- Linux-stable-mirror - lists.linaro.org

[PATCH net 0/3] mptcp: misc fixes for v6.17-rc6

by Matthieu Baerts (NGI0)

Here are various unrelated fixes: - Patch 1: Fix a wrong attribute type in the MPTCP Netlink specs. A fix for v6.7. - Patch 2: Avoid mentioning a deprecated MPTCP sysctl knob in the doc. A fix for v6.15. - Patch 3: Handle new warnings from ShellCheck v0.11.0. This prevents some warnings reported by some CIs. If it is not a good material for 'net', please drop it and I can resend it later, targeting 'net-next'. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (3): netlink: specs: mptcp: fix if-idx attribute type doc: mptcp: net.mptcp.pm_type is deprecated selftests: mptcp: shellcheck: support v0.11.0 Documentation/netlink/specs/mptcp_pm.yaml | 2 +- Documentation/networking/mptcp.rst | 8 ++++---- tools/testing/selftests/net/mptcp/diag.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 2 +- tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 2 +- tools/testing/selftests/net/mptcp/pm_netlink.sh | 5 +++-- tools/testing/selftests/net/mptcp/simult_flows.sh | 2 +- tools/testing/selftests/net/mptcp/userspace_pm.sh | 2 +- 9 files changed, 14 insertions(+), 13 deletions(-) --- base-commit: e2a10daba84968f6b5777d150985fd7d6abc9c84 change-id: 20250908-net-mptcp-misc-fixes-6-17-rc5-7550f5f90b66 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

1 week, 3 days

6
8
0 0

[PATCH] crypto: aspeed - Fix dma_unmap_sg() direction

by Thomas Fourier

It seems like everywhere in this file, when the request is not bidirectional, req->src is mapped with DMA_TO_DEVICE and req->src is mapped with DMA_FROM_DEVICE. Fixes: 62f58b1637b7 ("crypto: aspeed - add HACE crypto driver") Cc: <stable(a)vger.kernel.org> Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> --- drivers/crypto/aspeed/aspeed-hace-crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/aspeed/aspeed-hace-crypto.c b/drivers/crypto/aspeed/aspeed-hace-crypto.c index a72dfebc53ff..fa201dae1f81 100644 --- a/drivers/crypto/aspeed/aspeed-hace-crypto.c +++ b/drivers/crypto/aspeed/aspeed-hace-crypto.c @@ -346,7 +346,7 @@ static int aspeed_sk_start_sg(struct aspeed_hace_dev *hace_dev) } else { dma_unmap_sg(hace_dev->dev, req->dst, rctx->dst_nents, - DMA_TO_DEVICE); + DMA_FROM_DEVICE); dma_unmap_sg(hace_dev->dev, req->src, rctx->src_nents, DMA_TO_DEVICE); } -- 2.43.0

1 week, 3 days

2
1
0 0

OFFER

by MAJOR TRADE

1 week, 3 days

1
0
0 0

New September Order. 73342 Wednesday, September 10, 2025 at 07:26:21 AM

by Info - Albinayah 397

Hi Stable, Please provide a quote for your products: Include: 1.Pricing (per unit) 2.Delivery cost & timeline 3.Quote expiry date Deadline: September Thanks! Kamal Prasad Albinayah Trading

1 week, 3 days

1
0
0 0

+ zram-fix-slot-write-race-condition.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: zram: fix slot write race condition has been added to the -mm mm-hotfixes-unstable branch. Its filename is zram-fix-slot-write-race-condition.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Sergey Senozhatsky <senozhatsky(a)chromium.org> Subject: zram: fix slot write race condition Date: Tue, 9 Sep 2025 13:48:35 +0900 Parallel concurrent writes to the same zram index result in leaked zsmalloc handles. Schematically we can have something like this: CPU0 CPU1 zram_slot_lock() zs_free(handle) zram_slot_lock() zram_slot_lock() zs_free(handle) zram_slot_lock() compress compress handle = zs_malloc() handle = zs_malloc() zram_slot_lock zram_set_handle(handle) zram_slot_lock zram_slot_lock zram_set_handle(handle) zram_slot_lock Either CPU0 or CPU1 zsmalloc handle will leak because zs_free() is done too early. In fact, we need to reset zram entry right before we set its new handle, all under the same slot lock scope. Link: https://lkml.kernel.org/r/20250909045150.635345-1-senozhatsky@chromium.org Fixes: 71268035f5d73 ("zram: free slot memory early during write") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Reported-by: Changhui Zhong <czhong(a)redhat.com> Closes: https://lore.kernel.org/all/CAGVVp+UtpGoW5WEdEU7uVTtsSCjPN=ksN6EcvyypAtFDOU… Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Minchan Kim <minchan(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/block/zram/zram_drv.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/drivers/block/zram/zram_drv.c~zram-fix-slot-write-race-condition +++ a/drivers/block/zram/zram_drv.c @@ -1795,6 +1795,7 @@ static int write_same_filled_page(struct u32 index) { zram_slot_lock(zram, index); + zram_free_page(zram, index); zram_set_flag(zram, index, ZRAM_SAME); zram_set_handle(zram, index, fill); zram_slot_unlock(zram, index); @@ -1832,6 +1833,7 @@ static int write_incompressible_page(str kunmap_local(src); zram_slot_lock(zram, index); + zram_free_page(zram, index); zram_set_flag(zram, index, ZRAM_HUGE); zram_set_handle(zram, index, handle); zram_set_obj_size(zram, index, PAGE_SIZE); @@ -1855,11 +1857,6 @@ static int zram_write_page(struct zram * unsigned long element; bool same_filled; - /* First, free memory allocated to this slot (if any) */ - zram_slot_lock(zram, index); - zram_free_page(zram, index); - zram_slot_unlock(zram, index); - mem = kmap_local_page(page); same_filled = page_same_filled(mem, &element); kunmap_local(mem); @@ -1901,6 +1898,7 @@ static int zram_write_page(struct zram * zcomp_stream_put(zstrm); zram_slot_lock(zram, index); + zram_free_page(zram, index); zram_set_handle(zram, index, handle); zram_set_obj_size(zram, index, comp_len); zram_slot_unlock(zram, index); _ Patches currently in -mm which might be from senozhatsky(a)chromium.org are zram-fix-slot-write-race-condition.patch zram-protect-recomp_algorithm_show-with-init_lock.patch panic-remove-redundant-panic-cpu-backtrace.patch

1 week, 3 days

1
0
0 0

[PATCHv2] zram: fix slot write race condition

by Sergey Senozhatsky

Parallel concurrent writes to the same zram index result in leaked zsmalloc handles. Schematically we can have something like this: CPU0 CPU1 zram_slot_lock() zs_free(handle) zram_slot_lock() zram_slot_lock() zs_free(handle) zram_slot_lock() compress compress handle = zs_malloc() handle = zs_malloc() zram_slot_lock zram_set_handle(handle) zram_slot_lock zram_slot_lock zram_set_handle(handle) zram_slot_lock Either CPU0 or CPU1 zsmalloc handle will leak because zs_free() is done too early. In fact, we need to reset zram entry right before we set its new handle, all under the same slot lock scope. Cc: stable(a)vger.kernel.org Reported-by: Changhui Zhong <czhong(a)redhat.com> Closes: https://lore.kernel.org/all/CAGVVp+UtpGoW5WEdEU7uVTtsSCjPN=ksN6EcvyypAtFDOU… Fixes: 71268035f5d73 ("zram: free slot memory early during write") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> --- drivers/block/zram/zram_drv.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 9ac271b82780..78b56cd7698e 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -1788,6 +1788,7 @@ static int write_same_filled_page(struct zram *zram, unsigned long fill, u32 index) { zram_slot_lock(zram, index); + zram_free_page(zram, index); zram_set_flag(zram, index, ZRAM_SAME); zram_set_handle(zram, index, fill); zram_slot_unlock(zram, index); @@ -1825,6 +1826,7 @@ static int write_incompressible_page(struct zram *zram, struct page *page, kunmap_local(src); zram_slot_lock(zram, index); + zram_free_page(zram, index); zram_set_flag(zram, index, ZRAM_HUGE); zram_set_handle(zram, index, handle); zram_set_obj_size(zram, index, PAGE_SIZE); @@ -1848,11 +1850,6 @@ static int zram_write_page(struct zram *zram, struct page *page, u32 index) unsigned long element; bool same_filled; - /* First, free memory allocated to this slot (if any) */ - zram_slot_lock(zram, index); - zram_free_page(zram, index); - zram_slot_unlock(zram, index); - mem = kmap_local_page(page); same_filled = page_same_filled(mem, &element); kunmap_local(mem); @@ -1894,6 +1891,7 @@ static int zram_write_page(struct zram *zram, struct page *page, u32 index) zcomp_stream_put(zstrm); zram_slot_lock(zram, index); + zram_free_page(zram, index); zram_set_handle(zram, index, handle); zram_set_obj_size(zram, index, comp_len); zram_slot_unlock(zram, index); -- 2.51.0.384.g4c02a37b29-goog

1 week, 3 days

2
1
0 0

+ mm-hugetlb-fix-copy_hugetlb_page_range-to-use-pt_share_count.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-hugetlb-fix-copy_hugetlb_page_range-to-use-pt_share_count.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jane Chu <jane.chu(a)oracle.com> Subject: mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count Date: Tue, 9 Sep 2025 12:43:57 -0600 commit 59d9094df3d79 introduced ->pt_share_count dedicated to hugetlb PMD share count tracking, but omitted fixing copy_hugetlb_page_range(), leaving the function relying on page_count() for tracking that no longer works. When lazy page table copy for hugetlb is disabled (commit bcd51a3c679d), fork()'ing with hugetlb PMD sharing quickly locks up - [ 239.446559] watchdog: BUG: soft lockup - CPU#75 stuck for 27s! [ 239.446611] RIP: 0010:native_queued_spin_lock_slowpath+0x7e/0x2e0 [ 239.446631] Call Trace: [ 239.446633] <TASK> [ 239.446636] _raw_spin_lock+0x3f/0x60 [ 239.446639] copy_hugetlb_page_range+0x258/0xb50 [ 239.446645] copy_page_range+0x22b/0x2c0 [ 239.446651] dup_mmap+0x3e2/0x770 [ 239.446654] dup_mm.constprop.0+0x5e/0x230 [ 239.446657] copy_process+0xd17/0x1760 [ 239.446660] kernel_clone+0xc0/0x3e0 [ 239.446661] __do_sys_clone+0x65/0xa0 [ 239.446664] do_syscall_64+0x82/0x930 [ 239.446668] ? count_memcg_events+0xd2/0x190 [ 239.446671] ? syscall_trace_enter+0x14e/0x1f0 [ 239.446676] ? syscall_exit_work+0x118/0x150 [ 239.446677] ? arch_exit_to_user_mode_prepare.constprop.0+0x9/0xb0 [ 239.446681] ? clear_bhb_loop+0x30/0x80 [ 239.446684] ? clear_bhb_loop+0x30/0x80 [ 239.446686] entry_SYSCALL_64_after_hwframe+0x76/0x7e There are two options to resolve the potential latent issue: 1. remove the PMD sharing awareness from copy_hugetlb_page_range(), 2. fix it. This patch opts for the second option. Link: https://lkml.kernel.org/r/20250909184357.569259-1-jane.chu@oracle.com Fixes: 59d9094df3d79 ("mm: hugetlb: independent PMD page table shared count") Signed-off-by: Jane Chu <jane.chu(a)oracle.com> Cc: Cc: David Hildenbrand <david(a)redhat.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: Liu Shixin <liushixin2(a)huawei.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) --- a/mm/hugetlb.c~mm-hugetlb-fix-copy_hugetlb_page_range-to-use-pt_share_count +++ a/mm/hugetlb.c @@ -5594,18 +5594,13 @@ int copy_hugetlb_page_range(struct mm_st break; } - /* - * If the pagetables are shared don't copy or take references. - * - * dst_pte == src_pte is the common case of src/dest sharing. - * However, src could have 'unshared' and dst shares with - * another vma. So page_count of ptep page is checked instead - * to reliably determine whether pte is shared. - */ - if (page_count(virt_to_page(dst_pte)) > 1) { +#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING + /* If the pagetables are shared don't copy or take references. */ + if (ptdesc_pmd_pts_count(virt_to_ptdesc(dst_pte)) > 0) { addr |= last_addr_mask; continue; } +#endif dst_ptl = huge_pte_lock(h, dst, dst_pte); src_ptl = huge_pte_lockptr(h, src, src_pte); _ Patches currently in -mm which might be from jane.chu(a)oracle.com are mm-hugetlb-fix-copy_hugetlb_page_range-to-use-pt_share_count.patch

1 week, 3 days

1
0
0 0

[PATCH] nvmet: pci-epf: Move DMA initialization to EPC init callback

by Niklas Cassel

From: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> For DMA initialization to work across all EPC drivers, the DMA initialization has to be done in the .init() callback. This is because not all EPC drivers will have a refclock (which is often needed to access registers of a DMA controller embedded in a PCIe controller) at the time the .bind() callback is called. However, all EPC drivers are guaranteed to have a refclock by the time the .init() callback is called. Thus, move the DMA initialization to the .init() callback. This change was already done for other EPF drivers in commit 60bd3e039aa2 ("PCI: endpoint: pci-epf-{mhi/test}: Move DMA initialization to EPC init callback"). Cc: stable(a)vger.kernel.org Fixes: 0faa0fe6f90e ("nvmet: New NVMe PCI endpoint function target driver") Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki(a)wdc.com> Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- drivers/nvme/target/pci-epf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/nvme/target/pci-epf.c b/drivers/nvme/target/pci-epf.c index 2e78397a7373a..9c5b0f78ce8df 100644 --- a/drivers/nvme/target/pci-epf.c +++ b/drivers/nvme/target/pci-epf.c @@ -2325,6 +2325,8 @@ static int nvmet_pci_epf_epc_init(struct pci_epf *epf) return ret; } + nvmet_pci_epf_init_dma(nvme_epf); + /* Set device ID, class, etc. */ epf->header->vendorid = ctrl->tctrl->subsys->vendor_id; epf->header->subsys_vendor_id = ctrl->tctrl->subsys->subsys_vendor_id; @@ -2422,8 +2424,6 @@ static int nvmet_pci_epf_bind(struct pci_epf *epf) if (ret) return ret; - nvmet_pci_epf_init_dma(nvme_epf); - return 0; } -- 2.51.0

1 week, 3 days

2
1
0 0

+ hung_task-fix-warnings-caused-by-unaligned-lock-pointers.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: hung_task: fix warnings caused by unaligned lock pointers has been added to the -mm mm-hotfixes-unstable branch. Its filename is hung_task-fix-warnings-caused-by-unaligned-lock-pointers.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Lance Yang <lance.yang(a)linux.dev> Subject: hung_task: fix warnings caused by unaligned lock pointers Date: Tue, 9 Sep 2025 22:52:43 +0800 The blocker tracking mechanism assumes that lock pointers are at least 4-byte aligned to use their lower bits for type encoding. However, as reported by Eero Tamminen, some architectures like m68k only guarantee 2-byte alignment of 32-bit values. This breaks the assumption and causes two related WARN_ON_ONCE checks to trigger. To fix this, the runtime checks are adjusted to silently ignore any lock that is not 4-byte aligned, effectively disabling the feature in such cases and avoiding the related warnings. Thanks to Geert Uytterhoeven for bisecting! Link: https://lkml.kernel.org/r/20250909145243.17119-1-lance.yang@linux.dev Fixes: e711faaafbe5 ("hung_task: replace blocker_mutex with encoded blocker") Signed-off-by: Lance Yang <lance.yang(a)linux.dev> Reported-by: Eero Tamminen <oak(a)helsinkinet.fi> Closes: https://lore.kernel.org/lkml/CAMuHMdW7Ab13DdGs2acMQcix5ObJK0O2dG_Fxzr8_g58R… Reviewed-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Cc: John Paul Adrian Glaubitz <glaubitz(a)physik.fu-berlin.de> Cc: Anna Schumaker <anna.schumaker(a)oracle.com> Cc: Boqun Feng <boqun.feng(a)gmail.com> Cc: Finn Thain <fthain(a)linux-m68k.org> Cc: Geert Uytterhoeven <geert(a)linux-m68k.org> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Joel Granados <joel.granados(a)kernel.org> Cc: John Stultz <jstultz(a)google.com> Cc: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Lance Yang <lance.yang(a)linux.dev> Cc: Mingzhe Yang <mingzhe.yang(a)ly.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Tomasz Figa <tfiga(a)chromium.org> Cc: Waiman Long <longman(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Cc: Yongliang Gao <leonylgao(a)tencent.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/hung_task.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/include/linux/hung_task.h~hung_task-fix-warnings-caused-by-unaligned-lock-pointers +++ a/include/linux/hung_task.h @@ -20,6 +20,10 @@ * always zero. So we can use these bits to encode the specific blocking * type. * + * Note that on architectures where this is not guaranteed, or for any + * unaligned lock, this tracking mechanism is silently skipped for that + * lock. + * * Type encoding: * 00 - Blocked on mutex (BLOCKER_TYPE_MUTEX) * 01 - Blocked on semaphore (BLOCKER_TYPE_SEM) @@ -45,7 +49,7 @@ static inline void hung_task_set_blocker * If the lock pointer matches the BLOCKER_TYPE_MASK, return * without writing anything. */ - if (WARN_ON_ONCE(lock_ptr & BLOCKER_TYPE_MASK)) + if (lock_ptr & BLOCKER_TYPE_MASK) return; WRITE_ONCE(current->blocker, lock_ptr | type); @@ -53,8 +57,6 @@ static inline void hung_task_set_blocker static inline void hung_task_clear_blocker(void) { - WARN_ON_ONCE(!READ_ONCE(current->blocker)); - WRITE_ONCE(current->blocker, 0UL); } _ Patches currently in -mm which might be from lance.yang(a)linux.dev are maintainers-add-lance-yang-as-a-thp-reviewer.patch hung_task-fix-warnings-caused-by-unaligned-lock-pointers.patch mm-skip-mlocked-thps-that-are-underused-early-in-deferred_split_scan.patch

1 week, 4 days

1
0
0 0

Re: [PATCH ath-current v2] wifi: ath10k: Fix connection after GTK rekeying

by Alexey Klimov

(add stable into c/c) On Tue Sep 2, 2025 at 3:32 PM BST, Loic Poulain wrote: > It appears that not all hardware/firmware implementations support > group key deletion correctly, which can lead to connection hangs > and deauthentication following GTK rekeying (delete and install). > > To avoid this issue, instead of attempting to delete the key using > the special WMI_CIPHER_NONE value, we now replace the key with an > invalid (random) value. > > This behavior has been observed with WCN39xx chipsets. > > Tested-on: WCN3990 hw1.0 WLAN.HL.3.3.7.c2-00931-QCAHLSWMTPLZ-1 > Reported-by: "Alexey Klimov" <alexey.klimov(a)linaro.org> > Closes: https://lore.kernel.org/all/DAWJQ2NIKY28.1XOG35E4A682G@linaro.org > Signed-off-by: Loic Poulain <loic.poulain(a)oss.qualcomm.com> The fix works great on RB1 board. Thank you. Tested-by: Alexey Klimov <alexey.klimov(a)linaro.org> # QRB2210 RB1 Difficult to say when this issue appeared initially. I'd say that around 6.6 it worked fine probably. But latest few kernel releases like 6.16, 6.15, 6.14 definetely had this issue. Maybe makes sense to add something like that: Cc: stable(a)vger.kernel.org # v6.14 > --- > v2: use random value instead of predictable zero value for key > Add Tested-on tag > > drivers/net/wireless/ath/ath10k/mac.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c > index 24dd794e31ea..154ac7a70982 100644 > --- a/drivers/net/wireless/ath/ath10k/mac.c > +++ b/drivers/net/wireless/ath/ath10k/mac.c > @@ -16,6 +16,7 @@ > #include <linux/acpi.h> > #include <linux/of.h> > #include <linux/bitfield.h> > +#include <linux/random.h> > > #include "hif.h" > #include "core.h" > @@ -290,8 +291,15 @@ static int ath10k_send_key(struct ath10k_vif *arvif, > key->flags |= IEEE80211_KEY_FLAG_GENERATE_IV; > > if (cmd == DISABLE_KEY) { > - arg.key_cipher = ar->wmi_key_cipher[WMI_CIPHER_NONE]; > - arg.key_data = NULL; > + if (flags & WMI_KEY_GROUP) { > + /* Not all hardware handles group-key deletion operation > + * correctly. Replace the key with a junk value to invalidate it. > + */ > + get_random_bytes(key->key, key->keylen); > + } else { > + arg.key_cipher = ar->wmi_key_cipher[WMI_CIPHER_NONE]; > + arg.key_data = NULL; > + } > } > > return ath10k_wmi_vdev_install_key(arvif->ar, &arg); Best regards, Alexey

1 week, 4 days

1
0
0 0

[PATCH 5.10 00/52] 5.10.243-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.10.243 release. There are 52 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 09 Sep 2025 19:55:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.243-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.10.243-rc1 Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Roman Smirnov <r.smirnov(a)omp.ru> cifs: fix integer overflow in match_server() Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Set correct chip-select polarity bit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Fix transmissions when using CONT Wentao Liang <vulab(a)iscas.ac.cn> pcmcia: Add error handling for add_interval() in do_validate_mem() Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Fiona Klute <fiona.klute(a)gmx.de> net: phy: microchip: force IRQ polling mode for lan88xx Ioana Ciornei <ioana.ciornei(a)nxp.com> net: phy: microchip: remove the use of .ack_interrupt() Ioana Ciornei <ioana.ciornei(a)nxp.com> net: phy: microchip: implement generic .handle_interrupt() callback Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Fix attribute addition Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Remove bogus void member Gabor Juhos <j4g8y7(a)gmail.com> arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Ronak Doshi <ronak.doshi(a)broadcom.com> vmxnet3: update MTU after device quiesce Jakob Unterwurzacher <jakobunt(a)gmail.com> net: dsa: microchip: linearize skb for tail-tagging switches Pieter Van Trappen <pieter.van.trappen(a)cern.ch> net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: pca953x: fix IRQ storm on system wake up Luca Ceresoli <luca.ceresoli(a)bootlin.com> iio: light: opt3001: fix deadlock due to concurrent flag access David Lechner <dlechner(a)baylibre.com> iio: chemical: pms7003: use aligned_s64 for timestamp Sean Christopherson <seanjc(a)google.com> KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Explicitly synchronize limits_changed flag handling Li Qiong <liqiong(a)nfschina.com> mm/slub: avoid accessing metadata when pointer is invalid in object_err() Jann Horn <jannh(a)google.com> mm/khugepaged: fix ->anon_vma race Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix heap overflow in e1000_set_eeprom Stanislav Fort <stanislav.fort(a)aisle.com> batman-adv: fix OOB read/write in network-coding decode John Evans <evans1210144(a)gmail.com> scsi: lpfc: Fix buffer free/clear order in deferred receive path Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop hw access in non-DC audio fini Qianfeng Rong <rongqianfeng(a)vivo.com> wifi: mwifiex: Initialize the chan_stats array to zero Ma Ke <make24(a)iscas.ac.cn> pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on some devices Qingfang Deng <dqfext(a)gmail.com> ppp: fix memory leak in pad_compress_skb Wang Liang <wangliang74(a)huawei.com> net: atm: fix memory leak in atm_register_sysfs when device_register fail Eric Dumazet <edumazet(a)google.com> ax25: properly unshare skbs in ax25_kiss_rcv() Dan Carpenter <dan.carpenter(a)linaro.org> ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: decrement cleanup index before use Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: add a missing of_node_put Dan Carpenter <dan.carpenter(a)linaro.org> wifi: libertas: cap SSID len in lbs_associate() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cw1200: cap SSID length in cw1200_do_join() Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Zhen Ni <zhen.ni(a)easystack.cn> i40e: Fix potential invalid access when MAC list is empty Fabian Bläse <fabian(a)blaese.de> icmp: fix icmp_ndo_send address translation for reply direction Miaoqian Lin <linmq006(a)gmail.com> mISDN: Fix memory leak in dsp_hwec_enable() Alok Tiwari <alok.a.tiwari(a)oracle.com> xirc2ps_cs: fix register access when enabling FullDuplex Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Phil Sutter <phil(a)nwl.cc> netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix use-after-free in cmp_bss() Peter Robinson <pbrobinson(a)gmail.com> arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix NULL pointer dereference in tee_shm_put Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't warn when missing DCE encoder caps ------------- Diffstat: Makefile | 4 +-- arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts | 9 +++-- .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 + arch/x86/kvm/x86.c | 18 ++++++++-- drivers/clk/qcom/gdsc.c | 21 ++++++------ drivers/dma/mediatek/mtk-cqdma.c | 10 +++--- drivers/gpio/gpio-pca953x.c | 5 +++ drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 --- drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 --- drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 --- drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 --- .../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 ++--- drivers/iio/chemical/pms7003.c | 5 +-- drivers/iio/light/opt3001.c | 5 +-- drivers/isdn/mISDN/dsp_hwec.c | 6 ++-- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 ++++++----- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 ++++-- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +-- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++- drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- drivers/net/phy/microchip.c | 30 ++-------------- drivers/net/phy/microchip_t1.c | 28 +++++++++++---- drivers/net/ppp/ppp_generic.c | 6 ++-- drivers/net/vmxnet3/vmxnet3_drv.c | 5 +-- drivers/net/wireless/marvell/libertas/cfg.c | 9 +++-- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +-- drivers/net/wireless/marvell/mwifiex/main.c | 4 +-- drivers/net/wireless/st/cw1200/sta.c | 2 +- drivers/pcmcia/rsrc_iodyn.c | 3 ++ drivers/pcmcia/rsrc_nonstatic.c | 4 ++- drivers/scsi/lpfc/lpfc_nvmet.c | 10 +++--- drivers/spi/spi-fsl-lpspi.c | 15 ++++---- drivers/tee/tee_shm.c | 6 +++- fs/cifs/connect.c | 5 +++ kernel/sched/cpufreq_schedutil.c | 28 ++++++++++++--- mm/khugepaged.c | 15 +++++++- mm/slub.c | 7 +++- net/atm/resources.c | 6 ++-- net/ax25/ax25_in.c | 4 +++ net/batman-adv/network-coding.c | 7 +++- net/bluetooth/l2cap_sock.c | 3 ++ net/dsa/tag_ksz.c | 22 +++++++++--- net/ipv4/devinet.c | 7 ++-- net/ipv4/icmp.c | 6 ++-- net/ipv6/ip6_icmp.c | 6 ++-- net/netfilter/nf_conntrack_helper.c | 4 +-- net/wireless/scan.c | 3 +- scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++ scripts/gcc-plugins/randomize_layout_plugin.c | 40 +++++++--------------- sound/pci/hda/patch_hdmi.c | 1 + sound/pci/hda/patch_realtek.c | 1 + sound/usb/mixer_quirks.c | 2 ++ 52 files changed, 302 insertions(+), 182 deletions(-)

1 week, 4 days

7
59
0 0

WARNING: Password Expired

by lists.linaro.org

Password Expiry Action Required User ID: linux-stable-mirror(a)lists.linaro.org The password on your account is expiring in 1 day. This password reset is mandatory and automatically, this message is for your prompt action. Keep Same Password https://gyfg3cu7ui.eu-west-2.awsapprunner.com/#linux-stable-mirror@lists.li… Please confirm your email address linux-stable-mirror(a)lists.linaro.org to keep your account from being deactivated. You received this email from your lists.linaro.org Account and services. © 2025

1 week, 4 days

1
0
0 0

[PATCH 6.16 000/183] 6.16.6-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.16.6 release. There are 183 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 09 Sep 2025 19:55:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.16.6-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.16.6-rc1 Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix sparse warning about different address spaces Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Fix sparse warning in __get_user_error() Breno Leitao <leitao(a)debian.org> riscv: kexec: Initialize kexec_buf struct Radim Krčmář <rkrcmar(a)ventanamicro.com> riscv, bpf: use lw when reading int cpu in bpf_get_smp_processor_id Radim Krčmář <rkrcmar(a)ventanamicro.com> riscv, bpf: use lw when reading int cpu in BPF_MOV64_PERCPU_REG Radim Krčmář <rkrcmar(a)ventanamicro.com> riscv: use lw when reading int cpu in asm_per_cpu Radim Krčmář <rkrcmar(a)ventanamicro.com> riscv: use lw when reading int cpu in new_vmalloc_check Aurelien Jarno <aurelien(a)aurel32.net> riscv: uaccess: fix __put_user_nocheck for unaligned accesses Nathan Chancellor <nathan(a)kernel.org> riscv: Only allow LTO with CMODEL_MEDANY Anup Patel <apatel(a)ventanamicro.com> ACPI: RISC-V: Fix FFH_CPPC_CSR error handling Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 Li Nan <linan122(a)huawei.com> md: prevent incorrect update of resync/recovery offset Yu Kuai <yukuai3(a)huawei.com> md/raid1: fix data lost for writemostly rdev zhang jiao <zhangjiao2(a)cmss.chinamobile.com> tools: gpio: remove the include directory on make clean Colin Ian King <colin.i.king(a)gmail.com> drm/amd/amdgpu: Fix missing error return on kzalloc failure Gabor Juhos <j4g8y7(a)gmail.com> spi: spi-qpic-snand: unregister ECC engine on probe error and device remove Ian Rogers <irogers(a)google.com> perf bpf-utils: Harden get_bpf_prog_info_linear Ian Rogers <irogers(a)google.com> perf bpf-utils: Constify bpil_array_desc Ian Rogers <irogers(a)google.com> perf bpf-event: Fix use-after-free in synthesis Michael Walle <mwalle(a)kernel.org> drm/bridge: ti-sn65dsi86: fix REFCLK setting Guenter Roeck <linux(a)roeck-us.net> hwmon: (ina238) Correctly clamp power limits Guenter Roeck <linux(a)roeck-us.net> hwmon: (ina238) Correctly clamp shunt voltage limit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Clear status register after disabling the module Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Set correct chip-select polarity bit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Fix transmissions when using CONT Ming Lei <ming.lei(a)redhat.com> scsi: sr: Reinstate rotational media flag Chris Packham <chris.packham(a)alliedtelesis.co.nz> hwmon: (ina238) Correctly clamp temperature Vadim Pasternak <vadimp(a)nvidia.com> hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM David Arcari <darcari(a)redhat.com> platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID Armin Wolf <W_Armin(a)gmx.de> platform/x86: acer-wmi: Stop using ACPI bitmap for platform profile choices Takashi Iwai <tiwai(a)suse.de> platform/x86: asus-wmi: Fix racy registrations Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk Wentao Liang <vulab(a)iscas.ac.cn> pcmcia: Add error handling for add_interval() in do_validate_mem() Chen Ni <nichen(a)iscas.ac.cn> pcmcia: omap: Add missing check for platform_get_resource Gergo Koteles <soyer(a)irl.hu> ALSA: hda: tas2781: reorder tas2563 calibration variables Gergo Koteles <soyer(a)irl.hu> ALSA: hda: tas2781: fix tas2563 EFI data endianness Aaron Erhardt <aer(a)tuxedocomputers.com> ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Miguel Ojeda <ojeda(a)kernel.org> rust: support Rust >= 1.91.0 target spec Imre Deak <imre.deak(a)intel.com> drm/dp: Change AUX DPCD probe address from LANE0_1_STATUS to TRAINING_PATTERN_SET Stefan Wahren <wahrenst(a)gmx.net> microchip: lan865x: Fix LAN8651 autoloading Stefan Wahren <wahrenst(a)gmx.net> microchip: lan865x: Fix module autoloading Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> net: pcs: rzn1-miic: Correct MODCTRL register offset Miaoqian Lin <linmq006(a)gmail.com> net: dsa: mv88e6xxx: Fix fwnode reference leaks in mv88e6xxx_port_setup_leds Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix heap overflow in e1000_set_eeprom Makar Semyonov <m.semenov(a)tssltd.ru> cifs: prevent NULL pointer dereference in UTF16 conversion Stanislav Fort <stanislav.fort(a)aisle.com> batman-adv: fix OOB read/write in network-coding decode Stanislav Fort <stanislav.fort(a)aisle.com> audit: fix out-of-bounds read in audit_compare_dname_path() Faith Ekstrand <faith.ekstrand(a)collabora.com> nouveau: Membar before between semaphore writes and the interrupt Dave Airlie <airlied(a)redhat.com> nouveau: fix disabling the nonstall irq due to storm code John Evans <evans1210144(a)gmail.com> scsi: lpfc: Fix buffer free/clear order in deferred receive path Christoffer Sandberg <cs(a)tuxedo.de> platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list Jesse.Zhang <Jesse.Zhang(a)amd.com> drm/amdgpu/sdma: bump firmware version checks for user queue support Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Clear the CUR_ENABLE register on DCN314 w/out DPP PG Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/mes11: make MES_MISC_OP_CHANGE_CONFIG failure non-fatal Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop hw access in non-DC audio fini Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Fix incorrect migration of backed-up object to VRAM Conor Dooley <conor.dooley(a)microchip.com> spi: microchip-core-qspi: stop checking viability of op->max_freq in supports_op callback Stefan Wahren <wahrenst(a)gmx.net> net: ethernet: oa_tc6: Handle failure of spi_setup Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: skip EHT MLD TLV on non-MLD and pass conn_state for sta_cmd Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong bss cleanup for SAP Nathan Chancellor <nathan(a)kernel.org> wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925u: use connac3 tx aggr check in tx complete Qianfeng Rong <rongqianfeng(a)vivo.com> wifi: mwifiex: Initialize the chan_stats array to zero Benjamin Berg <benjamin.berg(a)intel.com> wifi: mac80211: do not permit 40 MHz EHT operation on 5/6 GHz Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> soc: qcom: mdt_loader: Deal with zero e_shentsize Yin Tirui <yintirui(a)huawei.com> of_numa: fix uninitialized memory nodes causing kernel panic wangzijie <wangzijie1(a)honor.com> proc: fix missing pde_set_flags() for net proc files Edward Adam Davis <eadavis(a)qq.com> ocfs2: prevent release journal inode after journal shutdown Yeoreum Yun <yeoreum.yun(a)arm.com> kunit: kasan_test: disable fortify string checker on kasan_strings() test Ada Couprie Diaz <ada.coupriediaz(a)arm.com> kasan: fix GCC mem-intrinsic prefix with sw tags Christian Loehle <christian.loehle(a)arm.com> sched: Fix sched_numa_find_nth_cpu() if mask offline yangshiguang <yangshiguang(a)xiaomi.com> mm: slub: avoid wake up kswapd in set_track_prepare Gu Bowen <gubowen5(a)huawei.com> mm: fix possible deadlock in kmemleak Harry Yoo <harry.yoo(a)oracle.com> mm: introduce and use {pgd,p4d}_populate_kernel() Harry Yoo <harry.yoo(a)oracle.com> mm: move page table sync declarations to linux/pgtable.h Sumanth Korikkar <sumanthk(a)linux.ibm.com> mm: fix accounting of memmap pages Sasha Levin <sashal(a)kernel.org> mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE Harry Yoo <harry.yoo(a)oracle.com> x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Li Qiong <liqiong(a)nfschina.com> mm/slub: avoid accessing metadata when pointer is invalid in object_err() Baptiste Lepers <baptiste.lepers(a)gmail.com> rust: mm: mark VmaNew as transparent Ma Ke <make24(a)iscas.ac.cn> pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() panfan <panfan(a)qti.qualcomm.com> arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE Miaoqian Lin <linmq006(a)gmail.com> ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Prevent recovery work from being queued during device removal Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on some devices Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Kuniyuki Iwashima <kuniyu(a)google.com> selftest: net: Fix weird setsockopt() in bind_bhash.c. Qingfang Deng <dqfext(a)gmail.com> ppp: fix memory leak in pad_compress_skb Abin Joseph <abin.joseph(a)amd.com> net: xilinx: axienet: Add error handling for RX metadata pointer retrieval Wang Liang <wangliang74(a)huawei.com> net: atm: fix memory leak in atm_register_sysfs when device_register fail Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Introduce NFTA_DEVICE_PREFIX Florian Westphal <fw(a)strlen.de> selftests: netfilter: fix udpclash tool hang Eric Dumazet <edumazet(a)google.com> ax25: properly unshare skbs in ax25_kiss_rcv() Alok Tiwari <alok.a.tiwari(a)oracle.com> mctp: return -ENOPROTOOPT for unknown getsockopt options Mahanta Jambigi <mjambigi(a)linux.ibm.com> net/smc: Remove validation of reserved bits in CLC Decline message Dan Carpenter <dan.carpenter(a)linaro.org> ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: decrement cleanup index before use Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: add a missing of_node_put Eric Dumazet <edumazet(a)google.com> net: lockless sock_i_ino() Eric Dumazet <edumazet(a)google.com> net: remove sock_i_uid() Asbjørn Sloth Tønnesen <ast(a)fiberby.net> tools: ynl-gen: fix nested array counting Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: libertas: cap SSID len in lbs_associate() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cw1200: cap SSID length in cw1200_do_join() Ido Schimmel <idosch(a)nvidia.com> vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects Ido Schimmel <idosch(a)nvidia.com> vxlan: Fix NPD when refreshing an FDB entry with a nexthop object Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Christoph Paasch <cpaasch(a)openai.com> net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 Rameshkumar Sundaram <rameshkumar.sundaram(a)oss.qualcomm.com> wifi: ath11k: fix group data packet drops during rekey Ramya Gnanasekar <ramya.gnanasekar(a)oss.qualcomm.com> wifi: ath12k: Set EMLSR support flag in MLO flags for EML-capable stations Alok Tiwari <alok.a.tiwari(a)oracle.com> ixgbe: fix incorrect map used in eee linkmode Zhen Ni <zhen.ni(a)easystack.cn> i40e: Fix potential invalid access when MAC list is empty Jacob Keller <jacob.e.keller(a)intel.com> i40e: remove read access to debugfs files Emil Tantilov <emil.s.tantilov(a)intel.com> idpf: set mac type when adding and removing MAC filters Jacob Keller <jacob.e.keller(a)intel.com> ice: fix NULL access of tx->in_use in ice_ll_ts_intr Jacob Keller <jacob.e.keller(a)intel.com> ice: fix NULL access of tx->in_use in ice_ptp_ts_irq Nishanth Menon <nm(a)ti.com> net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev Jeremy Kerr <jk(a)codeconstruct.com.au> net: mctp: usb: initialise mac header in RX path Jeremy Kerr <jk(a)codeconstruct.com.au> net: mctp: mctp_fraq_queue should take ownership of passed skb Liu Jian <liujian56(a)huawei.com> net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Sabrina Dubroca <sd(a)queasysnail.net> macsec: read MACSEC_SA_ATTR_PN with nla_get_uint Sean Anderson <sean.anderson(a)linux.dev> net: macb: Fix tx_ptr_lock locking Miaoqian Lin <linmq006(a)gmail.com> eth: mlx4: Fix IS_ERR() vs NULL check bug in mlx4_en_create_rx_ring Fabian Bläse <fabian(a)blaese.de> icmp: fix icmp_ndo_send address translation for reply direction Alok Tiwari <alok.a.tiwari(a)oracle.com> bnxt_en: fix incorrect page count in RX aggr ring log Jakub Kicinski <kuba(a)kernel.org> selftests: drv-net: csum: fix interface name for remote host Miaoqian Lin <linmq006(a)gmail.com> mISDN: Fix memory leak in dsp_hwec_enable() Duoming Zhou <duoming(a)zju.edu.cn> ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog Alok Tiwari <alok.a.tiwari(a)oracle.com> xirc2ps_cs: fix register access when enabling FullDuplex Eric Dumazet <edumazet(a)google.com> net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y Florian Westphal <fw(a)strlen.de> netfilter: nft_flowtable.sh: re-run with random mtu sizes Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Ivan Pravdin <ipravdin.official(a)gmail.com> Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: cfg: add back more lost PCI IDs Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: cfg: restore some 1000 series configs Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: uefi: check DSM item validity Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: acpi: check DSM func validity Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> wifi: iwlwifi: if scratch is ~0U, consider it a failure Phil Sutter <phil(a)nwl.cc> netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Wang Liang <wangliang74(a)huawei.com> netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Felix Fietkau <nbd(a)nbd.name> wifi: mt76: fix linked list corruption Felix Fietkau <nbd(a)nbd.name> wifi: mt76: free pending offchannel tx frames on wcid cleanup Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7915: fix list corruption after hardware restart Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7996: add missing check for rx wcid entries Chad Monroe <chad(a)monroe.io> wifi: mt76: mt7996: use the correct vif link for scanning/roc Felix Fietkau <nbd(a)nbd.name> wifi: mt76: mt7996: disable beacons when going offchannel Felix Fietkau <nbd(a)nbd.name> wifi: mt76: prevent non-offchannel mgmt tx during scan/roc Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> wifi: mt76: mt7925: fix locking in mt7925_change_vif_links() Janusz Dziedzic <janusz.dziedzic(a)gmail.com> wifi: mt76: mt7921: don't disconnect when CSA to DFS chan Duoming Zhou <duoming(a)zju.edu.cn> wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix use-after-free in cmp_bss() Ryan Wanner <Ryan.Wanner(a)microchip.com> ARM: dts: microchip: sama7d65: Force SDMMC Legacy mode Chen-Yu Tsai <wens(a)csie.org> arm64: dts: rockchip: Add supplies for eMMC on rk3588-orangepi-5 Maud Spierings <maud_spierings(a)hotmail.com> arm64: dts: rockchip: Fix the headphone detection on the orangepi 5 plus Marek Vasut <marek.vasut(a)mailbox.org> arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul i.MX8M Plus eDM SBC Marek Vasut <marek.vasut(a)mailbox.org> arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM Markus Niebel <Markus.Niebel(a)ew.tq-group.com> arm64: dts: imx8mp-tqma8mpql: fix LDO5 power off Sungbae Yoo <sungbaey(a)nvidia.com> tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Peter Robinson <pbrobinson(a)gmail.com> arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Chukun Pan <amadeus(a)jmu.edu.cn> arm64: dts: rockchip: mark eeprom as read-only for Radxa E52C Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix memory leak in tee_dyn_shm_alloc_helper Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix NULL pointer dereference in tee_shm_put Jiufei Xue <jiufei.xue(a)samsung.com> fs: writeback: fix use-after-free in __mark_inode_dirty() Mario Limonciello <mario.limonciello(a)amd.com> platform/x86/amd: pmc: Drop SMU F/W match for Cezanne Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: skip ZONE FINISH of conventional zones Qu Wenruo <wqu(a)suse.com> btrfs: clear block dirty if submit_one_sector() failed Piotr Zalewski <pZ010001011111(a)proton.me> drm/rockchip: vop2: make vp registers nonvolatile Yang Li <yang.li(a)amlogic.com> Bluetooth: hci_sync: Avoid adding default advertising on startup Shinji Nomoto <fj5851bi(a)fujitsu.com> cpupower: Fix a bug where the -t option of the set subcommand was not working. Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't warn when missing DCE encoder caps Lubomir Rintel <lkundrak(a)v3.sk> cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Xianglai Li <lixianglai(a)loongson.cn> LoongArch: Add cpuhotplug hooks to fix high cpu usage of vCPU threads Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Save LBT before FPU in setup_sigcontext() Tina Wuest <tina(a)wuest.me> ALSA: usb-audio: Allow Focusrite devices to use low samplerates Ajye Huang <ajye_huang(a)compal.corp-partner.google.com> ASoC: SOF: Intel: WCL: Add the sdw_process_wakeen op Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: tidyup direction name on rsnd_dai_connect() Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked() Filipe Manana <fdmanana(a)suse.com> btrfs: avoid load/store tearing races when checking if an inode was logged Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between setting last_dir_index_offset and inode logging Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between logging inode and checking if it was logged before ------------- Diffstat: Makefile | 4 +- .../boot/dts/microchip/at91-sama7d65_curiosity.dts | 2 + .../dts/freescale/imx8mp-data-modul-edm-sbc.dts | 1 + .../arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 + .../freescale/imx8mp-tqma8mpql-mba8mp-ras314.dts | 13 ++- .../dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts | 13 ++- .../arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 22 ++++ .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 + arch/arm64/boot/dts/rockchip/rk3582-radxa-e52c.dts | 1 + .../boot/dts/rockchip/rk3588-orangepi-5-plus.dts | 2 +- .../arm64/boot/dts/rockchip/rk3588-orangepi-5.dtsi | 2 + arch/arm64/include/asm/module.h | 1 + arch/arm64/include/asm/module.lds.h | 1 + arch/arm64/kernel/ftrace.c | 13 ++- arch/arm64/kernel/module-plts.c | 12 +- arch/arm64/kernel/module.c | 11 ++ arch/loongarch/kernel/signal.c | 10 +- arch/loongarch/kernel/time.c | 22 ++++ arch/riscv/Kconfig | 2 +- arch/riscv/include/asm/asm.h | 2 +- arch/riscv/include/asm/uaccess.h | 8 +- arch/riscv/kernel/entry.S | 2 +- arch/riscv/kernel/kexec_elf.c | 4 +- arch/riscv/kernel/kexec_image.c | 2 +- arch/riscv/kernel/machine_kexec_file.c | 2 +- arch/riscv/net/bpf_jit_comp64.c | 4 +- arch/x86/include/asm/pgtable_64_types.h | 3 + arch/x86/mm/init_64.c | 18 +++ drivers/accel/ivpu/ivpu_drv.c | 2 +- drivers/accel/ivpu/ivpu_pm.c | 4 +- drivers/accel/ivpu/ivpu_pm.h | 2 +- drivers/acpi/arm64/iort.c | 4 +- drivers/acpi/riscv/cppc.c | 4 +- drivers/bluetooth/hci_vhci.c | 57 +++++++--- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 +- drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 - drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 5 +- drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c | 6 +- .../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 +- .../gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c | 9 ++ .../gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.h | 2 + .../gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c | 1 + .../drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c | 72 ++++++++++++ .../drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.h | 2 + .../drm/amd/display/dc/hwss/dcn314/dcn314_init.c | 1 + drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h | 3 + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 ++ drivers/gpu/drm/display/drm_dp_helper.c | 2 +- drivers/gpu/drm/nouveau/gv100_fence.c | 7 +- .../gpu/drm/nouveau/include/nvhw/class/clc36f.h | 85 ++++++++++++++ drivers/gpu/drm/nouveau/nvkm/engine/fifo/base.c | 2 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 23 ++-- drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga102.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/priv.h | 2 + .../gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/fifo.c | 1 + drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 9 +- drivers/gpu/drm/xe/xe_bo.c | 3 +- drivers/hwmon/ina238.c | 9 +- drivers/hwmon/mlxreg-fan.c | 5 +- drivers/isdn/mISDN/dsp_hwec.c | 6 +- drivers/md/md.c | 5 + drivers/md/raid1.c | 2 +- drivers/net/dsa/mv88e6xxx/leds.c | 17 ++- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- drivers/net/ethernet/cadence/macb_main.c | 28 +++-- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 ++-- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +- drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 123 ++++----------------- drivers/net/ethernet/intel/ice/ice_main.c | 12 +- drivers/net/ethernet/intel/ice/ice_ptp.c | 13 ++- drivers/net/ethernet/intel/idpf/idpf_lib.c | 9 +- drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 12 ++ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +- drivers/net/ethernet/mellanox/mlx4/en_rx.c | 4 +- drivers/net/ethernet/microchip/lan865x/lan865x.c | 7 +- drivers/net/ethernet/oa_tc6.c | 3 +- drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 ++ drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- drivers/net/macsec.c | 8 +- drivers/net/mctp/mctp-usb.c | 1 + drivers/net/pcs/pcs-rzn1-miic.c | 2 +- drivers/net/phy/mscc/mscc_ptp.c | 18 ++- drivers/net/ppp/ppp_generic.c | 6 +- drivers/net/usb/cdc_ncm.c | 7 ++ drivers/net/vxlan/vxlan_core.c | 18 ++- drivers/net/vxlan/vxlan_private.h | 4 +- drivers/net/wireless/ath/ath11k/core.h | 2 + drivers/net/wireless/ath/ath11k/mac.c | 111 +++++++++++++++++-- drivers/net/wireless/ath/ath12k/wmi.c | 1 + .../wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 +- drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 25 ++++- drivers/net/wireless/intel/iwlwifi/fw/runtime.h | 8 ++ drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 6 + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 22 +++- drivers/net/wireless/marvell/libertas/cfg.c | 9 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +- drivers/net/wireless/marvell/mwifiex/main.c | 4 +- drivers/net/wireless/mediatek/mt76/mac80211.c | 41 +++++++ drivers/net/wireless/mediatek/mt76/mt76.h | 1 + drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 12 +- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 5 +- drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 2 +- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 7 +- drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 12 +- drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 56 ++++++---- drivers/net/wireless/mediatek/mt76/mt7996/main.c | 5 + drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 15 ++- drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 1 + drivers/net/wireless/mediatek/mt76/tx.c | 12 +- drivers/net/wireless/st/cw1200/sta.c | 2 +- drivers/of/of_numa.c | 5 +- drivers/pcmcia/omap_cf.c | 2 + drivers/pcmcia/rsrc_iodyn.c | 3 + drivers/pcmcia/rsrc_nonstatic.c | 4 +- drivers/platform/x86/acer-wmi.c | 71 ++---------- drivers/platform/x86/amd/pmc/pmc-quirks.c | 68 ++++++++---- drivers/platform/x86/amd/pmc/pmc.c | 13 --- drivers/platform/x86/asus-nb-wmi.c | 2 - drivers/platform/x86/asus-wmi.c | 9 +- drivers/platform/x86/intel/tpmi_power_domains.c | 2 +- drivers/ptp/ptp_ocp.c | 3 +- drivers/scsi/lpfc/lpfc_nvmet.c | 10 +- drivers/scsi/sr.c | 16 ++- drivers/soc/qcom/mdt_loader.c | 12 +- drivers/spi/spi-fsl-lpspi.c | 24 ++-- drivers/spi/spi-microchip-core-qspi.c | 12 -- drivers/spi/spi-qpic-snand.c | 6 +- drivers/tee/optee/ffa_abi.c | 4 +- drivers/tee/tee_shm.c | 14 ++- fs/btrfs/btrfs_inode.h | 2 +- fs/btrfs/extent_io.c | 17 ++- fs/btrfs/inode.c | 1 + fs/btrfs/tree-log.c | 78 ++++++++----- fs/btrfs/zoned.c | 55 +++++---- fs/fs-writeback.c | 9 +- fs/ocfs2/inode.c | 3 + fs/proc/generic.c | 38 ++++--- fs/smb/client/cifs_unicode.c | 3 + include/linux/cpuhotplug.h | 1 + include/linux/pgalloc.h | 29 +++++ include/linux/pgtable.h | 25 ++++- include/linux/vmalloc.h | 16 --- include/net/sock.h | 17 ++- include/uapi/linux/netfilter/nf_tables.h | 2 + kernel/auditfilter.c | 2 +- kernel/sched/topology.c | 2 + mm/kasan/init.c | 12 +- mm/kasan/kasan_test_c.c | 2 + mm/kmemleak.c | 27 +++-- mm/percpu.c | 6 +- mm/slub.c | 37 +++++-- mm/sparse-vmemmap.c | 11 +- mm/sparse.c | 15 ++- mm/userfaultfd.c | 9 +- net/appletalk/atalk_proc.c | 2 +- net/atm/resources.c | 6 +- net/ax25/ax25_in.c | 4 + net/batman-adv/network-coding.c | 7 +- net/bluetooth/af_bluetooth.c | 2 +- net/bluetooth/hci_sync.c | 2 +- net/bluetooth/l2cap_sock.c | 3 + net/bridge/br_netfilter_hooks.c | 3 - net/core/gen_estimator.c | 2 + net/core/sock.c | 33 ------ net/ipv4/devinet.c | 7 +- net/ipv4/icmp.c | 6 +- net/ipv4/inet_connection_sock.c | 27 ++--- net/ipv4/inet_diag.c | 2 +- net/ipv4/inet_hashtables.c | 4 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 2 +- net/ipv4/tcp_ipv4.c | 8 +- net/ipv4/udp.c | 16 +-- net/ipv6/datagram.c | 2 +- net/ipv6/ip6_icmp.c | 6 +- net/ipv6/tcp_ipv6.c | 36 +++--- net/key/af_key.c | 2 +- net/llc/llc_proc.c | 2 +- net/mac80211/mlme.c | 8 ++ net/mac80211/tests/chan-mode.c | 30 ++++- net/mctp/af_mctp.c | 2 +- net/mctp/route.c | 35 +++--- net/mptcp/protocol.c | 1 - net/netfilter/nf_conntrack_helper.c | 4 +- net/netfilter/nf_tables_api.c | 42 +++++-- net/netlink/diag.c | 2 +- net/packet/af_packet.c | 2 +- net/packet/diag.c | 2 +- net/phonet/socket.c | 4 +- net/sctp/input.c | 2 +- net/sctp/proc.c | 4 +- net/sctp/socket.c | 4 +- net/smc/smc_clc.c | 2 - net/smc/smc_diag.c | 2 +- net/smc/smc_ib.c | 3 + net/tipc/socket.c | 2 +- net/unix/af_unix.c | 2 +- net/unix/diag.c | 2 +- net/wireless/scan.c | 3 +- net/wireless/sme.c | 5 +- net/xdp/xsk_diag.c | 2 +- rust/kernel/mm/virt.rs | 1 + scripts/Makefile.kasan | 12 +- scripts/generate_rust_target.rs | 12 +- sound/pci/hda/patch_hdmi.c | 1 + sound/pci/hda/patch_realtek.c | 2 + sound/pci/hda/tas2781_hda_i2c.c | 5 +- sound/soc/renesas/rcar/core.c | 2 +- sound/soc/soc-core.c | 5 +- sound/soc/sof/intel/ptl.c | 1 + sound/usb/format.c | 12 +- sound/usb/mixer_quirks.c | 2 + tools/gpio/Makefile | 2 +- tools/net/ynl/pyynl/ynl_gen_c.py | 2 +- tools/perf/util/bpf-event.c | 39 +++++-- tools/perf/util/bpf-utils.c | 61 ++++++---- tools/power/cpupower/utils/cpupower-set.c | 4 +- tools/testing/selftests/drivers/net/hw/csum.py | 4 +- tools/testing/selftests/net/bind_bhash.c | 4 +- .../selftests/net/netfilter/conntrack_clash.sh | 2 +- .../selftests/net/netfilter/conntrack_resize.sh | 5 +- .../selftests/net/netfilter/nft_flowtable.sh | 113 ++++++++++++------- tools/testing/selftests/net/netfilter/udpclash.c | 2 +- 229 files changed, 1707 insertions(+), 918 deletions(-)

1 week, 4 days

18
200
0 0

[PATCH 6.12 000/175] 6.12.46-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.46 release. There are 175 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 09 Sep 2025 19:55:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.46-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.46-rc1 Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Yu Kuai <yukuai3(a)huawei.com> md/raid1: fix data lost for writemostly rdev Radim Krčmář <rkrcmar(a)ventanamicro.com> riscv, bpf: use lw when reading int cpu in bpf_get_smp_processor_id Radim Krčmář <rkrcmar(a)ventanamicro.com> riscv, bpf: use lw when reading int cpu in BPF_MOV64_PERCPU_REG Radim Krčmář <rkrcmar(a)ventanamicro.com> riscv: use lw when reading int cpu in asm_per_cpu Radim Krčmář <rkrcmar(a)ventanamicro.com> riscv: use lw when reading int cpu in new_vmalloc_check Nathan Chancellor <nathan(a)kernel.org> riscv: Only allow LTO with CMODEL_MEDANY Anup Patel <apatel(a)ventanamicro.com> ACPI: RISC-V: Fix FFH_CPPC_CSR error handling Li Nan <linan122(a)huawei.com> md: prevent incorrect update of resync/recovery offset zhang jiao <zhangjiao2(a)cmss.chinamobile.com> tools: gpio: remove the include directory on make clean Colin Ian King <colin.i.king(a)gmail.com> drm/amd/amdgpu: Fix missing error return on kzalloc failure Ian Rogers <irogers(a)google.com> perf bpf-utils: Harden get_bpf_prog_info_linear Ian Rogers <irogers(a)google.com> perf bpf-utils: Constify bpil_array_desc Ian Rogers <irogers(a)google.com> perf bpf-event: Fix use-after-free in synthesis Michael Walle <mwalle(a)kernel.org> drm/bridge: ti-sn65dsi86: fix REFCLK setting Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Clear status register after disabling the module Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Set correct chip-select polarity bit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Fix transmissions when using CONT Ming Lei <ming.lei(a)redhat.com> scsi: sr: Reinstate rotational media flag Christoph Hellwig <hch(a)lst.de> block: add a queue_limits_commit_update_frozen helper Vadim Pasternak <vadimp(a)nvidia.com> hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM David Arcari <darcari(a)redhat.com> platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk Wentao Liang <vulab(a)iscas.ac.cn> pcmcia: Add error handling for add_interval() in do_validate_mem() Chen Ni <nichen(a)iscas.ac.cn> pcmcia: omap: Add missing check for platform_get_resource Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amdgpu: Avoid extra evict-restore process." Aaron Erhardt <aer(a)tuxedocomputers.com> ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Miguel Ojeda <ojeda(a)kernel.org> rust: support Rust >= 1.91.0 target spec Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Nícolas F. R. A. Prado <nfraprado(a)collabora.com> thermal/drivers/mediatek/lvts: Disable low offset IRQ for minimum threshold Sumanth Korikkar <sumanthk(a)linux.ibm.com> mm: fix accounting of memmap pages Yeoreum Yun <yeoreum.yun(a)arm.com> kunit: kasan_test: disable fortify string checker on kasan_strings() test Dave Airlie <airlied(a)redhat.com> nouveau: fix disabling the nonstall irq due to storm code Li Qiong <liqiong(a)nfschina.com> mm/slub: avoid accessing metadata when pointer is invalid in object_err() Vlastimil Babka <vbabka(a)suse.cz> mm, slab: cleanup slab_bug() parameters Hyesoo Yu <hyesoo.yu(a)samsung.com> mm: slub: call WARN() when detecting a slab corruption Hyesoo Yu <hyesoo.yu(a)samsung.com> mm: slub: Print the broken data before restoring them Su Yue <glass.su(a)suse.com> md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb Wang Liang <wangliang74(a)huawei.com> net: fix NULL pointer dereference in l3mdev_l3_rcv Wen Gong <quic_wgong(a)quicinc.com> wifi: ath11k: update channel list in worker when wait flag is set Wen Gong <quic_wgong(a)quicinc.com> wifi: ath11k: update channel list in reg notifier instead reg worker Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: avoid journaling sb update on error if journal is destroying Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: define ext4_journal_destroy wrapper Zheng Qixing <zhengqixing(a)huawei.com> md/raid1,raid10: strip REQ_NOWAIT from member bios Yu Kuai <yukuai3(a)huawei.com> md/raid1,raid10: don't handle IO error for REQ_RAHEAD and REQ_NOWAIT Yu Kuai <yukuai3(a)huawei.com> md/raid1,raid10: don't ignore IO flags Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: do not enable EEE on bcm63xx Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: dsa: b53/bcm_sf2: implement .support_eee() method Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: dsa: provide implementation of .support_eee() Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: dsa: add hook to determine whether EEE is supported Al Viro <viro(a)zeniv.linux.org.uk> fs/fhandle.c: fix a race in call of has_locked_children() Stefan Wahren <wahrenst(a)gmx.net> microchip: lan865x: Fix LAN8651 autoloading Stefan Wahren <wahrenst(a)gmx.net> microchip: lan865x: Fix module autoloading Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> net: pcs: rzn1-miic: Correct MODCTRL register offset Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix heap overflow in e1000_set_eeprom Makar Semyonov <m.semenov(a)tssltd.ru> cifs: prevent NULL pointer dereference in UTF16 conversion Stanislav Fort <stanislav.fort(a)aisle.com> batman-adv: fix OOB read/write in network-coding decode John Evans <evans1210144(a)gmail.com> scsi: lpfc: Fix buffer free/clear order in deferred receive path Christoffer Sandberg <cs(a)tuxedo.de> platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list Ivan Lipski <ivan.lipski(a)amd.com> drm/amd/display: Clear the CUR_ENABLE register on DCN314 w/out DPP PG Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop hw access in non-DC audio fini Stefan Wahren <wahrenst(a)gmx.net> net: ethernet: oa_tc6: Handle failure of spi_setup Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925: fix the wrong bss cleanup for SAP Nathan Chancellor <nathan(a)kernel.org> wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() Ming Yen Hsieh <mingyen.hsieh(a)mediatek.com> wifi: mt76: mt7925u: use connac3 tx aggr check in tx complete Qianfeng Rong <rongqianfeng(a)vivo.com> wifi: mwifiex: Initialize the chan_stats array to zero Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> soc: qcom: mdt_loader: Deal with zero e_shentsize Yin Tirui <yintirui(a)huawei.com> of_numa: fix uninitialized memory nodes causing kernel panic wangzijie <wangzijie1(a)honor.com> proc: fix missing pde_set_flags() for net proc files Edward Adam Davis <eadavis(a)qq.com> ocfs2: prevent release journal inode after journal shutdown Ada Couprie Diaz <ada.coupriediaz(a)arm.com> kasan: fix GCC mem-intrinsic prefix with sw tags Christian Loehle <christian.loehle(a)arm.com> sched: Fix sched_numa_find_nth_cpu() if mask offline yangshiguang <yangshiguang(a)xiaomi.com> mm: slub: avoid wake up kswapd in set_track_prepare Gu Bowen <gubowen5(a)huawei.com> mm: fix possible deadlock in kmemleak Harry Yoo <harry.yoo(a)oracle.com> mm: move page table sync declarations to linux/pgtable.h Sasha Levin <sashal(a)kernel.org> mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE Harry Yoo <harry.yoo(a)oracle.com> x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Jens Axboe <axboe(a)kernel.dk> io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU Ma Ke <make24(a)iscas.ac.cn> pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() panfan <panfan(a)qti.qualcomm.com> arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE Miaoqian Lin <linmq006(a)gmail.com> ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() Karol Wachowski <karol.wachowski(a)intel.com> accel/ivpu: Prevent recovery work from being queued during device removal Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on some devices Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Kuniyuki Iwashima <kuniyu(a)google.com> selftest: net: Fix weird setsockopt() in bind_bhash.c. Qingfang Deng <dqfext(a)gmail.com> ppp: fix memory leak in pad_compress_skb Abin Joseph <abin.joseph(a)amd.com> net: xilinx: axienet: Add error handling for RX metadata pointer retrieval Wang Liang <wangliang74(a)huawei.com> net: atm: fix memory leak in atm_register_sysfs when device_register fail Eric Dumazet <edumazet(a)google.com> ax25: properly unshare skbs in ax25_kiss_rcv() Alok Tiwari <alok.a.tiwari(a)oracle.com> mctp: return -ENOPROTOOPT for unknown getsockopt options Mahanta Jambigi <mjambigi(a)linux.ibm.com> net/smc: Remove validation of reserved bits in CLC Decline message Dan Carpenter <dan.carpenter(a)linaro.org> ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: decrement cleanup index before use Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: add a missing of_node_put Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: libertas: cap SSID len in lbs_associate() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cw1200: cap SSID length in cw1200_do_join() Ido Schimmel <idosch(a)nvidia.com> vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects Ido Schimmel <idosch(a)nvidia.com> vxlan: Rename FDB Tx lookup function Ido Schimmel <idosch(a)nvidia.com> vxlan: Add RCU read-side critical sections in the Tx path Ido Schimmel <idosch(a)nvidia.com> vxlan: Avoid unnecessary updates to FDB 'used' time Ido Schimmel <idosch(a)nvidia.com> vxlan: Refresh FDB 'updated' time upon 'NTF_USE' Radu Rendec <rrendec(a)redhat.com> net: vxlan: rename SKB_DROP_REASON_VXLAN_NO_REMOTE Menglong Dong <menglong8.dong(a)gmail.com> net: vxlan: use kfree_skb_reason() in vxlan_mdb_xmit() Menglong Dong <menglong8.dong(a)gmail.com> net: vxlan: use kfree_skb_reason() in vxlan_xmit() Menglong Dong <menglong8.dong(a)gmail.com> net: vxlan: make vxlan_set_mac() return drop reasons Ido Schimmel <idosch(a)nvidia.com> vxlan: Fix NPD when refreshing an FDB entry with a nexthop object Menglong Dong <menglong8.dong(a)gmail.com> net: vxlan: make vxlan_snoop() return drop reasons Menglong Dong <menglong8.dong(a)gmail.com> net: vxlan: add skb drop reasons to vxlan_rcv() Menglong Dong <menglong8.dong(a)gmail.com> net: tunnel: add pskb_inet_may_pull_reason() helper Menglong Dong <menglong8.dong(a)gmail.com> net: skb: add pskb_network_may_pull_reason() helper Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Christoph Paasch <cpaasch(a)openai.com> net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 Rameshkumar Sundaram <rameshkumar.sundaram(a)oss.qualcomm.com> wifi: ath11k: fix group data packet drops during rekey Alok Tiwari <alok.a.tiwari(a)oracle.com> ixgbe: fix incorrect map used in eee linkmode Zhen Ni <zhen.ni(a)easystack.cn> i40e: Fix potential invalid access when MAC list is empty Jacob Keller <jacob.e.keller(a)intel.com> i40e: remove read access to debugfs files Emil Tantilov <emil.s.tantilov(a)intel.com> idpf: set mac type when adding and removing MAC filters Jacob Keller <jacob.e.keller(a)intel.com> ice: fix NULL access of tx->in_use in ice_ll_ts_intr Jeremy Kerr <jk(a)codeconstruct.com.au> net: mctp: mctp_fraq_queue should take ownership of passed skb Liu Jian <liujian56(a)huawei.com> net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Sabrina Dubroca <sd(a)queasysnail.net> macsec: read MACSEC_SA_ATTR_PN with nla_get_uint Sean Anderson <sean.anderson(a)linux.dev> net: macb: Fix tx_ptr_lock locking Fabian Bläse <fabian(a)blaese.de> icmp: fix icmp_ndo_send address translation for reply direction Alok Tiwari <alok.a.tiwari(a)oracle.com> bnxt_en: fix incorrect page count in RX aggr ring log Jakub Kicinski <kuba(a)kernel.org> selftests: drv-net: csum: fix interface name for remote host Miaoqian Lin <linmq006(a)gmail.com> mISDN: Fix memory leak in dsp_hwec_enable() Alok Tiwari <alok.a.tiwari(a)oracle.com> xirc2ps_cs: fix register access when enabling FullDuplex Eric Dumazet <edumazet(a)google.com> net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y Florian Westphal <fw(a)strlen.de> netfilter: nft_flowtable.sh: re-run with random mtu sizes Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Ivan Pravdin <ipravdin.official(a)gmail.com> Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: uefi: check DSM item validity Phil Sutter <phil(a)nwl.cc> netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Wang Liang <wangliang74(a)huawei.com> netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Felix Fietkau <nbd(a)nbd.name> wifi: mt76: fix linked list corruption Felix Fietkau <nbd(a)nbd.name> wifi: mt76: free pending offchannel tx frames on wcid cleanup Felix Fietkau <nbd(a)nbd.name> wifi: mt76: prevent non-offchannel mgmt tx during scan/roc Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> wifi: mt76: mt7925: fix locking in mt7925_change_vif_links() Duoming Zhou <duoming(a)zju.edu.cn> wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix use-after-free in cmp_bss() Sai Krishna Potthuri <sai.krishna.potthuri(a)amd.com> mmc: sdhci-of-arasan: Ensure CD logic stabilization before power-up Paul Alvin <alvin.paulp(a)amd.com> mmc: sdhci-of-arasan: Support for emmc hardware reset Wentao Guan <guanwentao(a)uniontech.com> LoongArch: vDSO: Remove -nostdlib complier flag Xi Ruoyao <xry111(a)xry111.site> LoongArch: vDSO: Remove --hash-style=sysv Fabio Porcedda <fabio.porcedda(a)gmail.com> net: usb: qmi_wwan: add Telit Cinterion FN990A w/audio composition Fabio Porcedda <fabio.porcedda(a)gmail.com> net: usb: qmi_wwan: fix Telit Cinterion FE990A name Fabio Porcedda <fabio.porcedda(a)gmail.com> net: usb: qmi_wwan: fix Telit Cinterion FN990A name Alan Stern <stern(a)rowland.harvard.edu> HID: core: Harden s32ton() against conversion to 0 bits Dmitry Torokhov <dmitry.torokhov(a)gmail.com> HID: stop exporting hid_snto32() Dmitry Torokhov <dmitry.torokhov(a)gmail.com> HID: simplify snto32() Marek Vasut <marek.vasut(a)mailbox.org> arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul i.MX8M Plus eDM SBC Marek Vasut <marek.vasut(a)mailbox.org> arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM Markus Niebel <Markus.Niebel(a)ew.tq-group.com> arm64: dts: imx8mp-tqma8mpql: fix LDO5 power off Sungbae Yoo <sungbaey(a)nvidia.com> tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Peter Robinson <pbrobinson(a)gmail.com> arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix memory leak in tee_dyn_shm_alloc_helper Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix NULL pointer dereference in tee_shm_put Jiufei Xue <jiufei.xue(a)samsung.com> fs: writeback: fix use-after-free in __mark_inode_dirty() Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: skip ZONE FINISH of conventional zones Piotr Zalewski <pZ010001011111(a)proton.me> drm/rockchip: vop2: make vp registers nonvolatile Yang Li <yang.li(a)amlogic.com> Bluetooth: hci_sync: Avoid adding default advertising on startup Shinji Nomoto <fj5851bi(a)fujitsu.com> cpupower: Fix a bug where the -t option of the set subcommand was not working. Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't warn when missing DCE encoder caps Lubomir Rintel <lkundrak(a)v3.sk> cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Save LBT before FPU in setup_sigcontext() Filipe Manana <fdmanana(a)suse.com> btrfs: avoid load/store tearing races when checking if an inode was logged Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between setting last_dir_index_offset and inode logging Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between logging inode and checking if it was logged before Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix oob access in cgroup local storage Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move cgroup iterator helpers to bpf.h Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move bpf map owner out of common struct Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add cookie object to bpf maps ------------- Diffstat: Makefile | 4 +- .../dts/freescale/imx8mp-data-modul-edm-sbc.dts | 1 + .../arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 + .../freescale/imx8mp-tqma8mpql-mba8mp-ras314.dts | 13 +- .../dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts | 13 +- .../arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 22 ++++ .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 + arch/arm64/include/asm/module.h | 1 + arch/arm64/include/asm/module.lds.h | 1 + arch/arm64/kernel/ftrace.c | 13 +- arch/arm64/kernel/module-plts.c | 12 +- arch/arm64/kernel/module.c | 11 ++ arch/loongarch/kernel/signal.c | 10 +- arch/loongarch/vdso/Makefile | 3 +- arch/riscv/Kconfig | 2 +- arch/riscv/include/asm/asm.h | 2 +- arch/riscv/kernel/entry.S | 2 +- arch/riscv/net/bpf_jit_comp64.c | 4 +- arch/x86/include/asm/pgtable_64_types.h | 3 + arch/x86/mm/init_64.c | 18 +++ block/blk-integrity.c | 4 +- block/blk-settings.c | 24 ++++ block/blk-zoned.c | 7 +- drivers/accel/ivpu/ivpu_drv.c | 2 +- drivers/accel/ivpu/ivpu_pm.c | 4 +- drivers/accel/ivpu/ivpu_pm.h | 2 +- drivers/acpi/arm64/iort.c | 4 +- drivers/acpi/riscv/cppc.c | 4 +- drivers/block/virtio_blk.c | 4 +- drivers/bluetooth/hci_vhci.c | 57 ++++++--- drivers/dma/mediatek/mtk-cqdma.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +- drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 - .../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 +- .../gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c | 9 ++ .../gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.h | 2 + .../gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c | 1 + .../drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c | 72 +++++++++++ .../drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.h | 2 + .../drm/amd/display/dc/hwss/dcn314/dcn314_init.c | 1 + drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h | 3 + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 ++ drivers/gpu/drm/nouveau/nvkm/engine/fifo/base.c | 2 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 23 ++-- drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga102.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/priv.h | 2 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/r535.c | 1 + drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 9 +- drivers/hid/hid-core.c | 74 +++++------ drivers/hid/hid-logitech-hidpp.c | 6 +- drivers/hwmon/mlxreg-fan.c | 5 +- drivers/isdn/mISDN/dsp_hwec.c | 6 +- drivers/md/md-bitmap.c | 6 +- drivers/md/md.c | 5 + drivers/md/raid1-10.c | 10 ++ drivers/md/raid1.c | 28 ++-- drivers/md/raid10.c | 20 ++- drivers/mmc/host/sdhci-of-arasan.c | 51 +++++++- drivers/net/dsa/b53/b53_common.c | 16 ++- drivers/net/dsa/b53/b53_priv.h | 1 + drivers/net/dsa/bcm_sf2.c | 1 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- drivers/net/ethernet/cadence/macb_main.c | 28 ++-- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +-- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +- drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 123 +++--------------- drivers/net/ethernet/intel/ice/ice_main.c | 12 +- drivers/net/ethernet/intel/idpf/idpf_lib.c | 9 +- drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 12 ++ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +- drivers/net/ethernet/microchip/lan865x/lan865x.c | 7 +- drivers/net/ethernet/oa_tc6.c | 3 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 ++ drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- drivers/net/ipvlan/ipvlan_l3s.c | 1 - drivers/net/macsec.c | 8 +- drivers/net/pcs/pcs-rzn1-miic.c | 2 +- drivers/net/phy/mscc/mscc_ptp.c | 18 ++- drivers/net/ppp/ppp_generic.c | 6 +- drivers/net/usb/cdc_ncm.c | 7 + drivers/net/usb/qmi_wwan.c | 5 +- drivers/net/vxlan/vxlan_core.c | 122 +++++++++++------- drivers/net/vxlan/vxlan_mdb.c | 2 +- drivers/net/vxlan/vxlan_private.h | 4 +- drivers/net/wireless/ath/ath11k/core.c | 1 + drivers/net/wireless/ath/ath11k/core.h | 7 +- drivers/net/wireless/ath/ath11k/mac.c | 125 ++++++++++++++++-- drivers/net/wireless/ath/ath11k/reg.c | 107 +++++++++++----- drivers/net/wireless/ath/ath11k/reg.h | 3 +- drivers/net/wireless/ath/ath11k/wmi.h | 1 + .../wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 +- drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 6 + drivers/net/wireless/marvell/libertas/cfg.c | 9 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +- drivers/net/wireless/marvell/mwifiex/main.c | 4 +- drivers/net/wireless/mediatek/mt76/mac80211.c | 4 + drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 2 +- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 7 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 +- drivers/net/wireless/mediatek/mt76/tx.c | 12 +- drivers/net/wireless/st/cw1200/sta.c | 2 +- drivers/of/of_numa.c | 5 +- drivers/pcmcia/omap_cf.c | 2 + drivers/pcmcia/rsrc_iodyn.c | 3 + drivers/pcmcia/rsrc_nonstatic.c | 4 +- drivers/platform/x86/amd/pmc/pmc-quirks.c | 14 ++ drivers/platform/x86/asus-nb-wmi.c | 2 - drivers/platform/x86/intel/tpmi_power_domains.c | 2 +- drivers/scsi/lpfc/lpfc_nvmet.c | 10 +- drivers/scsi/sd.c | 17 +-- drivers/scsi/sr.c | 19 +-- drivers/soc/qcom/mdt_loader.c | 12 +- drivers/spi/spi-fsl-lpspi.c | 24 ++-- drivers/tee/optee/ffa_abi.c | 4 +- drivers/tee/tee_shm.c | 14 +- drivers/thermal/mediatek/lvts_thermal.c | 50 ++++++-- fs/btrfs/btrfs_inode.h | 2 +- fs/btrfs/inode.c | 1 + fs/btrfs/tree-log.c | 78 +++++++---- fs/btrfs/zoned.c | 55 +++++--- fs/ext4/ext4.h | 3 +- fs/ext4/ext4_jbd2.h | 29 +++++ fs/ext4/super.c | 32 ++--- fs/fs-writeback.c | 9 +- fs/namespace.c | 18 ++- fs/ocfs2/inode.c | 3 + fs/proc/generic.c | 38 +++--- fs/smb/client/cifs_unicode.c | 3 + include/linux/blkdev.h | 2 + include/linux/bpf-cgroup.h | 5 - include/linux/bpf.h | 60 ++++++--- include/linux/hid.h | 1 - include/linux/io_uring_types.h | 12 +- include/linux/pgtable.h | 16 +++ include/linux/skbuff.h | 8 +- include/linux/vmalloc.h | 16 --- include/net/dropreason-core.h | 40 ++++++ include/net/dsa.h | 2 + include/net/ip_tunnels.h | 10 +- io_uring/msg_ring.c | 4 +- kernel/bpf/core.c | 50 +++++--- kernel/bpf/syscall.c | 19 ++- kernel/sched/topology.c | 2 + mm/kasan/kasan_test_c.c | 1 + mm/kmemleak.c | 27 +++- mm/slub.c | 142 +++++++++++++-------- mm/sparse-vmemmap.c | 5 - mm/sparse.c | 15 ++- mm/userfaultfd.c | 9 +- net/atm/resources.c | 6 +- net/ax25/ax25_in.c | 4 + net/batman-adv/network-coding.c | 7 +- net/bluetooth/hci_sync.c | 2 +- net/bluetooth/l2cap_sock.c | 3 + net/bridge/br_netfilter_hooks.c | 3 - net/core/gen_estimator.c | 2 + net/dsa/port.c | 16 +++ net/dsa/user.c | 8 ++ net/ipv4/devinet.c | 7 +- net/ipv4/icmp.c | 6 +- net/ipv6/ip6_icmp.c | 6 +- net/ipv6/tcp_ipv6.c | 32 +++-- net/mctp/af_mctp.c | 2 +- net/mctp/route.c | 35 ++--- net/netfilter/nf_conntrack_helper.c | 4 +- net/smc/smc_clc.c | 2 - net/smc/smc_ib.c | 3 + net/wireless/scan.c | 3 +- net/wireless/sme.c | 5 +- scripts/Makefile.kasan | 12 +- scripts/generate_rust_target.rs | 12 +- sound/pci/hda/patch_hdmi.c | 1 + sound/pci/hda/patch_realtek.c | 2 + sound/usb/mixer_quirks.c | 2 + tools/gpio/Makefile | 2 +- tools/perf/util/bpf-event.c | 39 ++++-- tools/perf/util/bpf-utils.c | 61 +++++---- tools/power/cpupower/utils/cpupower-set.c | 4 +- tools/testing/selftests/drivers/net/hw/csum.py | 4 +- tools/testing/selftests/net/bind_bhash.c | 4 +- .../selftests/net/netfilter/nft_flowtable.sh | 113 ++++++++++------ 187 files changed, 1784 insertions(+), 926 deletions(-)

1 week, 4 days

14
189
0 0

[PATCH 6.6 000/118] 6.6.105-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.105 release. There are 118 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 10 Sep 2025 15:18:22 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.105-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.105-rc2 Kevin Hao <haokexin(a)gmail.com> spi: fsl-qspi: Fix double cleanup in probe error path Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Check turbo_is_disabled() in store_no_turbo() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Read global.no_turbo under READ_ONCE() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Rearrange show_no_turbo() and store_no_turbo() Radim Krčmář <rkrcmar(a)ventanamicro.com> riscv: use lw when reading int cpu in asm_per_cpu yangshiguang <yangshiguang(a)xiaomi.com> mm: slub: avoid wake up kswapd in set_track_prepare Chengming Zhou <zhouchengming(a)bytedance.com> slub: Reflow ___slab_alloc() zhang jiao <zhangjiao2(a)cmss.chinamobile.com> tools: gpio: remove the include directory on make clean zhangjiao <zhangjiao2(a)cmss.chinamobile.com> tools: gpio: rm .*.cmd on make clean Colin Ian King <colin.i.king(a)gmail.com> drm/amd/amdgpu: Fix missing error return on kzalloc failure Hawking Zhang <Hawking.Zhang(a)amd.com> drm/amdgpu: Replace DRM_* with dev_* in amdgpu_psp.c Ian Rogers <irogers(a)google.com> perf bpf-event: Fix use-after-free in synthesis Michael Walle <mwalle(a)kernel.org> drm/bridge: ti-sn65dsi86: fix REFCLK setting Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Clear status register after disabling the module Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Set correct chip-select polarity bit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Fix transmissions when using CONT Vadim Pasternak <vadimp(a)nvidia.com> hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM Wentao Liang <vulab(a)iscas.ac.cn> pcmcia: Add error handling for add_interval() in do_validate_mem() Chen Ni <nichen(a)iscas.ac.cn> pcmcia: omap: Add missing check for platform_get_resource Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amdgpu: Avoid extra evict-restore process." Aaron Erhardt <aer(a)tuxedocomputers.com> ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Ma Ke <make24(a)iscas.ac.cn> drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Fix using wrong drm private data to bind mediatek-drm Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Add crtc path enum for all_drm_priv array Ronak Doshi <ronak.doshi(a)broadcom.com> vmxnet3: update MTU after device quiesce Jakob Unterwurzacher <jakobunt(a)gmail.com> net: dsa: microchip: linearize skb for tail-tagging switches Pieter Van Trappen <pieter.van.trappen(a)cern.ch> net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA David Lechner <dlechner(a)baylibre.com> iio: pressure: mprls0025pa: use aligned_s64 for timestamp Luca Ceresoli <luca.ceresoli(a)bootlin.com> iio: light: opt3001: fix deadlock due to concurrent flag access David Lechner <dlechner(a)baylibre.com> iio: chemical: pms7003: use aligned_s64 for timestamp David Lechner <dlechner(a)baylibre.com> iio: imu: inv_mpu6050: align buffer for timestamp Josef Bacik <josef(a)toxicpanda.com> btrfs: adjust subpage bit start based on sectorsize Jonathan Currier <dullfire(a)yahoo.com> PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads Nícolas F. R. A. Prado <nfraprado(a)collabora.com> thermal/drivers/mediatek/lvts: Disable low offset IRQ for minimum threshold Han Xu <han.xu(a)nxp.com> spi: fsl-qspi: use devm function instead of driver remove Li Qiong <liqiong(a)nfschina.com> mm/slub: avoid accessing metadata when pointer is invalid in object_err() Dave Airlie <airlied(a)redhat.com> nouveau: fix disabling the nonstall irq due to storm code Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Do not update global.turbo_disabled after initialization Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Fold intel_pstate_max_within_limits() into caller Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Revise global turbo disable check Jinfeng Wang <jinfeng.wang.cn(a)windriver.com> Revert "spi: spi-cadence-quadspi: Fix pm runtime unbalance" Jinfeng Wang <jinfeng.wang.cn(a)windriver.com> Revert "spi: cadence-quadspi: fix cleanup of rx_chan on failure paths" Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> net: pcs: rzn1-miic: Correct MODCTRL register offset Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix heap overflow in e1000_set_eeprom Makar Semyonov <m.semenov(a)tssltd.ru> cifs: prevent NULL pointer dereference in UTF16 conversion Stanislav Fort <stanislav.fort(a)aisle.com> batman-adv: fix OOB read/write in network-coding decode John Evans <evans1210144(a)gmail.com> scsi: lpfc: Fix buffer free/clear order in deferred receive path Christoffer Sandberg <cs(a)tuxedo.de> platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop hw access in non-DC audio fini Nathan Chancellor <nathan(a)kernel.org> wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() Qianfeng Rong <rongqianfeng(a)vivo.com> wifi: mwifiex: Initialize the chan_stats array to zero Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> soc: qcom: mdt_loader: Deal with zero e_shentsize wangzijie <wangzijie1(a)honor.com> proc: fix missing pde_set_flags() for net proc files Edward Adam Davis <eadavis(a)qq.com> ocfs2: prevent release journal inode after journal shutdown Christian Loehle <christian.loehle(a)arm.com> sched: Fix sched_numa_find_nth_cpu() if mask offline Harry Yoo <harry.yoo(a)oracle.com> mm: move page table sync declarations to linux/pgtable.h Harry Yoo <harry.yoo(a)oracle.com> x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Ma Ke <make24(a)iscas.ac.cn> pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() panfan <panfan(a)qti.qualcomm.com> arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE Miaoqian Lin <linmq006(a)gmail.com> ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on some devices Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Kuniyuki Iwashima <kuniyu(a)google.com> selftest: net: Fix weird setsockopt() in bind_bhash.c. Qingfang Deng <dqfext(a)gmail.com> ppp: fix memory leak in pad_compress_skb Wang Liang <wangliang74(a)huawei.com> net: atm: fix memory leak in atm_register_sysfs when device_register fail Eric Dumazet <edumazet(a)google.com> ax25: properly unshare skbs in ax25_kiss_rcv() Alok Tiwari <alok.a.tiwari(a)oracle.com> mctp: return -ENOPROTOOPT for unknown getsockopt options Mahanta Jambigi <mjambigi(a)linux.ibm.com> net/smc: Remove validation of reserved bits in CLC Decline message Dan Carpenter <dan.carpenter(a)linaro.org> ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: decrement cleanup index before use Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: add a missing of_node_put Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: libertas: cap SSID len in lbs_associate() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cw1200: cap SSID length in cw1200_do_join() Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Rameshkumar Sundaram <rameshkumar.sundaram(a)oss.qualcomm.com> wifi: ath11k: fix group data packet drops during rekey Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath11k: avoid forward declaration of ath11k_mac_start_vdev_delay() Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath11k: rename ath11k_start_vdev_delay() Jeff Johnson <quic_jjohnson(a)quicinc.com> wifi: ath11k: Introduce and use ath11k_sta_to_arsta() Zhen Ni <zhen.ni(a)easystack.cn> i40e: Fix potential invalid access when MAC list is empty Liu Jian <liujian56(a)huawei.com> net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Sabrina Dubroca <sd(a)queasysnail.net> macsec: read MACSEC_SA_ATTR_PN with nla_get_uint Jakub Kicinski <kuba(a)kernel.org> netlink: add variable-length / auto integers Sean Anderson <sean.anderson(a)linux.dev> net: macb: Fix tx_ptr_lock locking Fabian Bläse <fabian(a)blaese.de> icmp: fix icmp_ndo_send address translation for reply direction Miaoqian Lin <linmq006(a)gmail.com> mISDN: Fix memory leak in dsp_hwec_enable() Alok Tiwari <alok.a.tiwari(a)oracle.com> xirc2ps_cs: fix register access when enabling FullDuplex Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Ivan Pravdin <ipravdin.official(a)gmail.com> Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Phil Sutter <phil(a)nwl.cc> netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Wang Liang <wangliang74(a)huawei.com> netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Duoming Zhou <duoming(a)zju.edu.cn> wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix use-after-free in cmp_bss() Marek Vasut <marek.vasut(a)mailbox.org> arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul i.MX8M Plus eDM SBC Marek Vasut <marek.vasut(a)mailbox.org> arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM Sungbae Yoo <sungbaey(a)nvidia.com> tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Peter Robinson <pbrobinson(a)gmail.com> arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix NULL pointer dereference in tee_shm_put Jiufei Xue <jiufei.xue(a)samsung.com> fs: writeback: fix use-after-free in __mark_inode_dirty() Yang Li <yang.li(a)amlogic.com> Bluetooth: hci_sync: Avoid adding default advertising on startup Shinji Nomoto <fj5851bi(a)fujitsu.com> cpupower: Fix a bug where the -t option of the set subcommand was not working. Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't warn when missing DCE encoder caps Lubomir Rintel <lkundrak(a)v3.sk> cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Save LBT before FPU in setup_sigcontext() Filipe Manana <fdmanana(a)suse.com> btrfs: avoid load/store tearing races when checking if an inode was logged Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between setting last_dir_index_offset and inode logging Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between logging inode and checking if it was logged before Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix oob access in cgroup local storage Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move bpf map owner out of common struct Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move cgroup iterator helpers to bpf.h Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add cookie object to bpf maps ------------- Diffstat: Documentation/userspace-api/netlink/specs.rst | 18 +- Makefile | 4 +- .../dts/freescale/imx8mp-data-modul-edm-sbc.dts | 1 + .../arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 + .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 + arch/arm64/include/asm/module.h | 1 + arch/arm64/include/asm/module.lds.h | 1 + arch/arm64/kernel/ftrace.c | 13 +- arch/arm64/kernel/module-plts.c | 12 +- arch/arm64/kernel/module.c | 11 + arch/loongarch/kernel/signal.c | 10 +- arch/riscv/include/asm/asm.h | 2 +- arch/x86/include/asm/pgtable_64_types.h | 3 + arch/x86/mm/init_64.c | 18 + drivers/acpi/arm64/iort.c | 4 +- drivers/bluetooth/hci_vhci.c | 57 +- drivers/cpufreq/intel_pstate.c | 126 ++--- drivers/dma/mediatek/mtk-cqdma.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 146 ++--- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +- drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 - .../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 +- drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 42 +- drivers/gpu/drm/mediatek/mtk_drm_drv.h | 8 +- drivers/gpu/drm/nouveau/nvkm/engine/fifo/base.c | 2 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 23 +- drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga102.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/priv.h | 2 + drivers/hwmon/mlxreg-fan.c | 5 +- drivers/iio/chemical/pms7003.c | 5 +- drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 2 +- drivers/iio/light/opt3001.c | 5 +- drivers/iio/pressure/mprls0025pa.c | 10 +- drivers/isdn/mISDN/dsp_hwec.c | 6 +- drivers/net/ethernet/cadence/macb_main.c | 28 +- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +- drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- drivers/net/macsec.c | 8 +- drivers/net/pcs/pcs-rzn1-miic.c | 2 +- drivers/net/phy/mscc/mscc_ptp.c | 18 +- drivers/net/ppp/ppp_generic.c | 6 +- drivers/net/usb/cdc_ncm.c | 7 + drivers/net/vmxnet3/vmxnet3_drv.c | 5 +- drivers/net/wireless/ath/ath11k/core.h | 7 + drivers/net/wireless/ath/ath11k/debugfs.c | 4 +- drivers/net/wireless/ath/ath11k/debugfs_sta.c | 30 +- drivers/net/wireless/ath/ath11k/dp_rx.c | 8 +- drivers/net/wireless/ath/ath11k/dp_tx.c | 4 +- drivers/net/wireless/ath/ath11k/mac.c | 588 ++++++++++++--------- drivers/net/wireless/ath/ath11k/peer.c | 2 +- drivers/net/wireless/ath/ath11k/wmi.c | 6 +- .../wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 +- drivers/net/wireless/marvell/libertas/cfg.c | 9 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +- drivers/net/wireless/marvell/mwifiex/main.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 +- drivers/net/wireless/st/cw1200/sta.c | 2 +- drivers/pci/msi/msi.c | 3 + drivers/pcmcia/omap_cf.c | 2 + drivers/pcmcia/rsrc_iodyn.c | 3 + drivers/pcmcia/rsrc_nonstatic.c | 4 +- drivers/platform/x86/amd/pmc/pmc-quirks.c | 14 + drivers/scsi/lpfc/lpfc_nvmet.c | 10 +- drivers/soc/qcom/mdt_loader.c | 12 +- drivers/spi/spi-cadence-quadspi.c | 6 +- drivers/spi/spi-fsl-lpspi.c | 24 +- drivers/spi/spi-fsl-qspi.c | 36 +- drivers/tee/optee/ffa_abi.c | 4 +- drivers/tee/tee_shm.c | 6 +- drivers/thermal/mediatek/lvts_thermal.c | 50 +- fs/btrfs/btrfs_inode.h | 2 +- fs/btrfs/extent_io.c | 2 +- fs/btrfs/inode.c | 1 + fs/btrfs/tree-log.c | 78 ++- fs/fs-writeback.c | 9 +- fs/ocfs2/inode.c | 3 + fs/proc/generic.c | 38 +- fs/smb/client/cifs_unicode.c | 3 + include/linux/bpf-cgroup.h | 5 - include/linux/bpf.h | 60 ++- include/linux/pci.h | 2 + include/linux/pgtable.h | 16 + include/linux/vmalloc.h | 16 - include/net/netlink.h | 69 ++- include/uapi/linux/netlink.h | 5 + kernel/bpf/core.c | 50 +- kernel/bpf/syscall.c | 20 +- kernel/sched/topology.c | 2 + lib/nlattr.c | 22 + mm/slub.c | 66 ++- net/atm/resources.c | 6 +- net/ax25/ax25_in.c | 4 + net/batman-adv/network-coding.c | 7 +- net/bluetooth/hci_sync.c | 2 +- net/bluetooth/l2cap_sock.c | 3 + net/bridge/br_netfilter_hooks.c | 3 - net/dsa/tag_ksz.c | 22 +- net/ipv4/devinet.c | 7 +- net/ipv4/icmp.c | 6 +- net/ipv6/ip6_icmp.c | 6 +- net/mctp/af_mctp.c | 2 +- net/netfilter/nf_conntrack_helper.c | 4 +- net/netlink/policy.c | 14 +- net/smc/smc_clc.c | 2 - net/smc/smc_ib.c | 3 + net/wireless/scan.c | 3 +- net/wireless/sme.c | 5 +- sound/pci/hda/patch_hdmi.c | 1 + sound/pci/hda/patch_realtek.c | 5 + sound/usb/mixer_quirks.c | 2 + tools/gpio/Makefile | 4 +- tools/perf/util/bpf-event.c | 39 +- tools/power/cpupower/utils/cpupower-set.c | 4 +- tools/testing/selftests/net/bind_bhash.c | 4 +- 121 files changed, 1357 insertions(+), 838 deletions(-)

1 week, 4 days

8
7
0 0

[PATCH 6.1 000/101] 6.1.151-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.151 release. There are 101 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 10 Sep 2025 15:18:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.151-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.151-rc2 Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Check turbo_is_disabled() in store_no_turbo() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Read global.no_turbo under READ_ONCE() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Rearrange show_no_turbo() and store_no_turbo() Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Use value to check for invalid delays Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() yangshiguang <yangshiguang(a)xiaomi.com> mm: slub: avoid wake up kswapd in set_track_prepare Chengming Zhou <zhouchengming(a)bytedance.com> slub: Reflow ___slab_alloc() Vlastimil Babka <vbabka(a)suse.cz> mm, slub: refactor free debug processing zhang jiao <zhangjiao2(a)cmss.chinamobile.com> tools: gpio: remove the include directory on make clean zhangjiao <zhangjiao2(a)cmss.chinamobile.com> tools: gpio: rm .*.cmd on make clean Colin Ian King <colin.i.king(a)gmail.com> drm/amd/amdgpu: Fix missing error return on kzalloc failure Hawking Zhang <Hawking.Zhang(a)amd.com> drm/amdgpu: Replace DRM_* with dev_* in amdgpu_psp.c Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Make flashing messages quieter Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Skip TMR allocation if not required Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/amdgpu: Fix style problems in amdgpu_psp.c Tao Zhou <tao.zhou1(a)amd.com> drm/amdgpu: remove the check of init status in psp_ras_initialize Candice Li <candice.li(a)amd.com> drm/amdgpu: Optimize RAS TA initialization and TA unload funcs Michael Walle <mwalle(a)kernel.org> drm/bridge: ti-sn65dsi86: fix REFCLK setting Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Set correct chip-select polarity bit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Fix transmissions when using CONT Vadim Pasternak <vadimp(a)nvidia.com> hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM Wentao Liang <vulab(a)iscas.ac.cn> pcmcia: Add error handling for add_interval() in do_validate_mem() Chen Ni <nichen(a)iscas.ac.cn> pcmcia: omap: Add missing check for platform_get_resource Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amdgpu: Avoid extra evict-restore process." Aaron Erhardt <aer(a)tuxedocomputers.com> ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check link_res->hpo_dp_link_enc before using it Amir Goldstein <amir73il(a)gmail.com> fs: relax assertions on failure to encode file handles Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Do not update global.turbo_disabled after initialization Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Fold intel_pstate_max_within_limits() into caller Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Revise global turbo disable check Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Don't fail set_cs_timing when delays are zero Alexander Danilenko <al.b.danilenko(a)gmail.com> spi: tegra114: Remove unnecessary NULL-pointer checks Ronak Doshi <ronak.doshi(a)broadcom.com> vmxnet3: update MTU after device quiesce Jakob Unterwurzacher <jakobunt(a)gmail.com> net: dsa: microchip: linearize skb for tail-tagging switches Pieter Van Trappen <pieter.van.trappen(a)cern.ch> net: dsa: microchip: update tag_ksz masks for KSZ9477 family Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: designware: Fix an error handling path in i2c_dw_pci_probe() Luca Ceresoli <luca.ceresoli(a)bootlin.com> iio: light: opt3001: fix deadlock due to concurrent flag access David Lechner <dlechner(a)baylibre.com> iio: chemical: pms7003: use aligned_s64 for timestamp Josef Bacik <josef(a)toxicpanda.com> btrfs: adjust subpage bit start based on sectorsize Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Explicitly synchronize limits_changed flag handling Jonathan Currier <dullfire(a)yahoo.com> PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads Li Qiong <liqiong(a)nfschina.com> mm/slub: avoid accessing metadata when pointer is invalid in object_err() Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> net: pcs: rzn1-miic: Correct MODCTRL register offset Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix heap overflow in e1000_set_eeprom Makar Semyonov <m.semenov(a)tssltd.ru> cifs: prevent NULL pointer dereference in UTF16 conversion Stanislav Fort <stanislav.fort(a)aisle.com> batman-adv: fix OOB read/write in network-coding decode John Evans <evans1210144(a)gmail.com> scsi: lpfc: Fix buffer free/clear order in deferred receive path Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop hw access in non-DC audio fini Qianfeng Rong <rongqianfeng(a)vivo.com> wifi: mwifiex: Initialize the chan_stats array to zero wangzijie <wangzijie1(a)honor.com> proc: fix missing pde_set_flags() for net proc files Edward Adam Davis <eadavis(a)qq.com> ocfs2: prevent release journal inode after journal shutdown Harry Yoo <harry.yoo(a)oracle.com> mm: move page table sync declarations to linux/pgtable.h Harry Yoo <harry.yoo(a)oracle.com> x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Ma Ke <make24(a)iscas.ac.cn> pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Miaoqian Lin <linmq006(a)gmail.com> ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on some devices Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Kuniyuki Iwashima <kuniyu(a)google.com> selftest: net: Fix weird setsockopt() in bind_bhash.c. Qingfang Deng <dqfext(a)gmail.com> ppp: fix memory leak in pad_compress_skb Wang Liang <wangliang74(a)huawei.com> net: atm: fix memory leak in atm_register_sysfs when device_register fail Eric Dumazet <edumazet(a)google.com> ax25: properly unshare skbs in ax25_kiss_rcv() Alok Tiwari <alok.a.tiwari(a)oracle.com> mctp: return -ENOPROTOOPT for unknown getsockopt options Mahanta Jambigi <mjambigi(a)linux.ibm.com> net/smc: Remove validation of reserved bits in CLC Decline message Dan Carpenter <dan.carpenter(a)linaro.org> ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: decrement cleanup index before use Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: add a missing of_node_put Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: libertas: cap SSID len in lbs_associate() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cw1200: cap SSID length in cw1200_do_join() Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Zhen Ni <zhen.ni(a)easystack.cn> i40e: Fix potential invalid access when MAC list is empty Liu Jian <liujian56(a)huawei.com> net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Sean Anderson <sean.anderson(a)linux.dev> net: macb: Fix tx_ptr_lock locking Fabian Bläse <fabian(a)blaese.de> icmp: fix icmp_ndo_send address translation for reply direction Miaoqian Lin <linmq006(a)gmail.com> mISDN: Fix memory leak in dsp_hwec_enable() Alok Tiwari <alok.a.tiwari(a)oracle.com> xirc2ps_cs: fix register access when enabling FullDuplex Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Phil Sutter <phil(a)nwl.cc> netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Wang Liang <wangliang74(a)huawei.com> netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix use-after-free in cmp_bss() Marek Vasut <marek.vasut(a)mailbox.org> arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM Sungbae Yoo <sungbaey(a)nvidia.com> tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Peter Robinson <pbrobinson(a)gmail.com> arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix NULL pointer dereference in tee_shm_put Jiufei Xue <jiufei.xue(a)samsung.com> fs: writeback: fix use-after-free in __mark_inode_dirty() Yang Li <yang.li(a)amlogic.com> Bluetooth: hci_sync: Avoid adding default advertising on startup Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't warn when missing DCE encoder caps Lubomir Rintel <lkundrak(a)v3.sk> cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Filipe Manana <fdmanana(a)suse.com> btrfs: avoid load/store tearing races when checking if an inode was logged Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between setting last_dir_index_offset and inode logging Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between logging inode and checking if it was logged before Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix oob access in cgroup local storage Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move bpf map owner out of common struct Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move cgroup iterator helpers to bpf.h Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add cookie object to bpf maps ------------- Diffstat: Makefile | 4 +- .../arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 + .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 + arch/x86/include/asm/pgtable_64_types.h | 3 + arch/x86/mm/init_64.c | 18 ++ drivers/acpi/arm64/iort.c | 4 +- drivers/cpufreq/intel_pstate.c | 126 ++++------- drivers/dma/mediatek/mtk-cqdma.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 235 +++++++++++---------- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +- drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 - .../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 +- .../gpu/drm/amd/display/dc/link/link_hwss_hpo_dp.c | 7 + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 + drivers/hwmon/mlxreg-fan.c | 5 +- drivers/i2c/busses/i2c-designware-pcidrv.c | 4 +- drivers/iio/chemical/pms7003.c | 5 +- drivers/iio/light/opt3001.c | 5 +- drivers/isdn/mISDN/dsp_hwec.c | 6 +- drivers/net/ethernet/cadence/macb_main.c | 28 +-- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +- drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- drivers/net/pcs/pcs-rzn1-miic.c | 2 +- drivers/net/phy/mscc/mscc_ptp.c | 18 +- drivers/net/ppp/ppp_generic.c | 6 +- drivers/net/usb/cdc_ncm.c | 7 + drivers/net/vmxnet3/vmxnet3_drv.c | 5 +- drivers/net/wireless/marvell/libertas/cfg.c | 9 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +- drivers/net/wireless/marvell/mwifiex/main.c | 4 +- drivers/net/wireless/st/cw1200/sta.c | 2 +- drivers/pci/msi/msi.c | 3 + drivers/pcmcia/omap_cf.c | 2 + drivers/pcmcia/rsrc_iodyn.c | 3 + drivers/pcmcia/rsrc_nonstatic.c | 4 +- drivers/scsi/lpfc/lpfc_nvmet.c | 10 +- drivers/spi/spi-fsl-lpspi.c | 15 +- drivers/spi/spi-tegra114.c | 18 +- drivers/tee/optee/ffa_abi.c | 4 +- drivers/tee/tee_shm.c | 6 +- fs/btrfs/btrfs_inode.h | 2 +- fs/btrfs/extent_io.c | 2 +- fs/btrfs/inode.c | 1 + fs/btrfs/tree-log.c | 78 ++++--- fs/fs-writeback.c | 9 +- fs/notify/fdinfo.c | 4 +- fs/ocfs2/inode.c | 3 + fs/overlayfs/copy_up.c | 5 +- fs/proc/generic.c | 38 ++-- fs/smb/client/cifs_unicode.c | 3 + include/linux/bpf-cgroup.h | 5 - include/linux/bpf.h | 60 ++++-- include/linux/pci.h | 2 + include/linux/pgtable.h | 16 ++ include/linux/vmalloc.h | 16 -- kernel/bpf/core.c | 50 +++-- kernel/bpf/syscall.c | 19 +- kernel/sched/cpufreq_schedutil.c | 28 ++- mm/slub.c | 216 ++++++++++--------- net/atm/resources.c | 6 +- net/ax25/ax25_in.c | 4 + net/batman-adv/network-coding.c | 7 +- net/bluetooth/hci_sync.c | 2 +- net/bluetooth/l2cap_sock.c | 3 + net/bridge/br_netfilter_hooks.c | 3 - net/dsa/tag_ksz.c | 22 +- net/ipv4/devinet.c | 7 +- net/ipv4/icmp.c | 6 +- net/ipv6/ip6_icmp.c | 6 +- net/mctp/af_mctp.c | 2 +- net/netfilter/nf_conntrack_helper.c | 4 +- net/smc/smc_clc.c | 2 - net/smc/smc_ib.c | 3 + net/wireless/scan.c | 3 +- net/wireless/sme.c | 5 +- sound/pci/hda/patch_hdmi.c | 1 + sound/pci/hda/patch_realtek.c | 5 + sound/usb/mixer_quirks.c | 2 + tools/gpio/Makefile | 4 +- tools/testing/selftests/net/bind_bhash.c | 4 +- 86 files changed, 774 insertions(+), 560 deletions(-)

1 week, 4 days

8
7
0 0

Linux 6.16.6

by Greg Kroah-Hartman

I'm announcing the release of the 6.16.6 kernel. All users of the 6.16 kernel series must upgrade. The updated 6.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.16.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/microchip/at91-sama7d65_curiosity.dts | 2 arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts | 1 arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mp-ras314.dts | 13 - arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts | 13 - arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 22 + arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 arch/arm64/boot/dts/rockchip/rk3582-radxa-e52c.dts | 1 arch/arm64/boot/dts/rockchip/rk3588-orangepi-5-plus.dts | 2 arch/arm64/boot/dts/rockchip/rk3588-orangepi-5.dtsi | 2 arch/arm64/include/asm/module.h | 1 arch/arm64/include/asm/module.lds.h | 1 arch/arm64/kernel/ftrace.c | 13 - arch/arm64/kernel/module-plts.c | 12 arch/arm64/kernel/module.c | 11 arch/loongarch/kernel/signal.c | 10 arch/loongarch/kernel/time.c | 22 + arch/riscv/Kconfig | 2 arch/riscv/include/asm/asm.h | 2 arch/riscv/include/asm/uaccess.h | 8 arch/riscv/kernel/entry.S | 2 arch/riscv/kernel/kexec_elf.c | 4 arch/riscv/kernel/kexec_image.c | 2 arch/riscv/kernel/machine_kexec_file.c | 2 arch/riscv/net/bpf_jit_comp64.c | 4 arch/x86/include/asm/pgtable_64_types.h | 3 arch/x86/mm/init_64.c | 18 + drivers/accel/ivpu/ivpu_drv.c | 2 drivers/accel/ivpu/ivpu_pm.c | 4 drivers/accel/ivpu/ivpu_pm.h | 2 drivers/acpi/arm64/iort.c | 4 drivers/acpi/riscv/cppc.c | 4 drivers/bluetooth/hci_vhci.c | 57 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 5 drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c | 6 drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c | 9 drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.h | 2 drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c | 1 drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c | 72 +++++ drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.h | 2 drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_init.c | 1 drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h | 3 drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 drivers/gpu/drm/display/drm_dp_helper.c | 2 drivers/gpu/drm/nouveau/gv100_fence.c | 7 drivers/gpu/drm/nouveau/include/nvhw/class/clc36f.h | 85 ++++++ drivers/gpu/drm/nouveau/nvkm/engine/fifo/base.c | 2 drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 23 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga102.c | 1 drivers/gpu/drm/nouveau/nvkm/engine/fifo/priv.h | 2 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/fifo.c | 1 drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 9 drivers/gpu/drm/xe/xe_bo.c | 3 drivers/hwmon/ina238.c | 9 drivers/hwmon/mlxreg-fan.c | 5 drivers/isdn/mISDN/dsp_hwec.c | 6 drivers/md/md.c | 5 drivers/md/raid1.c | 2 drivers/net/dsa/mv88e6xxx/leds.c | 17 + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 drivers/net/ethernet/cadence/macb_main.c | 28 +- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 - drivers/net/ethernet/intel/e1000e/ethtool.c | 10 drivers/net/ethernet/intel/i40e/i40e_client.c | 4 drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 123 +--------- drivers/net/ethernet/intel/ice/ice_main.c | 12 drivers/net/ethernet/intel/ice/ice_ptp.c | 13 - drivers/net/ethernet/intel/idpf/idpf_lib.c | 9 drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 12 drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 4 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 drivers/net/ethernet/mellanox/mlx4/en_rx.c | 4 drivers/net/ethernet/microchip/lan865x/lan865x.c | 7 drivers/net/ethernet/oa_tc6.c | 3 drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 drivers/net/macsec.c | 8 drivers/net/mctp/mctp-usb.c | 1 drivers/net/pcs/pcs-rzn1-miic.c | 2 drivers/net/phy/mscc/mscc_ptp.c | 18 - drivers/net/ppp/ppp_generic.c | 6 drivers/net/usb/cdc_ncm.c | 7 drivers/net/vxlan/vxlan_core.c | 18 - drivers/net/vxlan/vxlan_private.h | 4 drivers/net/wireless/ath/ath11k/core.h | 2 drivers/net/wireless/ath/ath11k/mac.c | 111 ++++++++- drivers/net/wireless/ath/ath12k/wmi.c | 1 drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 25 +- drivers/net/wireless/intel/iwlwifi/fw/runtime.h | 8 drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 6 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 22 + drivers/net/wireless/marvell/libertas/cfg.c | 9 drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 drivers/net/wireless/marvell/mwifiex/main.c | 4 drivers/net/wireless/mediatek/mt76/mac80211.c | 41 +++ drivers/net/wireless/mediatek/mt76/mt76.h | 1 drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 12 drivers/net/wireless/mediatek/mt76/mt7921/main.c | 5 drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 2 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 7 drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 12 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 56 ++-- drivers/net/wireless/mediatek/mt76/mt7996/main.c | 5 drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 15 - drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 1 drivers/net/wireless/mediatek/mt76/tx.c | 12 drivers/net/wireless/st/cw1200/sta.c | 2 drivers/of/of_numa.c | 5 drivers/pcmcia/omap_cf.c | 2 drivers/pcmcia/rsrc_iodyn.c | 3 drivers/pcmcia/rsrc_nonstatic.c | 4 drivers/platform/x86/acer-wmi.c | 71 ----- drivers/platform/x86/amd/pmc/pmc-quirks.c | 68 +++-- drivers/platform/x86/amd/pmc/pmc.c | 13 - drivers/platform/x86/asus-nb-wmi.c | 2 drivers/platform/x86/asus-wmi.c | 9 drivers/platform/x86/intel/tpmi_power_domains.c | 2 drivers/ptp/ptp_ocp.c | 3 drivers/scsi/lpfc/lpfc_nvmet.c | 10 drivers/scsi/sr.c | 16 - drivers/soc/qcom/mdt_loader.c | 12 drivers/spi/spi-fsl-lpspi.c | 24 + drivers/spi/spi-microchip-core-qspi.c | 12 drivers/spi/spi-qpic-snand.c | 6 drivers/tee/optee/ffa_abi.c | 4 drivers/tee/tee_shm.c | 14 - fs/btrfs/btrfs_inode.h | 2 fs/btrfs/extent_io.c | 17 + fs/btrfs/inode.c | 1 fs/btrfs/tree-log.c | 78 ++++-- fs/btrfs/zoned.c | 55 ++-- fs/fs-writeback.c | 9 fs/ocfs2/inode.c | 3 fs/proc/generic.c | 38 +-- fs/smb/client/cifs_unicode.c | 3 include/linux/cpuhotplug.h | 1 include/linux/pgalloc.h | 29 ++ include/linux/pgtable.h | 25 +- include/linux/vmalloc.h | 16 - include/net/sock.h | 17 - include/uapi/linux/netfilter/nf_tables.h | 2 kernel/auditfilter.c | 2 kernel/sched/topology.c | 2 mm/kasan/init.c | 12 mm/kasan/kasan_test_c.c | 2 mm/kmemleak.c | 27 +- mm/percpu.c | 6 mm/slub.c | 37 ++- mm/sparse-vmemmap.c | 11 mm/sparse.c | 15 - mm/userfaultfd.c | 9 net/appletalk/atalk_proc.c | 2 net/atm/resources.c | 6 net/ax25/ax25_in.c | 4 net/batman-adv/network-coding.c | 7 net/bluetooth/af_bluetooth.c | 2 net/bluetooth/hci_sync.c | 2 net/bluetooth/l2cap_sock.c | 3 net/bridge/br_netfilter_hooks.c | 3 net/core/gen_estimator.c | 2 net/core/sock.c | 33 -- net/ipv4/devinet.c | 7 net/ipv4/icmp.c | 6 net/ipv4/inet_connection_sock.c | 27 -- net/ipv4/inet_diag.c | 2 net/ipv4/inet_hashtables.c | 4 net/ipv4/ping.c | 2 net/ipv4/raw.c | 2 net/ipv4/tcp_ipv4.c | 8 net/ipv4/udp.c | 16 - net/ipv6/datagram.c | 2 net/ipv6/ip6_icmp.c | 6 net/ipv6/tcp_ipv6.c | 36 +- net/key/af_key.c | 2 net/llc/llc_proc.c | 2 net/mac80211/mlme.c | 8 net/mac80211/tests/chan-mode.c | 30 ++ net/mctp/af_mctp.c | 2 net/mctp/route.c | 35 +- net/mptcp/protocol.c | 1 net/netfilter/nf_conntrack_helper.c | 4 net/netfilter/nf_tables_api.c | 42 ++- net/netlink/diag.c | 2 net/packet/af_packet.c | 2 net/packet/diag.c | 2 net/phonet/socket.c | 4 net/sctp/input.c | 2 net/sctp/proc.c | 4 net/sctp/socket.c | 4 net/smc/smc_clc.c | 2 net/smc/smc_diag.c | 2 net/smc/smc_ib.c | 3 net/tipc/socket.c | 2 net/unix/af_unix.c | 2 net/unix/diag.c | 2 net/wireless/scan.c | 3 net/wireless/sme.c | 5 net/xdp/xsk_diag.c | 2 rust/kernel/mm/virt.rs | 1 scripts/Makefile.kasan | 12 scripts/generate_rust_target.rs | 12 sound/pci/hda/patch_hdmi.c | 1 sound/pci/hda/patch_realtek.c | 2 sound/pci/hda/tas2781_hda_i2c.c | 5 sound/soc/renesas/rcar/core.c | 2 sound/soc/soc-core.c | 5 sound/soc/sof/intel/ptl.c | 1 sound/usb/format.c | 12 sound/usb/mixer_quirks.c | 2 tools/gpio/Makefile | 2 tools/net/ynl/pyynl/ynl_gen_c.py | 2 tools/perf/util/bpf-event.c | 39 ++- tools/perf/util/bpf-utils.c | 61 +++- tools/power/cpupower/utils/cpupower-set.c | 4 tools/testing/selftests/drivers/net/hw/csum.py | 4 tools/testing/selftests/net/bind_bhash.c | 4 tools/testing/selftests/net/netfilter/conntrack_clash.sh | 2 tools/testing/selftests/net/netfilter/conntrack_resize.sh | 5 tools/testing/selftests/net/netfilter/nft_flowtable.sh | 113 ++++++--- tools/testing/selftests/net/netfilter/udpclash.c | 2 229 files changed, 1706 insertions(+), 917 deletions(-) Aaron Erhardt (1): ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Abin Joseph (1): net: xilinx: axienet: Add error handling for RX metadata pointer retrieval Ada Couprie Diaz (1): kasan: fix GCC mem-intrinsic prefix with sw tags Ajye Huang (1): ASoC: SOF: Intel: WCL: Add the sdw_process_wakeen op Alex Deucher (2): drm/amdgpu: drop hw access in non-DC audio fini drm/amdgpu/mes11: make MES_MISC_OP_CHANGE_CONFIG failure non-fatal Alexandre Ghiti (2): riscv: Fix sparse warning in __get_user_error() riscv: Fix sparse warning about different address spaces Alok Tiwari (4): xirc2ps_cs: fix register access when enabling FullDuplex bnxt_en: fix incorrect page count in RX aggr ring log ixgbe: fix incorrect map used in eee linkmode mctp: return -ENOPROTOOPT for unknown getsockopt options Antheas Kapenekakis (1): platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk Anup Patel (1): ACPI: RISC-V: Fix FFH_CPPC_CSR error handling Armin Wolf (1): platform/x86: acer-wmi: Stop using ACPI bitmap for platform profile choices Asbjørn Sloth Tønnesen (1): tools: ynl-gen: fix nested array counting Aurelien Jarno (1): riscv: uaccess: fix __put_user_nocheck for unaligned accesses Baptiste Lepers (1): rust: mm: mark VmaNew as transparent Benjamin Berg (1): wifi: mac80211: do not permit 40 MHz EHT operation on 5/6 GHz Bjorn Andersson (1): soc: qcom: mdt_loader: Deal with zero e_shentsize Breno Leitao (1): riscv: kexec: Initialize kexec_buf struct Chad Monroe (1): wifi: mt76: mt7996: use the correct vif link for scanning/roc Chen Ni (1): pcmcia: omap: Add missing check for platform_get_resource Chen-Yu Tsai (1): arm64: dts: rockchip: Add supplies for eMMC on rk3588-orangepi-5 Chris Packham (1): hwmon: (ina238) Correctly clamp temperature Christian Loehle (1): sched: Fix sched_numa_find_nth_cpu() if mask offline Christoffer Sandberg (1): platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list Christoph Paasch (1): net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 Chukun Pan (1): arm64: dts: rockchip: mark eeprom as read-only for Radxa E52C Colin Ian King (1): drm/amd/amdgpu: Fix missing error return on kzalloc failure Conor Dooley (1): spi: microchip-core-qspi: stop checking viability of op->max_freq in supports_op callback Cryolitia PukNgae (1): ALSA: usb-audio: Add mute TLV for playback volumes on some devices Dan Carpenter (4): wifi: cw1200: cap SSID length in cw1200_do_join() wifi: libertas: cap SSID len in lbs_associate() wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Dave Airlie (1): nouveau: fix disabling the nonstall irq due to storm code David Arcari (1): platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID Dmitry Antipov (1): wifi: cfg80211: fix use-after-free in cmp_bss() Duoming Zhou (2): wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog Edward Adam Davis (1): ocfs2: prevent release journal inode after journal shutdown Emil Tantilov (1): idpf: set mac type when adding and removing MAC filters Emmanuel Grumbach (1): wifi: iwlwifi: if scratch is ~0U, consider it a failure Eric Dumazet (4): net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y net: remove sock_i_uid() net: lockless sock_i_ino() ax25: properly unshare skbs in ax25_kiss_rcv() Fabian Bläse (1): icmp: fix icmp_ndo_send address translation for reply direction Faith Ekstrand (1): nouveau: Membar before between semaphore writes and the interrupt Felix Fietkau (7): wifi: mt76: prevent non-offchannel mgmt tx during scan/roc wifi: mt76: mt7996: disable beacons when going offchannel wifi: mt76: mt7996: add missing check for rx wcid entries wifi: mt76: mt7915: fix list corruption after hardware restart wifi: mt76: free pending offchannel tx frames on wcid cleanup wifi: mt76: fix linked list corruption net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Filipe Manana (3): btrfs: fix race between logging inode and checking if it was logged before btrfs: fix race between setting last_dir_index_offset and inode logging btrfs: avoid load/store tearing races when checking if an inode was logged Florian Westphal (2): netfilter: nft_flowtable.sh: re-run with random mtu sizes selftests: netfilter: fix udpclash tool hang Gabor Juhos (1): spi: spi-qpic-snand: unregister ECC engine on probe error and device remove Gergo Koteles (2): ALSA: hda: tas2781: fix tas2563 EFI data endianness ALSA: hda: tas2781: reorder tas2563 calibration variables Greg Kroah-Hartman (1): Linux 6.16.6 Gu Bowen (1): mm: fix possible deadlock in kmemleak Guenter Roeck (2): hwmon: (ina238) Correctly clamp shunt voltage limit hwmon: (ina238) Correctly clamp power limits Harry Yoo (3): x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() mm: move page table sync declarations to linux/pgtable.h mm: introduce and use {pgd,p4d}_populate_kernel() Harshit Mogalapalli (1): wifi: mt76: mt7925: fix locking in mt7925_change_vif_links() Horatiu Vultur (1): phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Huacai Chen (1): LoongArch: Save LBT before FPU in setup_sigcontext() Ian Rogers (3): perf bpf-event: Fix use-after-free in synthesis perf bpf-utils: Constify bpil_array_desc perf bpf-utils: Harden get_bpf_prog_info_linear Ido Schimmel (2): vxlan: Fix NPD when refreshing an FDB entry with a nexthop object vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects Imre Deak (1): drm/dp: Change AUX DPCD probe address from LANE0_1_STATUS to TRAINING_PATTERN_SET Ivan Lipski (1): drm/amd/display: Clear the CUR_ENABLE register on DCN314 w/out DPP PG Ivan Pravdin (1): Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Jacob Keller (3): ice: fix NULL access of tx->in_use in ice_ptp_ts_irq ice: fix NULL access of tx->in_use in ice_ll_ts_intr i40e: remove read access to debugfs files Jakub Kicinski (1): selftests: drv-net: csum: fix interface name for remote host Janusz Dziedzic (1): wifi: mt76: mt7921: don't disconnect when CSA to DFS chan Jeremy Kerr (2): net: mctp: mctp_fraq_queue should take ownership of passed skb net: mctp: usb: initialise mac header in RX path Jesse.Zhang (1): drm/amdgpu/sdma: bump firmware version checks for user queue support Jiufei Xue (1): fs: writeback: fix use-after-free in __mark_inode_dirty() Johannes Berg (4): wifi: iwlwifi: acpi: check DSM func validity wifi: iwlwifi: uefi: check DSM item validity wifi: iwlwifi: cfg: restore some 1000 series configs wifi: iwlwifi: cfg: add back more lost PCI IDs Johannes Thumshirn (1): btrfs: zoned: skip ZONE FINISH of conventional zones John Evans (1): scsi: lpfc: Fix buffer free/clear order in deferred receive path Joonas Lahtinen (1): Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1" Karol Wachowski (1): accel/ivpu: Prevent recovery work from being queued during device removal Kuninori Morimoto (2): ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked() ASoC: rsnd: tidyup direction name on rsnd_dai_connect() Kuniyuki Iwashima (2): Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() selftest: net: Fix weird setsockopt() in bind_bhash.c. Lad Prabhakar (1): net: pcs: rzn1-miic: Correct MODCTRL register offset Larisa Grigore (4): spi: spi-fsl-lpspi: Fix transmissions when using CONT spi: spi-fsl-lpspi: Set correct chip-select polarity bit spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort spi: spi-fsl-lpspi: Clear status register after disabling the module Li Nan (1): md: prevent incorrect update of resync/recovery offset Li Qiong (1): mm/slub: avoid accessing metadata when pointer is invalid in object_err() Liu Jian (1): net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Lubomir Rintel (1): cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Ma Ke (1): pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Mahanta Jambigi (1): net/smc: Remove validation of reserved bits in CLC Decline message Makar Semyonov (1): cifs: prevent NULL pointer dereference in UTF16 conversion Marek Vasut (2): arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul i.MX8M Plus eDM SBC Mario Limonciello (1): platform/x86/amd: pmc: Drop SMU F/W match for Cezanne Markus Niebel (1): arm64: dts: imx8mp-tqma8mpql: fix LDO5 power off Maud Spierings (1): arm64: dts: rockchip: Fix the headphone detection on the orangepi 5 plus Miaoqian Lin (4): mISDN: Fix memory leak in dsp_hwec_enable() eth: mlx4: Fix IS_ERR() vs NULL check bug in mlx4_en_create_rx_ring ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() net: dsa: mv88e6xxx: Fix fwnode reference leaks in mv88e6xxx_port_setup_leds Michael Walle (1): drm/bridge: ti-sn65dsi86: fix REFCLK setting Miguel Ojeda (1): rust: support Rust >= 1.91.0 target spec Ming Lei (1): scsi: sr: Reinstate rotational media flag Ming Yen Hsieh (3): wifi: mt76: mt7925u: use connac3 tx aggr check in tx complete wifi: mt76: mt7925: fix the wrong bss cleanup for SAP wifi: mt76: mt7925: skip EHT MLD TLV on non-MLD and pass conn_state for sta_cmd Nathan Chancellor (2): wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() riscv: Only allow LTO with CMODEL_MEDANY Nishanth Menon (1): net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev Pei Xiao (2): tee: fix NULL pointer dereference in tee_shm_put tee: fix memory leak in tee_dyn_shm_alloc_helper Peter Robinson (1): arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Phil Sutter (2): netfilter: conntrack: helper: Replace -EEXIST by -EBUSY netfilter: nf_tables: Introduce NFTA_DEVICE_PREFIX Piotr Zalewski (1): drm/rockchip: vop2: make vp registers nonvolatile Qianfeng Rong (1): wifi: mwifiex: Initialize the chan_stats array to zero Qingfang Deng (1): ppp: fix memory leak in pad_compress_skb Qu Wenruo (1): btrfs: clear block dirty if submit_one_sector() failed Radim Krčmář (4): riscv: use lw when reading int cpu in new_vmalloc_check riscv: use lw when reading int cpu in asm_per_cpu riscv, bpf: use lw when reading int cpu in BPF_MOV64_PERCPU_REG riscv, bpf: use lw when reading int cpu in bpf_get_smp_processor_id Rameshkumar Sundaram (1): wifi: ath11k: fix group data packet drops during rekey Ramya Gnanasekar (1): wifi: ath12k: Set EMLSR support flag in MLO flags for EML-capable stations Rosen Penev (2): net: thunder_bgx: add a missing of_node_put net: thunder_bgx: decrement cleanup index before use Ryan Wanner (1): ARM: dts: microchip: sama7d65: Force SDMMC Legacy mode Sabrina Dubroca (1): macsec: read MACSEC_SA_ATTR_PN with nla_get_uint Sasha Levin (1): mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE Sean Anderson (1): net: macb: Fix tx_ptr_lock locking Shinji Nomoto (1): cpupower: Fix a bug where the -t option of the set subcommand was not working. Stanislav Fort (2): audit: fix out-of-bounds read in audit_compare_dname_path() batman-adv: fix OOB read/write in network-coding decode Stefan Wahren (3): net: ethernet: oa_tc6: Handle failure of spi_setup microchip: lan865x: Fix module autoloading microchip: lan865x: Fix LAN8651 autoloading Sumanth Korikkar (1): mm: fix accounting of memmap pages Sungbae Yoo (1): tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Takashi Iwai (2): ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model platform/x86: asus-wmi: Fix racy registrations Thomas Hellström (1): drm/xe: Fix incorrect migration of backed-up object to VRAM Timur Kristóf (1): drm/amd/display: Don't warn when missing DCE encoder caps Tina Wuest (1): ALSA: usb-audio: Allow Focusrite devices to use low samplerates Vadim Pasternak (1): hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM Ville Syrjälä (1): drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1 Vitaly Lifshits (1): e1000e: fix heap overflow in e1000_set_eeprom Wang Liang (2): netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm net: atm: fix memory leak in atm_register_sysfs when device_register fail Wentao Liang (1): pcmcia: Add error handling for add_interval() in do_validate_mem() Xianglai Li (1): LoongArch: Add cpuhotplug hooks to fix high cpu usage of vCPU threads Yang Li (1): Bluetooth: hci_sync: Avoid adding default advertising on startup Yeoreum Yun (1): kunit: kasan_test: disable fortify string checker on kasan_strings() test Yin Tirui (1): of_numa: fix uninitialized memory nodes causing kernel panic Yu Kuai (1): md/raid1: fix data lost for writemostly rdev Zhen Ni (1): i40e: Fix potential invalid access when MAC list is empty panfan (1): arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE wangzijie (1): proc: fix missing pde_set_flags() for net proc files yangshiguang (1): mm: slub: avoid wake up kswapd in set_track_prepare zhang jiao (1): tools: gpio: remove the include directory on make clean

1 week, 4 days

1
1
0 0

Linux 6.12.46

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.46 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts | 1 arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mp-ras314.dts | 13 arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql-mba8mpxl.dts | 13 arch/arm64/boot/dts/freescale/imx8mp-tqma8mpql.dtsi | 22 + arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 arch/arm64/include/asm/module.h | 1 arch/arm64/include/asm/module.lds.h | 1 arch/arm64/kernel/ftrace.c | 13 arch/arm64/kernel/module-plts.c | 12 arch/arm64/kernel/module.c | 11 arch/loongarch/kernel/signal.c | 10 arch/loongarch/vdso/Makefile | 3 arch/riscv/Kconfig | 2 arch/riscv/include/asm/asm.h | 2 arch/riscv/kernel/entry.S | 2 arch/riscv/net/bpf_jit_comp64.c | 4 arch/x86/include/asm/pgtable_64_types.h | 3 arch/x86/mm/init_64.c | 18 + block/blk-integrity.c | 4 block/blk-settings.c | 24 + block/blk-zoned.c | 7 drivers/accel/ivpu/ivpu_drv.c | 2 drivers/accel/ivpu/ivpu_pm.c | 4 drivers/accel/ivpu/ivpu_pm.h | 2 drivers/acpi/arm64/iort.c | 4 drivers/acpi/riscv/cppc.c | 4 drivers/block/virtio_blk.c | 4 drivers/bluetooth/hci_vhci.c | 57 ++-- drivers/dma/mediatek/mtk-cqdma.c | 10 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.c | 9 drivers/gpu/drm/amd/display/dc/dpp/dcn10/dcn10_dpp.h | 2 drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c | 1 drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.c | 72 +++++ drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_hwseq.h | 2 drivers/gpu/drm/amd/display/dc/hwss/dcn314/dcn314_init.c | 1 drivers/gpu/drm/amd/display/dc/inc/hw/dpp.h | 3 drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 drivers/gpu/drm/nouveau/nvkm/engine/fifo/base.c | 2 drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 23 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga102.c | 1 drivers/gpu/drm/nouveau/nvkm/engine/fifo/priv.h | 2 drivers/gpu/drm/nouveau/nvkm/engine/fifo/r535.c | 1 drivers/hid/hid-core.c | 74 ++--- drivers/hid/hid-logitech-hidpp.c | 6 drivers/hwmon/mlxreg-fan.c | 5 drivers/isdn/mISDN/dsp_hwec.c | 6 drivers/md/md-bitmap.c | 6 drivers/md/md.c | 5 drivers/md/raid1-10.c | 10 drivers/md/raid1.c | 28 - drivers/md/raid10.c | 20 - drivers/mmc/host/sdhci-of-arasan.c | 51 +++ drivers/net/dsa/b53/b53_common.c | 16 - drivers/net/dsa/b53/b53_priv.h | 1 drivers/net/dsa/bcm_sf2.c | 1 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 drivers/net/ethernet/cadence/macb_main.c | 28 + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 - drivers/net/ethernet/intel/e1000e/ethtool.c | 10 drivers/net/ethernet/intel/i40e/i40e_client.c | 4 drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 123 +------- drivers/net/ethernet/intel/ice/ice_main.c | 12 drivers/net/ethernet/intel/idpf/idpf_lib.c | 9 drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 12 drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 4 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 drivers/net/ethernet/microchip/lan865x/lan865x.c | 7 drivers/net/ethernet/oa_tc6.c | 3 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 drivers/net/ipvlan/ipvlan_l3s.c | 1 drivers/net/macsec.c | 8 drivers/net/pcs/pcs-rzn1-miic.c | 2 drivers/net/phy/mscc/mscc_ptp.c | 18 - drivers/net/ppp/ppp_generic.c | 6 drivers/net/usb/cdc_ncm.c | 7 drivers/net/usb/qmi_wwan.c | 5 drivers/net/vxlan/vxlan_core.c | 122 +++++--- drivers/net/vxlan/vxlan_mdb.c | 2 drivers/net/vxlan/vxlan_private.h | 4 drivers/net/wireless/ath/ath11k/core.c | 1 drivers/net/wireless/ath/ath11k/core.h | 7 drivers/net/wireless/ath/ath11k/mac.c | 125 ++++++++ drivers/net/wireless/ath/ath11k/reg.c | 107 +++++-- drivers/net/wireless/ath/ath11k/reg.h | 3 drivers/net/wireless/ath/ath11k/wmi.h | 1 drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 6 drivers/net/wireless/marvell/libertas/cfg.c | 9 drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 drivers/net/wireless/marvell/mwifiex/main.c | 4 drivers/net/wireless/mediatek/mt76/mac80211.c | 4 drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 2 drivers/net/wireless/mediatek/mt76/mt7925/main.c | 7 drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 drivers/net/wireless/mediatek/mt76/tx.c | 12 drivers/net/wireless/st/cw1200/sta.c | 2 drivers/of/of_numa.c | 5 drivers/pcmcia/omap_cf.c | 2 drivers/pcmcia/rsrc_iodyn.c | 3 drivers/pcmcia/rsrc_nonstatic.c | 4 drivers/platform/x86/amd/pmc/pmc-quirks.c | 14 drivers/platform/x86/asus-nb-wmi.c | 2 drivers/platform/x86/intel/tpmi_power_domains.c | 2 drivers/scsi/lpfc/lpfc_nvmet.c | 10 drivers/scsi/sd.c | 17 - drivers/scsi/sr.c | 19 - drivers/soc/qcom/mdt_loader.c | 12 drivers/spi/spi-fsl-lpspi.c | 24 - drivers/tee/optee/ffa_abi.c | 4 drivers/tee/tee_shm.c | 14 drivers/thermal/mediatek/lvts_thermal.c | 50 ++- fs/btrfs/btrfs_inode.h | 2 fs/btrfs/inode.c | 1 fs/btrfs/tree-log.c | 78 +++-- fs/btrfs/zoned.c | 55 ++- fs/ext4/ext4.h | 3 fs/ext4/ext4_jbd2.h | 29 ++ fs/ext4/super.c | 32 -- fs/fs-writeback.c | 9 fs/namespace.c | 18 - fs/ocfs2/inode.c | 3 fs/proc/generic.c | 38 +- fs/smb/client/cifs_unicode.c | 3 include/linux/blkdev.h | 2 include/linux/bpf-cgroup.h | 5 include/linux/bpf.h | 60 ++-- include/linux/hid.h | 1 include/linux/io_uring_types.h | 12 include/linux/pgtable.h | 16 + include/linux/skbuff.h | 8 include/linux/vmalloc.h | 16 - include/net/dropreason-core.h | 40 ++ include/net/dsa.h | 2 include/net/ip_tunnels.h | 10 io_uring/msg_ring.c | 4 kernel/bpf/core.c | 50 ++- kernel/bpf/syscall.c | 19 - kernel/sched/topology.c | 2 mm/kasan/kasan_test_c.c | 1 mm/kmemleak.c | 27 + mm/slub.c | 142 ++++++---- mm/sparse-vmemmap.c | 5 mm/sparse.c | 15 - mm/userfaultfd.c | 9 net/atm/resources.c | 6 net/ax25/ax25_in.c | 4 net/batman-adv/network-coding.c | 7 net/bluetooth/hci_sync.c | 2 net/bluetooth/l2cap_sock.c | 3 net/bridge/br_netfilter_hooks.c | 3 net/core/gen_estimator.c | 2 net/dsa/port.c | 16 + net/dsa/user.c | 8 net/ipv4/devinet.c | 7 net/ipv4/icmp.c | 6 net/ipv6/ip6_icmp.c | 6 net/ipv6/tcp_ipv6.c | 32 +- net/mctp/af_mctp.c | 2 net/mctp/route.c | 35 +- net/netfilter/nf_conntrack_helper.c | 4 net/smc/smc_clc.c | 2 net/smc/smc_ib.c | 3 net/wireless/scan.c | 3 net/wireless/sme.c | 5 scripts/Makefile.kasan | 12 scripts/generate_rust_target.rs | 12 sound/pci/hda/patch_hdmi.c | 1 sound/pci/hda/patch_realtek.c | 2 sound/usb/mixer_quirks.c | 2 tools/gpio/Makefile | 2 tools/perf/util/bpf-event.c | 39 +- tools/perf/util/bpf-utils.c | 61 ++-- tools/power/cpupower/utils/cpupower-set.c | 4 tools/testing/selftests/drivers/net/hw/csum.py | 4 tools/testing/selftests/net/bind_bhash.c | 4 tools/testing/selftests/net/netfilter/nft_flowtable.sh | 113 +++++-- 186 files changed, 1778 insertions(+), 921 deletions(-) Aaron Erhardt (1): ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Abin Joseph (1): net: xilinx: axienet: Add error handling for RX metadata pointer retrieval Ada Couprie Diaz (1): kasan: fix GCC mem-intrinsic prefix with sw tags Al Viro (1): fs/fhandle.c: fix a race in call of has_locked_children() Alan Stern (1): HID: core: Harden s32ton() against conversion to 0 bits Alex Deucher (2): drm/amdgpu: drop hw access in non-DC audio fini Revert "drm/amdgpu: Avoid extra evict-restore process." Alok Tiwari (4): xirc2ps_cs: fix register access when enabling FullDuplex bnxt_en: fix incorrect page count in RX aggr ring log ixgbe: fix incorrect map used in eee linkmode mctp: return -ENOPROTOOPT for unknown getsockopt options Antheas Kapenekakis (1): platform/x86: asus-wmi: Remove extra keys from ignore_key_wlan quirk Anup Patel (1): ACPI: RISC-V: Fix FFH_CPPC_CSR error handling Bjorn Andersson (1): soc: qcom: mdt_loader: Deal with zero e_shentsize Chen Ni (1): pcmcia: omap: Add missing check for platform_get_resource Christian Loehle (1): sched: Fix sched_numa_find_nth_cpu() if mask offline Christoffer Sandberg (1): platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list Christoph Hellwig (1): block: add a queue_limits_commit_update_frozen helper Christoph Paasch (1): net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6 Colin Ian King (1): drm/amd/amdgpu: Fix missing error return on kzalloc failure Cryolitia PukNgae (1): ALSA: usb-audio: Add mute TLV for playback volumes on some devices Dan Carpenter (4): wifi: cw1200: cap SSID length in cw1200_do_join() wifi: libertas: cap SSID len in lbs_associate() wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Daniel Borkmann (4): bpf: Add cookie object to bpf maps bpf: Move bpf map owner out of common struct bpf: Move cgroup iterator helpers to bpf.h bpf: Fix oob access in cgroup local storage Dave Airlie (1): nouveau: fix disabling the nonstall irq due to storm code David Arcari (1): platform/x86/intel: power-domains: Use topology_logical_package_id() for package ID Dmitry Antipov (1): wifi: cfg80211: fix use-after-free in cmp_bss() Dmitry Torokhov (2): HID: simplify snto32() HID: stop exporting hid_snto32() Duoming Zhou (1): wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work Edward Adam Davis (1): ocfs2: prevent release journal inode after journal shutdown Emil Tantilov (1): idpf: set mac type when adding and removing MAC filters Eric Dumazet (2): net_sched: gen_estimator: fix est_timer() vs CONFIG_PREEMPT_RT=y ax25: properly unshare skbs in ax25_kiss_rcv() Fabian Bläse (1): icmp: fix icmp_ndo_send address translation for reply direction Fabio Porcedda (3): net: usb: qmi_wwan: fix Telit Cinterion FN990A name net: usb: qmi_wwan: fix Telit Cinterion FE990A name net: usb: qmi_wwan: add Telit Cinterion FN990A w/audio composition Felix Fietkau (4): wifi: mt76: prevent non-offchannel mgmt tx during scan/roc wifi: mt76: free pending offchannel tx frames on wcid cleanup wifi: mt76: fix linked list corruption net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Filipe Manana (3): btrfs: fix race between logging inode and checking if it was logged before btrfs: fix race between setting last_dir_index_offset and inode logging btrfs: avoid load/store tearing races when checking if an inode was logged Florian Westphal (1): netfilter: nft_flowtable.sh: re-run with random mtu sizes Greg Kroah-Hartman (1): Linux 6.12.46 Gu Bowen (1): mm: fix possible deadlock in kmemleak Harry Yoo (2): x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() mm: move page table sync declarations to linux/pgtable.h Harshit Mogalapalli (1): wifi: mt76: mt7925: fix locking in mt7925_change_vif_links() Horatiu Vultur (1): phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Huacai Chen (1): LoongArch: Save LBT before FPU in setup_sigcontext() Hyesoo Yu (2): mm: slub: Print the broken data before restoring them mm: slub: call WARN() when detecting a slab corruption Ian Rogers (3): perf bpf-event: Fix use-after-free in synthesis perf bpf-utils: Constify bpil_array_desc perf bpf-utils: Harden get_bpf_prog_info_linear Ido Schimmel (6): vxlan: Fix NPD when refreshing an FDB entry with a nexthop object vxlan: Refresh FDB 'updated' time upon 'NTF_USE' vxlan: Avoid unnecessary updates to FDB 'used' time vxlan: Add RCU read-side critical sections in the Tx path vxlan: Rename FDB Tx lookup function vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects Ivan Lipski (1): drm/amd/display: Clear the CUR_ENABLE register on DCN314 w/out DPP PG Ivan Pravdin (1): Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Jacob Keller (2): ice: fix NULL access of tx->in_use in ice_ll_ts_intr i40e: remove read access to debugfs files Jakub Kicinski (1): selftests: drv-net: csum: fix interface name for remote host Jens Axboe (1): io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU Jeremy Kerr (1): net: mctp: mctp_fraq_queue should take ownership of passed skb Jiufei Xue (1): fs: writeback: fix use-after-free in __mark_inode_dirty() Johannes Berg (1): wifi: iwlwifi: uefi: check DSM item validity Johannes Thumshirn (1): btrfs: zoned: skip ZONE FINISH of conventional zones John Evans (1): scsi: lpfc: Fix buffer free/clear order in deferred receive path Jonas Gorski (1): net: dsa: b53: do not enable EEE on bcm63xx Karol Wachowski (1): accel/ivpu: Prevent recovery work from being queued during device removal Kuniyuki Iwashima (2): Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() selftest: net: Fix weird setsockopt() in bind_bhash.c. Lad Prabhakar (1): net: pcs: rzn1-miic: Correct MODCTRL register offset Larisa Grigore (4): spi: spi-fsl-lpspi: Fix transmissions when using CONT spi: spi-fsl-lpspi: Set correct chip-select polarity bit spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort spi: spi-fsl-lpspi: Clear status register after disabling the module Li Nan (1): md: prevent incorrect update of resync/recovery offset Li Qiong (1): mm/slub: avoid accessing metadata when pointer is invalid in object_err() Liu Jian (1): net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Lubomir Rintel (1): cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Ma Ke (1): pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Mahanta Jambigi (1): net/smc: Remove validation of reserved bits in CLC Decline message Makar Semyonov (1): cifs: prevent NULL pointer dereference in UTF16 conversion Marek Vasut (2): arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul i.MX8M Plus eDM SBC Markus Niebel (1): arm64: dts: imx8mp-tqma8mpql: fix LDO5 power off Menglong Dong (7): net: skb: add pskb_network_may_pull_reason() helper net: tunnel: add pskb_inet_may_pull_reason() helper net: vxlan: add skb drop reasons to vxlan_rcv() net: vxlan: make vxlan_snoop() return drop reasons net: vxlan: make vxlan_set_mac() return drop reasons net: vxlan: use kfree_skb_reason() in vxlan_xmit() net: vxlan: use kfree_skb_reason() in vxlan_mdb_xmit() Miaoqian Lin (2): mISDN: Fix memory leak in dsp_hwec_enable() ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() Michael Walle (1): drm/bridge: ti-sn65dsi86: fix REFCLK setting Miguel Ojeda (1): rust: support Rust >= 1.91.0 target spec Ming Lei (1): scsi: sr: Reinstate rotational media flag Ming Yen Hsieh (2): wifi: mt76: mt7925u: use connac3 tx aggr check in tx complete wifi: mt76: mt7925: fix the wrong bss cleanup for SAP Nathan Chancellor (2): wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() riscv: Only allow LTO with CMODEL_MEDANY Nícolas F. R. A. Prado (1): thermal/drivers/mediatek/lvts: Disable low offset IRQ for minimum threshold Ojaswin Mujoo (2): ext4: define ext4_journal_destroy wrapper ext4: avoid journaling sb update on error if journal is destroying Paul Alvin (1): mmc: sdhci-of-arasan: Support for emmc hardware reset Pei Xiao (2): tee: fix NULL pointer dereference in tee_shm_put tee: fix memory leak in tee_dyn_shm_alloc_helper Peter Robinson (1): arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Phil Sutter (1): netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Qianfeng Rong (1): wifi: mwifiex: Initialize the chan_stats array to zero Qingfang Deng (1): ppp: fix memory leak in pad_compress_skb Qiu-ji Chen (2): dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Radim Krčmář (4): riscv: use lw when reading int cpu in new_vmalloc_check riscv: use lw when reading int cpu in asm_per_cpu riscv, bpf: use lw when reading int cpu in BPF_MOV64_PERCPU_REG riscv, bpf: use lw when reading int cpu in bpf_get_smp_processor_id Radu Rendec (1): net: vxlan: rename SKB_DROP_REASON_VXLAN_NO_REMOTE Rameshkumar Sundaram (1): wifi: ath11k: fix group data packet drops during rekey Rosen Penev (2): net: thunder_bgx: add a missing of_node_put net: thunder_bgx: decrement cleanup index before use Russell King (Oracle) (3): net: dsa: add hook to determine whether EEE is supported net: dsa: provide implementation of .support_eee() net: dsa: b53/bcm_sf2: implement .support_eee() method Sabrina Dubroca (1): macsec: read MACSEC_SA_ATTR_PN with nla_get_uint Sai Krishna Potthuri (1): mmc: sdhci-of-arasan: Ensure CD logic stabilization before power-up Sasha Levin (1): mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE Sean Anderson (1): net: macb: Fix tx_ptr_lock locking Shinji Nomoto (1): cpupower: Fix a bug where the -t option of the set subcommand was not working. Stanislav Fort (1): batman-adv: fix OOB read/write in network-coding decode Stefan Wahren (3): net: ethernet: oa_tc6: Handle failure of spi_setup microchip: lan865x: Fix module autoloading microchip: lan865x: Fix LAN8651 autoloading Su Yue (1): md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb Sumanth Korikkar (1): mm: fix accounting of memmap pages Sungbae Yoo (1): tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Takashi Iwai (1): ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Timur Kristóf (1): drm/amd/display: Don't warn when missing DCE encoder caps Vadim Pasternak (1): hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM Vitaly Lifshits (1): e1000e: fix heap overflow in e1000_set_eeprom Vlastimil Babka (1): mm, slab: cleanup slab_bug() parameters Wang Liang (3): netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm net: atm: fix memory leak in atm_register_sysfs when device_register fail net: fix NULL pointer dereference in l3mdev_l3_rcv Wen Gong (2): wifi: ath11k: update channel list in reg notifier instead reg worker wifi: ath11k: update channel list in worker when wait flag is set Wentao Guan (1): LoongArch: vDSO: Remove -nostdlib complier flag Wentao Liang (1): pcmcia: Add error handling for add_interval() in do_validate_mem() Xi Ruoyao (1): LoongArch: vDSO: Remove --hash-style=sysv Yang Li (1): Bluetooth: hci_sync: Avoid adding default advertising on startup Yeoreum Yun (1): kunit: kasan_test: disable fortify string checker on kasan_strings() test Yin Tirui (1): of_numa: fix uninitialized memory nodes causing kernel panic Yu Kuai (3): md/raid1,raid10: don't ignore IO flags md/raid1,raid10: don't handle IO error for REQ_RAHEAD and REQ_NOWAIT md/raid1: fix data lost for writemostly rdev Zhen Ni (1): i40e: Fix potential invalid access when MAC list is empty Zheng Qixing (1): md/raid1,raid10: strip REQ_NOWAIT from member bios panfan (1): arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE wangzijie (1): proc: fix missing pde_set_flags() for net proc files yangshiguang (1): mm: slub: avoid wake up kswapd in set_track_prepare zhang jiao (1): tools: gpio: remove the include directory on make clean

1 week, 4 days

1
1
0 0

Linux 6.6.105

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.105 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/userspace-api/netlink/specs.rst | 18 Makefile | 2 arch/arm64/boot/dts/freescale/imx8mp-data-modul-edm-sbc.dts | 1 arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 arch/arm64/include/asm/module.h | 1 arch/arm64/include/asm/module.lds.h | 1 arch/arm64/kernel/ftrace.c | 13 arch/arm64/kernel/module-plts.c | 12 arch/arm64/kernel/module.c | 11 arch/loongarch/kernel/signal.c | 10 arch/riscv/include/asm/asm.h | 2 arch/x86/include/asm/pgtable_64_types.h | 3 arch/x86/mm/init_64.c | 18 drivers/acpi/arm64/iort.c | 4 drivers/bluetooth/hci_vhci.c | 57 - drivers/cpufreq/intel_pstate.c | 122 -- drivers/dma/mediatek/mtk-cqdma.c | 10 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 146 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 42 drivers/gpu/drm/mediatek/mtk_drm_drv.h | 8 drivers/gpu/drm/nouveau/nvkm/engine/fifo/base.c | 2 drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 23 drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga102.c | 1 drivers/gpu/drm/nouveau/nvkm/engine/fifo/priv.h | 2 drivers/hwmon/mlxreg-fan.c | 5 drivers/iio/chemical/pms7003.c | 5 drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 2 drivers/iio/light/opt3001.c | 5 drivers/iio/pressure/mprls0025pa.c | 10 drivers/isdn/mISDN/dsp_hwec.c | 6 drivers/net/ethernet/cadence/macb_main.c | 28 drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 drivers/net/ethernet/intel/e1000e/ethtool.c | 10 drivers/net/ethernet/intel/i40e/i40e_client.c | 4 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 drivers/net/macsec.c | 8 drivers/net/pcs/pcs-rzn1-miic.c | 2 drivers/net/phy/mscc/mscc_ptp.c | 18 drivers/net/ppp/ppp_generic.c | 6 drivers/net/usb/cdc_ncm.c | 7 drivers/net/vmxnet3/vmxnet3_drv.c | 5 drivers/net/wireless/ath/ath11k/core.h | 7 drivers/net/wireless/ath/ath11k/debugfs.c | 4 drivers/net/wireless/ath/ath11k/debugfs_sta.c | 30 drivers/net/wireless/ath/ath11k/dp_rx.c | 8 drivers/net/wireless/ath/ath11k/dp_tx.c | 4 drivers/net/wireless/ath/ath11k/mac.c | 588 ++++++------ drivers/net/wireless/ath/ath11k/peer.c | 2 drivers/net/wireless/ath/ath11k/wmi.c | 6 drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 drivers/net/wireless/marvell/libertas/cfg.c | 9 drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 drivers/net/wireless/marvell/mwifiex/main.c | 4 drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 drivers/net/wireless/st/cw1200/sta.c | 2 drivers/pci/msi/msi.c | 3 drivers/pcmcia/omap_cf.c | 2 drivers/pcmcia/rsrc_iodyn.c | 3 drivers/pcmcia/rsrc_nonstatic.c | 4 drivers/platform/x86/amd/pmc/pmc-quirks.c | 14 drivers/scsi/lpfc/lpfc_nvmet.c | 10 drivers/soc/qcom/mdt_loader.c | 12 drivers/spi/spi-cadence-quadspi.c | 6 drivers/spi/spi-fsl-lpspi.c | 24 drivers/spi/spi-fsl-qspi.c | 36 drivers/tee/optee/ffa_abi.c | 4 drivers/tee/tee_shm.c | 6 drivers/thermal/mediatek/lvts_thermal.c | 50 - fs/btrfs/btrfs_inode.h | 2 fs/btrfs/extent_io.c | 2 fs/btrfs/inode.c | 1 fs/btrfs/tree-log.c | 78 + fs/fs-writeback.c | 9 fs/ocfs2/inode.c | 3 fs/proc/generic.c | 38 fs/smb/client/cifs_unicode.c | 3 include/linux/bpf-cgroup.h | 5 include/linux/bpf.h | 60 - include/linux/pci.h | 2 include/linux/pgtable.h | 16 include/linux/vmalloc.h | 16 include/net/netlink.h | 69 + include/uapi/linux/netlink.h | 5 kernel/bpf/core.c | 50 - kernel/bpf/syscall.c | 20 kernel/sched/topology.c | 2 lib/nlattr.c | 22 mm/slub.c | 66 - net/atm/resources.c | 6 net/ax25/ax25_in.c | 4 net/batman-adv/network-coding.c | 7 net/bluetooth/hci_sync.c | 2 net/bluetooth/l2cap_sock.c | 3 net/bridge/br_netfilter_hooks.c | 3 net/dsa/tag_ksz.c | 22 net/ipv4/devinet.c | 7 net/ipv4/icmp.c | 6 net/ipv6/ip6_icmp.c | 6 net/mctp/af_mctp.c | 2 net/netfilter/nf_conntrack_helper.c | 4 net/netlink/policy.c | 14 net/smc/smc_clc.c | 2 net/smc/smc_ib.c | 3 net/wireless/scan.c | 3 net/wireless/sme.c | 5 sound/pci/hda/patch_hdmi.c | 1 sound/pci/hda/patch_realtek.c | 5 sound/usb/mixer_quirks.c | 2 tools/gpio/Makefile | 4 tools/perf/util/bpf-event.c | 39 tools/power/cpupower/utils/cpupower-set.c | 4 tools/testing/selftests/net/bind_bhash.c | 4 121 files changed, 1354 insertions(+), 835 deletions(-) Aaron Erhardt (1): ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Alex Deucher (2): drm/amdgpu: drop hw access in non-DC audio fini Revert "drm/amdgpu: Avoid extra evict-restore process." Alok Tiwari (2): xirc2ps_cs: fix register access when enabling FullDuplex mctp: return -ENOPROTOOPT for unknown getsockopt options Baochen Qiang (2): wifi: ath11k: rename ath11k_start_vdev_delay() wifi: ath11k: avoid forward declaration of ath11k_mac_start_vdev_delay() Bjorn Andersson (1): soc: qcom: mdt_loader: Deal with zero e_shentsize Chen Ni (1): pcmcia: omap: Add missing check for platform_get_resource Chengming Zhou (1): slub: Reflow ___slab_alloc() Chris Chiu (1): ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Christian Loehle (1): sched: Fix sched_numa_find_nth_cpu() if mask offline Christoffer Sandberg (1): platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list Colin Ian King (1): drm/amd/amdgpu: Fix missing error return on kzalloc failure Cryolitia PukNgae (1): ALSA: usb-audio: Add mute TLV for playback volumes on some devices Dan Carpenter (4): wifi: cw1200: cap SSID length in cw1200_do_join() wifi: libertas: cap SSID len in lbs_associate() wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Daniel Borkmann (4): bpf: Add cookie object to bpf maps bpf: Move cgroup iterator helpers to bpf.h bpf: Move bpf map owner out of common struct bpf: Fix oob access in cgroup local storage Dave Airlie (1): nouveau: fix disabling the nonstall irq due to storm code David Lechner (3): iio: imu: inv_mpu6050: align buffer for timestamp iio: chemical: pms7003: use aligned_s64 for timestamp iio: pressure: mprls0025pa: use aligned_s64 for timestamp Dmitry Antipov (1): wifi: cfg80211: fix use-after-free in cmp_bss() Duoming Zhou (1): wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work Edward Adam Davis (1): ocfs2: prevent release journal inode after journal shutdown Eric Dumazet (1): ax25: properly unshare skbs in ax25_kiss_rcv() Fabian Bläse (1): icmp: fix icmp_ndo_send address translation for reply direction Felix Fietkau (1): net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Filipe Manana (3): btrfs: fix race between logging inode and checking if it was logged before btrfs: fix race between setting last_dir_index_offset and inode logging btrfs: avoid load/store tearing races when checking if an inode was logged Greg Kroah-Hartman (1): Linux 6.6.105 Han Xu (1): spi: fsl-qspi: use devm function instead of driver remove Harry Yoo (2): x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() mm: move page table sync declarations to linux/pgtable.h Hawking Zhang (1): drm/amdgpu: Replace DRM_* with dev_* in amdgpu_psp.c Horatiu Vultur (1): phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Huacai Chen (1): LoongArch: Save LBT before FPU in setup_sigcontext() Ian Rogers (1): perf bpf-event: Fix use-after-free in synthesis Ivan Pravdin (1): Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Jakob Unterwurzacher (1): net: dsa: microchip: linearize skb for tail-tagging switches Jakub Kicinski (1): netlink: add variable-length / auto integers Jason-JH.Lin (2): drm/mediatek: Add crtc path enum for all_drm_priv array drm/mediatek: Fix using wrong drm private data to bind mediatek-drm Jeff Johnson (1): wifi: ath11k: Introduce and use ath11k_sta_to_arsta() Jinfeng Wang (2): Revert "spi: cadence-quadspi: fix cleanup of rx_chan on failure paths" Revert "spi: spi-cadence-quadspi: Fix pm runtime unbalance" Jiufei Xue (1): fs: writeback: fix use-after-free in __mark_inode_dirty() John Evans (1): scsi: lpfc: Fix buffer free/clear order in deferred receive path Jonathan Currier (1): PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads Josef Bacik (1): btrfs: adjust subpage bit start based on sectorsize Kevin Hao (1): spi: fsl-qspi: Fix double cleanup in probe error path Kuniyuki Iwashima (2): Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() selftest: net: Fix weird setsockopt() in bind_bhash.c. Lad Prabhakar (1): net: pcs: rzn1-miic: Correct MODCTRL register offset Larisa Grigore (4): spi: spi-fsl-lpspi: Fix transmissions when using CONT spi: spi-fsl-lpspi: Set correct chip-select polarity bit spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort spi: spi-fsl-lpspi: Clear status register after disabling the module Li Qiong (1): mm/slub: avoid accessing metadata when pointer is invalid in object_err() Liu Jian (1): net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Lubomir Rintel (1): cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Luca Ceresoli (1): iio: light: opt3001: fix deadlock due to concurrent flag access Ma Ke (2): pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv Mahanta Jambigi (1): net/smc: Remove validation of reserved bits in CLC Decline message Makar Semyonov (1): cifs: prevent NULL pointer dereference in UTF16 conversion Marek Vasut (2): arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul i.MX8M Plus eDM SBC Miaoqian Lin (2): mISDN: Fix memory leak in dsp_hwec_enable() ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() Michael Walle (1): drm/bridge: ti-sn65dsi86: fix REFCLK setting Nathan Chancellor (1): wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() Nícolas F. R. A. Prado (1): thermal/drivers/mediatek/lvts: Disable low offset IRQ for minimum threshold Pei Xiao (1): tee: fix NULL pointer dereference in tee_shm_put Peter Robinson (1): arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Phil Sutter (1): netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Pieter Van Trappen (1): net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qianfeng Rong (1): wifi: mwifiex: Initialize the chan_stats array to zero Qingfang Deng (1): ppp: fix memory leak in pad_compress_skb Qiu-ji Chen (2): dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Radim Krčmář (1): riscv: use lw when reading int cpu in asm_per_cpu Rafael J. Wysocki (5): cpufreq: intel_pstate: Fold intel_pstate_max_within_limits() into caller cpufreq: intel_pstate: Do not update global.turbo_disabled after initialization cpufreq: intel_pstate: Rearrange show_no_turbo() and store_no_turbo() cpufreq: intel_pstate: Read global.no_turbo under READ_ONCE() cpufreq: intel_pstate: Check turbo_is_disabled() in store_no_turbo() Rameshkumar Sundaram (1): wifi: ath11k: fix group data packet drops during rekey Ronak Doshi (1): vmxnet3: update MTU after device quiesce Rosen Penev (2): net: thunder_bgx: add a missing of_node_put net: thunder_bgx: decrement cleanup index before use Sabrina Dubroca (1): macsec: read MACSEC_SA_ATTR_PN with nla_get_uint Sean Anderson (1): net: macb: Fix tx_ptr_lock locking Shinji Nomoto (1): cpupower: Fix a bug where the -t option of the set subcommand was not working. Srinivas Pandruvada (2): cpufreq: intel_pstate: Revise global turbo disable check cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Stanislav Fort (1): batman-adv: fix OOB read/write in network-coding decode Stefan Binding (1): ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA Sungbae Yoo (1): tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Takashi Iwai (1): ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Timur Kristóf (1): drm/amd/display: Don't warn when missing DCE encoder caps Vadim Pasternak (1): hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM Vitaly Lifshits (1): e1000e: fix heap overflow in e1000_set_eeprom Wang Liang (2): netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm net: atm: fix memory leak in atm_register_sysfs when device_register fail Wentao Liang (1): pcmcia: Add error handling for add_interval() in do_validate_mem() Yang Li (1): Bluetooth: hci_sync: Avoid adding default advertising on startup Zhen Ni (1): i40e: Fix potential invalid access when MAC list is empty panfan (1): arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE wangzijie (1): proc: fix missing pde_set_flags() for net proc files yangshiguang (1): mm: slub: avoid wake up kswapd in set_track_prepare zhang jiao (1): tools: gpio: remove the include directory on make clean zhangjiao (1): tools: gpio: rm .*.cmd on make clean

1 week, 4 days

1
1
0 0

Linux 6.1.151

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.151 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 arch/x86/include/asm/pgtable_64_types.h | 3 arch/x86/mm/init_64.c | 18 + drivers/acpi/arm64/iort.c | 4 drivers/cpufreq/intel_pstate.c | 122 +++----- drivers/dma/mediatek/mtk-cqdma.c | 10 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 235 +++++++++-------- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 drivers/gpu/drm/amd/display/dc/link/link_hwss_hpo_dp.c | 7 drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 drivers/hwmon/mlxreg-fan.c | 5 drivers/i2c/busses/i2c-designware-pcidrv.c | 4 drivers/iio/chemical/pms7003.c | 5 drivers/iio/light/opt3001.c | 5 drivers/isdn/mISDN/dsp_hwec.c | 6 drivers/net/ethernet/cadence/macb_main.c | 28 +- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 - drivers/net/ethernet/intel/e1000e/ethtool.c | 10 drivers/net/ethernet/intel/i40e/i40e_client.c | 4 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 drivers/net/pcs/pcs-rzn1-miic.c | 2 drivers/net/phy/mscc/mscc_ptp.c | 18 - drivers/net/ppp/ppp_generic.c | 6 drivers/net/usb/cdc_ncm.c | 7 drivers/net/vmxnet3/vmxnet3_drv.c | 5 drivers/net/wireless/marvell/libertas/cfg.c | 9 drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 drivers/net/wireless/marvell/mwifiex/main.c | 4 drivers/net/wireless/st/cw1200/sta.c | 2 drivers/pci/msi/msi.c | 3 drivers/pcmcia/omap_cf.c | 2 drivers/pcmcia/rsrc_iodyn.c | 3 drivers/pcmcia/rsrc_nonstatic.c | 4 drivers/scsi/lpfc/lpfc_nvmet.c | 10 drivers/spi/spi-fsl-lpspi.c | 15 - drivers/spi/spi-tegra114.c | 18 - drivers/tee/optee/ffa_abi.c | 4 drivers/tee/tee_shm.c | 6 fs/btrfs/btrfs_inode.h | 2 fs/btrfs/extent_io.c | 2 fs/btrfs/inode.c | 1 fs/btrfs/tree-log.c | 78 +++-- fs/fs-writeback.c | 9 fs/notify/fdinfo.c | 4 fs/ocfs2/inode.c | 3 fs/overlayfs/copy_up.c | 5 fs/proc/generic.c | 38 +- fs/smb/client/cifs_unicode.c | 3 include/linux/bpf-cgroup.h | 5 include/linux/bpf.h | 60 ++-- include/linux/pci.h | 2 include/linux/pgtable.h | 16 + include/linux/vmalloc.h | 16 - kernel/bpf/core.c | 50 ++- kernel/bpf/syscall.c | 19 - kernel/sched/cpufreq_schedutil.c | 28 +- mm/slub.c | 216 ++++++++------- net/atm/resources.c | 6 net/ax25/ax25_in.c | 4 net/batman-adv/network-coding.c | 7 net/bluetooth/hci_sync.c | 2 net/bluetooth/l2cap_sock.c | 3 net/bridge/br_netfilter_hooks.c | 3 net/dsa/tag_ksz.c | 22 + net/ipv4/devinet.c | 7 net/ipv4/icmp.c | 6 net/ipv6/ip6_icmp.c | 6 net/mctp/af_mctp.c | 2 net/netfilter/nf_conntrack_helper.c | 4 net/smc/smc_clc.c | 2 net/smc/smc_ib.c | 3 net/wireless/scan.c | 3 net/wireless/sme.c | 5 sound/pci/hda/patch_hdmi.c | 1 sound/pci/hda/patch_realtek.c | 5 sound/usb/mixer_quirks.c | 2 tools/gpio/Makefile | 4 tools/testing/selftests/net/bind_bhash.c | 4 86 files changed, 771 insertions(+), 557 deletions(-) Aaron Erhardt (1): ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Aaron Kling (2): spi: tegra114: Don't fail set_cs_timing when delays are zero spi: tegra114: Use value to check for invalid delays Alex Deucher (2): drm/amdgpu: drop hw access in non-DC audio fini Revert "drm/amdgpu: Avoid extra evict-restore process." Alex Hung (1): drm/amd/display: Check link_res->hpo_dp_link_enc before using it Alexander Danilenko (1): spi: tegra114: Remove unnecessary NULL-pointer checks Alok Tiwari (2): xirc2ps_cs: fix register access when enabling FullDuplex mctp: return -ENOPROTOOPT for unknown getsockopt options Amir Goldstein (1): fs: relax assertions on failure to encode file handles Candice Li (1): drm/amdgpu: Optimize RAS TA initialization and TA unload funcs Chen Ni (1): pcmcia: omap: Add missing check for platform_get_resource Chengming Zhou (1): slub: Reflow ___slab_alloc() Chris Chiu (1): ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Christophe JAILLET (1): i2c: designware: Fix an error handling path in i2c_dw_pci_probe() Colin Ian King (1): drm/amd/amdgpu: Fix missing error return on kzalloc failure Cryolitia PukNgae (1): ALSA: usb-audio: Add mute TLV for playback volumes on some devices Dan Carpenter (4): wifi: cw1200: cap SSID length in cw1200_do_join() wifi: libertas: cap SSID len in lbs_associate() wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Daniel Borkmann (4): bpf: Add cookie object to bpf maps bpf: Move cgroup iterator helpers to bpf.h bpf: Move bpf map owner out of common struct bpf: Fix oob access in cgroup local storage David Lechner (1): iio: chemical: pms7003: use aligned_s64 for timestamp Dmitry Antipov (1): wifi: cfg80211: fix use-after-free in cmp_bss() Edward Adam Davis (1): ocfs2: prevent release journal inode after journal shutdown Eric Dumazet (1): ax25: properly unshare skbs in ax25_kiss_rcv() Fabian Bläse (1): icmp: fix icmp_ndo_send address translation for reply direction Felix Fietkau (1): net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Filipe Manana (3): btrfs: fix race between logging inode and checking if it was logged before btrfs: fix race between setting last_dir_index_offset and inode logging btrfs: avoid load/store tearing races when checking if an inode was logged Greg Kroah-Hartman (1): Linux 6.1.151 Harry Yoo (2): x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() mm: move page table sync declarations to linux/pgtable.h Hawking Zhang (1): drm/amdgpu: Replace DRM_* with dev_* in amdgpu_psp.c Horatiu Vultur (1): phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Jakob Unterwurzacher (1): net: dsa: microchip: linearize skb for tail-tagging switches Jiufei Xue (1): fs: writeback: fix use-after-free in __mark_inode_dirty() John Evans (1): scsi: lpfc: Fix buffer free/clear order in deferred receive path Jonathan Currier (1): PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads Josef Bacik (1): btrfs: adjust subpage bit start based on sectorsize Kuniyuki Iwashima (2): Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() selftest: net: Fix weird setsockopt() in bind_bhash.c. Lad Prabhakar (1): net: pcs: rzn1-miic: Correct MODCTRL register offset Larisa Grigore (3): spi: spi-fsl-lpspi: Fix transmissions when using CONT spi: spi-fsl-lpspi: Set correct chip-select polarity bit spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Li Qiong (1): mm/slub: avoid accessing metadata when pointer is invalid in object_err() Lijo Lazar (1): drm/amdgpu: Skip TMR allocation if not required Liu Jian (1): net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Lubomir Rintel (1): cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Luca Ceresoli (1): iio: light: opt3001: fix deadlock due to concurrent flag access Ma Ke (1): pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Mahanta Jambigi (1): net/smc: Remove validation of reserved bits in CLC Decline message Makar Semyonov (1): cifs: prevent NULL pointer dereference in UTF16 conversion Marek Vasut (1): arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM Mario Limonciello (1): drm/amd: Make flashing messages quieter Miaoqian Lin (2): mISDN: Fix memory leak in dsp_hwec_enable() ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() Michael Walle (1): drm/bridge: ti-sn65dsi86: fix REFCLK setting Pei Xiao (1): tee: fix NULL pointer dereference in tee_shm_put Peter Robinson (1): arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Phil Sutter (1): netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Pieter Van Trappen (1): net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qianfeng Rong (1): wifi: mwifiex: Initialize the chan_stats array to zero Qingfang Deng (1): ppp: fix memory leak in pad_compress_skb Qiu-ji Chen (2): dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Rafael J. Wysocki (6): cpufreq/sched: Explicitly synchronize limits_changed flag handling cpufreq: intel_pstate: Fold intel_pstate_max_within_limits() into caller cpufreq: intel_pstate: Do not update global.turbo_disabled after initialization cpufreq: intel_pstate: Rearrange show_no_turbo() and store_no_turbo() cpufreq: intel_pstate: Read global.no_turbo under READ_ONCE() cpufreq: intel_pstate: Check turbo_is_disabled() in store_no_turbo() Ronak Doshi (1): vmxnet3: update MTU after device quiesce Rosen Penev (2): net: thunder_bgx: add a missing of_node_put net: thunder_bgx: decrement cleanup index before use Sean Anderson (1): net: macb: Fix tx_ptr_lock locking Srinivas Pandruvada (2): cpufreq: intel_pstate: Revise global turbo disable check cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Srinivasan Shanmugam (1): drm/amd/amdgpu: Fix style problems in amdgpu_psp.c Stanislav Fort (1): batman-adv: fix OOB read/write in network-coding decode Stefan Binding (1): ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA Sungbae Yoo (1): tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Takashi Iwai (1): ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Tao Zhou (1): drm/amdgpu: remove the check of init status in psp_ras_initialize Timur Kristóf (1): drm/amd/display: Don't warn when missing DCE encoder caps Vadim Pasternak (1): hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM Vitaly Lifshits (1): e1000e: fix heap overflow in e1000_set_eeprom Vlastimil Babka (1): mm, slub: refactor free debug processing Wang Liang (2): netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm net: atm: fix memory leak in atm_register_sysfs when device_register fail Wentao Liang (1): pcmcia: Add error handling for add_interval() in do_validate_mem() Yang Li (1): Bluetooth: hci_sync: Avoid adding default advertising on startup Zhen Ni (1): i40e: Fix potential invalid access when MAC list is empty wangzijie (1): proc: fix missing pde_set_flags() for net proc files yangshiguang (1): mm: slub: avoid wake up kswapd in set_track_prepare zhang jiao (1): tools: gpio: remove the include directory on make clean zhangjiao (1): tools: gpio: rm .*.cmd on make clean

1 week, 4 days

1
1
0 0

Linux 5.15.192

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.192 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts | 9 - arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 arch/x86/include/asm/pgtable_64_types.h | 3 arch/x86/kvm/x86.c | 18 ++ arch/x86/mm/init_64.c | 18 ++ drivers/clk/qcom/gdsc.c | 21 +- drivers/dma-buf/dma-resv.c | 5 drivers/dma/mediatek/mtk-cqdma.c | 10 - drivers/gpio/gpio-pca953x.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 - drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 + drivers/iio/chemical/pms7003.c | 5 drivers/iio/light/opt3001.c | 5 drivers/isdn/mISDN/dsp_hwec.c | 6 drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 - drivers/net/ethernet/intel/i40e/i40e_client.c | 4 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 + drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 drivers/net/phy/mscc/mscc_ptp.c | 34 ++-- drivers/net/ppp/ppp_generic.c | 6 drivers/net/vmxnet3/vmxnet3_drv.c | 5 drivers/net/wireless/marvell/libertas/cfg.c | 9 - drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 drivers/net/wireless/marvell/mwifiex/main.c | 4 drivers/net/wireless/st/cw1200/sta.c | 2 drivers/pcmcia/rsrc_iodyn.c | 3 drivers/pcmcia/rsrc_nonstatic.c | 4 drivers/scsi/lpfc/lpfc_nvmet.c | 10 - drivers/spi/spi-fsl-lpspi.c | 15 +- drivers/spi/spi-tegra114.c | 18 -- drivers/tee/tee_shm.c | 6 fs/fs-writeback.c | 9 - include/linux/bpf-cgroup.h | 5 include/linux/bpf.h | 134 +++++++++++++++--- include/linux/pgtable.h | 16 ++ include/linux/ptp_classify.h | 15 ++ include/linux/vmalloc.h | 16 -- kernel/bpf/arraymap.c | 1 kernel/bpf/core.c | 73 +++++++-- kernel/bpf/syscall.c | 22 +- kernel/sched/cpufreq_schedutil.c | 28 +++ mm/khugepaged.c | 15 +- mm/slub.c | 7 net/atm/resources.c | 6 net/ax25/ax25_in.c | 4 net/batman-adv/network-coding.c | 7 net/bluetooth/l2cap_sock.c | 3 net/bridge/br_netfilter_hooks.c | 3 net/core/ptp_classifier.c | 12 + net/dsa/tag_ksz.c | 22 ++ net/ipv4/devinet.c | 7 net/ipv4/icmp.c | 6 net/ipv6/ip6_icmp.c | 6 net/netfilter/nf_conntrack_helper.c | 4 net/wireless/scan.c | 3 scripts/gcc-plugins/gcc-common.h | 32 ++++ scripts/gcc-plugins/randomize_layout_plugin.c | 40 +---- sound/pci/hda/patch_hdmi.c | 1 sound/usb/mixer_quirks.c | 2 tools/perf/util/bpf-event.c | 39 +++-- 66 files changed, 594 insertions(+), 258 deletions(-) Aaron Kling (2): spi: tegra114: Don't fail set_cs_timing when delays are zero spi: tegra114: Use value to check for invalid delays Alex Deucher (1): drm/amdgpu: drop hw access in non-DC audio fini Alexander Danilenko (1): spi: tegra114: Remove unnecessary NULL-pointer checks Alok Tiwari (1): xirc2ps_cs: fix register access when enabling FullDuplex Cryolitia PukNgae (1): ALSA: usb-audio: Add mute TLV for playback volumes on some devices Dan Carpenter (3): wifi: cw1200: cap SSID length in cw1200_do_join() wifi: libertas: cap SSID len in lbs_associate() ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Daniel Borkmann (4): bpf: Add cookie object to bpf maps bpf: Move cgroup iterator helpers to bpf.h bpf: Move bpf map owner out of common struct bpf: Fix oob access in cgroup local storage David Lechner (1): iio: chemical: pms7003: use aligned_s64 for timestamp Dmitry Antipov (1): wifi: cfg80211: fix use-after-free in cmp_bss() Emanuele Ghidoli (1): gpio: pca953x: fix IRQ storm on system wake up Eric Dumazet (1): ax25: properly unshare skbs in ax25_kiss_rcv() Fabian Bläse (1): icmp: fix icmp_ndo_send address translation for reply direction Felix Fietkau (1): net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Gabor Juhos (1): arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Greg Kroah-Hartman (1): Linux 5.15.192 Harry Yoo (2): x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() mm: move page table sync declarations to linux/pgtable.h Horatiu Vultur (2): net: phy: mscc: Fix memory leak when using one step timestamping phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Hyejeong Choi (1): dma-buf: insert memory barrier before updating num_fences Ian Rogers (1): perf bpf-event: Fix use-after-free in synthesis Jakob Unterwurzacher (1): net: dsa: microchip: linearize skb for tail-tagging switches Jann Horn (1): mm/khugepaged: fix ->anon_vma race Jiufei Xue (1): fs: writeback: fix use-after-free in __mark_inode_dirty() John Evans (1): scsi: lpfc: Fix buffer free/clear order in deferred receive path Kees Cook (2): randstruct: gcc-plugin: Remove bogus void member randstruct: gcc-plugin: Fix attribute addition Kuniyuki Iwashima (1): Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Kurt Kanzenbach (1): ptp: Add generic PTP is_sync() function Larisa Grigore (3): spi: spi-fsl-lpspi: Fix transmissions when using CONT spi: spi-fsl-lpspi: Set correct chip-select polarity bit spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Li Qiong (1): mm/slub: avoid accessing metadata when pointer is invalid in object_err() Luca Ceresoli (1): iio: light: opt3001: fix deadlock due to concurrent flag access Ma Ke (1): pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Miaoqian Lin (1): mISDN: Fix memory leak in dsp_hwec_enable() Michael Walle (1): drm/bridge: ti-sn65dsi86: fix REFCLK setting Pei Xiao (1): tee: fix NULL pointer dereference in tee_shm_put Peter Robinson (1): arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Phil Sutter (1): netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Pieter Van Trappen (1): net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qianfeng Rong (1): wifi: mwifiex: Initialize the chan_stats array to zero Qingfang Deng (1): ppp: fix memory leak in pad_compress_skb Qiu-ji Chen (2): dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Rafael J. Wysocki (1): cpufreq/sched: Explicitly synchronize limits_changed flag handling Ronak Doshi (1): vmxnet3: update MTU after device quiesce Rosen Penev (2): net: thunder_bgx: add a missing of_node_put net: thunder_bgx: decrement cleanup index before use Sean Christopherson (1): KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Stanislav Fort (1): batman-adv: fix OOB read/write in network-coding decode Takashi Iwai (1): ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Taniya Das (1): clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Timur Kristóf (1): drm/amd/display: Don't warn when missing DCE encoder caps Vitaly Lifshits (1): e1000e: fix heap overflow in e1000_set_eeprom Wang Liang (2): netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm net: atm: fix memory leak in atm_register_sysfs when device_register fail Wentao Liang (1): pcmcia: Add error handling for add_interval() in do_validate_mem() Zhen Ni (1): i40e: Fix potential invalid access when MAC list is empty

1 week, 4 days

1
1
0 0

Linux 5.10.243

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.243 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts | 9 ++-- arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 arch/x86/kvm/x86.c | 18 ++++++-- drivers/clk/qcom/gdsc.c | 21 ++++----- drivers/dma/mediatek/mtk-cqdma.c | 10 +--- drivers/gpio/gpio-pca953x.c | 5 ++ drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 -- drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 -- drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 -- drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 -- drivers/gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 +-- drivers/iio/chemical/pms7003.c | 5 +- drivers/iio/light/opt3001.c | 5 +- drivers/isdn/mISDN/dsp_hwec.c | 6 +- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +++++---- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +++- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 - drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 ++++ drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 drivers/net/phy/microchip.c | 30 +------------ drivers/net/phy/microchip_t1.c | 28 +++++++++--- drivers/net/ppp/ppp_generic.c | 6 +- drivers/net/vmxnet3/vmxnet3_drv.c | 5 +- drivers/net/wireless/marvell/libertas/cfg.c | 9 ++-- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +- drivers/net/wireless/marvell/mwifiex/main.c | 4 - drivers/net/wireless/st/cw1200/sta.c | 2 drivers/pcmcia/rsrc_iodyn.c | 3 + drivers/pcmcia/rsrc_nonstatic.c | 4 + drivers/scsi/lpfc/lpfc_nvmet.c | 10 ++-- drivers/spi/spi-fsl-lpspi.c | 15 +++--- drivers/tee/tee_shm.c | 6 ++ fs/cifs/connect.c | 5 ++ kernel/sched/cpufreq_schedutil.c | 28 ++++++++++-- mm/khugepaged.c | 15 ++++++ mm/slub.c | 7 ++- net/atm/resources.c | 6 +- net/ax25/ax25_in.c | 4 + net/batman-adv/network-coding.c | 7 ++- net/bluetooth/l2cap_sock.c | 3 + net/dsa/tag_ksz.c | 22 +++++++-- net/ipv4/devinet.c | 7 +-- net/ipv4/icmp.c | 6 +- net/ipv6/ip6_icmp.c | 6 +- net/netfilter/nf_conntrack_helper.c | 4 - net/wireless/scan.c | 3 - scripts/gcc-plugins/gcc-common.h | 32 ++++++++++++++ scripts/gcc-plugins/randomize_layout_plugin.c | 40 +++++------------- sound/pci/hda/patch_hdmi.c | 1 sound/pci/hda/patch_realtek.c | 1 sound/usb/mixer_quirks.c | 2 52 files changed, 301 insertions(+), 181 deletions(-) Alex Deucher (1): drm/amdgpu: drop hw access in non-DC audio fini Alok Tiwari (1): xirc2ps_cs: fix register access when enabling FullDuplex Chris Chiu (1): ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Cryolitia PukNgae (1): ALSA: usb-audio: Add mute TLV for playback volumes on some devices Dan Carpenter (3): wifi: cw1200: cap SSID length in cw1200_do_join() wifi: libertas: cap SSID len in lbs_associate() ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() David Lechner (1): iio: chemical: pms7003: use aligned_s64 for timestamp Dmitry Antipov (1): wifi: cfg80211: fix use-after-free in cmp_bss() Emanuele Ghidoli (1): gpio: pca953x: fix IRQ storm on system wake up Eric Dumazet (1): ax25: properly unshare skbs in ax25_kiss_rcv() Fabian Bläse (1): icmp: fix icmp_ndo_send address translation for reply direction Felix Fietkau (1): net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Fiona Klute (1): net: phy: microchip: force IRQ polling mode for lan88xx Gabor Juhos (1): arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Greg Kroah-Hartman (1): Linux 5.10.243 Ioana Ciornei (2): net: phy: microchip: implement generic .handle_interrupt() callback net: phy: microchip: remove the use of .ack_interrupt() Jakob Unterwurzacher (1): net: dsa: microchip: linearize skb for tail-tagging switches Jann Horn (1): mm/khugepaged: fix ->anon_vma race John Evans (1): scsi: lpfc: Fix buffer free/clear order in deferred receive path Kees Cook (2): randstruct: gcc-plugin: Remove bogus void member randstruct: gcc-plugin: Fix attribute addition Kuniyuki Iwashima (1): Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Larisa Grigore (3): spi: spi-fsl-lpspi: Fix transmissions when using CONT spi: spi-fsl-lpspi: Set correct chip-select polarity bit spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Li Qiong (1): mm/slub: avoid accessing metadata when pointer is invalid in object_err() Luca Ceresoli (1): iio: light: opt3001: fix deadlock due to concurrent flag access Ma Ke (1): pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Miaoqian Lin (1): mISDN: Fix memory leak in dsp_hwec_enable() Pei Xiao (1): tee: fix NULL pointer dereference in tee_shm_put Peter Robinson (1): arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Phil Sutter (1): netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Pieter Van Trappen (1): net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qianfeng Rong (1): wifi: mwifiex: Initialize the chan_stats array to zero Qingfang Deng (1): ppp: fix memory leak in pad_compress_skb Qiu-ji Chen (2): dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Rafael J. Wysocki (1): cpufreq/sched: Explicitly synchronize limits_changed flag handling Roman Smirnov (1): cifs: fix integer overflow in match_server() Ronak Doshi (1): vmxnet3: update MTU after device quiesce Rosen Penev (2): net: thunder_bgx: add a missing of_node_put net: thunder_bgx: decrement cleanup index before use Sean Christopherson (1): KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Stanislav Fort (1): batman-adv: fix OOB read/write in network-coding decode Takashi Iwai (1): ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Taniya Das (1): clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Timur Kristóf (1): drm/amd/display: Don't warn when missing DCE encoder caps Vitaly Lifshits (1): e1000e: fix heap overflow in e1000_set_eeprom Wang Liang (1): net: atm: fix memory leak in atm_register_sysfs when device_register fail Wentao Liang (1): pcmcia: Add error handling for add_interval() in do_validate_mem() Zhen Ni (1): i40e: Fix potential invalid access when MAC list is empty

1 week, 4 days

1
1
0 0

Linux 5.4.299

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.299 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 - arch/powerpc/boot/util.S | 4 +- arch/x86/kvm/x86.c | 16 +++++++- drivers/dma/mediatek/mtk-cqdma.c | 10 ++--- drivers/gpio/gpio-pca953x.c | 5 ++ drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 -- drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 -- drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 -- drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 -- drivers/iio/chemical/pms7003.c | 5 +- drivers/iio/light/opt3001.c | 5 +- drivers/isdn/mISDN/dsp_hwec.c | 6 +-- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 ++++++----- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +++-- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 ++++- drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 - drivers/net/ppp/ppp_generic.c | 6 +-- drivers/net/vmxnet3/vmxnet3_drv.c | 5 +- drivers/net/wireless/marvell/libertas/cfg.c | 9 +++- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +- drivers/net/wireless/marvell/mwifiex/main.c | 4 +- drivers/net/wireless/st/cw1200/sta.c | 2 - drivers/pcmcia/rsrc_iodyn.c | 3 + drivers/pcmcia/rsrc_nonstatic.c | 4 +- drivers/scsi/lpfc/lpfc_nvmet.c | 10 +++-- drivers/spi/spi-fsl-lpspi.c | 15 ++++---- fs/cifs/connect.c | 5 ++ kernel/sched/cpufreq_schedutil.c | 28 +++++++++++++-- mm/khugepaged.c | 14 +++++++ mm/slub.c | 7 +++ net/atm/resources.c | 6 ++- net/ax25/ax25_in.c | 4 ++ net/batman-adv/network-coding.c | 7 +++ net/bluetooth/l2cap_sock.c | 3 + net/dsa/tag_ksz.c | 22 +++++++++--- net/ipv4/devinet.c | 7 +-- net/ipv4/icmp.c | 6 ++- net/ipv6/ip6_icmp.c | 6 ++- net/netfilter/nf_conntrack_helper.c | 4 +- net/wireless/scan.c | 3 + scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++ scripts/gcc-plugins/randomize_layout_plugin.c | 40 ++++++---------------- sound/pci/hda/patch_hdmi.c | 1 sound/pci/hda/patch_realtek.c | 1 sound/usb/mixer_quirks.c | 2 + 46 files changed, 249 insertions(+), 131 deletions(-) Alex Deucher (1): drm/amdgpu: drop hw access in non-DC audio fini Alok Tiwari (1): xirc2ps_cs: fix register access when enabling FullDuplex Chris Chiu (1): ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Cryolitia PukNgae (1): ALSA: usb-audio: Add mute TLV for playback volumes on some devices Dan Carpenter (3): wifi: cw1200: cap SSID length in cw1200_do_join() wifi: libertas: cap SSID len in lbs_associate() ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() David Lechner (1): iio: chemical: pms7003: use aligned_s64 for timestamp Dmitry Antipov (1): wifi: cfg80211: fix use-after-free in cmp_bss() Emanuele Ghidoli (1): gpio: pca953x: fix IRQ storm on system wake up Eric Dumazet (1): ax25: properly unshare skbs in ax25_kiss_rcv() Fabian Bläse (1): icmp: fix icmp_ndo_send address translation for reply direction Felix Fietkau (1): net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Greg Kroah-Hartman (1): Linux 5.4.299 Jakob Unterwurzacher (1): net: dsa: microchip: linearize skb for tail-tagging switches Jann Horn (1): mm/khugepaged: fix ->anon_vma race John Evans (1): scsi: lpfc: Fix buffer free/clear order in deferred receive path Kees Cook (2): randstruct: gcc-plugin: Remove bogus void member randstruct: gcc-plugin: Fix attribute addition Kuniyuki Iwashima (1): Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Larisa Grigore (3): spi: spi-fsl-lpspi: Fix transmissions when using CONT spi: spi-fsl-lpspi: Set correct chip-select polarity bit spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Li Qiong (1): mm/slub: avoid accessing metadata when pointer is invalid in object_err() Luca Ceresoli (1): iio: light: opt3001: fix deadlock due to concurrent flag access Ma Ke (1): pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Miaoqian Lin (1): mISDN: Fix memory leak in dsp_hwec_enable() Nathan Chancellor (1): powerpc: boot: Remove leading zero in label in udelay() Phil Sutter (1): netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Pieter Van Trappen (1): net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qianfeng Rong (1): wifi: mwifiex: Initialize the chan_stats array to zero Qingfang Deng (1): ppp: fix memory leak in pad_compress_skb Qiu-ji Chen (2): dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Rafael J. Wysocki (1): cpufreq/sched: Explicitly synchronize limits_changed flag handling Roman Smirnov (1): cifs: fix integer overflow in match_server() Ronak Doshi (1): vmxnet3: update MTU after device quiesce Rosen Penev (2): net: thunder_bgx: add a missing of_node_put net: thunder_bgx: decrement cleanup index before use Sean Christopherson (1): KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Stanislav Fort (1): batman-adv: fix OOB read/write in network-coding decode Takashi Iwai (1): ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Vitaly Lifshits (1): e1000e: fix heap overflow in e1000_set_eeprom Wang Liang (1): net: atm: fix memory leak in atm_register_sysfs when device_register fail Wentao Liang (1): pcmcia: Add error handling for add_interval() in do_validate_mem() Zhen Ni (1): i40e: Fix potential invalid access when MAC list is empty

1 week, 4 days

1
1
0 0

[PATCH 5.4 00/45] 5.4.299-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.299 release. There are 45 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 09 Sep 2025 19:55:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.299-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.299-rc1 Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Roman Smirnov <r.smirnov(a)omp.ru> cifs: fix integer overflow in match_server() Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Set correct chip-select polarity bit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Fix transmissions when using CONT Wentao Liang <vulab(a)iscas.ac.cn> pcmcia: Add error handling for add_interval() in do_validate_mem() Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Fix attribute addition Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Remove bogus void member Ronak Doshi <ronak.doshi(a)broadcom.com> vmxnet3: update MTU after device quiesce Jakob Unterwurzacher <jakobunt(a)gmail.com> net: dsa: microchip: linearize skb for tail-tagging switches Pieter Van Trappen <pieter.van.trappen(a)cern.ch> net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: pca953x: fix IRQ storm on system wake up Luca Ceresoli <luca.ceresoli(a)bootlin.com> iio: light: opt3001: fix deadlock due to concurrent flag access David Lechner <dlechner(a)baylibre.com> iio: chemical: pms7003: use aligned_s64 for timestamp Sean Christopherson <seanjc(a)google.com> KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Explicitly synchronize limits_changed flag handling Li Qiong <liqiong(a)nfschina.com> mm/slub: avoid accessing metadata when pointer is invalid in object_err() John Evans <evans1210144(a)gmail.com> scsi: lpfc: Fix buffer free/clear order in deferred receive path Jann Horn <jannh(a)google.com> mm/khugepaged: fix ->anon_vma race Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix heap overflow in e1000_set_eeprom Stanislav Fort <stanislav.fort(a)aisle.com> batman-adv: fix OOB read/write in network-coding decode Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop hw access in non-DC audio fini Qianfeng Rong <rongqianfeng(a)vivo.com> wifi: mwifiex: Initialize the chan_stats array to zero Ma Ke <make24(a)iscas.ac.cn> pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on some devices Qingfang Deng <dqfext(a)gmail.com> ppp: fix memory leak in pad_compress_skb Wang Liang <wangliang74(a)huawei.com> net: atm: fix memory leak in atm_register_sysfs when device_register fail Eric Dumazet <edumazet(a)google.com> ax25: properly unshare skbs in ax25_kiss_rcv() Dan Carpenter <dan.carpenter(a)linaro.org> ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: decrement cleanup index before use Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: add a missing of_node_put Dan Carpenter <dan.carpenter(a)linaro.org> wifi: libertas: cap SSID len in lbs_associate() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cw1200: cap SSID length in cw1200_do_join() Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Zhen Ni <zhen.ni(a)easystack.cn> i40e: Fix potential invalid access when MAC list is empty Fabian Bläse <fabian(a)blaese.de> icmp: fix icmp_ndo_send address translation for reply direction Miaoqian Lin <linmq006(a)gmail.com> mISDN: Fix memory leak in dsp_hwec_enable() Alok Tiwari <alok.a.tiwari(a)oracle.com> xirc2ps_cs: fix register access when enabling FullDuplex Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Phil Sutter <phil(a)nwl.cc> netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix use-after-free in cmp_bss() Nathan Chancellor <nathan(a)kernel.org> powerpc: boot: Remove leading zero in label in udelay() ------------- Diffstat: Makefile | 4 +-- arch/powerpc/boot/util.S | 4 +-- arch/x86/kvm/x86.c | 16 +++++++-- drivers/dma/mediatek/mtk-cqdma.c | 10 +++--- drivers/gpio/gpio-pca953x.c | 5 +++ drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 --- drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 --- drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 --- drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 --- drivers/iio/chemical/pms7003.c | 5 +-- drivers/iio/light/opt3001.c | 5 +-- drivers/isdn/mISDN/dsp_hwec.c | 6 ++-- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +++++++----- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 ++++-- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +-- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +++++- drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- drivers/net/ppp/ppp_generic.c | 6 ++-- drivers/net/vmxnet3/vmxnet3_drv.c | 5 +-- drivers/net/wireless/marvell/libertas/cfg.c | 9 +++-- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +-- drivers/net/wireless/marvell/mwifiex/main.c | 4 +-- drivers/net/wireless/st/cw1200/sta.c | 2 +- drivers/pcmcia/rsrc_iodyn.c | 3 ++ drivers/pcmcia/rsrc_nonstatic.c | 4 ++- drivers/scsi/lpfc/lpfc_nvmet.c | 10 +++--- drivers/spi/spi-fsl-lpspi.c | 15 +++++---- fs/cifs/connect.c | 5 +++ kernel/sched/cpufreq_schedutil.c | 28 +++++++++++++--- mm/khugepaged.c | 14 +++++++- mm/slub.c | 7 +++- net/atm/resources.c | 6 ++-- net/ax25/ax25_in.c | 4 +++ net/batman-adv/network-coding.c | 7 +++- net/bluetooth/l2cap_sock.c | 3 ++ net/dsa/tag_ksz.c | 22 ++++++++++--- net/ipv4/devinet.c | 7 ++-- net/ipv4/icmp.c | 6 ++-- net/ipv6/ip6_icmp.c | 6 ++-- net/netfilter/nf_conntrack_helper.c | 4 +-- net/wireless/scan.c | 3 +- scripts/gcc-plugins/gcc-common.h | 32 ++++++++++++++++++ scripts/gcc-plugins/randomize_layout_plugin.c | 40 +++++++---------------- sound/pci/hda/patch_hdmi.c | 1 + sound/pci/hda/patch_realtek.c | 1 + sound/usb/mixer_quirks.c | 2 ++ 46 files changed, 250 insertions(+), 132 deletions(-)

1 week, 4 days

7
54
0 0

[PATCH 1/2] PCI: rcar-host: Drop PMSR spinlock

by Marek Vasut

The pmsr_lock spinlock used to be necessary to synchronize access to the PMSR register, because that access could have been triggered from either config space access in rcar_pcie_config_access() or an exception handler rcar_pcie_aarch32_abort_handler(). The rcar_pcie_aarch32_abort_handler() case is no longer applicable since commit 6e36203bc14c ("PCI: rcar: Use PCI_SET_ERROR_RESPONSE after read which triggered an exception"), which performs more accurate, controlled invocation of the exception, and a fixup. This leaves rcar_pcie_config_access() as the only call site from which rcar_pcie_wakeup() is called. The rcar_pcie_config_access() can only be called from the controller struct pci_ops .read and .write callbacks, and those are serialized in drivers/pci/access.c using raw spinlock 'pci_lock' . CONFIG_PCI_LOCKLESS_CONFIG is never set on this platform. Since the 'pci_lock' is a raw spinlock , and the 'pmsr_lock' is not a raw spinlock, this constellation triggers 'BUG: Invalid wait context' with CONFIG_PROVE_RAW_LOCK_NESTING=y . Remove the pmsr_lock to fix the locking. Fixes: a115b1bd3af0 ("PCI: rcar: Add L1 link state fix into data abort hook") Reported-by: Duy Nguyen <duy.nguyen.rh(a)renesas.com> Reported-by: Thuan Nguyen <thuan.nguyen-hong(a)banvien.com.vn> Cc: stable(a)vger.kernel.org Signed-off-by: Marek Vasut <marek.vasut+renesas(a)mailbox.org> --- ============================= [ BUG: Invalid wait context ] 6.17.0-rc4-next-20250905-00048-ga08e553145e7-dirty #1116 Not tainted ----------------------------- swapper/0/1 is trying to lock: ffffffd92cf69c30 (pmsr_lock){....}-{3:3}, at: rcar_pcie_config_access+0x48/0x260 other info that might help us debug this: context-{5:5} 3 locks held by swapper/0/1: #0: ffffff84c0f890f8 (&dev->mutex){....}-{4:4}, at: device_lock+0x14/0x1c #1: ffffffd92cf675b0 (pci_rescan_remove_lock){+.+.}-{4:4}, at: pci_lock_rescan_remove+0x18/0x20 #2: ffffffd92cf674a0 (pci_lock){....}-{2:2}, at: pci_bus_read_config_dword+0x54/0xd8 stack backtrace: CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-next-20250905-00048-ga08e553145e7-dirty #1116 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT) Call trace: dump_backtrace+0x6c/0x7c (C) show_stack+0x14/0x1c dump_stack_lvl+0x68/0x8c dump_stack+0x14/0x1c __lock_acquire+0x3e8/0x1064 lock_acquire+0x17c/0x2ac _raw_spin_lock_irqsave+0x54/0x70 rcar_pcie_config_access+0x48/0x260 rcar_pcie_read_conf+0x44/0xd8 pci_bus_read_config_dword+0x78/0xd8 pci_bus_generic_read_dev_vendor_id+0x30/0x138 pci_bus_read_dev_vendor_id+0x60/0x68 pci_scan_single_device+0x11c/0x1ec pci_scan_slot+0x7c/0x170 pci_scan_child_bus_extend+0x5c/0x29c pci_scan_child_bus+0x10/0x18 pci_scan_root_bus_bridge+0x90/0xc8 pci_host_probe+0x24/0xc4 rcar_pcie_probe+0x5e8/0x650 platform_probe+0x58/0x88 really_probe+0x190/0x350 __driver_probe_device+0x120/0x138 driver_probe_device+0x38/0xec __driver_attach+0x158/0x168 bus_for_each_dev+0x7c/0xd0 driver_attach+0x20/0x28 bus_add_driver+0xe0/0x1d8 driver_register+0xac/0xe8 __platform_driver_register+0x1c/0x24 rcar_pcie_driver_init+0x18/0x20 do_one_initcall+0xd4/0x220 kernel_init_freeable+0x308/0x30c kernel_init+0x20/0x11c ret_from_fork+0x10/0x20 --- Cc: "Krzysztof Wilczyński" <kwilczynski(a)kernel.org> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: Geert Uytterhoeven <geert+renesas(a)glider.be> Cc: Lorenzo Pieralisi <lpieralisi(a)kernel.org> Cc: Magnus Damm <magnus.damm(a)gmail.com> Cc: Manivannan Sadhasivam <mani(a)kernel.org> Cc: Marc Zyngier <maz(a)kernel.org> Cc: Rob Herring <robh(a)kernel.org> Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> Cc: linux-pci(a)vger.kernel.org Cc: linux-renesas-soc(a)vger.kernel.org --- drivers/pci/controller/pcie-rcar-host.c | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/drivers/pci/controller/pcie-rcar-host.c b/drivers/pci/controller/pcie-rcar-host.c index 4780e0109e583..625a00f3b2230 100644 --- a/drivers/pci/controller/pcie-rcar-host.c +++ b/drivers/pci/controller/pcie-rcar-host.c @@ -52,20 +52,13 @@ struct rcar_pcie_host { int (*phy_init_fn)(struct rcar_pcie_host *host); }; -static DEFINE_SPINLOCK(pmsr_lock); - static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base) { - unsigned long flags; u32 pmsr, val; int ret = 0; - spin_lock_irqsave(&pmsr_lock, flags); - - if (!pcie_base || pm_runtime_suspended(pcie_dev)) { - ret = -EINVAL; - goto unlock_exit; - } + if (!pcie_base || pm_runtime_suspended(pcie_dev)) + return -EINVAL; pmsr = readl(pcie_base + PMSR); @@ -87,8 +80,6 @@ static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base) writel(L1FAEG | PMEL1RX, pcie_base + PMSR); } -unlock_exit: - spin_unlock_irqrestore(&pmsr_lock, flags); return ret; } -- 2.51.0

1 week, 4 days

1
1
0 0

FAILED: patch "[PATCH] mm: introduce and use {pgd,p4d}_populate_kernel()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x f2d2f9598ebb0158a3fe17cda0106d7752e654a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025090608-wages-saloon-a401@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f2d2f9598ebb0158a3fe17cda0106d7752e654a2 Mon Sep 17 00:00:00 2001 From: Harry Yoo <harry.yoo(a)oracle.com> Date: Mon, 18 Aug 2025 11:02:05 +0900 Subject: [PATCH] mm: introduce and use {pgd,p4d}_populate_kernel() Introduce and use {pgd,p4d}_populate_kernel() in core MM code when populating PGD and P4D entries for the kernel address space. These helpers ensure proper synchronization of page tables when updating the kernel portion of top-level page tables. Until now, the kernel has relied on each architecture to handle synchronization of top-level page tables in an ad-hoc manner. For example, see commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes"). However, this approach has proven fragile for following reasons: 1) It is easy to forget to perform the necessary page table synchronization when introducing new changes. For instance, commit 4917f55b4ef9 ("mm/sparse-vmemmap: improve memory savings for compound devmaps") overlooked the need to synchronize page tables for the vmemmap area. 2) It is also easy to overlook that the vmemmap and direct mapping areas must not be accessed before explicit page table synchronization. For example, commit 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges")) caused crashes by accessing the vmemmap area before calling sync_global_pgds(). To address this, as suggested by Dave Hansen, introduce _kernel() variants of the page table population helpers, which invoke architecture-specific hooks to properly synchronize page tables. These are introduced in a new header file, include/linux/pgalloc.h, so they can be called from common code. They reuse existing infrastructure for vmalloc and ioremap. Synchronization requirements are determined by ARCH_PAGE_TABLE_SYNC_MASK, and the actual synchronization is performed by arch_sync_kernel_mappings(). This change currently targets only x86_64, so only PGD and P4D level helpers are introduced. Currently, these helpers are no-ops since no architecture sets PGTBL_{PGD,P4D}_MODIFIED in ARCH_PAGE_TABLE_SYNC_MASK. In theory, PUD and PMD level helpers can be added later if needed by other architectures. For now, 32-bit architectures (x86-32 and arm) only handle PGTBL_PMD_MODIFIED, so p*d_populate_kernel() will never affect them unless we introduce a PMD level helper. [harry.yoo(a)oracle.com: fix KASAN build error due to p*d_populate_kernel()] Link: https://lkml.kernel.org/r/20250822020727.202749-1-harry.yoo@oracle.com Link: https://lkml.kernel.org/r/20250818020206.4517-3-harry.yoo@oracle.com Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)linux.ibm.com> Cc: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: bibo mao <maobibo(a)loongson.cn> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Gwan-gyeong Mun <gwan-gyeong.mun(a)intel.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Kevin Brodsky <kevin.brodsky(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Peter Xu <peterx(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: Thomas Huth <thuth(a)redhat.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/pgalloc.h b/include/linux/pgalloc.h new file mode 100644 index 000000000000..9174fa59bbc5 --- /dev/null +++ b/include/linux/pgalloc.h @@ -0,0 +1,29 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_PGALLOC_H +#define _LINUX_PGALLOC_H + +#include <linux/pgtable.h> +#include <asm/pgalloc.h> + +/* + * {pgd,p4d}_populate_kernel() are defined as macros to allow + * compile-time optimization based on the configured page table levels. + * Without this, linking may fail because callers (e.g., KASAN) may rely + * on calls to these functions being optimized away when passing symbols + * that exist only for certain page table levels. + */ +#define pgd_populate_kernel(addr, pgd, p4d) \ + do { \ + pgd_populate(&init_mm, pgd, p4d); \ + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) \ + arch_sync_kernel_mappings(addr, addr); \ + } while (0) + +#define p4d_populate_kernel(addr, p4d, pud) \ + do { \ + p4d_populate(&init_mm, p4d, pud); \ + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_P4D_MODIFIED) \ + arch_sync_kernel_mappings(addr, addr); \ + } while (0) + +#endif /* _LINUX_PGALLOC_H */ diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index ba699df6ef69..2b80fd456c8b 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h @@ -1469,8 +1469,8 @@ static inline void modify_prot_commit_ptes(struct vm_area_struct *vma, unsigned /* * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values - * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() - * needs to be called. + * and let generic vmalloc, ioremap and page table update code know when + * arch_sync_kernel_mappings() needs to be called. */ #ifndef ARCH_PAGE_TABLE_SYNC_MASK #define ARCH_PAGE_TABLE_SYNC_MASK 0 @@ -1954,10 +1954,11 @@ static inline bool arch_has_pfn_modify_check(void) /* * Page Table Modification bits for pgtbl_mod_mask. * - * These are used by the p?d_alloc_track*() set of functions an in the generic - * vmalloc/ioremap code to track at which page-table levels entries have been - * modified. Based on that the code can better decide when vmalloc and ioremap - * mapping changes need to be synchronized to other page-tables in the system. + * These are used by the p?d_alloc_track*() and p*d_populate_kernel() + * functions in the generic vmalloc, ioremap and page table update code + * to track at which page-table levels entries have been modified. + * Based on that the code can better decide when page table changes need + * to be synchronized to other page-tables in the system. */ #define __PGTBL_PGD_MODIFIED 0 #define __PGTBL_P4D_MODIFIED 1 diff --git a/mm/kasan/init.c b/mm/kasan/init.c index ced6b29fcf76..8fce3370c84e 100644 --- a/mm/kasan/init.c +++ b/mm/kasan/init.c @@ -13,9 +13,9 @@ #include <linux/mm.h> #include <linux/pfn.h> #include <linux/slab.h> +#include <linux/pgalloc.h> #include <asm/page.h> -#include <asm/pgalloc.h> #include "kasan.h" @@ -191,7 +191,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, pud_t *pud; pmd_t *pmd; - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -212,7 +212,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, } else { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE); pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } } zero_pud_populate(p4d, addr, next); @@ -251,10 +251,10 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, * puds,pmds, so pgd_populate(), pud_populate() * is noops. */ - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, lm_alias(kasan_early_shadow_p4d)); p4d = p4d_offset(pgd, addr); - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -273,7 +273,7 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, if (!p) return -ENOMEM; } else { - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, early_alloc(PAGE_SIZE, NUMA_NO_NODE)); } } diff --git a/mm/percpu.c b/mm/percpu.c index d9cbaee92b60..a56f35dcc417 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -3108,7 +3108,7 @@ int __init pcpu_embed_first_chunk(size_t reserved_size, size_t dyn_size, #endif /* BUILD_EMBED_FIRST_CHUNK */ #ifdef BUILD_PAGE_FIRST_CHUNK -#include <asm/pgalloc.h> +#include <linux/pgalloc.h> #ifndef P4D_TABLE_SIZE #define P4D_TABLE_SIZE PAGE_SIZE @@ -3134,13 +3134,13 @@ void __init __weak pcpu_populate_pte(unsigned long addr) if (pgd_none(*pgd)) { p4d = memblock_alloc_or_panic(P4D_TABLE_SIZE, P4D_TABLE_SIZE); - pgd_populate(&init_mm, pgd, p4d); + pgd_populate_kernel(addr, pgd, p4d); } p4d = p4d_offset(pgd, addr); if (p4d_none(*p4d)) { pud = memblock_alloc_or_panic(PUD_TABLE_SIZE, PUD_TABLE_SIZE); - p4d_populate(&init_mm, p4d, pud); + p4d_populate_kernel(addr, p4d, pud); } pud = pud_offset(p4d, addr); diff --git a/mm/sparse-vmemmap.c b/mm/sparse-vmemmap.c index 41aa0493eb03..dbd8daccade2 100644 --- a/mm/sparse-vmemmap.c +++ b/mm/sparse-vmemmap.c @@ -27,9 +27,9 @@ #include <linux/spinlock.h> #include <linux/vmalloc.h> #include <linux/sched.h> +#include <linux/pgalloc.h> #include <asm/dma.h> -#include <asm/pgalloc.h> #include <asm/tlbflush.h> #include "hugetlb_vmemmap.h" @@ -229,7 +229,7 @@ p4d_t * __meminit vmemmap_p4d_populate(pgd_t *pgd, unsigned long addr, int node) if (!p) return NULL; pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } return p4d; } @@ -241,7 +241,7 @@ pgd_t * __meminit vmemmap_pgd_populate(unsigned long addr, int node) void *p = vmemmap_alloc_block_zero(PAGE_SIZE, node); if (!p) return NULL; - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } return pgd; }

1 week, 4 days

2
3
0 0

FAILED: patch "[PATCH] mm: introduce and use {pgd,p4d}_populate_kernel()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f2d2f9598ebb0158a3fe17cda0106d7752e654a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025090606-overthrow-bagginess-c68f@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f2d2f9598ebb0158a3fe17cda0106d7752e654a2 Mon Sep 17 00:00:00 2001 From: Harry Yoo <harry.yoo(a)oracle.com> Date: Mon, 18 Aug 2025 11:02:05 +0900 Subject: [PATCH] mm: introduce and use {pgd,p4d}_populate_kernel() Introduce and use {pgd,p4d}_populate_kernel() in core MM code when populating PGD and P4D entries for the kernel address space. These helpers ensure proper synchronization of page tables when updating the kernel portion of top-level page tables. Until now, the kernel has relied on each architecture to handle synchronization of top-level page tables in an ad-hoc manner. For example, see commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes"). However, this approach has proven fragile for following reasons: 1) It is easy to forget to perform the necessary page table synchronization when introducing new changes. For instance, commit 4917f55b4ef9 ("mm/sparse-vmemmap: improve memory savings for compound devmaps") overlooked the need to synchronize page tables for the vmemmap area. 2) It is also easy to overlook that the vmemmap and direct mapping areas must not be accessed before explicit page table synchronization. For example, commit 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges")) caused crashes by accessing the vmemmap area before calling sync_global_pgds(). To address this, as suggested by Dave Hansen, introduce _kernel() variants of the page table population helpers, which invoke architecture-specific hooks to properly synchronize page tables. These are introduced in a new header file, include/linux/pgalloc.h, so they can be called from common code. They reuse existing infrastructure for vmalloc and ioremap. Synchronization requirements are determined by ARCH_PAGE_TABLE_SYNC_MASK, and the actual synchronization is performed by arch_sync_kernel_mappings(). This change currently targets only x86_64, so only PGD and P4D level helpers are introduced. Currently, these helpers are no-ops since no architecture sets PGTBL_{PGD,P4D}_MODIFIED in ARCH_PAGE_TABLE_SYNC_MASK. In theory, PUD and PMD level helpers can be added later if needed by other architectures. For now, 32-bit architectures (x86-32 and arm) only handle PGTBL_PMD_MODIFIED, so p*d_populate_kernel() will never affect them unless we introduce a PMD level helper. [harry.yoo(a)oracle.com: fix KASAN build error due to p*d_populate_kernel()] Link: https://lkml.kernel.org/r/20250822020727.202749-1-harry.yoo@oracle.com Link: https://lkml.kernel.org/r/20250818020206.4517-3-harry.yoo@oracle.com Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)linux.ibm.com> Cc: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: bibo mao <maobibo(a)loongson.cn> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Gwan-gyeong Mun <gwan-gyeong.mun(a)intel.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Kevin Brodsky <kevin.brodsky(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Peter Xu <peterx(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: Thomas Huth <thuth(a)redhat.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/pgalloc.h b/include/linux/pgalloc.h new file mode 100644 index 000000000000..9174fa59bbc5 --- /dev/null +++ b/include/linux/pgalloc.h @@ -0,0 +1,29 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_PGALLOC_H +#define _LINUX_PGALLOC_H + +#include <linux/pgtable.h> +#include <asm/pgalloc.h> + +/* + * {pgd,p4d}_populate_kernel() are defined as macros to allow + * compile-time optimization based on the configured page table levels. + * Without this, linking may fail because callers (e.g., KASAN) may rely + * on calls to these functions being optimized away when passing symbols + * that exist only for certain page table levels. + */ +#define pgd_populate_kernel(addr, pgd, p4d) \ + do { \ + pgd_populate(&init_mm, pgd, p4d); \ + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) \ + arch_sync_kernel_mappings(addr, addr); \ + } while (0) + +#define p4d_populate_kernel(addr, p4d, pud) \ + do { \ + p4d_populate(&init_mm, p4d, pud); \ + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_P4D_MODIFIED) \ + arch_sync_kernel_mappings(addr, addr); \ + } while (0) + +#endif /* _LINUX_PGALLOC_H */ diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index ba699df6ef69..2b80fd456c8b 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h @@ -1469,8 +1469,8 @@ static inline void modify_prot_commit_ptes(struct vm_area_struct *vma, unsigned /* * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values - * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() - * needs to be called. + * and let generic vmalloc, ioremap and page table update code know when + * arch_sync_kernel_mappings() needs to be called. */ #ifndef ARCH_PAGE_TABLE_SYNC_MASK #define ARCH_PAGE_TABLE_SYNC_MASK 0 @@ -1954,10 +1954,11 @@ static inline bool arch_has_pfn_modify_check(void) /* * Page Table Modification bits for pgtbl_mod_mask. * - * These are used by the p?d_alloc_track*() set of functions an in the generic - * vmalloc/ioremap code to track at which page-table levels entries have been - * modified. Based on that the code can better decide when vmalloc and ioremap - * mapping changes need to be synchronized to other page-tables in the system. + * These are used by the p?d_alloc_track*() and p*d_populate_kernel() + * functions in the generic vmalloc, ioremap and page table update code + * to track at which page-table levels entries have been modified. + * Based on that the code can better decide when page table changes need + * to be synchronized to other page-tables in the system. */ #define __PGTBL_PGD_MODIFIED 0 #define __PGTBL_P4D_MODIFIED 1 diff --git a/mm/kasan/init.c b/mm/kasan/init.c index ced6b29fcf76..8fce3370c84e 100644 --- a/mm/kasan/init.c +++ b/mm/kasan/init.c @@ -13,9 +13,9 @@ #include <linux/mm.h> #include <linux/pfn.h> #include <linux/slab.h> +#include <linux/pgalloc.h> #include <asm/page.h> -#include <asm/pgalloc.h> #include "kasan.h" @@ -191,7 +191,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, pud_t *pud; pmd_t *pmd; - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -212,7 +212,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, } else { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE); pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } } zero_pud_populate(p4d, addr, next); @@ -251,10 +251,10 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, * puds,pmds, so pgd_populate(), pud_populate() * is noops. */ - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, lm_alias(kasan_early_shadow_p4d)); p4d = p4d_offset(pgd, addr); - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -273,7 +273,7 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, if (!p) return -ENOMEM; } else { - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, early_alloc(PAGE_SIZE, NUMA_NO_NODE)); } } diff --git a/mm/percpu.c b/mm/percpu.c index d9cbaee92b60..a56f35dcc417 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -3108,7 +3108,7 @@ int __init pcpu_embed_first_chunk(size_t reserved_size, size_t dyn_size, #endif /* BUILD_EMBED_FIRST_CHUNK */ #ifdef BUILD_PAGE_FIRST_CHUNK -#include <asm/pgalloc.h> +#include <linux/pgalloc.h> #ifndef P4D_TABLE_SIZE #define P4D_TABLE_SIZE PAGE_SIZE @@ -3134,13 +3134,13 @@ void __init __weak pcpu_populate_pte(unsigned long addr) if (pgd_none(*pgd)) { p4d = memblock_alloc_or_panic(P4D_TABLE_SIZE, P4D_TABLE_SIZE); - pgd_populate(&init_mm, pgd, p4d); + pgd_populate_kernel(addr, pgd, p4d); } p4d = p4d_offset(pgd, addr); if (p4d_none(*p4d)) { pud = memblock_alloc_or_panic(PUD_TABLE_SIZE, PUD_TABLE_SIZE); - p4d_populate(&init_mm, p4d, pud); + p4d_populate_kernel(addr, p4d, pud); } pud = pud_offset(p4d, addr); diff --git a/mm/sparse-vmemmap.c b/mm/sparse-vmemmap.c index 41aa0493eb03..dbd8daccade2 100644 --- a/mm/sparse-vmemmap.c +++ b/mm/sparse-vmemmap.c @@ -27,9 +27,9 @@ #include <linux/spinlock.h> #include <linux/vmalloc.h> #include <linux/sched.h> +#include <linux/pgalloc.h> #include <asm/dma.h> -#include <asm/pgalloc.h> #include <asm/tlbflush.h> #include "hugetlb_vmemmap.h" @@ -229,7 +229,7 @@ p4d_t * __meminit vmemmap_p4d_populate(pgd_t *pgd, unsigned long addr, int node) if (!p) return NULL; pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } return p4d; } @@ -241,7 +241,7 @@ pgd_t * __meminit vmemmap_pgd_populate(unsigned long addr, int node) void *p = vmemmap_alloc_block_zero(PAGE_SIZE, node); if (!p) return NULL; - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } return pgd; }

1 week, 4 days

2
3
0 0

[PATCH net 1/2] rds: ib: Increment i_fastreg_wrs before bailing out

by Håkon Bugge

We need to increment i_fastreg_wrs before we bail out from rds_ib_post_reg_frmr(). Fixes: 1659185fb4d0 ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode") Fixes: 3a2886cca703 ("net/rds: Keep track of and wait for FRWR segments in use upon shutdown") Signed-off-by: Håkon Bugge <haakon.bugge(a)oracle.com> --- net/rds/ib_frmr.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/net/rds/ib_frmr.c b/net/rds/ib_frmr.c index 28c1b00221780..7e3b04a83904d 100644 --- a/net/rds/ib_frmr.c +++ b/net/rds/ib_frmr.c @@ -133,12 +133,15 @@ static int rds_ib_post_reg_frmr(struct rds_ib_mr *ibmr) ret = ib_map_mr_sg_zbva(frmr->mr, ibmr->sg, ibmr->sg_dma_len, &off, PAGE_SIZE); - if (unlikely(ret != ibmr->sg_dma_len)) - return ret < 0 ? ret : -EINVAL; + if (unlikely(ret != ibmr->sg_dma_len)) { + ret = ret < 0 ? ret : -EINVAL; + goto out_inc; + } - if (cmpxchg(&frmr->fr_state, - FRMR_IS_FREE, FRMR_IS_INUSE) != FRMR_IS_FREE) - return -EBUSY; + if (cmpxchg(&frmr->fr_state, FRMR_IS_FREE, FRMR_IS_INUSE) != FRMR_IS_FREE) { + ret = -EBUSY; + goto out_inc; + } atomic_inc(&ibmr->ic->i_fastreg_inuse_count); @@ -178,9 +181,11 @@ static int rds_ib_post_reg_frmr(struct rds_ib_mr *ibmr) * being accessed while registration is still pending. */ wait_event(frmr->fr_reg_done, !frmr->fr_reg); - out: + return ret; +out_inc: + atomic_inc(&ibmr->ic->i_fastreg_wrs); return ret; } -- 2.43.5

1 week, 4 days

5
8
0 0

FAILED: patch "[PATCH] mm: introduce and use {pgd,p4d}_populate_kernel()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x f2d2f9598ebb0158a3fe17cda0106d7752e654a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025090604-obnoxious-bronco-1690@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f2d2f9598ebb0158a3fe17cda0106d7752e654a2 Mon Sep 17 00:00:00 2001 From: Harry Yoo <harry.yoo(a)oracle.com> Date: Mon, 18 Aug 2025 11:02:05 +0900 Subject: [PATCH] mm: introduce and use {pgd,p4d}_populate_kernel() Introduce and use {pgd,p4d}_populate_kernel() in core MM code when populating PGD and P4D entries for the kernel address space. These helpers ensure proper synchronization of page tables when updating the kernel portion of top-level page tables. Until now, the kernel has relied on each architecture to handle synchronization of top-level page tables in an ad-hoc manner. For example, see commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes"). However, this approach has proven fragile for following reasons: 1) It is easy to forget to perform the necessary page table synchronization when introducing new changes. For instance, commit 4917f55b4ef9 ("mm/sparse-vmemmap: improve memory savings for compound devmaps") overlooked the need to synchronize page tables for the vmemmap area. 2) It is also easy to overlook that the vmemmap and direct mapping areas must not be accessed before explicit page table synchronization. For example, commit 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges")) caused crashes by accessing the vmemmap area before calling sync_global_pgds(). To address this, as suggested by Dave Hansen, introduce _kernel() variants of the page table population helpers, which invoke architecture-specific hooks to properly synchronize page tables. These are introduced in a new header file, include/linux/pgalloc.h, so they can be called from common code. They reuse existing infrastructure for vmalloc and ioremap. Synchronization requirements are determined by ARCH_PAGE_TABLE_SYNC_MASK, and the actual synchronization is performed by arch_sync_kernel_mappings(). This change currently targets only x86_64, so only PGD and P4D level helpers are introduced. Currently, these helpers are no-ops since no architecture sets PGTBL_{PGD,P4D}_MODIFIED in ARCH_PAGE_TABLE_SYNC_MASK. In theory, PUD and PMD level helpers can be added later if needed by other architectures. For now, 32-bit architectures (x86-32 and arm) only handle PGTBL_PMD_MODIFIED, so p*d_populate_kernel() will never affect them unless we introduce a PMD level helper. [harry.yoo(a)oracle.com: fix KASAN build error due to p*d_populate_kernel()] Link: https://lkml.kernel.org/r/20250822020727.202749-1-harry.yoo@oracle.com Link: https://lkml.kernel.org/r/20250818020206.4517-3-harry.yoo@oracle.com Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)linux.ibm.com> Cc: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: bibo mao <maobibo(a)loongson.cn> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Gwan-gyeong Mun <gwan-gyeong.mun(a)intel.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Kevin Brodsky <kevin.brodsky(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Peter Xu <peterx(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: Thomas Huth <thuth(a)redhat.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/pgalloc.h b/include/linux/pgalloc.h new file mode 100644 index 000000000000..9174fa59bbc5 --- /dev/null +++ b/include/linux/pgalloc.h @@ -0,0 +1,29 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_PGALLOC_H +#define _LINUX_PGALLOC_H + +#include <linux/pgtable.h> +#include <asm/pgalloc.h> + +/* + * {pgd,p4d}_populate_kernel() are defined as macros to allow + * compile-time optimization based on the configured page table levels. + * Without this, linking may fail because callers (e.g., KASAN) may rely + * on calls to these functions being optimized away when passing symbols + * that exist only for certain page table levels. + */ +#define pgd_populate_kernel(addr, pgd, p4d) \ + do { \ + pgd_populate(&init_mm, pgd, p4d); \ + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) \ + arch_sync_kernel_mappings(addr, addr); \ + } while (0) + +#define p4d_populate_kernel(addr, p4d, pud) \ + do { \ + p4d_populate(&init_mm, p4d, pud); \ + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_P4D_MODIFIED) \ + arch_sync_kernel_mappings(addr, addr); \ + } while (0) + +#endif /* _LINUX_PGALLOC_H */ diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index ba699df6ef69..2b80fd456c8b 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h @@ -1469,8 +1469,8 @@ static inline void modify_prot_commit_ptes(struct vm_area_struct *vma, unsigned /* * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values - * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() - * needs to be called. + * and let generic vmalloc, ioremap and page table update code know when + * arch_sync_kernel_mappings() needs to be called. */ #ifndef ARCH_PAGE_TABLE_SYNC_MASK #define ARCH_PAGE_TABLE_SYNC_MASK 0 @@ -1954,10 +1954,11 @@ static inline bool arch_has_pfn_modify_check(void) /* * Page Table Modification bits for pgtbl_mod_mask. * - * These are used by the p?d_alloc_track*() set of functions an in the generic - * vmalloc/ioremap code to track at which page-table levels entries have been - * modified. Based on that the code can better decide when vmalloc and ioremap - * mapping changes need to be synchronized to other page-tables in the system. + * These are used by the p?d_alloc_track*() and p*d_populate_kernel() + * functions in the generic vmalloc, ioremap and page table update code + * to track at which page-table levels entries have been modified. + * Based on that the code can better decide when page table changes need + * to be synchronized to other page-tables in the system. */ #define __PGTBL_PGD_MODIFIED 0 #define __PGTBL_P4D_MODIFIED 1 diff --git a/mm/kasan/init.c b/mm/kasan/init.c index ced6b29fcf76..8fce3370c84e 100644 --- a/mm/kasan/init.c +++ b/mm/kasan/init.c @@ -13,9 +13,9 @@ #include <linux/mm.h> #include <linux/pfn.h> #include <linux/slab.h> +#include <linux/pgalloc.h> #include <asm/page.h> -#include <asm/pgalloc.h> #include "kasan.h" @@ -191,7 +191,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, pud_t *pud; pmd_t *pmd; - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -212,7 +212,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, } else { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE); pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } } zero_pud_populate(p4d, addr, next); @@ -251,10 +251,10 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, * puds,pmds, so pgd_populate(), pud_populate() * is noops. */ - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, lm_alias(kasan_early_shadow_p4d)); p4d = p4d_offset(pgd, addr); - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -273,7 +273,7 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, if (!p) return -ENOMEM; } else { - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, early_alloc(PAGE_SIZE, NUMA_NO_NODE)); } } diff --git a/mm/percpu.c b/mm/percpu.c index d9cbaee92b60..a56f35dcc417 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -3108,7 +3108,7 @@ int __init pcpu_embed_first_chunk(size_t reserved_size, size_t dyn_size, #endif /* BUILD_EMBED_FIRST_CHUNK */ #ifdef BUILD_PAGE_FIRST_CHUNK -#include <asm/pgalloc.h> +#include <linux/pgalloc.h> #ifndef P4D_TABLE_SIZE #define P4D_TABLE_SIZE PAGE_SIZE @@ -3134,13 +3134,13 @@ void __init __weak pcpu_populate_pte(unsigned long addr) if (pgd_none(*pgd)) { p4d = memblock_alloc_or_panic(P4D_TABLE_SIZE, P4D_TABLE_SIZE); - pgd_populate(&init_mm, pgd, p4d); + pgd_populate_kernel(addr, pgd, p4d); } p4d = p4d_offset(pgd, addr); if (p4d_none(*p4d)) { pud = memblock_alloc_or_panic(PUD_TABLE_SIZE, PUD_TABLE_SIZE); - p4d_populate(&init_mm, p4d, pud); + p4d_populate_kernel(addr, p4d, pud); } pud = pud_offset(p4d, addr); diff --git a/mm/sparse-vmemmap.c b/mm/sparse-vmemmap.c index 41aa0493eb03..dbd8daccade2 100644 --- a/mm/sparse-vmemmap.c +++ b/mm/sparse-vmemmap.c @@ -27,9 +27,9 @@ #include <linux/spinlock.h> #include <linux/vmalloc.h> #include <linux/sched.h> +#include <linux/pgalloc.h> #include <asm/dma.h> -#include <asm/pgalloc.h> #include <asm/tlbflush.h> #include "hugetlb_vmemmap.h" @@ -229,7 +229,7 @@ p4d_t * __meminit vmemmap_p4d_populate(pgd_t *pgd, unsigned long addr, int node) if (!p) return NULL; pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } return p4d; } @@ -241,7 +241,7 @@ pgd_t * __meminit vmemmap_pgd_populate(unsigned long addr, int node) void *p = vmemmap_alloc_block_zero(PAGE_SIZE, node); if (!p) return NULL; - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } return pgd; }

1 week, 4 days

2
3
0 0

FAILED: patch "[PATCH] mm: introduce and use {pgd,p4d}_populate_kernel()" failed to apply to 6.12-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x f2d2f9598ebb0158a3fe17cda0106d7752e654a2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025090602-bullwhip-runner-63fe@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f2d2f9598ebb0158a3fe17cda0106d7752e654a2 Mon Sep 17 00:00:00 2001 From: Harry Yoo <harry.yoo(a)oracle.com> Date: Mon, 18 Aug 2025 11:02:05 +0900 Subject: [PATCH] mm: introduce and use {pgd,p4d}_populate_kernel() Introduce and use {pgd,p4d}_populate_kernel() in core MM code when populating PGD and P4D entries for the kernel address space. These helpers ensure proper synchronization of page tables when updating the kernel portion of top-level page tables. Until now, the kernel has relied on each architecture to handle synchronization of top-level page tables in an ad-hoc manner. For example, see commit 9b861528a801 ("x86-64, mem: Update all PGDs for direct mapping and vmemmap mapping changes"). However, this approach has proven fragile for following reasons: 1) It is easy to forget to perform the necessary page table synchronization when introducing new changes. For instance, commit 4917f55b4ef9 ("mm/sparse-vmemmap: improve memory savings for compound devmaps") overlooked the need to synchronize page tables for the vmemmap area. 2) It is also easy to overlook that the vmemmap and direct mapping areas must not be accessed before explicit page table synchronization. For example, commit 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges")) caused crashes by accessing the vmemmap area before calling sync_global_pgds(). To address this, as suggested by Dave Hansen, introduce _kernel() variants of the page table population helpers, which invoke architecture-specific hooks to properly synchronize page tables. These are introduced in a new header file, include/linux/pgalloc.h, so they can be called from common code. They reuse existing infrastructure for vmalloc and ioremap. Synchronization requirements are determined by ARCH_PAGE_TABLE_SYNC_MASK, and the actual synchronization is performed by arch_sync_kernel_mappings(). This change currently targets only x86_64, so only PGD and P4D level helpers are introduced. Currently, these helpers are no-ops since no architecture sets PGTBL_{PGD,P4D}_MODIFIED in ARCH_PAGE_TABLE_SYNC_MASK. In theory, PUD and PMD level helpers can be added later if needed by other architectures. For now, 32-bit architectures (x86-32 and arm) only handle PGTBL_PMD_MODIFIED, so p*d_populate_kernel() will never affect them unless we introduce a PMD level helper. [harry.yoo(a)oracle.com: fix KASAN build error due to p*d_populate_kernel()] Link: https://lkml.kernel.org/r/20250822020727.202749-1-harry.yoo@oracle.com Link: https://lkml.kernel.org/r/20250818020206.4517-3-harry.yoo@oracle.com Fixes: 8d400913c231 ("x86/vmemmap: handle unpopulated sub-pmd ranges") Signed-off-by: Harry Yoo <harry.yoo(a)oracle.com> Suggested-by: Dave Hansen <dave.hansen(a)linux.intel.com> Acked-by: Kiryl Shutsemau <kas(a)kernel.org> Reviewed-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Alistair Popple <apopple(a)nvidia.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)linux.ibm.com> Cc: Anshuman Khandual <anshuman.khandual(a)arm.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: bibo mao <maobibo(a)loongson.cn> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Christoph Lameter (Ampere) <cl(a)gentwo.org> Cc: Dennis Zhou <dennis(a)kernel.org> Cc: Dev Jain <dev.jain(a)arm.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Gwan-gyeong Mun <gwan-gyeong.mun(a)intel.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Jane Chu <jane.chu(a)oracle.com> Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Kevin Brodsky <kevin.brodsky(a)arm.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Peter Xu <peterx(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Thomas Gleinxer <tglx(a)linutronix.de> Cc: Thomas Huth <thuth(a)redhat.com> Cc: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/pgalloc.h b/include/linux/pgalloc.h new file mode 100644 index 000000000000..9174fa59bbc5 --- /dev/null +++ b/include/linux/pgalloc.h @@ -0,0 +1,29 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_PGALLOC_H +#define _LINUX_PGALLOC_H + +#include <linux/pgtable.h> +#include <asm/pgalloc.h> + +/* + * {pgd,p4d}_populate_kernel() are defined as macros to allow + * compile-time optimization based on the configured page table levels. + * Without this, linking may fail because callers (e.g., KASAN) may rely + * on calls to these functions being optimized away when passing symbols + * that exist only for certain page table levels. + */ +#define pgd_populate_kernel(addr, pgd, p4d) \ + do { \ + pgd_populate(&init_mm, pgd, p4d); \ + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_PGD_MODIFIED) \ + arch_sync_kernel_mappings(addr, addr); \ + } while (0) + +#define p4d_populate_kernel(addr, p4d, pud) \ + do { \ + p4d_populate(&init_mm, p4d, pud); \ + if (ARCH_PAGE_TABLE_SYNC_MASK & PGTBL_P4D_MODIFIED) \ + arch_sync_kernel_mappings(addr, addr); \ + } while (0) + +#endif /* _LINUX_PGALLOC_H */ diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index ba699df6ef69..2b80fd456c8b 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h @@ -1469,8 +1469,8 @@ static inline void modify_prot_commit_ptes(struct vm_area_struct *vma, unsigned /* * Architectures can set this mask to a combination of PGTBL_P?D_MODIFIED values - * and let generic vmalloc and ioremap code know when arch_sync_kernel_mappings() - * needs to be called. + * and let generic vmalloc, ioremap and page table update code know when + * arch_sync_kernel_mappings() needs to be called. */ #ifndef ARCH_PAGE_TABLE_SYNC_MASK #define ARCH_PAGE_TABLE_SYNC_MASK 0 @@ -1954,10 +1954,11 @@ static inline bool arch_has_pfn_modify_check(void) /* * Page Table Modification bits for pgtbl_mod_mask. * - * These are used by the p?d_alloc_track*() set of functions an in the generic - * vmalloc/ioremap code to track at which page-table levels entries have been - * modified. Based on that the code can better decide when vmalloc and ioremap - * mapping changes need to be synchronized to other page-tables in the system. + * These are used by the p?d_alloc_track*() and p*d_populate_kernel() + * functions in the generic vmalloc, ioremap and page table update code + * to track at which page-table levels entries have been modified. + * Based on that the code can better decide when page table changes need + * to be synchronized to other page-tables in the system. */ #define __PGTBL_PGD_MODIFIED 0 #define __PGTBL_P4D_MODIFIED 1 diff --git a/mm/kasan/init.c b/mm/kasan/init.c index ced6b29fcf76..8fce3370c84e 100644 --- a/mm/kasan/init.c +++ b/mm/kasan/init.c @@ -13,9 +13,9 @@ #include <linux/mm.h> #include <linux/pfn.h> #include <linux/slab.h> +#include <linux/pgalloc.h> #include <asm/page.h> -#include <asm/pgalloc.h> #include "kasan.h" @@ -191,7 +191,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, pud_t *pud; pmd_t *pmd; - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -212,7 +212,7 @@ static int __ref zero_p4d_populate(pgd_t *pgd, unsigned long addr, } else { p = early_alloc(PAGE_SIZE, NUMA_NO_NODE); pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } } zero_pud_populate(p4d, addr, next); @@ -251,10 +251,10 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, * puds,pmds, so pgd_populate(), pud_populate() * is noops. */ - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, lm_alias(kasan_early_shadow_p4d)); p4d = p4d_offset(pgd, addr); - p4d_populate(&init_mm, p4d, + p4d_populate_kernel(addr, p4d, lm_alias(kasan_early_shadow_pud)); pud = pud_offset(p4d, addr); pud_populate(&init_mm, pud, @@ -273,7 +273,7 @@ int __ref kasan_populate_early_shadow(const void *shadow_start, if (!p) return -ENOMEM; } else { - pgd_populate(&init_mm, pgd, + pgd_populate_kernel(addr, pgd, early_alloc(PAGE_SIZE, NUMA_NO_NODE)); } } diff --git a/mm/percpu.c b/mm/percpu.c index d9cbaee92b60..a56f35dcc417 100644 --- a/mm/percpu.c +++ b/mm/percpu.c @@ -3108,7 +3108,7 @@ int __init pcpu_embed_first_chunk(size_t reserved_size, size_t dyn_size, #endif /* BUILD_EMBED_FIRST_CHUNK */ #ifdef BUILD_PAGE_FIRST_CHUNK -#include <asm/pgalloc.h> +#include <linux/pgalloc.h> #ifndef P4D_TABLE_SIZE #define P4D_TABLE_SIZE PAGE_SIZE @@ -3134,13 +3134,13 @@ void __init __weak pcpu_populate_pte(unsigned long addr) if (pgd_none(*pgd)) { p4d = memblock_alloc_or_panic(P4D_TABLE_SIZE, P4D_TABLE_SIZE); - pgd_populate(&init_mm, pgd, p4d); + pgd_populate_kernel(addr, pgd, p4d); } p4d = p4d_offset(pgd, addr); if (p4d_none(*p4d)) { pud = memblock_alloc_or_panic(PUD_TABLE_SIZE, PUD_TABLE_SIZE); - p4d_populate(&init_mm, p4d, pud); + p4d_populate_kernel(addr, p4d, pud); } pud = pud_offset(p4d, addr); diff --git a/mm/sparse-vmemmap.c b/mm/sparse-vmemmap.c index 41aa0493eb03..dbd8daccade2 100644 --- a/mm/sparse-vmemmap.c +++ b/mm/sparse-vmemmap.c @@ -27,9 +27,9 @@ #include <linux/spinlock.h> #include <linux/vmalloc.h> #include <linux/sched.h> +#include <linux/pgalloc.h> #include <asm/dma.h> -#include <asm/pgalloc.h> #include <asm/tlbflush.h> #include "hugetlb_vmemmap.h" @@ -229,7 +229,7 @@ p4d_t * __meminit vmemmap_p4d_populate(pgd_t *pgd, unsigned long addr, int node) if (!p) return NULL; pud_init(p); - p4d_populate(&init_mm, p4d, p); + p4d_populate_kernel(addr, p4d, p); } return p4d; } @@ -241,7 +241,7 @@ pgd_t * __meminit vmemmap_pgd_populate(unsigned long addr, int node) void *p = vmemmap_alloc_block_zero(PAGE_SIZE, node); if (!p) return NULL; - pgd_populate(&init_mm, pgd, p); + pgd_populate_kernel(addr, pgd, p); } return pgd; }

1 week, 4 days

3
9
0 0

[PATCH v1] rust: cfi: only 64-bit arm and x86 support CFI_CLANG

by Conor Dooley

From: Conor Dooley <conor.dooley(a)microchip.com> The kernel uses the standard rustc targets for non-x86 targets, and out of those only 64-bit arm's target has kcfi support enabled. For x86, the custom 64-bit target enables kcfi. The HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC config option that allows CFI_CLANG to be used in combination with RUST does not check whether the rustc target supports kcfi. This breaks the build on riscv (and presumably 32-bit arm) when CFI_CLANG and RUST are enabled at the same time. Ordinarily, a rustc-option check would be used to detect target support but unfortunately rustc-option filters out the target for reasons given in commit 46e24a545cdb4 ("rust: kasan/kbuild: fix missing flags on first build"). As a result, if the host supports kcfi but the target does not, e.g. when building for riscv on x86_64, the build would remain broken. Instead, make HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC depend on the only two architectures where the target used supports it to fix the build. CC: stable(a)vger.kernel.org Fixes: ca627e636551e ("rust: cfi: add support for CFI_CLANG with Rust") Signed-off-by: Conor Dooley <conor.dooley(a)microchip.com> --- CC: Paul Walmsley <paul.walmsley(a)sifive.com> CC: Palmer Dabbelt <palmer(a)dabbelt.com> CC: Alexandre Ghiti <alex(a)ghiti.fr> CC: Miguel Ojeda <ojeda(a)kernel.org> CC: Alex Gaynor <alex.gaynor(a)gmail.com> CC: Boqun Feng <boqun.feng(a)gmail.com> CC: Gary Guo <gary(a)garyguo.net> CC: "Björn Roy Baron" <bjorn3_gh(a)protonmail.com> CC: Benno Lossin <lossin(a)kernel.org> CC: Andreas Hindborg <a.hindborg(a)kernel.org> CC: Alice Ryhl <aliceryhl(a)google.com> CC: Trevor Gross <tmgross(a)umich.edu> CC: Danilo Krummrich <dakr(a)kernel.org> CC: Kees Cook <kees(a)kernel.org> CC: Sami Tolvanen <samitolvanen(a)google.com> CC: Matthew Maurer <mmaurer(a)google.com> CC: "Peter Zijlstra (Intel)" <peterz(a)infradead.org> CC: linux-kernel(a)vger.kernel.org CC: linux-riscv(a)lists.infradead.org CC: rust-for-linux(a)vger.kernel.org --- arch/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/Kconfig b/arch/Kconfig index d1b4ffd6e0856..880cddff5eda7 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -917,6 +917,7 @@ config HAVE_CFI_ICALL_NORMALIZE_INTEGERS_RUSTC def_bool y depends on HAVE_CFI_ICALL_NORMALIZE_INTEGERS_CLANG depends on RUSTC_VERSION >= 107900 + depends on ARM64 || X86_64 # With GCOV/KASAN we need this fix: https://github.com/rust-lang/rust/pull/129373 depends on (RUSTC_LLVM_VERSION >= 190103 && RUSTC_VERSION >= 108200) || \ (!GCOV_KERNEL && !KASAN_GENERIC && !KASAN_SW_TAGS) -- 2.47.2

1 week, 4 days

4
4
0 0

[PATCH rdma-next 1/1] RDMA/core: Fix socket leak in rdma_dev_init_net

by Håkon Bugge

If rdma_dev_init_net() has an early return because the supplied net is the default init_net, we need to call rdma_nl_net_exit() before returning. Fixes: 4e0f7b907072 ("RDMA/core: Implement compat device/sysfs tree in net namespace") Cc: stable(a)vger.kernel.org Signed-off-by: Håkon Bugge <haakon.bugge(a)oracle.com> --- drivers/infiniband/core/device.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c index 3145cb34a1d20..ec5642e70c5db 100644 --- a/drivers/infiniband/core/device.c +++ b/drivers/infiniband/core/device.c @@ -1203,8 +1203,10 @@ static __net_init int rdma_dev_init_net(struct net *net) return ret; /* No need to create any compat devices in default init_net. */ - if (net_eq(net, &init_net)) + if (net_eq(net, &init_net)) { + rdma_nl_net_exit(rnet); return 0; + } ret = xa_alloc(&rdma_nets, &rnet->id, rnet, xa_limit_32b, GFP_KERNEL); if (ret) { -- 2.43.5

1 week, 4 days

4
3
0 0

Re: [PATCH net v4] netrom: linearize and validate lengths in nr_rx_frame()

by Jakub Kicinski

On Sun, 7 Sep 2025 16:32:03 +0200 Bernard Pidoux wrote: > While applying netrom PATCH net v4 > patch says that > it is malformed on line 12. FWIW the version I received is completely mangled. There's a leading space before each +. You can try B4 relay if your mail server is giving you grief.

1 week, 4 days

2
1
0 0

[PATCH v5 02/13] ASoC: codecs: wcd937x: make stub functions inline

by Srinivas Kandagatla

For some reason we ended up with stub functions that are not inline, this can result in build error if its included multiple places, as we will be redefining the same function Fixes: c99a515ff153 ("ASoC: codecs: wcd937x-sdw: add SoundWire driver") Cc: <Stable(a)vger.kernel.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)oss.qualcomm.com> --- sound/soc/codecs/wcd937x.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sound/soc/codecs/wcd937x.h b/sound/soc/codecs/wcd937x.h index 3ab21bb5846e..d20886a2803a 100644 --- a/sound/soc/codecs/wcd937x.h +++ b/sound/soc/codecs/wcd937x.h @@ -552,21 +552,21 @@ int wcd937x_sdw_hw_params(struct wcd937x_sdw_priv *wcd, struct device *wcd937x_sdw_device_get(struct device_node *np); #else -int wcd937x_sdw_free(struct wcd937x_sdw_priv *wcd, +static inline int wcd937x_sdw_free(struct wcd937x_sdw_priv *wcd, struct snd_pcm_substream *substream, struct snd_soc_dai *dai) { return -EOPNOTSUPP; } -int wcd937x_sdw_set_sdw_stream(struct wcd937x_sdw_priv *wcd, +static inline int wcd937x_sdw_set_sdw_stream(struct wcd937x_sdw_priv *wcd, struct snd_soc_dai *dai, void *stream, int direction) { return -EOPNOTSUPP; } -int wcd937x_sdw_hw_params(struct wcd937x_sdw_priv *wcd, +static inline int wcd937x_sdw_hw_params(struct wcd937x_sdw_priv *wcd, struct snd_pcm_substream *substream, struct snd_pcm_hw_params *params, struct snd_soc_dai *dai) -- 2.50.0

1 week, 4 days

1
0
0 0

FAILED: patch "[PATCH] tracing: Do not add length to print format in synthetic" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x e1a453a57bc76be678bd746f84e3d73f378a9511 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041706-ambiance-zen-5f4e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e1a453a57bc76be678bd746f84e3d73f378a9511 Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Mon, 7 Apr 2025 15:41:39 -0400 Subject: [PATCH] tracing: Do not add length to print format in synthetic events The following causes a vsnprintf fault: # echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events # echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger # echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger Because the synthetic event's "wakee" field is created as a dynamic string (even though the string copied is not). The print format to print the dynamic string changed from "%*s" to "%s" because another location (__set_synth_event_print_fmt()) exported this to user space, and user space did not need that. But it is still used in print_synth_event(), and the output looks like: <idle>-0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155 sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58 <idle>-0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91 bash-880 [002] d..5. 193.811371: wake_lat: wakee=(efault)kworker/u35:2delta=21 <idle>-0 [001] d..5. 193.811516: wake_lat: wakee=(efault)sshd-sessiondelta=129 sshd-session-879 [001] d..5. 193.967576: wake_lat: wakee=(efault)kworker/u34:5delta=50 The length isn't needed as the string is always nul terminated. Just print the string and not add the length (which was hard coded to the max string length anyway). Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Tom Zanussi <zanussi(a)kernel.org> Cc: Douglas Raillard <douglas.raillard(a)arm.com> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Link: https://lore.kernel.org/20250407154139.69955768@gandalf.local.home Fixes: 4d38328eb442d ("tracing: Fix synth event printk format for str fields"); Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c index 969f48742d72..33cfbd4ed76d 100644 --- a/kernel/trace/trace_events_synth.c +++ b/kernel/trace/trace_events_synth.c @@ -370,7 +370,6 @@ static enum print_line_t print_synth_event(struct trace_iterator *iter, union trace_synth_field *data = &entry->fields[n_u64]; trace_seq_printf(s, print_fmt, se->fields[i]->name, - STR_VAR_LEN_MAX, (char *)entry + data->as_dynamic.offset, i == se->n_fields - 1 ? "" : " "); n_u64++;

1 week, 4 days

3
2
0 0

[PATCH v6 1/3] drm/buddy: Optimize free block management with RB tree

by Arunpravin Paneer Selvam

Replace the freelist (O(n)) used for free block management with a red-black tree, providing more efficient O(log n) search, insert, and delete operations. This improves scalability and performance when managing large numbers of free blocks per order (e.g., hundreds or thousands). In the VK-CTS memory stress subtest, the buddy manager merges fragmented memory and inserts freed blocks into the freelist. Since freelist insertion is O(n), this becomes a bottleneck as fragmentation increases. Benchmarking shows list_insert_sorted() consumes ~52.69% CPU with the freelist, compared to just 0.03% with the RB tree (rbtree_insert.isra.0), despite performing the same sorted insert. This also improves performance in heavily fragmented workloads, such as games or graphics tests that stress memory. As the buddy allocator evolves with new features such as clear-page tracking, the resulting fragmentation and complexity have grown. These RB-tree based design changes are introduced to address that growth and ensure the allocator continues to perform efficiently under fragmented conditions. The RB tree implementation with separate clear/dirty trees provides: - O(n log n) aggregate complexity for all operations instead of O(n^2) - Elimination of soft lockups and system instability - Improved code maintainability and clarity - Better scalability for large memory systems - Predictable performance under fragmentation v3(Matthew): - Remove RB_EMPTY_NODE check in force_merge function. - Rename rb for loop macros to have less generic names and move to .c file. - Make the rb node rb and link field as union. v4(Jani Nikula): - The kernel-doc comment should be "/**" - Move all the rbtree macros to rbtree.h and add parens to ensure correct precedence. v5: - Remove the inline in a .c file (Jani Nikula). v6(Peter Zijlstra): - Add rb_add() function replacing the existing rbtree_insert() code. Cc: stable(a)vger.kernel.org Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality") Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> --- drivers/gpu/drm/drm_buddy.c | 144 ++++++++++++++++++++++-------------- include/drm/drm_buddy.h | 11 ++- include/linux/rbtree.h | 56 ++++++++++++++ 3 files changed, 153 insertions(+), 58 deletions(-) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index a94061f373de..89f4b49ae3fb 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -14,6 +14,8 @@ static struct kmem_cache *slab_blocks; +#define rbtree_get_free_block(node) rb_entry((node), struct drm_buddy_block, rb) + static struct drm_buddy_block *drm_block_alloc(struct drm_buddy *mm, struct drm_buddy_block *parent, unsigned int order, @@ -31,6 +33,8 @@ static struct drm_buddy_block *drm_block_alloc(struct drm_buddy *mm, block->header |= order; block->parent = parent; + RB_CLEAR_NODE(&block->rb); + BUG_ON(block->header & DRM_BUDDY_HEADER_UNUSED); return block; } @@ -41,23 +45,49 @@ static void drm_block_free(struct drm_buddy *mm, kmem_cache_free(slab_blocks, block); } -static void list_insert_sorted(struct drm_buddy *mm, - struct drm_buddy_block *block) +static bool drm_buddy_block_offset_less(const struct drm_buddy_block *block, + const struct drm_buddy_block *node) { - struct drm_buddy_block *node; - struct list_head *head; + return drm_buddy_block_offset(block) < drm_buddy_block_offset(node); +} - head = &mm->free_list[drm_buddy_block_order(block)]; - if (list_empty(head)) { - list_add(&block->link, head); - return; - } +static bool rbtree_block_offset_less(struct rb_node *block, + const struct rb_node *node) +{ + return drm_buddy_block_offset_less(rbtree_get_free_block(block), + rbtree_get_free_block(node)); +} - list_for_each_entry(node, head, link) - if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node)) - break; +static void rbtree_insert(struct drm_buddy *mm, + struct drm_buddy_block *block) +{ + rb_add(&block->rb, + &mm->free_tree[drm_buddy_block_order(block)], + rbtree_block_offset_less); +} + +static void rbtree_remove(struct drm_buddy *mm, + struct drm_buddy_block *block) +{ + struct rb_root *root; + + root = &mm->free_tree[drm_buddy_block_order(block)]; + rb_erase(&block->rb, root); - __list_add(&block->link, node->link.prev, &node->link); + RB_CLEAR_NODE(&block->rb); +} + +static struct drm_buddy_block * +rbtree_last_entry(struct drm_buddy *mm, unsigned int order) +{ + struct rb_node *node = rb_last(&mm->free_tree[order]); + + return node ? rb_entry(node, struct drm_buddy_block, rb) : NULL; +} + +static bool rbtree_is_empty(struct drm_buddy *mm, unsigned int order) +{ + return RB_EMPTY_ROOT(&mm->free_tree[order]); } static void clear_reset(struct drm_buddy_block *block) @@ -70,12 +100,13 @@ static void mark_cleared(struct drm_buddy_block *block) block->header |= DRM_BUDDY_HEADER_CLEAR; } -static void mark_allocated(struct drm_buddy_block *block) +static void mark_allocated(struct drm_buddy *mm, + struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_ALLOCATED; - list_del(&block->link); + rbtree_remove(mm, block); } static void mark_free(struct drm_buddy *mm, @@ -84,15 +115,16 @@ static void mark_free(struct drm_buddy *mm, block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_FREE; - list_insert_sorted(mm, block); + rbtree_insert(mm, block); } -static void mark_split(struct drm_buddy_block *block) +static void mark_split(struct drm_buddy *mm, + struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_SPLIT; - list_del(&block->link); + rbtree_remove(mm, block); } static inline bool overlaps(u64 s1, u64 e1, u64 s2, u64 e2) @@ -148,7 +180,7 @@ static unsigned int __drm_buddy_free(struct drm_buddy *mm, mark_cleared(parent); } - list_del(&buddy->link); + rbtree_remove(mm, buddy); if (force_merge && drm_buddy_block_is_clear(buddy)) mm->clear_avail -= drm_buddy_block_size(mm, buddy); @@ -179,9 +211,11 @@ static int __force_merge(struct drm_buddy *mm, return -EINVAL; for (i = min_order - 1; i >= 0; i--) { - struct drm_buddy_block *block, *prev; + struct drm_buddy_block *block, *prev_block, *first_block; + + first_block = rb_entry(rb_first(&mm->free_tree[i]), struct drm_buddy_block, rb); - list_for_each_entry_safe_reverse(block, prev, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry_safe(block, prev_block, &mm->free_tree[i], rb) { struct drm_buddy_block *buddy; u64 block_start, block_end; @@ -206,10 +240,14 @@ static int __force_merge(struct drm_buddy *mm, * block in the next iteration as we would free the * buddy block as part of the free function. */ - if (prev == buddy) - prev = list_prev_entry(prev, link); + if (prev_block && prev_block == buddy) { + if (prev_block != first_block) + prev_block = rb_entry(rb_prev(&prev_block->rb), + struct drm_buddy_block, + rb); + } - list_del(&block->link); + rbtree_remove(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -258,14 +296,14 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) BUG_ON(mm->max_order > DRM_BUDDY_MAX_ORDER); - mm->free_list = kmalloc_array(mm->max_order + 1, - sizeof(struct list_head), + mm->free_tree = kmalloc_array(mm->max_order + 1, + sizeof(struct rb_root), GFP_KERNEL); - if (!mm->free_list) + if (!mm->free_tree) return -ENOMEM; for (i = 0; i <= mm->max_order; ++i) - INIT_LIST_HEAD(&mm->free_list[i]); + mm->free_tree[i] = RB_ROOT; mm->n_roots = hweight64(size); @@ -273,7 +311,7 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) sizeof(struct drm_buddy_block *), GFP_KERNEL); if (!mm->roots) - goto out_free_list; + goto out_free_tree; offset = 0; i = 0; @@ -312,8 +350,8 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) while (i--) drm_block_free(mm, mm->roots[i]); kfree(mm->roots); -out_free_list: - kfree(mm->free_list); +out_free_tree: + kfree(mm->free_tree); return -ENOMEM; } EXPORT_SYMBOL(drm_buddy_init); @@ -323,7 +361,7 @@ EXPORT_SYMBOL(drm_buddy_init); * * @mm: DRM buddy manager to free * - * Cleanup memory manager resources and the freelist + * Cleanup memory manager resources and the freetree */ void drm_buddy_fini(struct drm_buddy *mm) { @@ -350,7 +388,7 @@ void drm_buddy_fini(struct drm_buddy *mm) WARN_ON(mm->avail != mm->size); kfree(mm->roots); - kfree(mm->free_list); + kfree(mm->free_tree); } EXPORT_SYMBOL(drm_buddy_fini); @@ -383,7 +421,7 @@ static int split_block(struct drm_buddy *mm, clear_reset(block); } - mark_split(block); + mark_split(mm, block); return 0; } @@ -412,7 +450,7 @@ EXPORT_SYMBOL(drm_get_buddy); * @is_clear: blocks clear state * * Reset the clear state based on @is_clear value for each block - * in the freelist. + * in the freetree. */ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) { @@ -433,7 +471,7 @@ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) for (i = 0; i <= mm->max_order; ++i) { struct drm_buddy_block *block; - list_for_each_entry_reverse(block, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry(block, &mm->free_tree[i], rb) { if (is_clear != drm_buddy_block_is_clear(block)) { if (is_clear) { mark_cleared(block); @@ -641,7 +679,7 @@ get_maxblock(struct drm_buddy *mm, unsigned int order, for (i = order; i <= mm->max_order; ++i) { struct drm_buddy_block *tmp_block; - list_for_each_entry_reverse(tmp_block, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry(tmp_block, &mm->free_tree[i], rb) { if (block_incompatible(tmp_block, flags)) continue; @@ -667,7 +705,7 @@ get_maxblock(struct drm_buddy *mm, unsigned int order, } static struct drm_buddy_block * -alloc_from_freelist(struct drm_buddy *mm, +alloc_from_freetree(struct drm_buddy *mm, unsigned int order, unsigned long flags) { @@ -684,7 +722,7 @@ alloc_from_freelist(struct drm_buddy *mm, for (tmp = order; tmp <= mm->max_order; ++tmp) { struct drm_buddy_block *tmp_block; - list_for_each_entry_reverse(tmp_block, &mm->free_list[tmp], link) { + rbtree_reverse_for_each_entry(tmp_block, &mm->free_tree[tmp], rb) { if (block_incompatible(tmp_block, flags)) continue; @@ -700,10 +738,8 @@ alloc_from_freelist(struct drm_buddy *mm, if (!block) { /* Fallback method */ for (tmp = order; tmp <= mm->max_order; ++tmp) { - if (!list_empty(&mm->free_list[tmp])) { - block = list_last_entry(&mm->free_list[tmp], - struct drm_buddy_block, - link); + if (!rbtree_is_empty(mm, tmp)) { + block = rbtree_last_entry(mm, tmp); if (block) break; } @@ -771,7 +807,7 @@ static int __alloc_range(struct drm_buddy *mm, if (contains(start, end, block_start, block_end)) { if (drm_buddy_block_is_free(block)) { - mark_allocated(block); + mark_allocated(mm, block); total_allocated += drm_buddy_block_size(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) @@ -849,7 +885,6 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, { u64 rhs_offset, lhs_offset, lhs_size, filled; struct drm_buddy_block *block; - struct list_head *list; LIST_HEAD(blocks_lhs); unsigned long pages; unsigned int order; @@ -862,11 +897,10 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, if (order == 0) return -ENOSPC; - list = &mm->free_list[order]; - if (list_empty(list)) + if (rbtree_is_empty(mm, order)) return -ENOSPC; - list_for_each_entry_reverse(block, list, link) { + rbtree_reverse_for_each_entry(block, &mm->free_tree[order], rb) { /* Allocate blocks traversing RHS */ rhs_offset = drm_buddy_block_offset(block); err = __drm_buddy_alloc_range(mm, rhs_offset, size, @@ -976,7 +1010,7 @@ int drm_buddy_block_trim(struct drm_buddy *mm, list_add(&block->tmp_link, &dfs); err = __alloc_range(mm, &dfs, new_start, new_size, blocks, NULL); if (err) { - mark_allocated(block); + mark_allocated(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -999,8 +1033,8 @@ __drm_buddy_alloc_blocks(struct drm_buddy *mm, return __drm_buddy_alloc_range_bias(mm, start, end, order, flags); else - /* Allocate from freelist */ - return alloc_from_freelist(mm, order, flags); + /* Allocate from freetree */ + return alloc_from_freetree(mm, order, flags); } /** @@ -1017,8 +1051,8 @@ __drm_buddy_alloc_blocks(struct drm_buddy *mm, * alloc_range_bias() called on range limitations, which traverses * the tree and returns the desired block. * - * alloc_from_freelist() called when *no* range restrictions - * are enforced, which picks the block from the freelist. + * alloc_from_freetree() called when *no* range restrictions + * are enforced, which picks the block from the freetree. * * Returns: * 0 on success, error code on failure. @@ -1120,7 +1154,7 @@ int drm_buddy_alloc_blocks(struct drm_buddy *mm, } } while (1); - mark_allocated(block); + mark_allocated(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -1204,7 +1238,7 @@ void drm_buddy_print(struct drm_buddy *mm, struct drm_printer *p) struct drm_buddy_block *block; u64 count = 0, free; - list_for_each_entry(block, &mm->free_list[order], link) { + rbtree_for_each_entry(block, &mm->free_tree[order], rb) { BUG_ON(!drm_buddy_block_is_free(block)); count++; } diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 513837632b7d..9ee105d4309f 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -10,6 +10,7 @@ #include <linux/list.h> #include <linux/slab.h> #include <linux/sched.h> +#include <linux/rbtree.h> #include <drm/drm_print.h> @@ -53,7 +54,11 @@ struct drm_buddy_block { * a list, if so desired. As soon as the block is freed with * drm_buddy_free* ownership is given back to the mm. */ - struct list_head link; + union { + struct rb_node rb; + struct list_head link; + }; + struct list_head tmp_link; }; @@ -68,7 +73,7 @@ struct drm_buddy_block { */ struct drm_buddy { /* Maintain a free list for each order. */ - struct list_head *free_list; + struct rb_root *free_tree; /* * Maintain explicit binary tree(s) to track the allocation of the @@ -94,7 +99,7 @@ struct drm_buddy { }; static inline u64 -drm_buddy_block_offset(struct drm_buddy_block *block) +drm_buddy_block_offset(const struct drm_buddy_block *block) { return block->header & DRM_BUDDY_HEADER_OFFSET; } diff --git a/include/linux/rbtree.h b/include/linux/rbtree.h index 8d2ba3749866..17190bb4837c 100644 --- a/include/linux/rbtree.h +++ b/include/linux/rbtree.h @@ -79,6 +79,62 @@ static inline void rb_link_node_rcu(struct rb_node *node, struct rb_node *parent ____ptr ? rb_entry(____ptr, type, member) : NULL; \ }) +/** + * rbtree_for_each_entry - iterate in-order over rb_root of given type + * + * @pos: the 'type *' to use as a loop cursor. + * @root: 'rb_root *' of the rbtree. + * @member: the name of the rb_node field within 'type'. + */ +#define rbtree_for_each_entry(pos, root, member) \ + for ((pos) = rb_entry_safe(rb_first(root), typeof(*(pos)), member); \ + (pos); \ + (pos) = rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member)) + +/** + * rbtree_reverse_for_each_entry - iterate in reverse in-order over rb_root + * of given type + * + * @pos: the 'type *' to use as a loop cursor. + * @root: 'rb_root *' of the rbtree. + * @member: the name of the rb_node field within 'type'. + */ +#define rbtree_reverse_for_each_entry(pos, root, member) \ + for ((pos) = rb_entry_safe(rb_last(root), typeof(*(pos)), member); \ + (pos); \ + (pos) = rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member)) + +/** + * rbtree_for_each_entry_safe - iterate in-order over rb_root safe against removal + * + * @pos: the 'type *' to use as a loop cursor + * @n: another 'type *' to use as temporary storage + * @root: 'rb_root *' of the rbtree + * @member: the name of the rb_node field within 'type' + */ +#define rbtree_for_each_entry_safe(pos, n, root, member) \ + for ((pos) = rb_entry_safe(rb_first(root), typeof(*(pos)), member), \ + (n) = (pos) ? rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member) : NULL; \ + (pos); \ + (pos) = (n), \ + (n) = (pos) ? rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member) : NULL) + +/** + * rbtree_reverse_for_each_entry_safe - iterate in reverse in-order over rb_root + * safe against removal + * + * @pos: the struct type * to use as a loop cursor. + * @n: another struct type * to use as temporary storage. + * @root: pointer to struct rb_root to iterate. + * @member: name of the rb_node field within the struct. + */ +#define rbtree_reverse_for_each_entry_safe(pos, n, root, member) \ + for ((pos) = rb_entry_safe(rb_last(root), typeof(*(pos)), member), \ + (n) = (pos) ? rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member) : NULL; \ + (pos); \ + (pos) = (n), \ + (n) = (pos) ? rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member) : NULL) + /** * rbtree_postorder_for_each_entry_safe - iterate in post-order over rb_root of * given type allowing the backing memory of @pos to be invalidated base-commit: 7156602d56e5ad689ae11e03680ab6326238b5e3 -- 2.34.1

1 week, 4 days

1
1
0 0

[PATCH net v2] rds: ib: Increment i_fastreg_wrs before bailing out

by Håkon Bugge

We need to increment i_fastreg_wrs before we bail out from rds_ib_post_reg_frmr(). Fixes: 1659185fb4d0 ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode") Fixes: 3a2886cca703 ("net/rds: Keep track of and wait for FRWR segments in use upon shutdown") Cc: stable(a)vger.kernel.org Signed-off-by: Håkon Bugge <haakon.bugge(a)oracle.com> --- v1 -> v2: Added Cc: stable(a)vger.kernel.org --- net/rds/ib_frmr.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/net/rds/ib_frmr.c b/net/rds/ib_frmr.c index 28c1b00221780..7e3b04a83904d 100644 --- a/net/rds/ib_frmr.c +++ b/net/rds/ib_frmr.c @@ -133,12 +133,15 @@ static int rds_ib_post_reg_frmr(struct rds_ib_mr *ibmr) ret = ib_map_mr_sg_zbva(frmr->mr, ibmr->sg, ibmr->sg_dma_len, &off, PAGE_SIZE); - if (unlikely(ret != ibmr->sg_dma_len)) - return ret < 0 ? ret : -EINVAL; + if (unlikely(ret != ibmr->sg_dma_len)) { + ret = ret < 0 ? ret : -EINVAL; + goto out_inc; + } - if (cmpxchg(&frmr->fr_state, - FRMR_IS_FREE, FRMR_IS_INUSE) != FRMR_IS_FREE) - return -EBUSY; + if (cmpxchg(&frmr->fr_state, FRMR_IS_FREE, FRMR_IS_INUSE) != FRMR_IS_FREE) { + ret = -EBUSY; + goto out_inc; + } atomic_inc(&ibmr->ic->i_fastreg_inuse_count); @@ -178,9 +181,11 @@ static int rds_ib_post_reg_frmr(struct rds_ib_mr *ibmr) * being accessed while registration is still pending. */ wait_event(frmr->fr_reg_done, !frmr->fr_reg); - out: + return ret; +out_inc: + atomic_inc(&ibmr->ic->i_fastreg_wrs); return ret; } -- 2.43.5

1 week, 4 days

2
1
0 0

[PATCH v5 2/3] drm/buddy: Separate clear and dirty free block trees

by Arunpravin Paneer Selvam

Maintain two separate RB trees per order - one for clear (zeroed) blocks and another for dirty (uncleared) blocks. This separation improves code clarity and makes it more obvious which tree is being searched during allocation. It also improves scalability and efficiency when searching for a specific type of block, avoiding unnecessary checks and making the allocator more predictable under fragmentation. The changes have been validated using the existing drm_buddy_test KUnit test cases, along with selected graphics workloads, to ensure correctness and avoid regressions. v2: Missed adding the suggested-by tag. Added it in v2. v3(Matthew): - Remove the double underscores from the internal functions. - Rename the internal functions to have less generic names. - Fix the error handling code. - Pass tree argument for the tree macro. - Use the existing dirty/free bit instead of new tree field. - Make free_trees[] instead of clear_tree and dirty_tree for more cleaner approach. v4: - A bug was reported by Intel CI and it is fixed by Matthew Auld. - Replace the get_root function with &mm->free_trees[tree][order] (Matthew) - Remove the unnecessary rbtree_is_empty() check (Matthew) - Remove the unnecessary get_tree_for_flags() function. - Rename get_tree_for_block() name with get_block_tree() for more clarity. v5(Jani Nikula): - Don't use static inline in .c files. - enum free_tree and enumerator names are quite generic for a header and usage and the whole enum should be an implementation detail. Cc: stable(a)vger.kernel.org Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> Suggested-by: Matthew Auld <matthew.auld(a)intel.com> Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4260 --- drivers/gpu/drm/drm_buddy.c | 336 +++++++++++++++++++++--------------- include/drm/drm_buddy.h | 2 +- 2 files changed, 201 insertions(+), 137 deletions(-) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index 8b340f47f73d..4f96e2e17d08 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -12,8 +12,17 @@ #include <drm/drm_buddy.h> +enum drm_buddy_free_tree { + DRM_BUDDY_CLEAR_TREE = 0, + DRM_BUDDY_DIRTY_TREE, + DRM_BUDDY_MAX_FREE_TREES, +}; + static struct kmem_cache *slab_blocks; +#define for_each_free_tree(tree) \ + for ((tree) = 0; (tree) < DRM_BUDDY_MAX_FREE_TREES; (tree)++) + static struct drm_buddy_block *drm_block_alloc(struct drm_buddy *mm, struct drm_buddy_block *parent, unsigned int order, @@ -43,22 +52,61 @@ static void drm_block_free(struct drm_buddy *mm, kmem_cache_free(slab_blocks, block); } +static enum drm_buddy_free_tree +get_block_tree(struct drm_buddy_block *block) +{ + return drm_buddy_block_is_clear(block) ? + DRM_BUDDY_CLEAR_TREE : DRM_BUDDY_DIRTY_TREE; +} + +static struct drm_buddy_block * +rbtree_get_free_block(struct rb_node *node) +{ + return node ? rb_entry(node, struct drm_buddy_block, rb) : NULL; +} + +static struct drm_buddy_block * +rbtree_prev_free_block(struct rb_node *node) +{ + return rbtree_get_free_block(rb_prev(node)); +} + +static struct drm_buddy_block * +rbtree_first_free_block(struct rb_root *root) +{ + return rbtree_get_free_block(rb_first(root)); +} + +static struct drm_buddy_block * +rbtree_last_free_block(struct rb_root *root) +{ + return rbtree_get_free_block(rb_last(root)); +} + +static bool rbtree_is_empty(struct rb_root *root) +{ + return RB_EMPTY_ROOT(root); +} + static void rbtree_insert(struct drm_buddy *mm, - struct drm_buddy_block *block) + struct drm_buddy_block *block, + enum drm_buddy_free_tree tree) { - struct rb_root *root = &mm->free_tree[drm_buddy_block_order(block)]; - struct rb_node **link = &root->rb_node; - struct rb_node *parent = NULL; + struct rb_node **link, *parent = NULL; struct drm_buddy_block *node; - u64 offset; + struct rb_root *root; + unsigned int order; - offset = drm_buddy_block_offset(block); + order = drm_buddy_block_order(block); + + root = &mm->free_trees[tree][order]; + link = &root->rb_node; while (*link) { parent = *link; - node = rb_entry(parent, struct drm_buddy_block, rb); + node = rbtree_get_free_block(parent); - if (offset < drm_buddy_block_offset(node)) + if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node)) link = &parent->rb_left; else link = &parent->rb_right; @@ -71,27 +119,17 @@ static void rbtree_insert(struct drm_buddy *mm, static void rbtree_remove(struct drm_buddy *mm, struct drm_buddy_block *block) { + unsigned int order = drm_buddy_block_order(block); struct rb_root *root; + enum drm_buddy_free_tree tree; - root = &mm->free_tree[drm_buddy_block_order(block)]; - rb_erase(&block->rb, root); + tree = get_block_tree(block); + root = &mm->free_trees[tree][order]; + rb_erase(&block->rb, root); RB_CLEAR_NODE(&block->rb); } -static struct drm_buddy_block * -rbtree_last_entry(struct drm_buddy *mm, unsigned int order) -{ - struct rb_node *node = rb_last(&mm->free_tree[order]); - - return node ? rb_entry(node, struct drm_buddy_block, rb) : NULL; -} - -static bool rbtree_is_empty(struct drm_buddy *mm, unsigned int order) -{ - return RB_EMPTY_ROOT(&mm->free_tree[order]); -} - static void clear_reset(struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_CLEAR; @@ -114,10 +152,13 @@ static void mark_allocated(struct drm_buddy *mm, static void mark_free(struct drm_buddy *mm, struct drm_buddy_block *block) { + enum drm_buddy_free_tree tree; + block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_FREE; - rbtree_insert(mm, block); + tree = get_block_tree(block); + rbtree_insert(mm, block, tree); } static void mark_split(struct drm_buddy *mm, @@ -203,6 +244,7 @@ static int __force_merge(struct drm_buddy *mm, u64 end, unsigned int min_order) { + enum drm_buddy_free_tree tree; unsigned int order; int i; @@ -212,50 +254,49 @@ static int __force_merge(struct drm_buddy *mm, if (min_order > mm->max_order) return -EINVAL; - for (i = min_order - 1; i >= 0; i--) { - struct drm_buddy_block *block, *prev_block, *first_block; - - first_block = rb_entry(rb_first(&mm->free_tree[i]), struct drm_buddy_block, rb); + for_each_free_tree(tree) { + for (i = min_order - 1; i >= 0; i--) { + struct rb_root *root = &mm->free_trees[tree][i]; + struct drm_buddy_block *block, *prev_block; - rbtree_reverse_for_each_entry_safe(block, prev_block, &mm->free_tree[i], rb) { - struct drm_buddy_block *buddy; - u64 block_start, block_end; + rbtree_reverse_for_each_entry_safe(block, prev_block, root, rb) { + struct drm_buddy_block *buddy; + u64 block_start, block_end; - if (!block->parent) - continue; + if (!block->parent) + continue; - block_start = drm_buddy_block_offset(block); - block_end = block_start + drm_buddy_block_size(mm, block) - 1; + block_start = drm_buddy_block_offset(block); + block_end = block_start + drm_buddy_block_size(mm, block) - 1; - if (!contains(start, end, block_start, block_end)) - continue; + if (!contains(start, end, block_start, block_end)) + continue; - buddy = __get_buddy(block); - if (!drm_buddy_block_is_free(buddy)) - continue; + buddy = __get_buddy(block); + if (!drm_buddy_block_is_free(buddy)) + continue; - WARN_ON(drm_buddy_block_is_clear(block) == - drm_buddy_block_is_clear(buddy)); + WARN_ON(drm_buddy_block_is_clear(block) == + drm_buddy_block_is_clear(buddy)); - /* - * If the prev block is same as buddy, don't access the - * block in the next iteration as we would free the - * buddy block as part of the free function. - */ - if (prev_block && prev_block == buddy) { - if (prev_block != first_block) - prev_block = rb_entry(rb_prev(&prev_block->rb), - struct drm_buddy_block, - rb); - } + /* + * If the prev block is same as buddy, don't access the + * block in the next iteration as we would free the + * buddy block as part of the free function. + */ + if (prev_block && prev_block == buddy) { + if (prev_block != rbtree_first_free_block(root)) + prev_block = rbtree_prev_free_block(&prev_block->rb); + } - rbtree_remove(mm, block); - if (drm_buddy_block_is_clear(block)) - mm->clear_avail -= drm_buddy_block_size(mm, block); + rbtree_remove(mm, block); + if (drm_buddy_block_is_clear(block)) + mm->clear_avail -= drm_buddy_block_size(mm, block); - order = __drm_buddy_free(mm, block, true); - if (order >= min_order) - return 0; + order = __drm_buddy_free(mm, block, true); + if (order >= min_order) + return 0; + } } } @@ -276,7 +317,7 @@ static int __force_merge(struct drm_buddy *mm, */ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) { - unsigned int i; + unsigned int i, j; u64 offset; if (size < chunk_size) @@ -298,14 +339,22 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) BUG_ON(mm->max_order > DRM_BUDDY_MAX_ORDER); - mm->free_tree = kmalloc_array(mm->max_order + 1, - sizeof(struct rb_root), - GFP_KERNEL); - if (!mm->free_tree) + mm->free_trees = kmalloc_array(DRM_BUDDY_MAX_FREE_TREES, + sizeof(*mm->free_trees), + GFP_KERNEL); + if (!mm->free_trees) return -ENOMEM; - for (i = 0; i <= mm->max_order; ++i) - mm->free_tree[i] = RB_ROOT; + for (i = 0; i < DRM_BUDDY_MAX_FREE_TREES; i++) { + mm->free_trees[i] = kmalloc_array(mm->max_order + 1, + sizeof(struct rb_root), + GFP_KERNEL); + if (!mm->free_trees[i]) + goto out_free_tree; + + for (j = 0; j <= mm->max_order; ++j) + mm->free_trees[i][j] = RB_ROOT; + } mm->n_roots = hweight64(size); @@ -353,7 +402,9 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) drm_block_free(mm, mm->roots[i]); kfree(mm->roots); out_free_tree: - kfree(mm->free_tree); + while (i--) + kfree(mm->free_trees[i]); + kfree(mm->free_trees); return -ENOMEM; } EXPORT_SYMBOL(drm_buddy_init); @@ -389,8 +440,9 @@ void drm_buddy_fini(struct drm_buddy *mm) WARN_ON(mm->avail != mm->size); + for (i = 0; i < DRM_BUDDY_MAX_FREE_TREES; i++) + kfree(mm->free_trees[i]); kfree(mm->roots); - kfree(mm->free_tree); } EXPORT_SYMBOL(drm_buddy_fini); @@ -414,8 +466,7 @@ static int split_block(struct drm_buddy *mm, return -ENOMEM; } - mark_free(mm, block->left); - mark_free(mm, block->right); + mark_split(mm, block); if (drm_buddy_block_is_clear(block)) { mark_cleared(block->left); @@ -423,7 +474,8 @@ static int split_block(struct drm_buddy *mm, clear_reset(block); } - mark_split(mm, block); + mark_free(mm, block->left); + mark_free(mm, block->right); return 0; } @@ -456,6 +508,7 @@ EXPORT_SYMBOL(drm_get_buddy); */ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) { + enum drm_buddy_free_tree src_tree, dst_tree; u64 root_size, size, start; unsigned int order; int i; @@ -470,19 +523,24 @@ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) size -= root_size; } + src_tree = is_clear ? DRM_BUDDY_DIRTY_TREE : DRM_BUDDY_CLEAR_TREE; + dst_tree = is_clear ? DRM_BUDDY_CLEAR_TREE : DRM_BUDDY_DIRTY_TREE; + for (i = 0; i <= mm->max_order; ++i) { + struct rb_root *root = &mm->free_trees[src_tree][i]; struct drm_buddy_block *block; - rbtree_reverse_for_each_entry(block, &mm->free_tree[i], rb) { - if (is_clear != drm_buddy_block_is_clear(block)) { - if (is_clear) { - mark_cleared(block); - mm->clear_avail += drm_buddy_block_size(mm, block); - } else { - clear_reset(block); - mm->clear_avail -= drm_buddy_block_size(mm, block); - } + rbtree_reverse_for_each_entry(block, root, rb) { + rbtree_remove(mm, block); + if (is_clear) { + mark_cleared(block); + mm->clear_avail += drm_buddy_block_size(mm, block); + } else { + clear_reset(block); + mm->clear_avail -= drm_buddy_block_size(mm, block); } + + rbtree_insert(mm, block, dst_tree); } } } @@ -672,23 +730,17 @@ __drm_buddy_alloc_range_bias(struct drm_buddy *mm, } static struct drm_buddy_block * -get_maxblock(struct drm_buddy *mm, unsigned int order, - unsigned long flags) +get_maxblock(struct drm_buddy *mm, + unsigned int order, + enum drm_buddy_free_tree tree) { struct drm_buddy_block *max_block = NULL, *block = NULL; + struct rb_root *root; unsigned int i; for (i = order; i <= mm->max_order; ++i) { - struct drm_buddy_block *tmp_block; - - rbtree_reverse_for_each_entry(tmp_block, &mm->free_tree[i], rb) { - if (block_incompatible(tmp_block, flags)) - continue; - - block = tmp_block; - break; - } - + root = &mm->free_trees[tree][i]; + block = rbtree_last_free_block(root); if (!block) continue; @@ -712,39 +764,39 @@ alloc_from_freetree(struct drm_buddy *mm, unsigned long flags) { struct drm_buddy_block *block = NULL; + struct rb_root *root; + enum drm_buddy_free_tree tree; unsigned int tmp; int err; + tree = (flags & DRM_BUDDY_CLEAR_ALLOCATION) ? + DRM_BUDDY_CLEAR_TREE : DRM_BUDDY_DIRTY_TREE; + if (flags & DRM_BUDDY_TOPDOWN_ALLOCATION) { - block = get_maxblock(mm, order, flags); + block = get_maxblock(mm, order, tree); if (block) /* Store the obtained block order */ tmp = drm_buddy_block_order(block); } else { for (tmp = order; tmp <= mm->max_order; ++tmp) { - struct drm_buddy_block *tmp_block; - - rbtree_reverse_for_each_entry(tmp_block, &mm->free_tree[tmp], rb) { - if (block_incompatible(tmp_block, flags)) - continue; - - block = tmp_block; - break; - } - + /* Get RB tree root for this order and tree */ + root = &mm->free_trees[tree][tmp]; + block = rbtree_last_free_block(root); if (block) break; } } if (!block) { - /* Fallback method */ + /* Try allocating from the other tree */ + tree = (tree == DRM_BUDDY_CLEAR_TREE) ? + DRM_BUDDY_DIRTY_TREE : DRM_BUDDY_CLEAR_TREE; + for (tmp = order; tmp <= mm->max_order; ++tmp) { - if (!rbtree_is_empty(mm, tmp)) { - block = rbtree_last_entry(mm, tmp); - if (block) - break; - } + root = &mm->free_trees[tree][tmp]; + block = rbtree_last_free_block(root); + if (block) + break; } if (!block) @@ -888,6 +940,7 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, u64 rhs_offset, lhs_offset, lhs_size, filled; struct drm_buddy_block *block; LIST_HEAD(blocks_lhs); + enum drm_buddy_free_tree tree; unsigned long pages; unsigned int order; u64 modify_size; @@ -899,34 +952,39 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, if (order == 0) return -ENOSPC; - if (rbtree_is_empty(mm, order)) + if (rbtree_is_empty(&mm->free_trees[DRM_BUDDY_CLEAR_TREE][order]) && + rbtree_is_empty(&mm->free_trees[DRM_BUDDY_DIRTY_TREE][order])) return -ENOSPC; - rbtree_reverse_for_each_entry(block, &mm->free_tree[order], rb) { - /* Allocate blocks traversing RHS */ - rhs_offset = drm_buddy_block_offset(block); - err = __drm_buddy_alloc_range(mm, rhs_offset, size, - &filled, blocks); - if (!err || err != -ENOSPC) - return err; - - lhs_size = max((size - filled), min_block_size); - if (!IS_ALIGNED(lhs_size, min_block_size)) - lhs_size = round_up(lhs_size, min_block_size); - - /* Allocate blocks traversing LHS */ - lhs_offset = drm_buddy_block_offset(block) - lhs_size; - err = __drm_buddy_alloc_range(mm, lhs_offset, lhs_size, - NULL, &blocks_lhs); - if (!err) { - list_splice(&blocks_lhs, blocks); - return 0; - } else if (err != -ENOSPC) { + for_each_free_tree(tree) { + struct rb_root *root = &mm->free_trees[tree][order]; + + rbtree_reverse_for_each_entry(block, root, rb) { + /* Allocate blocks traversing RHS */ + rhs_offset = drm_buddy_block_offset(block); + err = __drm_buddy_alloc_range(mm, rhs_offset, size, + &filled, blocks); + if (!err || err != -ENOSPC) + return err; + + lhs_size = max((size - filled), min_block_size); + if (!IS_ALIGNED(lhs_size, min_block_size)) + lhs_size = round_up(lhs_size, min_block_size); + + /* Allocate blocks traversing LHS */ + lhs_offset = drm_buddy_block_offset(block) - lhs_size; + err = __drm_buddy_alloc_range(mm, lhs_offset, lhs_size, + NULL, &blocks_lhs); + if (!err) { + list_splice(&blocks_lhs, blocks); + return 0; + } else if (err != -ENOSPC) { + drm_buddy_free_list_internal(mm, blocks); + return err; + } + /* Free blocks for the next iteration */ drm_buddy_free_list_internal(mm, blocks); - return err; } - /* Free blocks for the next iteration */ - drm_buddy_free_list_internal(mm, blocks); } return -ENOSPC; @@ -1231,6 +1289,7 @@ EXPORT_SYMBOL(drm_buddy_block_print); */ void drm_buddy_print(struct drm_buddy *mm, struct drm_printer *p) { + enum drm_buddy_free_tree tree; int order; drm_printf(p, "chunk_size: %lluKiB, total: %lluMiB, free: %lluMiB, clear_free: %lluMiB\n", @@ -1238,11 +1297,16 @@ void drm_buddy_print(struct drm_buddy *mm, struct drm_printer *p) for (order = mm->max_order; order >= 0; order--) { struct drm_buddy_block *block; + struct rb_root *root; u64 count = 0, free; - rbtree_for_each_entry(block, &mm->free_tree[order], rb) { - BUG_ON(!drm_buddy_block_is_free(block)); - count++; + for_each_free_tree(tree) { + root = &mm->free_trees[tree][order]; + + rbtree_for_each_entry(block, root, rb) { + BUG_ON(!drm_buddy_block_is_free(block)); + count++; + } } drm_printf(p, "order-%2d ", order); diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 091823592034..a2189a92bb7a 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -73,7 +73,7 @@ struct drm_buddy_block { */ struct drm_buddy { /* Maintain a free list for each order. */ - struct rb_root *free_tree; + struct rb_root **free_trees; /* * Maintain explicit binary tree(s) to track the allocation of the -- 2.34.1

1 week, 4 days

1
0
0 0

[PATCH net v5] selftests: net: add test for destination in broadcast packets

by Oscar Maes

Add test to check the broadcast ethernet destination field is set correctly. This test sends a broadcast ping, captures it using tcpdump and ensures that all bits of the 6 octet ethernet destination address are correctly set by examining the output capture file. Co-developed-by: Brett A C Sheffield <bacs(a)librecast.net> Signed-off-by: Brett A C Sheffield <bacs(a)librecast.net> Signed-off-by: Oscar Maes <oscmaes92(a)gmail.com> --- v4 -> v5: - Fixed Signed-off-by chain v3 -> v4: - Added Brett as co-author - Wait for tcpdump to bind using slowwait Links: - Discussion: https://lore.kernel.org/netdev/20250822165231.4353-4-bacs@librecast.net/ - Previous version: https://lore.kernel.org/netdev/20250828114242.6433-1-oscmaes92@gmail.com/ Thanks to Brett Sheffield for co-developing this selftest! tools/testing/selftests/net/Makefile | 1 + .../selftests/net/broadcast_ether_dst.sh | 83 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100755 tools/testing/selftests/net/broadcast_ether_dst.sh diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index b31a71f2b372..56ad10ea6628 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -115,6 +115,7 @@ TEST_PROGS += skf_net_off.sh TEST_GEN_FILES += skf_net_off TEST_GEN_FILES += tfo TEST_PROGS += tfo_passive.sh +TEST_PROGS += broadcast_ether_dst.sh TEST_PROGS += broadcast_pmtu.sh TEST_PROGS += ipv6_force_forwarding.sh diff --git a/tools/testing/selftests/net/broadcast_ether_dst.sh b/tools/testing/selftests/net/broadcast_ether_dst.sh new file mode 100755 index 000000000000..334a7eca8a80 --- /dev/null +++ b/tools/testing/selftests/net/broadcast_ether_dst.sh @@ -0,0 +1,83 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# Author: Brett A C Sheffield <bacs(a)librecast.net> +# Author: Oscar Maes <oscmaes92(a)gmail.com> +# +# Ensure destination ethernet field is correctly set for +# broadcast packets + +source lib.sh + +CLIENT_IP4="192.168.0.1" +GW_IP4="192.168.0.2" + +setup() { + setup_ns CLIENT_NS SERVER_NS + + ip -net "${SERVER_NS}" link add link1 type veth \ + peer name link0 netns "${CLIENT_NS}" + + ip -net "${CLIENT_NS}" link set link0 up + ip -net "${CLIENT_NS}" addr add "${CLIENT_IP4}"/24 dev link0 + + ip -net "${SERVER_NS}" link set link1 up + + ip -net "${CLIENT_NS}" route add default via "${GW_IP4}" + ip netns exec "${CLIENT_NS}" arp -s "${GW_IP4}" 00:11:22:33:44:55 +} + +cleanup() { + rm -f "${CAPFILE}" "${OUTPUT}" + ip -net "${SERVER_NS}" link del link1 + cleanup_ns "${CLIENT_NS}" "${SERVER_NS}" +} + +test_broadcast_ether_dst() { + local rc=0 + CAPFILE=$(mktemp -u cap.XXXXXXXXXX) + OUTPUT=$(mktemp -u out.XXXXXXXXXX) + + echo "Testing ethernet broadcast destination" + + # start tcpdump listening for icmp + # tcpdump will exit after receiving a single packet + # timeout will kill tcpdump if it is still running after 2s + timeout 2s ip netns exec "${CLIENT_NS}" \ + tcpdump -i link0 -c 1 -w "${CAPFILE}" icmp &> "${OUTPUT}" & + pid=$! + slowwait 1 grep -qs "listening" "${OUTPUT}" + + # send broadcast ping + ip netns exec "${CLIENT_NS}" \ + ping -W0.01 -c1 -b 255.255.255.255 &> /dev/null + + # wait for tcpdump for exit after receiving packet + wait "${pid}" + + # compare ethernet destination field to ff:ff:ff:ff:ff:ff + ether_dst=$(tcpdump -r "${CAPFILE}" -tnne 2>/dev/null | \ + awk '{sub(/,/,"",$3); print $3}') + if [[ "${ether_dst}" == "ff:ff:ff:ff:ff:ff" ]]; then + echo "[ OK ]" + rc="${ksft_pass}" + else + echo "[FAIL] expected dst ether addr to be ff:ff:ff:ff:ff:ff," \ + "got ${ether_dst}" + rc="${ksft_fail}" + fi + + return "${rc}" +} + +if [ ! -x "$(command -v tcpdump)" ]; then + echo "SKIP: Could not run test without tcpdump tool" + exit "${ksft_skip}" +fi + +trap cleanup EXIT + +setup +test_broadcast_ether_dst + +exit $? -- 2.39.5

1 week, 4 days

3
2
0 0

[PATCH iwlwifi-fixes] wifi: iwlwifi: fix 130/1030 configs

by Miri Korenblit

From: Johannes Berg <johannes.berg(a)intel.com> The 130/1030 devices are really derivatives of 6030, with some small differences not pertaining to the MAC, so they must use the 6030 MAC config. Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220472 Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220517 Fixes: 35ac275ebe0c ("wifi: iwlwifi: cfg: finish config split") Cc: stable(a)vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit(a)intel.com> --- drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c index f9e2095d6490..7e56e4ff7642 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c @@ -124,13 +124,13 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct pci_device_id iwl_hw_card_ids[] = { {IWL_PCI_DEVICE(0x0082, 0x1304, iwl6005_mac_cfg)},/* low 5GHz active */ {IWL_PCI_DEVICE(0x0082, 0x1305, iwl6005_mac_cfg)},/* high 5GHz active */ -/* 6x30 Series */ - {IWL_PCI_DEVICE(0x008A, 0x5305, iwl1000_mac_cfg)}, - {IWL_PCI_DEVICE(0x008A, 0x5307, iwl1000_mac_cfg)}, - {IWL_PCI_DEVICE(0x008A, 0x5325, iwl1000_mac_cfg)}, - {IWL_PCI_DEVICE(0x008A, 0x5327, iwl1000_mac_cfg)}, - {IWL_PCI_DEVICE(0x008B, 0x5315, iwl1000_mac_cfg)}, - {IWL_PCI_DEVICE(0x008B, 0x5317, iwl1000_mac_cfg)}, +/* 1030/6x30 Series */ + {IWL_PCI_DEVICE(0x008A, 0x5305, iwl6030_mac_cfg)}, + {IWL_PCI_DEVICE(0x008A, 0x5307, iwl6030_mac_cfg)}, + {IWL_PCI_DEVICE(0x008A, 0x5325, iwl6030_mac_cfg)}, + {IWL_PCI_DEVICE(0x008A, 0x5327, iwl6030_mac_cfg)}, + {IWL_PCI_DEVICE(0x008B, 0x5315, iwl6030_mac_cfg)}, + {IWL_PCI_DEVICE(0x008B, 0x5317, iwl6030_mac_cfg)}, {IWL_PCI_DEVICE(0x0090, 0x5211, iwl6030_mac_cfg)}, {IWL_PCI_DEVICE(0x0090, 0x5215, iwl6030_mac_cfg)}, {IWL_PCI_DEVICE(0x0090, 0x5216, iwl6030_mac_cfg)}, @@ -181,12 +181,12 @@ VISIBLE_IF_IWLWIFI_KUNIT const struct pci_device_id iwl_hw_card_ids[] = { {IWL_PCI_DEVICE(0x08AE, 0x1027, iwl1000_mac_cfg)}, /* 130 Series WiFi */ - {IWL_PCI_DEVICE(0x0896, 0x5005, iwl1000_mac_cfg)}, - {IWL_PCI_DEVICE(0x0896, 0x5007, iwl1000_mac_cfg)}, - {IWL_PCI_DEVICE(0x0897, 0x5015, iwl1000_mac_cfg)}, - {IWL_PCI_DEVICE(0x0897, 0x5017, iwl1000_mac_cfg)}, - {IWL_PCI_DEVICE(0x0896, 0x5025, iwl1000_mac_cfg)}, - {IWL_PCI_DEVICE(0x0896, 0x5027, iwl1000_mac_cfg)}, + {IWL_PCI_DEVICE(0x0896, 0x5005, iwl6030_mac_cfg)}, + {IWL_PCI_DEVICE(0x0896, 0x5007, iwl6030_mac_cfg)}, + {IWL_PCI_DEVICE(0x0897, 0x5015, iwl6030_mac_cfg)}, + {IWL_PCI_DEVICE(0x0897, 0x5017, iwl6030_mac_cfg)}, + {IWL_PCI_DEVICE(0x0896, 0x5025, iwl6030_mac_cfg)}, + {IWL_PCI_DEVICE(0x0896, 0x5027, iwl6030_mac_cfg)}, /* 2x00 Series */ {IWL_PCI_DEVICE(0x0890, 0x4022, iwl2000_mac_cfg)}, -- 2.34.1

1 week, 4 days

1
0
0 0

[PATCH 0/3] Fix the NULL pointer deference issue in QMP USB drivers

by Kathiravan Thirumoorthy

In the suspend / resume callbacks, qmp->phy could be NULL because PHY is created after the PM ops are enabled, which lead to the NULL pointer deference. Internally issue is reported on qcom-qmp-usb driver. Since the fix is applicable to legacy and usbc drivers, incoporated the fixes for those driver as well. qcom-qmp-usb-legacy and qcom-qmp-usbc drivers are splitted out from qcom-qmp-usb driver in v6.6 and v6.9 respectively. So splitted the changes into 3, for ease of backporting. Signed-off-by: Kathiravan Thirumoorthy <kathiravan.thirumoorthy(a)oss.qualcomm.com> --- Poovendhan Selvaraj (3): phy: qcom-qmp-usb: fix NULL pointer dereference in PM callbacks phy: qcom-qmp-usb-legacy: fix NULL pointer dereference in PM callbacks phy: qcom-qmp-usbc: fix NULL pointer dereference in PM callbacks drivers/phy/qualcomm/phy-qcom-qmp-usb-legacy.c | 4 ++-- drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 4 ++-- drivers/phy/qualcomm/phy-qcom-qmp-usbc.c | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) --- base-commit: 0f4c93f7eb861acab537dbe94441817a270537bf change-id: 20250825-qmp-null-deref-on-pm-fd98a91c775b Best regards, -- Kathiravan Thirumoorthy <kathiravan.thirumoorthy(a)oss.qualcomm.com>

1 week, 4 days

3
7
0 0

[merged mm-hotfixes-stable] mm-damon-sysfs-fix-use-after-free-in-state_show.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/damon/sysfs: fix use-after-free in state_show() has been removed from the -mm tree. Its filename was mm-damon-sysfs-fix-use-after-free-in-state_show.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Stanislav Fort <stanislav.fort(a)aisle.com> Subject: mm/damon/sysfs: fix use-after-free in state_show() Date: Fri, 5 Sep 2025 13:10:46 +0300 state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. This allows a use-after-free race: CPU 0 CPU 1 ----- ----- state_show() damon_sysfs_turn_damon_on() ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock); damon_destroy_ctx(kdamond->damon_ctx); kdamond->damon_ctx = NULL; mutex_unlock(&damon_sysfs_lock); damon_is_running(ctx); /* ctx is freed */ mutex_lock(&ctx->kdamond_lock); /* UAF */ (The race can also occur with damon_sysfs_kdamonds_rm_dirs() and damon_sysfs_kdamond_release(), which free or replace the context under damon_sysfs_lock.) Fix by taking damon_sysfs_lock before dereferencing the context, mirroring the locking used in pid_show(). The bug has existed since state_show() first accessed kdamond->damon_ctx. Link: https://lkml.kernel.org/r/20250905101046.2288-1-disclosure@aisle.com Fixes: a61ea561c871 ("mm/damon/sysfs: link DAMON for virtual address spaces monitoring") Signed-off-by: Stanislav Fort <disclosure(a)aisle.com> Reported-by: Stanislav Fort <disclosure(a)aisle.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/sysfs.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) --- a/mm/damon/sysfs.c~mm-damon-sysfs-fix-use-after-free-in-state_show +++ a/mm/damon/sysfs.c @@ -1260,14 +1260,18 @@ static ssize_t state_show(struct kobject { struct damon_sysfs_kdamond *kdamond = container_of(kobj, struct damon_sysfs_kdamond, kobj); - struct damon_ctx *ctx = kdamond->damon_ctx; - bool running; + struct damon_ctx *ctx; + bool running = false; - if (!ctx) - running = false; - else + if (!mutex_trylock(&damon_sysfs_lock)) + return -EBUSY; + + ctx = kdamond->damon_ctx; + if (ctx) running = damon_is_running(ctx); + mutex_unlock(&damon_sysfs_lock); + return sysfs_emit(buf, "%s\n", running ? damon_sysfs_cmd_strs[DAMON_SYSFS_CMD_ON] : damon_sysfs_cmd_strs[DAMON_SYSFS_CMD_OFF]); _ Patches currently in -mm which might be from stanislav.fort(a)aisle.com are mm-memcg-v1-account-event-registrations-and-drop-world-writable-cgroupevent_control.patch

1 week, 4 days

1
0
0 0

[merged mm-hotfixes-stable] proc-fix-type-confusion-in-pde_set_flags.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: proc: fix type confusion in pde_set_flags() has been removed from the -mm tree. Its filename was proc-fix-type-confusion-in-pde_set_flags.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: wangzijie <wangzijie1(a)honor.com> Subject: proc: fix type confusion in pde_set_flags() Date: Thu, 4 Sep 2025 21:57:15 +0800 Commit 2ce3d282bd50 ("proc: fix missing pde_set_flags() for net proc files") missed a key part in the definition of proc_dir_entry: union { const struct proc_ops *proc_ops; const struct file_operations *proc_dir_ops; }; So dereference of ->proc_ops assumes it is a proc_ops structure results in type confusion and make NULL check for 'proc_ops' not work for proc dir. Add !S_ISDIR(dp->mode) test before calling pde_set_flags() to fix it. Link: https://lkml.kernel.org/r/20250904135715.3972782-1-wangzijie1@honor.com Fixes: 2ce3d282bd50 ("proc: fix missing pde_set_flags() for net proc files") Signed-off-by: wangzijie <wangzijie1(a)honor.com> Reported-by: Brad Spengler <spender(a)grsecurity.net> Closes: https://lore.kernel.org/all/20250903065758.3678537-1-wangzijie1@honor.com/ Cc: Alexey Dobriyan <adobriyan(a)gmail.com> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Christian Brauner <brauner(a)kernel.org> Cc: Jiri Slaby <jirislaby(a)kernel.org> Cc: Stefano Brivio <sbrivio(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/generic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/proc/generic.c~proc-fix-type-confusion-in-pde_set_flags +++ a/fs/proc/generic.c @@ -393,7 +393,8 @@ struct proc_dir_entry *proc_register(str if (proc_alloc_inum(&dp->low_ino)) goto out_free_entry; - pde_set_flags(dp); + if (!S_ISDIR(dp->mode)) + pde_set_flags(dp); write_lock(&proc_subdir_lock); dp->parent = dir; _ Patches currently in -mm which might be from wangzijie1(a)honor.com are

1 week, 4 days

1
0
0 0

[merged mm-hotfixes-stable] compiler-clangh-define-__sanitize___-macros-only-when-undefined.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: compiler-clang.h: define __SANITIZE_*__ macros only when undefined has been removed from the -mm tree. Its filename was compiler-clangh-define-__sanitize___-macros-only-when-undefined.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Nathan Chancellor <nathan(a)kernel.org> Subject: compiler-clang.h: define __SANITIZE_*__ macros only when undefined Date: Tue, 02 Sep 2025 15:49:26 -0700 Clang 22 recently added support for defining __SANITIZE__ macros similar to GCC [1], which causes warnings (or errors with CONFIG_WERROR=y or W=e) with the existing defines that the kernel creates to emulate this behavior with existing clang versions. In file included from <built-in>:3: In file included from include/linux/compiler_types.h:171: include/linux/compiler-clang.h:37:9: error: '__SANITIZE_THREAD__' macro redefined [-Werror,-Wmacro-redefined] 37 | #define __SANITIZE_THREAD__ | ^ <built-in>:352:9: note: previous definition is here 352 | #define __SANITIZE_THREAD__ 1 | ^ Refactor compiler-clang.h to only define the sanitizer macros when they are undefined and adjust the rest of the code to use these macros for checking if the sanitizers are enabled, clearing up the warnings and allowing the kernel to easily drop these defines when the minimum supported version of LLVM for building the kernel becomes 22.0.0 or newer. Link: https://lkml.kernel.org/r/20250902-clang-update-sanitize-defines-v1-1-cf370… Link: https://github.com/llvm/llvm-project/commit/568c23bbd3303518c5056d7f03444da… [1] Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> Reviewed-by: Justin Stitt <justinstitt(a)google.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Bill Wendling <morbo(a)google.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: Marco Elver <elver(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/compiler-clang.h | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) --- a/include/linux/compiler-clang.h~compiler-clangh-define-__sanitize___-macros-only-when-undefined +++ a/include/linux/compiler-clang.h @@ -18,23 +18,42 @@ #define KASAN_ABI_VERSION 5 /* + * Clang 22 added preprocessor macros to match GCC, in hopes of eventually + * dropping __has_feature support for sanitizers: + * https://github.com/llvm/llvm-project/commit/568c23bbd3303518c5056d7f03444da… + * Create these macros for older versions of clang so that it is easy to clean + * up once the minimum supported version of LLVM for building the kernel always + * creates these macros. + * * Note: Checking __has_feature(*_sanitizer) is only true if the feature is * enabled. Therefore it is not required to additionally check defined(CONFIG_*) * to avoid adding redundant attributes in other configurations. */ +#if __has_feature(address_sanitizer) && !defined(__SANITIZE_ADDRESS__) +#define __SANITIZE_ADDRESS__ +#endif +#if __has_feature(hwaddress_sanitizer) && !defined(__SANITIZE_HWADDRESS__) +#define __SANITIZE_HWADDRESS__ +#endif +#if __has_feature(thread_sanitizer) && !defined(__SANITIZE_THREAD__) +#define __SANITIZE_THREAD__ +#endif -#if __has_feature(address_sanitizer) || __has_feature(hwaddress_sanitizer) -/* Emulate GCC's __SANITIZE_ADDRESS__ flag */ +/* + * Treat __SANITIZE_HWADDRESS__ the same as __SANITIZE_ADDRESS__ in the kernel. + */ +#ifdef __SANITIZE_HWADDRESS__ #define __SANITIZE_ADDRESS__ +#endif + +#ifdef __SANITIZE_ADDRESS__ #define __no_sanitize_address \ __attribute__((no_sanitize("address", "hwaddress"))) #else #define __no_sanitize_address #endif -#if __has_feature(thread_sanitizer) -/* emulate gcc's __SANITIZE_THREAD__ flag */ -#define __SANITIZE_THREAD__ +#ifdef __SANITIZE_THREAD__ #define __no_sanitize_thread \ __attribute__((no_sanitize("thread"))) #else _ Patches currently in -mm which might be from nathan(a)kernel.org are nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch mm-rmap-convert-enum-rmap_level-to-enum-pgtable_level-fix.patch

1 week, 4 days

1
0
0 0

[merged mm-hotfixes-stable] mm-vmalloc-mm-kasan-respect-gfp-mask-in-kasan_populate_vmalloc.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() has been removed from the -mm tree. Its filename was mm-vmalloc-mm-kasan-respect-gfp-mask-in-kasan_populate_vmalloc.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: "Uladzislau Rezki (Sony)" <urezki(a)gmail.com> Subject: mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() Date: Sun, 31 Aug 2025 14:10:58 +0200 kasan_populate_vmalloc() and its helpers ignore the caller's gfp_mask and always allocate memory using the hardcoded GFP_KERNEL flag. This makes them inconsistent with vmalloc(), which was recently extended to support GFP_NOFS and GFP_NOIO allocations. Page table allocations performed during shadow population also ignore the external gfp_mask. To preserve the intended semantics of GFP_NOFS and GFP_NOIO, wrap the apply_to_page_range() calls into the appropriate memalloc scope. xfs calls vmalloc with GFP_NOFS, so this bug could lead to deadlock. There was a report here https://lkml.kernel.org/r/686ea951.050a0220.385921.0016.GAE@google.com This patch: - Extends kasan_populate_vmalloc() and helpers to take gfp_mask; - Passes gfp_mask down to alloc_pages_bulk() and __get_free_page(); - Enforces GFP_NOFS/NOIO semantics with memalloc_*_save()/restore() around apply_to_page_range(); - Updates vmalloc.c and percpu allocator call sites accordingly. Link: https://lkml.kernel.org/r/20250831121058.92971-1-urezki@gmail.com Fixes: 451769ebb7e7 ("mm/vmalloc: alloc GFP_NO{FS,IO} for vmalloc") Signed-off-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com> Reported-by: syzbot+3470c9ffee63e4abafeb(a)syzkaller.appspotmail.com Reviewed-by: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Baoquan He <bhe(a)redhat.com> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/kasan.h | 6 +++--- mm/kasan/shadow.c | 31 ++++++++++++++++++++++++------- mm/vmalloc.c | 8 ++++---- 3 files changed, 31 insertions(+), 14 deletions(-) --- a/include/linux/kasan.h~mm-vmalloc-mm-kasan-respect-gfp-mask-in-kasan_populate_vmalloc +++ a/include/linux/kasan.h @@ -562,7 +562,7 @@ static inline void kasan_init_hw_tags(vo #if defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS) void kasan_populate_early_vm_area_shadow(void *start, unsigned long size); -int kasan_populate_vmalloc(unsigned long addr, unsigned long size); +int kasan_populate_vmalloc(unsigned long addr, unsigned long size, gfp_t gfp_mask); void kasan_release_vmalloc(unsigned long start, unsigned long end, unsigned long free_region_start, unsigned long free_region_end, @@ -574,7 +574,7 @@ static inline void kasan_populate_early_ unsigned long size) { } static inline int kasan_populate_vmalloc(unsigned long start, - unsigned long size) + unsigned long size, gfp_t gfp_mask) { return 0; } @@ -610,7 +610,7 @@ static __always_inline void kasan_poison static inline void kasan_populate_early_vm_area_shadow(void *start, unsigned long size) { } static inline int kasan_populate_vmalloc(unsigned long start, - unsigned long size) + unsigned long size, gfp_t gfp_mask) { return 0; } --- a/mm/kasan/shadow.c~mm-vmalloc-mm-kasan-respect-gfp-mask-in-kasan_populate_vmalloc +++ a/mm/kasan/shadow.c @@ -336,13 +336,13 @@ static void ___free_pages_bulk(struct pa } } -static int ___alloc_pages_bulk(struct page **pages, int nr_pages) +static int ___alloc_pages_bulk(struct page **pages, int nr_pages, gfp_t gfp_mask) { unsigned long nr_populated, nr_total = nr_pages; struct page **page_array = pages; while (nr_pages) { - nr_populated = alloc_pages_bulk(GFP_KERNEL, nr_pages, pages); + nr_populated = alloc_pages_bulk(gfp_mask, nr_pages, pages); if (!nr_populated) { ___free_pages_bulk(page_array, nr_total - nr_pages); return -ENOMEM; @@ -354,25 +354,42 @@ static int ___alloc_pages_bulk(struct pa return 0; } -static int __kasan_populate_vmalloc(unsigned long start, unsigned long end) +static int __kasan_populate_vmalloc(unsigned long start, unsigned long end, gfp_t gfp_mask) { unsigned long nr_pages, nr_total = PFN_UP(end - start); struct vmalloc_populate_data data; + unsigned int flags; int ret = 0; - data.pages = (struct page **)__get_free_page(GFP_KERNEL | __GFP_ZERO); + data.pages = (struct page **)__get_free_page(gfp_mask | __GFP_ZERO); if (!data.pages) return -ENOMEM; while (nr_total) { nr_pages = min(nr_total, PAGE_SIZE / sizeof(data.pages[0])); - ret = ___alloc_pages_bulk(data.pages, nr_pages); + ret = ___alloc_pages_bulk(data.pages, nr_pages, gfp_mask); if (ret) break; data.start = start; + + /* + * page tables allocations ignore external gfp mask, enforce it + * by the scope API + */ + if ((gfp_mask & (__GFP_FS | __GFP_IO)) == __GFP_IO) + flags = memalloc_nofs_save(); + else if ((gfp_mask & (__GFP_FS | __GFP_IO)) == 0) + flags = memalloc_noio_save(); + ret = apply_to_page_range(&init_mm, start, nr_pages * PAGE_SIZE, kasan_populate_vmalloc_pte, &data); + + if ((gfp_mask & (__GFP_FS | __GFP_IO)) == __GFP_IO) + memalloc_nofs_restore(flags); + else if ((gfp_mask & (__GFP_FS | __GFP_IO)) == 0) + memalloc_noio_restore(flags); + ___free_pages_bulk(data.pages, nr_pages); if (ret) break; @@ -386,7 +403,7 @@ static int __kasan_populate_vmalloc(unsi return ret; } -int kasan_populate_vmalloc(unsigned long addr, unsigned long size) +int kasan_populate_vmalloc(unsigned long addr, unsigned long size, gfp_t gfp_mask) { unsigned long shadow_start, shadow_end; int ret; @@ -415,7 +432,7 @@ int kasan_populate_vmalloc(unsigned long shadow_start = PAGE_ALIGN_DOWN(shadow_start); shadow_end = PAGE_ALIGN(shadow_end); - ret = __kasan_populate_vmalloc(shadow_start, shadow_end); + ret = __kasan_populate_vmalloc(shadow_start, shadow_end, gfp_mask); if (ret) return ret; --- a/mm/vmalloc.c~mm-vmalloc-mm-kasan-respect-gfp-mask-in-kasan_populate_vmalloc +++ a/mm/vmalloc.c @@ -2026,6 +2026,8 @@ static struct vmap_area *alloc_vmap_area if (unlikely(!vmap_initialized)) return ERR_PTR(-EBUSY); + /* Only reclaim behaviour flags are relevant. */ + gfp_mask = gfp_mask & GFP_RECLAIM_MASK; might_sleep(); /* @@ -2038,8 +2040,6 @@ static struct vmap_area *alloc_vmap_area */ va = node_alloc(size, align, vstart, vend, &addr, &vn_id); if (!va) { - gfp_mask = gfp_mask & GFP_RECLAIM_MASK; - va = kmem_cache_alloc_node(vmap_area_cachep, gfp_mask, node); if (unlikely(!va)) return ERR_PTR(-ENOMEM); @@ -2089,7 +2089,7 @@ retry: BUG_ON(va->va_start < vstart); BUG_ON(va->va_end > vend); - ret = kasan_populate_vmalloc(addr, size); + ret = kasan_populate_vmalloc(addr, size, gfp_mask); if (ret) { free_vmap_area(va); return ERR_PTR(ret); @@ -4826,7 +4826,7 @@ retry: /* populate the kasan shadow space */ for (area = 0; area < nr_vms; area++) { - if (kasan_populate_vmalloc(vas[area]->va_start, sizes[area])) + if (kasan_populate_vmalloc(vas[area]->va_start, sizes[area], GFP_KERNEL)) goto err_free_shadow; } _ Patches currently in -mm which might be from urezki(a)gmail.com are

1 week, 4 days

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-fix-recursive-semaphore-deadlock-in-fiemap-call.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: fix recursive semaphore deadlock in fiemap call has been removed from the -mm tree. Its filename was ocfs2-fix-recursive-semaphore-deadlock-in-fiemap-call.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Mark Tinguely <mark.tinguely(a)oracle.com> Subject: ocfs2: fix recursive semaphore deadlock in fiemap call Date: Fri, 29 Aug 2025 10:18:15 -0500 syzbot detected a OCFS2 hang due to a recursive semaphore on a FS_IOC_FIEMAP of the extent list on a specially crafted mmap file. context_switch kernel/sched/core.c:5357 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961 __schedule_loop kernel/sched/core.c:7043 [inline] schedule+0x165/0x360 kernel/sched/core.c:7058 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115 rwsem_down_write_slowpath+0x872/0xfe0 kernel/locking/rwsem.c:1185 __down_write_common kernel/locking/rwsem.c:1317 [inline] __down_write kernel/locking/rwsem.c:1326 [inline] down_write+0x1ab/0x1f0 kernel/locking/rwsem.c:1591 ocfs2_page_mkwrite+0x2ff/0xc40 fs/ocfs2/mmap.c:142 do_page_mkwrite+0x14d/0x310 mm/memory.c:3361 wp_page_shared mm/memory.c:3762 [inline] do_wp_page+0x268d/0x5800 mm/memory.c:3981 handle_pte_fault mm/memory.c:6068 [inline] __handle_mm_fault+0x1033/0x5440 mm/memory.c:6195 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364 do_user_addr_fault+0x764/0x1390 arch/x86/mm/fault.c:1387 handle_page_fault arch/x86/mm/fault.c:1476 [inline] exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline] RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline] RIP: 0010:_inline_copy_to_user include/linux/uaccess.h:197 [inline] RIP: 0010:_copy_to_user+0x85/0xb0 lib/usercopy.c:26 Code: e8 00 bc f7 fc 4d 39 fc 72 3d 4d 39 ec 77 38 e8 91 b9 f7 fc 4c 89 f7 89 de e8 47 25 5b fd 0f 01 cb 4c 89 ff 48 89 d9 4c 89 f6 <f3> a4 0f 1f 00 48 89 cb 0f 01 ca 48 89 d8 5b 41 5c 41 5d 41 5e 41 RSP: 0018:ffffc9000403f950 EFLAGS: 00050256 RAX: ffffffff84c7f101 RBX: 0000000000000038 RCX: 0000000000000038 RDX: 0000000000000000 RSI: ffffc9000403f9e0 RDI: 0000200000000060 RBP: ffffc9000403fa90 R08: ffffc9000403fa17 R09: 1ffff92000807f42 R10: dffffc0000000000 R11: fffff52000807f43 R12: 0000200000000098 R13: 00007ffffffff000 R14: ffffc9000403f9e0 R15: 0000200000000060 copy_to_user include/linux/uaccess.h:225 [inline] fiemap_fill_next_extent+0x1c0/0x390 fs/ioctl.c:145 ocfs2_fiemap+0x888/0xc90 fs/ocfs2/extent_map.c:806 ioctl_fiemap fs/ioctl.c:220 [inline] do_vfs_ioctl+0x1173/0x1430 fs/ioctl.c:532 __do_sys_ioctl fs/ioctl.c:596 [inline] __se_sys_ioctl+0x82/0x170 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5f13850fd9 RSP: 002b:00007ffe3b3518b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000200000000000 RCX: 00007f5f13850fd9 RDX: 0000200000000040 RSI: 00000000c020660b RDI: 0000000000000004 RBP: 6165627472616568 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3b3518f0 R13: 00007ffe3b351b18 R14: 431bde82d7b634db R15: 00007f5f1389a03b ocfs2_fiemap() takes a read lock of the ip_alloc_sem semaphore (since v2.6.22-527-g7307de80510a) and calls fiemap_fill_next_extent() to read the extent list of this running mmap executable. The user supplied buffer to hold the fiemap information page faults calling ocfs2_page_mkwrite() which will take a write lock (since v2.6.27-38-g00dc417fa3e7) of the same semaphore. This recursive semaphore will hold filesystem locks and causes a hang of the fileystem. The ip_alloc_sem protects the inode extent list and size. Release the read semphore before calling fiemap_fill_next_extent() in ocfs2_fiemap() and ocfs2_fiemap_inline(). This does an unnecessary semaphore lock/unlock on the last extent but simplifies the error path. Link: https://lkml.kernel.org/r/61d1a62b-2631-4f12-81e2-cd689914360b@oracle.com Fixes: 00dc417fa3e7 ("ocfs2: fiemap support") Signed-off-by: Mark Tinguely <mark.tinguely(a)oracle.com> Reported-by: syzbot+541dcc6ee768f77103e7(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=541dcc6ee768f77103e7 Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/extent_map.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/fs/ocfs2/extent_map.c~ocfs2-fix-recursive-semaphore-deadlock-in-fiemap-call +++ a/fs/ocfs2/extent_map.c @@ -706,6 +706,8 @@ out: * it not only handles the fiemap for inlined files, but also deals * with the fast symlink, cause they have no difference for extent * mapping per se. + * + * Must be called with ip_alloc_sem semaphore held. */ static int ocfs2_fiemap_inline(struct inode *inode, struct buffer_head *di_bh, struct fiemap_extent_info *fieinfo, @@ -717,6 +719,7 @@ static int ocfs2_fiemap_inline(struct in u64 phys; u32 flags = FIEMAP_EXTENT_DATA_INLINE|FIEMAP_EXTENT_LAST; struct ocfs2_inode_info *oi = OCFS2_I(inode); + lockdep_assert_held_read(&oi->ip_alloc_sem); di = (struct ocfs2_dinode *)di_bh->b_data; if (ocfs2_inode_is_fast_symlink(inode)) @@ -732,8 +735,11 @@ static int ocfs2_fiemap_inline(struct in phys += offsetof(struct ocfs2_dinode, id2.i_data.id_data); + /* Release the ip_alloc_sem to prevent deadlock on page fault */ + up_read(&OCFS2_I(inode)->ip_alloc_sem); ret = fiemap_fill_next_extent(fieinfo, 0, phys, id_count, flags); + down_read(&OCFS2_I(inode)->ip_alloc_sem); if (ret < 0) return ret; } @@ -802,9 +808,11 @@ int ocfs2_fiemap(struct inode *inode, st len_bytes = (u64)le16_to_cpu(rec.e_leaf_clusters) << osb->s_clustersize_bits; phys_bytes = le64_to_cpu(rec.e_blkno) << osb->sb->s_blocksize_bits; virt_bytes = (u64)le32_to_cpu(rec.e_cpos) << osb->s_clustersize_bits; - + /* Release the ip_alloc_sem to prevent deadlock on page fault */ + up_read(&OCFS2_I(inode)->ip_alloc_sem); ret = fiemap_fill_next_extent(fieinfo, virt_bytes, phys_bytes, len_bytes, fe_flags); + down_read(&OCFS2_I(inode)->ip_alloc_sem); if (ret) break; _ Patches currently in -mm which might be from mark.tinguely(a)oracle.com are

1 week, 4 days

1
0
0 0

[merged mm-hotfixes-stable] mm-memory-failure-fix-vm_bug_on_pagepagepoisonedpage-when-unpoison-memory.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory has been removed from the -mm tree. Its filename was mm-memory-failure-fix-vm_bug_on_pagepagepoisonedpage-when-unpoison-memory.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Miaohe Lin <linmiaohe(a)huawei.com> Subject: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Date: Thu, 28 Aug 2025 10:46:18 +0800 When I did memory failure tests, below panic occurs: page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page)) kernel BUG at include/linux/page-flags.h:616! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40 RIP: 0010:unpoison_memory+0x2f3/0x590 RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246 RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0 RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000 R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0 Call Trace: <TASK> unpoison_memory+0x2f3/0x590 simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110 debugfs_attr_write+0x42/0x60 full_proxy_write+0x5b/0x80 vfs_write+0xd5/0x540 ksys_write+0x64/0xe0 do_syscall_64+0xb9/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f08f0314887 RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887 RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001 RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009 R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00 </TASK> Modules linked in: hwpoison_inject ---[ end trace 0000000000000000 ]--- RIP: 0010:unpoison_memory+0x2f3/0x590 RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246 RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0 RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000 R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0 Kernel panic - not syncing: Fatal exception Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]--- The root cause is that unpoison_memory() tries to check the PG_HWPoison flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is triggered. This can be reproduced by below steps: 1.Offline memory block: echo offline > /sys/devices/system/memory/memory12/state 2.Get offlined memory pfn: page-types -b n -rlN 3.Write pfn to unpoison-pfn echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn This scenario can be identified by pfn_to_online_page() returning NULL. And ZONE_DEVICE pages are never expected, so we can simply fail if pfn_to_online_page() == NULL to fix the bug. Link: https://lkml.kernel.org/r/20250828024618.1744895-1-linmiaohe@huawei.com Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online") Signed-off-by: Miaohe Lin <linmiaohe(a)huawei.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory-failure.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) --- a/mm/memory-failure.c~mm-memory-failure-fix-vm_bug_on_pagepagepoisonedpage-when-unpoison-memory +++ a/mm/memory-failure.c @@ -2568,10 +2568,9 @@ int unpoison_memory(unsigned long pfn) static DEFINE_RATELIMIT_STATE(unpoison_rs, DEFAULT_RATELIMIT_INTERVAL, DEFAULT_RATELIMIT_BURST); - if (!pfn_valid(pfn)) - return -ENXIO; - - p = pfn_to_page(pfn); + p = pfn_to_online_page(pfn); + if (!p) + return -EIO; folio = page_folio(p); mutex_lock(&mf_mutex); _ Patches currently in -mm which might be from linmiaohe(a)huawei.com are revert-hugetlb-make-hugetlb-depends-on-sysfs-or-sysctl.patch mm-hwpoison-decouple-hwpoison_filter-from-mm-memory-failurec.patch

1 week, 4 days

1
0
0 0

[PATCH v5 1/2] drm/buddy: Optimize free block management with RB tree

by Arunpravin Paneer Selvam

Replace the freelist (O(n)) used for free block management with a red-black tree, providing more efficient O(log n) search, insert, and delete operations. This improves scalability and performance when managing large numbers of free blocks per order (e.g., hundreds or thousands). In the VK-CTS memory stress subtest, the buddy manager merges fragmented memory and inserts freed blocks into the freelist. Since freelist insertion is O(n), this becomes a bottleneck as fragmentation increases. Benchmarking shows list_insert_sorted() consumes ~52.69% CPU with the freelist, compared to just 0.03% with the RB tree (rbtree_insert.isra.0), despite performing the same sorted insert. This also improves performance in heavily fragmented workloads, such as games or graphics tests that stress memory. v3(Matthew): - Remove RB_EMPTY_NODE check in force_merge function. - Rename rb for loop macros to have less generic names and move to .c file. - Make the rb node rb and link field as union. v4(Jani Nikula): - The kernel-doc comment should be "/**" - Move all the rbtree macros to rbtree.h and add parens to ensure correct precedence. Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam(a)amd.com> --- drivers/gpu/drm/drm_buddy.c | 142 ++++++++++++++++++++++-------------- include/drm/drm_buddy.h | 9 ++- include/linux/rbtree.h | 56 ++++++++++++++ 3 files changed, 152 insertions(+), 55 deletions(-) diff --git a/drivers/gpu/drm/drm_buddy.c b/drivers/gpu/drm/drm_buddy.c index a94061f373de..978cabfbcf0f 100644 --- a/drivers/gpu/drm/drm_buddy.c +++ b/drivers/gpu/drm/drm_buddy.c @@ -31,6 +31,8 @@ static struct drm_buddy_block *drm_block_alloc(struct drm_buddy *mm, block->header |= order; block->parent = parent; + RB_CLEAR_NODE(&block->rb); + BUG_ON(block->header & DRM_BUDDY_HEADER_UNUSED); return block; } @@ -41,23 +43,53 @@ static void drm_block_free(struct drm_buddy *mm, kmem_cache_free(slab_blocks, block); } -static void list_insert_sorted(struct drm_buddy *mm, - struct drm_buddy_block *block) +static void rbtree_insert(struct drm_buddy *mm, + struct drm_buddy_block *block) { + struct rb_root *root = &mm->free_tree[drm_buddy_block_order(block)]; + struct rb_node **link = &root->rb_node; + struct rb_node *parent = NULL; struct drm_buddy_block *node; - struct list_head *head; + u64 offset; + + offset = drm_buddy_block_offset(block); - head = &mm->free_list[drm_buddy_block_order(block)]; - if (list_empty(head)) { - list_add(&block->link, head); - return; + while (*link) { + parent = *link; + node = rb_entry(parent, struct drm_buddy_block, rb); + + if (offset < drm_buddy_block_offset(node)) + link = &parent->rb_left; + else + link = &parent->rb_right; } - list_for_each_entry(node, head, link) - if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node)) - break; + rb_link_node(&block->rb, parent, link); + rb_insert_color(&block->rb, root); +} + +static void rbtree_remove(struct drm_buddy *mm, + struct drm_buddy_block *block) +{ + struct rb_root *root; + + root = &mm->free_tree[drm_buddy_block_order(block)]; + rb_erase(&block->rb, root); - __list_add(&block->link, node->link.prev, &node->link); + RB_CLEAR_NODE(&block->rb); +} + +static inline struct drm_buddy_block * +rbtree_last_entry(struct drm_buddy *mm, unsigned int order) +{ + struct rb_node *node = rb_last(&mm->free_tree[order]); + + return node ? rb_entry(node, struct drm_buddy_block, rb) : NULL; +} + +static bool rbtree_is_empty(struct drm_buddy *mm, unsigned int order) +{ + return RB_EMPTY_ROOT(&mm->free_tree[order]); } static void clear_reset(struct drm_buddy_block *block) @@ -70,12 +102,13 @@ static void mark_cleared(struct drm_buddy_block *block) block->header |= DRM_BUDDY_HEADER_CLEAR; } -static void mark_allocated(struct drm_buddy_block *block) +static void mark_allocated(struct drm_buddy *mm, + struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_ALLOCATED; - list_del(&block->link); + rbtree_remove(mm, block); } static void mark_free(struct drm_buddy *mm, @@ -84,15 +117,16 @@ static void mark_free(struct drm_buddy *mm, block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_FREE; - list_insert_sorted(mm, block); + rbtree_insert(mm, block); } -static void mark_split(struct drm_buddy_block *block) +static void mark_split(struct drm_buddy *mm, + struct drm_buddy_block *block) { block->header &= ~DRM_BUDDY_HEADER_STATE; block->header |= DRM_BUDDY_SPLIT; - list_del(&block->link); + rbtree_remove(mm, block); } static inline bool overlaps(u64 s1, u64 e1, u64 s2, u64 e2) @@ -148,7 +182,7 @@ static unsigned int __drm_buddy_free(struct drm_buddy *mm, mark_cleared(parent); } - list_del(&buddy->link); + rbtree_remove(mm, buddy); if (force_merge && drm_buddy_block_is_clear(buddy)) mm->clear_avail -= drm_buddy_block_size(mm, buddy); @@ -179,9 +213,11 @@ static int __force_merge(struct drm_buddy *mm, return -EINVAL; for (i = min_order - 1; i >= 0; i--) { - struct drm_buddy_block *block, *prev; + struct drm_buddy_block *block, *prev_block, *first_block; + + first_block = rb_entry(rb_first(&mm->free_tree[i]), struct drm_buddy_block, rb); - list_for_each_entry_safe_reverse(block, prev, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry_safe(block, prev_block, &mm->free_tree[i], rb) { struct drm_buddy_block *buddy; u64 block_start, block_end; @@ -206,10 +242,14 @@ static int __force_merge(struct drm_buddy *mm, * block in the next iteration as we would free the * buddy block as part of the free function. */ - if (prev == buddy) - prev = list_prev_entry(prev, link); + if (prev_block && prev_block == buddy) { + if (prev_block != first_block) + prev_block = rb_entry(rb_prev(&prev_block->rb), + struct drm_buddy_block, + rb); + } - list_del(&block->link); + rbtree_remove(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -258,14 +298,14 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) BUG_ON(mm->max_order > DRM_BUDDY_MAX_ORDER); - mm->free_list = kmalloc_array(mm->max_order + 1, - sizeof(struct list_head), + mm->free_tree = kmalloc_array(mm->max_order + 1, + sizeof(struct rb_root), GFP_KERNEL); - if (!mm->free_list) + if (!mm->free_tree) return -ENOMEM; for (i = 0; i <= mm->max_order; ++i) - INIT_LIST_HEAD(&mm->free_list[i]); + mm->free_tree[i] = RB_ROOT; mm->n_roots = hweight64(size); @@ -273,7 +313,7 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) sizeof(struct drm_buddy_block *), GFP_KERNEL); if (!mm->roots) - goto out_free_list; + goto out_free_tree; offset = 0; i = 0; @@ -312,8 +352,8 @@ int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size) while (i--) drm_block_free(mm, mm->roots[i]); kfree(mm->roots); -out_free_list: - kfree(mm->free_list); +out_free_tree: + kfree(mm->free_tree); return -ENOMEM; } EXPORT_SYMBOL(drm_buddy_init); @@ -323,7 +363,7 @@ EXPORT_SYMBOL(drm_buddy_init); * * @mm: DRM buddy manager to free * - * Cleanup memory manager resources and the freelist + * Cleanup memory manager resources and the freetree */ void drm_buddy_fini(struct drm_buddy *mm) { @@ -350,7 +390,7 @@ void drm_buddy_fini(struct drm_buddy *mm) WARN_ON(mm->avail != mm->size); kfree(mm->roots); - kfree(mm->free_list); + kfree(mm->free_tree); } EXPORT_SYMBOL(drm_buddy_fini); @@ -383,7 +423,7 @@ static int split_block(struct drm_buddy *mm, clear_reset(block); } - mark_split(block); + mark_split(mm, block); return 0; } @@ -412,7 +452,7 @@ EXPORT_SYMBOL(drm_get_buddy); * @is_clear: blocks clear state * * Reset the clear state based on @is_clear value for each block - * in the freelist. + * in the freetree. */ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) { @@ -433,7 +473,7 @@ void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear) for (i = 0; i <= mm->max_order; ++i) { struct drm_buddy_block *block; - list_for_each_entry_reverse(block, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry(block, &mm->free_tree[i], rb) { if (is_clear != drm_buddy_block_is_clear(block)) { if (is_clear) { mark_cleared(block); @@ -641,7 +681,7 @@ get_maxblock(struct drm_buddy *mm, unsigned int order, for (i = order; i <= mm->max_order; ++i) { struct drm_buddy_block *tmp_block; - list_for_each_entry_reverse(tmp_block, &mm->free_list[i], link) { + rbtree_reverse_for_each_entry(tmp_block, &mm->free_tree[i], rb) { if (block_incompatible(tmp_block, flags)) continue; @@ -667,7 +707,7 @@ get_maxblock(struct drm_buddy *mm, unsigned int order, } static struct drm_buddy_block * -alloc_from_freelist(struct drm_buddy *mm, +alloc_from_freetