put}_page() for ztailpacking data Dan Carpenter <dan.carpenter(a)linaro.org> dmaengine: idxd: Fix double free in idxd_setup_wqs() Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Fix refcount underflow on module unload Yi Sun <yi.sun(a)intel.com> dmaengine: idxd: Remove improper idxd_free Pengyu Luo <mitltlatltl(a)gmail.com> phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties Hangbin Liu <liuhangbin(a)gmail.com> hsr: hold rcu and dev lock for hsr_get_port_ndev Hangbin Liu <liuhangbin(a)gmail.com> hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr Hangbin Liu <liuhangbin(a)gmail.com> hsr: use rtnl lock when iterating over ports Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: restart set lookup on base_seq change Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: make nft_set_do_lookup available unconditionally Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: place base_seq in struct net Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Reintroduce shortened deletion notifications Florian Westphal <fw(a)strlen.de> netfilter: nft_set_rbtree: continue traversal if element is inactive Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: don't check genbit from packetpath lookups Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: don't return bogus extension pointer Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: merge pipapo_get/lookup Florian Westphal <fw(a)strlen.de> netfilter: nft_set: remove one argument from lookup and update functions Florian Westphal <fw(a)strlen.de> netfilter: nft_set_pipapo: remove unused arguments Florian Westphal <fw(a)strlen.de> netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation Anssi Hannula <anssi.hannula(a)bitwise.fi> can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> can: j1939: implement NETDEV_UNREGISTER notification handler Davide Caratti <dcaratti(a)redhat.com> selftests: can: enable CONFIG_CAN_VCAN as a module Stanislav Fomichev <sdf(a)fomichev.me> macsec: sync features on RTM_NEWLINK Carolina Jubran <cjubran(a)nvidia.com> net: dev_ioctl: take ops lock in hwtstamp lower paths Alex Deucher <alexander.deucher(a)amd.com> drm/amd/display: use udelay rather than fsleep Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/configfs: Don't touch survivability_mode on fini Michal Schmidt <mschmidt(a)redhat.com> i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Kohei Enju <enjuk(a)amazon.com> igb: fix link test skipping when interface is admin down Tianyu Xu <tianyxu(a)cisco.com> igb: Fix NULL pointer dereference in ethtool loopback test Alex Tran <alex.t.tran(a)gmail.com> docs: networking: can: change bcm_msg_head frames member to support flexible array Antoine Tenart <atenart(a)kernel.org> tunnels: reset the GSO metadata before reusing the skb Petr Machata <petrm(a)nvidia.com> net: bridge: Bounce invalid boolopts Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix ageing time for BCM53101 Alok Tiwari <alok.a.tiwari(a)oracle.com> genetlink: fix genl_bind() invoking bind() after -EPERM Klaus Kudielka <klaus.kudielka(a)gmail.com> PCI: mvebu: Fix use of for_each_of_range() iterator Miaoqing Pan <miaoqing.pan(a)oss.qualcomm.com> wifi: ath12k: fix WMI TLV header misalignment Sriram R <quic_srirrama(a)quicinc.com> wifi: ath12k: Add support to enqueue management frame at MLD level Sarika Sharma <quic_sarishar(a)quicinc.com> wifi: ath12k: add link support for multi-link in arsta Miaoqing Pan <miaoqing.pan(a)oss.qualcomm.com> wifi: ath12k: Fix missing station power save configuration Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phy: transfer phy_config_inband() locking responsibility to phylink Vladimir Oltean <vladimir.oltean(a)nxp.com> net: phylink: add lock for serializing concurrent pl->phydev writes with resolver Stefan Wahren <wahrenst(a)gmx.net> net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Chia-I Wu <olvaffe(a)gmail.com> drm/panthor: validate group queue count Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mtd: rawnand: nuvoton: Fix an error handling path in ma35_nand_chips_init() Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fabio Porcedda <fabio.porcedda(a)gmail.com> USB: serial: option: add Telit Cinterion FN990A w/audio compositions Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: sc16is7xx: fix bug in flow control levels init Fabian Vogt <fvogt(a)suse.de> tty: hvc_console: Call hvc_kick in hvc_write unconditionally Paolo Abeni <pabeni(a)redhat.com> Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Antheas Kapenekakis <lkml(a)antheas.dev> Input: xpad - add support for Flydigi Apex 5 Christoffer Sandberg <cs(a)tuxedo.de> Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Jeff LaBundy <jeff(a)labundy.com> Input: iqs7222 - avoid enabling unused interrupts K Prateek Nayak <kprateek.nayak(a)amd.com> x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon Reinette Chatre <reinette.chatre(a)intel.com> fs/resctrl: Eliminate false positive lockdep warning when reading SNC counters Xiongfeng Wang <wangxiongfeng2(a)huawei.com> hrtimers: Unconditionally update target CPU base after offline timer migration Pratap Nirujogi <pratap.nirujogi(a)amd.com> drm/amd/amdgpu: Declare isp firmware binary file Mario Limonciello (AMD) <mario.limonciello(a)amd.com> drm/amd/display: Drop dm_prepare_suspend() and dm_complete() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Destroy cached state in complete() callback Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() Stanislav Fort <stanislav.fort(a)aisle.com> mm/damon/sysfs: fix use-after-free in state_show() Santhosh Kumar K <s-k6(a)ti.com> mtd: spinand: winbond: Fix oob_layout for W25N01JW Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: spinand: winbond: Enable high-speed modes on w25n0xjw Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: spinand: Add a ->configure_chip() hook Max Kellermann <max.kellermann(a)ionos.com> ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error Max Kellermann <max.kellermann(a)ionos.com> ceph: always call ceph_shift_unused_folios_left() Alex Markuze <amarkuze(a)redhat.com> ceph: fix race condition where r_parent becomes stale before sending message Alex Markuze <amarkuze(a)redhat.com> ceph: fix race condition validating r_parent before applying state Ilya Dryomov <idryomov(a)gmail.com> libceph: fix invalid accesses to ceph_connection_v1_info Chen Ridong <chenridong(a)huawei.com> kernfs: Fix UAF in polling when open file is released Qu Wenruo <wqu(a)suse.com> btrfs: fix corruption reading compressed range when block size is smaller than page size Boris Burkov <boris(a)bur.io> btrfs: use readahead_expand() on compressed extents Fangzhi Zuo <Jerry.Zuo(a)amd.com> drm/amd/display: Disable DPCD Probe Quirk Imre Deak <imre.deak(a)intel.com> drm/dp: Add an EDID quirk for the DPCD register access probe Imre Deak <imre.deak(a)intel.com> drm/edid: Add support for quirks visible to DRM core and drivers Imre Deak <imre.deak(a)intel.com> drm/edid: Define the quirks in an enum list Geoffrey McRae <geoffrey.mcrae(a)amd.com> drm/amd/display: remove oem i2c adapter on finish Ovidiu Bunea <ovidiu.bunea(a)amd.com> drm/amd/display: Correct sequences and delays for DCN35 PG & RCG David Rosca <david.rosca(a)amd.com> drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages David Rosca <david.rosca(a)amd.com> drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: fix a memory leak in fence cleanup when unloading Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Block exec and rebind worker while evicting for suspend / hibernate Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Allow the pm notifier to continue on failure Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Attempt to bring bos back to VRAM after eviction Jani Nikula <jani.nikula(a)intel.com> drm/i915/power: fix size for for_each_set_bit() in abox iteration Johan Hovold <johan(a)kernel.org> drm/mediatek: fix potential OF node use-after-free Quanmin Yan <yanquanmin1(a)huawei.com> mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Sang-Heon Jeon <ekffu200098(a)gmail.com> mm/damon/core: set quota->charged_from to jiffies at first charge window Kyle Meyer <kyle.meyer(a)hpe.com> mm/memory-failure: fix redundant updates for already poisoned pages Miaohe Lin <linmiaohe(a)huawei.com> mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Uladzislau Rezki (Sony) <urezki(a)gmail.com> mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() Wei Yang <richard.weiyang(a)gmail.com> mm/khugepaged: fix the address passed to notifier on testing young Jeongjun Park <aha310510(a)gmail.com> mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() Miklos Szeredi <mszeredi(a)redhat.com> fuse: prevent overflow in copy_file_range return value Miklos Szeredi <mszeredi(a)redhat.com> fuse: check if copy_file_range() returns larger than requested size Amir Goldstein <amir73il(a)gmail.com> fuse: do not allow mapping a non-regular backing file Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: fix ECC overwrite Christophe Kerello <christophe.kerello(a)foss.st.com> mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Alexander Sverdlin <alexander.sverdlin(a)gmail.com> mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Paulo Alcantara <pc(a)manguebit.org> smb: client: fix data loss due to broken rename(2) Paulo Alcantara <pc(a)manguebit.org> smb: client: fix compound alignment with encryption Breno Leitao <leitao(a)debian.org> s390: kexec: initialize kexec_buf struct Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: fix 130/1030 configs Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: hibernate: Restrict GFP mask in hibernation_snapshot() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: EM: Add function for registering a PD without capacity update Oleksij Rempel <o.rempel(a)pengutronix.de> net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix to enable RSS Jonas Jelonek <jelonek.jonas(a)gmail.com> i2c: rtl9300: remove broken SMBus Quick operation support Jonas Jelonek <jelonek.jonas(a)gmail.com> i2c: rtl9300: ensure data length is within supported range Chiasheng Lee <chiasheng.lee(a)linux.intel.com> i2c: i801: Hide Intel Birch Stream SoC TCO WDT Omar Sandoval <osandov(a)fb.com> btrfs: fix subvolume deletion lockup caused by inodes xarray race Boris Burkov <boris(a)bur.io> btrfs: fix squota compressed stats leak Mark Tinguely <mark.tinguely(a)oracle.com> ocfs2: fix recursive semaphore deadlock in fiemap call Matthieu Baerts (NGI0) <matttbe(a)kernel.org> netlink: specs: mptcp: fix if-idx attribute type Matthieu Baerts (NGI0) <matttbe(a)kernel.org> doc: mptcp: net.mptcp.pm_type is deprecated Krister Johansen <kjlx(a)templeofstupid.com> mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Breno Leitao <leitao(a)debian.org> arm64: kexec: initialize kexec_buf struct in load_other_segments() Nathan Chancellor <nathan(a)kernel.org> compiler-clang.h: define __SANITIZE_*__ macros only when undefined Trond Myklebust <trond.myklebust(a)hammerspace.com> Revert "SUNRPC: Don't allow waiting for exiting tasks" Jonas Jelonek <jelonek.jonas(a)gmail.com> i2c: rtl9300: fix channel number bound check Salah Triki <salah.triki(a)gmail.com> EDAC/altera: Delete an inappropriate dma_free_coherent() call wangzijie <wangzijie1(a)honor.com> proc: fix type confusion in pde_set_flags() Kuniyuki Iwashima <kuniyu(a)google.com> tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Peilin Ye <yepeilin(a)google.com> bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() KaFai Wan <kafai.wan(a)linux.dev> bpf: Allow fall back to interpreter for programs with stack size <= 512 Kumar Kartikeya Dwivedi <memxor(a)gmail.com> rqspinlock: Choose trylock fallback for NMI waiters Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> xsk: Fix immature cq descriptor production Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt Mario Limonciello (AMD) <superm1(a)kernel.org> cpufreq/amd-pstate: Fix a regression leading to EPP 0 after resume Thomas Richter <tmricht(a)linux.ibm.com> s390/cpum_cf: Deny all sampling events by counter PMU Thomas Richter <tmricht(a)linux.ibm.com> s390/pai: Deny all events not handled by this PMU Gautham R. Shenoy <gautham.shenoy(a)amd.com> cpufreq/amd-pstate: Fix setting of CPPC.min_perf in active mode for performance governor Jesper Dangaard Brouer <hawk(a)kernel.org> bpf, cpumap: Disable page_pool direct xdp_return need larger scope Pu Lehui <pulehui(a)huawei.com> tracing: Silence warning when chunk allocation fails in trace_pid_write Jonathan Curley <jcurley(a)purestorage.com> NFSv4/flexfiles: Fix layout merge mirror check. Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: nfs_invalidate_folio() must observe the offset and size arguments Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and copy range Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and clone range Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Serialise O_DIRECT i/o and fallocate() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Serialise O_DIRECT i/o and truncate() Wang Liang <wangliang74(a)huawei.com> tracing/osnoise: Fix null-ptr-deref in bitmap_parselist() Vladimir Riabchun <ferr.lambarginio(a)gmail.com> ftrace/samples: Fix function size computation Scott Mayhew <smayhew(a)redhat.com> nfs/localio: restore creds before releasing pageio data Luo Gengkun <luogengkun(a)huaweicloud.com> tracing: Fix tracing_marker may trigger page fault during preempt_disable Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set Guenter Roeck <linux(a)roeck-us.net> trace/fgraph: Fix error handling Xiao Ni <xni(a)redhat.com> md: keep recovery_cp in mdp_superblock_s Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Don't clear capabilities that won't be reset Justin Worrell <jworrell(a)gmail.com> SUNRPC: call xs_sock_process_cmsg for all cmsg Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amdgpu: Add more checks to PSP mailbox" Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix getname not returning broadcast fields Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix running bis_cleanup for hci_conn->type PA_LINK Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain Jason Gunthorpe <jgg(a)ziepe.ca> iommu/vt-d: Split paging_domain_compatible() Jason Gunthorpe <jgg(a)ziepe.ca> iommu/vt-d: Create unique domain ops for each stage Jason Gunthorpe <jgg(a)ziepe.ca> iommu/vt-d: Split intel_iommu_domain_alloc_paging_flags() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_conn: Fix not cleaning up Broadcaster/Broadcast Source Dan Carpenter <dan.carpenter(a)linaro.org> irqchip/mvebu-gicp: Fix an IS_ERR() vs NULL check in probe() Kan Liang <kan.liang(a)linux.intel.com> perf: Fix the POLL_HUP delivery breakage Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> dma-debug: don't enforce dma mapping check on noncoherent allocations Amir Goldstein <amir73il(a)gmail.com> fhandle: use more consistent rules for decoding file handle from userns Edward Adam Davis <eadavis(a)qq.com> fuse: Block access to folio overlimit Christian Brauner <brauner(a)kernel.org> coredump: don't pointlessly check and spew warnings Christoph Hellwig <hch(a)lst.de> block: don't silently ignore metadata for sync read/write Christoph Hellwig <hch(a)lst.de> fs: add a FMODE_ flag to indicate IOCB_HAS_METADATA availability ------------- Diffstat: .../bindings/serial/brcm,bcm7271-uart.yaml | 2 +- Documentation/netlink/specs/mptcp_pm.yaml | 2 +- Documentation/networking/can.rst | 2 +- Documentation/networking/mptcp.rst | 8 +- Makefile | 4 +- arch/arm64/kernel/machine_kexec_file.c | 2 +- arch/s390/kernel/kexec_elf.c | 2 +- arch/s390/kernel/kexec_image.c | 2 +- arch/s390/kernel/machine_kexec_file.c | 6 +- arch/s390/kernel/perf_cpum_cf.c | 4 +- arch/s390/kernel/perf_pai_crypto.c | 4 +- arch/s390/kernel/perf_pai_ext.c | 2 +- arch/x86/kernel/cpu/topology_amd.c | 25 +- block/fops.c | 13 +- drivers/cpufreq/amd-pstate.c | 19 +- drivers/cpufreq/intel_pstate.c | 4 +- drivers/dma/dw/rzn1-dmamux.c | 15 +- drivers/dma/idxd/init.c | 39 +-- drivers/dma/qcom/bam_dma.c | 8 +- drivers/dma/ti/edma.c | 4 +- drivers/edac/altera_edac.c | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 - drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 11 - drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 - drivers/gpu/drm/amd/amdgpu/isp_v4_1_1.c | 2 + drivers/gpu/drm/amd/amdgpu/psp_v10_0.c | 4 +- drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 31 +-- drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c | 25 +- drivers/gpu/drm/amd/amdgpu/psp_v12_0.c | 18 +- drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 25 +- drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c | 25 +- drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 25 +- drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 +- drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 60 +++-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 106 +++++---- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 1 + drivers/gpu/drm/amd/display/dc/dc.h | 1 + .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 74 +++--- .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 +- .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 115 ++------- .../gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c | 3 - .../drm/amd/display/dc/hwss/dcn351/dcn351_init.c | 3 - drivers/gpu/drm/amd/display/dc/inc/hw/pg_cntl.h | 1 + .../drm/amd/display/dc/pg/dcn35/dcn35_pg_cntl.c | 78 +++--- drivers/gpu/drm/display/drm_dp_helper.c | 42 +++- drivers/gpu/drm/drm_edid.c | 232 +++++++++--------- drivers/gpu/drm/i915/display/intel_display_power.c | 6 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 +- drivers/gpu/drm/panthor/panthor_drv.c | 2 +- drivers/gpu/drm/xe/tests/xe_bo.c | 2 +- drivers/gpu/drm/xe/tests/xe_dma_buf.c | 10 +- drivers/gpu/drm/xe/xe_bo.c | 16 +- drivers/gpu/drm/xe/xe_bo.h | 2 +- drivers/gpu/drm/xe/xe_device_types.h | 6 + drivers/gpu/drm/xe/xe_dma_buf.c | 2 +- drivers/gpu/drm/xe/xe_exec.c | 9 + drivers/gpu/drm/xe/xe_pm.c | 42 +++- drivers/gpu/drm/xe/xe_survivability_mode.c | 3 +- drivers/gpu/drm/xe/xe_vm.c | 42 +++- drivers/gpu/drm/xe/xe_vm.h | 2 + drivers/gpu/drm/xe/xe_vm_types.h | 5 + drivers/i2c/busses/i2c-i801.c | 2 +- drivers/i2c/busses/i2c-rtl9300.c | 22 +- drivers/input/joystick/xpad.c | 2 + drivers/input/misc/iqs7222.c | 3 + drivers/input/serio/i8042-acpipnpio.h | 14 ++ drivers/iommu/intel/cache.c | 5 +- drivers/iommu/intel/iommu.c | 263 ++++++++++++++------- drivers/iommu/intel/iommu.h | 12 + drivers/iommu/intel/nested.c | 4 +- drivers/iommu/intel/svm.c | 1 - drivers/irqchip/irq-mvebu-gicp.c | 2 +- drivers/md/md.c | 6 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 16 +- .../mtd/nand/raw/nuvoton-ma35d1-nand-controller.c | 4 +- drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 ++-- drivers/mtd/nand/spi/core.c | 18 +- drivers/mtd/nand/spi/winbond.c | 80 ++++++- drivers/net/can/xilinx_can.c | 16 +- drivers/net/dsa/b53/b53_common.c | 17 +- drivers/net/ethernet/freescale/fec_main.c | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 +- drivers/net/ethernet/intel/igb/igb_main.c | 3 +- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 20 +- drivers/net/ethernet/wangxun/libwx/wx_hw.c | 4 - drivers/net/macsec.c | 1 + drivers/net/phy/phy.c | 12 +- drivers/net/phy/phylink.c | 28 ++- drivers/net/wireless/ath/ath12k/core.h | 1 + drivers/net/wireless/ath/ath12k/dp_mon.c | 22 +- drivers/net/wireless/ath/ath12k/dp_rx.c | 11 +- drivers/net/wireless/ath/ath12k/hw.c | 55 +++++ drivers/net/wireless/ath/ath12k/hw.h | 2 + drivers/net/wireless/ath/ath12k/mac.c | 127 +++++----- drivers/net/wireless/ath/ath12k/peer.c | 2 +- drivers/net/wireless/ath/ath12k/peer.h | 28 +++ drivers/net/wireless/ath/ath12k/wmi.c | 58 ++++- drivers/net/wireless/ath/ath12k/wmi.h | 16 +- drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 26 +- drivers/pci/controller/pci-mvebu.c | 21 +- drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 4 +- drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 25 +- drivers/phy/tegra/xusb-tegra210.c | 6 +- drivers/phy/ti/phy-omap-usb2.c | 13 + drivers/phy/ti/phy-ti-pipe3.c | 13 + drivers/regulator/sy7636a-regulator.c | 7 +- drivers/tty/hvc/hvc_console.c | 6 +- drivers/tty/serial/sc16is7xx.c | 14 +- drivers/usb/gadget/function/f_midi2.c | 11 +- drivers/usb/gadget/udc/dummy_hcd.c | 8 +- drivers/usb/host/xhci-dbgcap.c | 94 +++++--- drivers/usb/host/xhci-mem.c | 2 +- drivers/usb/serial/option.c | 17 ++ drivers/usb/typec/tcpm/tcpm.c | 12 +- fs/btrfs/extent_io.c | 73 +++++- fs/btrfs/inode.c | 12 +- fs/btrfs/qgroup.c | 6 +- fs/ceph/addr.c | 9 +- fs/ceph/debugfs.c | 14 +- fs/ceph/dir.c | 17 +- fs/ceph/file.c | 24 +- fs/ceph/inode.c | 88 +++++-- fs/ceph/mds_client.c | 172 ++++++++------ fs/ceph/mds_client.h | 18 +- fs/coredump.c | 4 + fs/erofs/data.c | 8 +- fs/erofs/fileio.c | 2 +- fs/erofs/fscache.c | 2 +- fs/erofs/inode.c | 8 +- fs/erofs/internal.h | 2 +- fs/erofs/super.c | 16 +- fs/erofs/zdata.c | 17 +- fs/erofs/zmap.c | 98 ++++---- fs/exec.c | 2 +- fs/fhandle.c | 8 + fs/fuse/dev.c | 2 +- fs/fuse/file.c | 5 +- fs/fuse/passthrough.c | 5 + fs/kernfs/file.c | 58 +++-- fs/nfs/client.c | 2 + fs/nfs/file.c | 7 +- fs/nfs/flexfilelayout/flexfilelayout.c | 21 +- fs/nfs/inode.c | 4 +- fs/nfs/internal.h | 10 + fs/nfs/io.c | 13 +- fs/nfs/localio.c | 12 +- fs/nfs/nfs42proc.c | 2 + fs/nfs/nfs4file.c | 2 + fs/nfs/nfs4proc.c | 7 +- fs/nfs/write.c | 1 + fs/ocfs2/extent_map.c | 10 +- fs/proc/generic.c | 3 +- fs/resctrl/ctrlmondata.c | 2 +- fs/resctrl/internal.h | 4 +- fs/resctrl/monitor.c | 6 +- fs/smb/client/cifsglob.h | 13 +- fs/smb/client/file.c | 18 +- fs/smb/client/inode.c | 86 +++++-- fs/smb/client/smb2glob.h | 3 +- fs/smb/client/smb2inode.c | 204 ++++++++++++---- fs/smb/client/smb2ops.c | 32 ++- fs/smb/client/smb2proto.h | 3 + fs/smb/client/trace.h | 9 +- include/drm/display/drm_dp_helper.h | 6 + include/drm/drm_connector.h | 4 +- include/drm/drm_edid.h | 8 + include/linux/compiler-clang.h | 31 ++- include/linux/energy_model.h | 10 + include/linux/fs.h | 3 +- include/linux/kasan.h | 6 +- include/linux/mtd/spinand.h | 8 + include/net/netfilter/nf_tables.h | 11 +- include/net/netfilter/nf_tables_core.h | 49 ++-- include/net/netns/nftables.h | 1 + include/uapi/linux/raid/md_p.h | 2 +- io_uring/rw.c | 3 + kernel/bpf/Makefile | 1 + kernel/bpf/core.c | 16 +- kernel/bpf/cpumap.c | 4 +- kernel/bpf/crypto.c | 2 +- kernel/bpf/helpers.c | 7 +- kernel/bpf/rqspinlock.c | 2 +- kernel/dma/debug.c | 48 +++- kernel/dma/debug.h | 20 ++ kernel/dma/mapping.c | 4 +- kernel/events/core.c | 1 + kernel/power/energy_model.c | 29 ++- kernel/power/hibernate.c | 1 + kernel/time/hrtimer.c | 11 +- kernel/trace/fgraph.c | 3 +- kernel/trace/trace.c | 10 +- kernel/trace/trace_osnoise.c | 3 + mm/damon/core.c | 4 + mm/damon/lru_sort.c | 5 + mm/damon/reclaim.c | 5 + mm/damon/sysfs.c | 14 +- mm/hugetlb.c | 9 +- mm/kasan/shadow.c | 31 ++- mm/khugepaged.c | 4 +- mm/memory-failure.c | 20 +- mm/vmalloc.c | 8 +- net/bluetooth/hci_conn.c | 14 +- net/bluetooth/hci_event.c | 7 +- net/bluetooth/iso.c | 2 +- net/bridge/br.c | 7 + net/can/j1939/bus.c | 5 +- net/can/j1939/j1939-priv.h | 1 + net/can/j1939/main.c | 3 + net/can/j1939/socket.c | 52 ++++ net/ceph/messenger.c | 7 +- net/core/dev_ioctl.c | 22 +- net/hsr/hsr_device.c | 28 ++- net/hsr/hsr_main.c | 4 +- net/hsr/hsr_main.h | 3 + net/ipv4/ip_tunnel_core.c | 6 + net/ipv4/tcp_bpf.c | 5 +- net/mptcp/sockopt.c | 11 +- net/netfilter/nf_tables_api.c | 123 ++++++---- net/netfilter/nft_dynset.c | 5 +- net/netfilter/nft_lookup.c | 67 ++++-- net/netfilter/nft_objref.c | 5 +- net/netfilter/nft_set_bitmap.c | 14 +- net/netfilter/nft_set_hash.c | 54 ++--- net/netfilter/nft_set_pipapo.c | 211 ++++++----------- net/netfilter/nft_set_pipapo_avx2.c | 29 +-- net/netfilter/nft_set_rbtree.c | 46 ++-- net/netlink/genetlink.c | 3 + net/sunrpc/sched.c | 2 - net/sunrpc/xprtsock.c | 6 +- net/xdp/xsk.c | 113 +++++++-- net/xdp/xsk_queue.h | 12 + samples/ftrace/ftrace-direct-modify.c | 2 +- tools/testing/selftests/net/can/config | 3 + 234 files changed, 3151 insertions(+), 1711 deletions(-)

1 month, 2 weeks

15
204
0 0

New September Order. 73275 Friday, September 19, 2025 at 12:16:32 PM

by Info - Albinayah 293

Hi Stable, Please provide a quote for your products: Include: 1.Pricing (per unit) 2.Delivery cost & timeline 3.Quote expiry date Deadline: September Thanks! Kamal Prasad Albinayah Trading

1 month, 2 weeks

1
0
0 0

Reminder: 20% Discount on Fruit Attraction 2025 Verified Business Contacts

by Juanita Garcia

Hi, We’re offering verified business contact data for the upcoming Fruit Attraction 2025 (FA), tailored for effective outreach before and after the event. Place:  Madrid, Spain Date:SEP 30 - OCT 02, 2025 Contact Overview: 1,01,351 Attendees 2,179 Exhibiting Companies 6,537 Verified Exhibitor Contacts Total: 107,885 Business Contacts Each entry includes: Name, Job Title, Company, Website, Address, Phone, Official Email, LinkedIn Profile, and more. Get your list in just 48 hours—100% GDPR-compliant Data. If you'd like more details, just reply: “Send me pricing” Best regards, Juanita Garcia Sr. Marketing Manager To opt out reply “Not Interested.”

1 month, 2 weeks

1
0
0 0

[PATCH 1/4] locking/spinlock/debug: Fix data-race in do_raw_write_lock

by Boqun Feng

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> KCSAN reports: BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: do_raw_write_lock+0x120/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: do_raw_write_lock+0x88/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork value changed: 0xffffffff -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111 Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has adressed most of these races, but seems to be not consistent/not complete. From do_raw_write_lock() only debug_write_lock_after() part has been converted to WRITE_ONCE(), but not debug_write_lock_before() part. Do it now. Cc: stable(a)vger.kernel.org Fixes: 1a365e822372 ("locking/spinlock/debug: Fix various data races") Reported-by: Adrian Freihofer <adrian.freihofer(a)siemens.com> Acked-by: Waiman Long <longman(a)redhat.com> Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Reviewed-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Boqun Feng <boqun.feng(a)gmail.com> --- Notes: SubmissionLink: https://lore.kernel.org/all/20250826102731.52507-1-alexander.sverdlin@sieme… kernel/locking/spinlock_debug.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/locking/spinlock_debug.c b/kernel/locking/spinlock_debug.c index 87b03d2e41db..2338b3adfb55 100644 --- a/kernel/locking/spinlock_debug.c +++ b/kernel/locking/spinlock_debug.c @@ -184,8 +184,8 @@ void do_raw_read_unlock(rwlock_t *lock) static inline void debug_write_lock_before(rwlock_t *lock) { RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic"); - RWLOCK_BUG_ON(lock->owner == current, lock, "recursion"); - RWLOCK_BUG_ON(lock->owner_cpu == raw_smp_processor_id(), + RWLOCK_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion"); + RWLOCK_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(), lock, "cpu recursion"); } -- 2.51.0

1 month, 2 weeks

1
0
0 0

[PATCH iwl-net v1 0/4] ixgbe/ixgbevf: fix PF/VF communication issues

by Jedrzej Jagielski

Within two-step API update let's provide 2 new MBX operations: 1) request PF's link state (speed & up/down) - as legacy approach became obsolete for new E610 adapter and link state data can't be correctly provided - increasing API to 1.6 2) ask PF about supported features - for some time there is quite a mess in negotiating API versions caused by too loose approach in adding new specific (not supported by all of the drivers capable of linking with ixgbevf) feature and corresponding API versions. Now list of supported features is provided by MBX operation - increasing API to 1.7 Jedrzej Jagielski (4): ixgbevf: fix getting link speed data for E610 devices ixgbe: handle IXGBE_VF_GET_PF_LINK_STATE mailbox operation ixgbevf: fix mailbox API compatibility by negotiating supported features ixgbe: handle IXGBE_VF_FEATURES_NEGOTIATE mbox cmd drivers/net/ethernet/intel/ixgbe/ixgbe_mbx.h | 15 ++ .../net/ethernet/intel/ixgbe/ixgbe_sriov.c | 79 ++++++++ drivers/net/ethernet/intel/ixgbevf/defines.h | 1 + drivers/net/ethernet/intel/ixgbevf/ipsec.c | 10 + drivers/net/ethernet/intel/ixgbevf/ixgbevf.h | 7 + .../net/ethernet/intel/ixgbevf/ixgbevf_main.c | 34 +++- drivers/net/ethernet/intel/ixgbevf/mbx.h | 8 + drivers/net/ethernet/intel/ixgbevf/vf.c | 182 +++++++++++++++--- drivers/net/ethernet/intel/ixgbevf/vf.h | 1 + 9 files changed, 304 insertions(+), 33 deletions(-) -- 2.31.1

1 month, 2 weeks

3
9
0 0

Re: [PATCH v2] arm64: dts: qcom: sdm845-shift-axolotl: Fix typo of compatible

by Joel Selvaraj

Hi Luca Weiss and Tamura Dai, On 9/12/25 02:24, Luca Weiss wrote: > Hi Tamura, > > On Fri Sep 12, 2025 at 9:01 AM CEST, Tamura Dai wrote: >> The bug is a typo in the compatible string for the touchscreen node. >> According to Documentation/devicetree/bindings/input/touchscreen/edt-ft5x06.yaml, >> the correct compatible is "focaltech,ft8719", but the device tree used >> "focaltech,fts8719". > > +Joel > > I don't think this patch is really correct, in the sdm845-mainline fork > there's a different commit which has some more changes to make the > touchscreen work: > > https://gitlab.com/sdm845-mainline/linux/-/commit/2ca76ac2e046158814b043fd4… Yes, this patch is not correct. My commit from the gitlab repo is the correct one. But I personally don't have the shiftmq6 device to smoke test before sending the patch. That's why I was hesitant to send it upstream. I have now requested someone to confirm if the touchscreen works with my gitlab commit. If if its all good, I will send the correct patch later. Regards, Joel

1 month, 2 weeks

2
1
0 0

[PATCH rtw v4 2/4] wifi: rtw89: fix tx_wait initialization race

by Fedor Pchelkin

Now that nullfunc skbs are recycled in a separate work item in the driver, the following race during initialization and processing of those skbs might lead to noticeable bugs: Waiting thread Completing thread rtw89_core_send_nullfunc() rtw89_core_tx_write_link() ... rtw89_pci_txwd_submit() skb_data->wait = NULL /* add skb to the queue */ skb_queue_tail(&txwd->queue, skb) rtw89_pci_napi_poll() ... rtw89_pci_release_txwd_skb() /* get skb from the queue */ skb_unlink(skb, &txwd->queue) rtw89_pci_tx_status() rtw89_core_tx_wait_complete() /* use incorrect skb_data->wait */ rtw89_core_tx_kick_off_and_wait() /* assign skb_data->wait but too late */ The value of skb_data->wait indicates whether skb is passed on to the core ieee80211 stack or released by the driver itself. So assure that by the time skb is added to txwd queue and becomes visible to the completing side, it has already allocated tx_wait-related data (in case it's needed). Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v4: - use wiphy_dereference (Zong-Zhe) - move wait->skb assignment place drivers/net/wireless/realtek/rtw89/core.c | 35 ++++++++++++++--------- drivers/net/wireless/realtek/rtw89/pci.c | 2 -- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index 438930b65631..1efe4bb09262 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1094,22 +1094,13 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk int qsel, unsigned int timeout) { struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); - struct rtw89_tx_wait_info *wait; + struct rtw89_tx_wait_info *wait = wiphy_dereference(rtwdev->hw->wiphy, + skb_data->wait); unsigned long time_left; int ret = 0; lockdep_assert_wiphy(rtwdev->hw->wiphy); - wait = kzalloc(sizeof(*wait), GFP_KERNEL); - if (!wait) { - rtw89_core_tx_kick_off(rtwdev, qsel); - return 0; - } - - init_completion(&wait->completion); - wait->skb = skb; - rcu_assign_pointer(skb_data->wait, wait); - rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); @@ -1171,10 +1162,12 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rtwvif_link, struct rtw89_sta_link *rtwsta_link, - struct sk_buff *skb, int *qsel, bool sw_mld) + struct sk_buff *skb, int *qsel, bool sw_mld, + struct rtw89_tx_wait_info *wait) { struct ieee80211_sta *sta = rtwsta_link_to_sta_safe(rtwsta_link); struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); + struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct rtw89_vif *rtwvif = rtwvif_link->rtwvif; struct rtw89_core_tx_request tx_req = {}; int ret; @@ -1191,6 +1184,8 @@ static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, rtw89_core_tx_update_desc_info(rtwdev, &tx_req); rtw89_core_tx_wake(rtwdev, &tx_req); + rcu_assign_pointer(skb_data->wait, wait); + ret = rtw89_hci_tx_write(rtwdev, &tx_req); if (ret) { rtw89_err(rtwdev, "failed to transmit skb to HCI\n"); @@ -1227,7 +1222,8 @@ int rtw89_core_tx_write(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, } } - return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false); + return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false, + NULL); } static __le32 rtw89_build_txwd_body0(struct rtw89_tx_desc_info *desc_info) @@ -3425,6 +3421,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); int link_id = ieee80211_vif_is_mld(vif) ? rtwvif_link->link_id : -1; struct rtw89_sta_link *rtwsta_link; + struct rtw89_tx_wait_info *wait; struct ieee80211_sta *sta; struct ieee80211_hdr *hdr; struct rtw89_sta *rtwsta; @@ -3434,6 +3431,12 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc) return 0; + wait = kzalloc(sizeof(*wait), GFP_KERNEL); + if (!wait) + return -ENOMEM; + + init_completion(&wait->completion); + rcu_read_lock(); sta = ieee80211_find_sta(vif, vif->cfg.ap_addr); if (!sta) { @@ -3448,6 +3451,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } + wait->skb = skb; + hdr = (struct ieee80211_hdr *)skb->data; if (ps) hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM); @@ -3458,7 +3463,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } - ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true); + ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true, + wait); if (ret) { rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret); dev_kfree_skb_any(skb); @@ -3471,6 +3477,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt timeout); out: rcu_read_unlock(); + kfree(wait); return ret; } diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index 4e3034b44f56..cb9682f306a6 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -1372,7 +1372,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, struct pci_dev *pdev = rtwpci->pdev; struct sk_buff *skb = tx_req->skb; struct rtw89_pci_tx_data *tx_data = RTW89_PCI_TX_SKB_CB(skb); - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); bool en_wd_info = desc_info->en_wd_info; u32 txwd_len; u32 txwp_len; @@ -1388,7 +1387,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, } tx_data->dma = dma; - rcu_assign_pointer(skb_data->wait, NULL); txwp_len = sizeof(*txwp_info); txwd_len = chip->txwd_body_size; -- 2.51.0

1 month, 2 weeks

2
5
0 0

[PATCH v2] iommu/amd/pgtbl: Fix possible race while increase page table level

by Vasant Hegde

The AMD IOMMU host page table implementation supports dynamic page table levels (up to 6 levels), starting with a 3-level configuration that expands based on IOVA address. The kernel maintains a root pointer and current page table level to enable proper page table walks in alloc_pte()/fetch_pte() operations. The IOMMU IOVA allocator initially starts with 32-bit address and onces its exhuasted it switches to 64-bit address (max address is determined based on IOMMU and device DMA capability). To support larger IOVA, AMD IOMMU driver increases page table level. But in unmap path (iommu_v1_unmap_pages()), fetch_pte() reads pgtable->[root/mode] without lock. So its possible that in exteme corner case, when increase_address_space() is updating pgtable->[root/mode], fetch_pte() reads wrong page table level (pgtable->mode). It does compare the value with level encoded in page table and returns NULL. This will result is iommu_unmap ops to fail and upper layer may retry/log WARN_ON. CPU 0 CPU 1 ------ ------ map pages unmap pages alloc_pte() -> increase_address_space() iommu_v1_unmap_pages() -> fetch_pte() pgtable->root = pte (new root value) READ pgtable->[mode/root] Reads new root, old mode Updates mode (pgtable->mode += 1) Since Page table level updates are infrequent and already synchronized with a spinlock, implement seqcount to enable lock-free read operations on the read path. Fixes: 754265bcab7 ("iommu/amd: Fix race in increase_address_space()") Reported-by: Alejandro Jimenez <alejandro.j.jimenez(a)oracle.com> Cc: stable(a)vger.kernel.org Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> Signed-off-by: Vasant Hegde <vasant.hegde(a)amd.com> --- drivers/iommu/amd/amd_iommu_types.h | 1 + drivers/iommu/amd/io_pgtable.c | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/drivers/iommu/amd/amd_iommu_types.h b/drivers/iommu/amd/amd_iommu_types.h index 5219d7ddfdaa..95f63c5f6159 100644 --- a/drivers/iommu/amd/amd_iommu_types.h +++ b/drivers/iommu/amd/amd_iommu_types.h @@ -555,6 +555,7 @@ struct gcr3_tbl_info { }; struct amd_io_pgtable { + seqcount_t seqcount; /* Protects root/mode update */ struct io_pgtable pgtbl; int mode; u64 *root; diff --git a/drivers/iommu/amd/io_pgtable.c b/drivers/iommu/amd/io_pgtable.c index a91e71f981ef..70c2f5b1631b 100644 --- a/drivers/iommu/amd/io_pgtable.c +++ b/drivers/iommu/amd/io_pgtable.c @@ -17,6 +17,7 @@ #include <linux/slab.h> #include <linux/types.h> #include <linux/dma-mapping.h> +#include <linux/seqlock.h> #include <asm/barrier.h> @@ -130,8 +131,11 @@ static bool increase_address_space(struct amd_io_pgtable *pgtable, *pte = PM_LEVEL_PDE(pgtable->mode, iommu_virt_to_phys(pgtable->root)); + write_seqcount_begin(&pgtable->seqcount); pgtable->root = pte; pgtable->mode += 1; + write_seqcount_end(&pgtable->seqcount); + amd_iommu_update_and_flush_device_table(domain); pte = NULL; @@ -153,6 +157,7 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, { unsigned long last_addr = address + (page_size - 1); struct io_pgtable_cfg *cfg = &pgtable->pgtbl.cfg; + unsigned int seqcount; int level, end_lvl; u64 *pte, *page; @@ -170,8 +175,14 @@ static u64 *alloc_pte(struct amd_io_pgtable *pgtable, } - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + + address = PAGE_SIZE_ALIGN(address, page_size); end_lvl = PAGE_SIZE_LEVEL(page_size); @@ -249,6 +260,7 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, unsigned long *page_size) { int level; + unsigned int seqcount; u64 *pte; *page_size = 0; @@ -256,8 +268,12 @@ static u64 *fetch_pte(struct amd_io_pgtable *pgtable, if (address > PM_LEVEL_SIZE(pgtable->mode)) return NULL; - level = pgtable->mode - 1; - pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + do { + seqcount = read_seqcount_begin(&pgtable->seqcount); + level = pgtable->mode - 1; + pte = &pgtable->root[PM_LEVEL_INDEX(level, address)]; + } while (read_seqcount_retry(&pgtable->seqcount, seqcount)); + *page_size = PTE_LEVEL_PAGE_SIZE(level); while (level > 0) { @@ -541,6 +557,7 @@ static struct io_pgtable *v1_alloc_pgtable(struct io_pgtable_cfg *cfg, void *coo if (!pgtable->root) return NULL; pgtable->mode = PAGE_MODE_3_LEVEL; + seqcount_init(&pgtable->seqcount); cfg->pgsize_bitmap = amd_iommu_pgsize_bitmap; cfg->ias = IOMMU_IN_ADDR_BIT_SIZE; -- 2.31.1

1 month, 2 weeks

2
1
0 0

[PATCH vhost 1/3] vhost-net: unbreak busy polling

by Jason Wang

Commit 67a873df0c41 ("vhost: basic in order support") pass the number of used elem to vhost_net_rx_peek_head_len() to make sure it can signal the used correctly before trying to do busy polling. But it forgets to clear the count, this would cause the count run out of sync with handle_rx() and break the busy polling. Fixing this by passing the pointer of the count and clearing it after the signaling the used. Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Cc: stable(a)vger.kernel.org Fixes: 67a873df0c41 ("vhost: basic in order support") Signed-off-by: Jason Wang <jasowang(a)redhat.com> --- drivers/vhost/net.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index c6508fe0d5c8..16e39f3ab956 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -1014,7 +1014,7 @@ static int peek_head_len(struct vhost_net_virtqueue *rvq, struct sock *sk) } static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk, - bool *busyloop_intr, unsigned int count) + bool *busyloop_intr, unsigned int *count) { struct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX]; struct vhost_net_virtqueue *tnvq = &net->vqs[VHOST_NET_VQ_TX]; @@ -1024,7 +1024,8 @@ static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk, if (!len && rvq->busyloop_timeout) { /* Flush batched heads first */ - vhost_net_signal_used(rnvq, count); + vhost_net_signal_used(rnvq, *count); + *count = 0; /* Both tx vq and rx socket were polled here */ vhost_net_busy_poll(net, rvq, tvq, busyloop_intr, true); @@ -1180,7 +1181,7 @@ static void handle_rx(struct vhost_net *net) do { sock_len = vhost_net_rx_peek_head_len(net, sock->sk, - &busyloop_intr, count); + &busyloop_intr, &count); if (!sock_len) break; sock_len += sock_hlen; -- 2.34.1

1 month, 2 weeks

3
7
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror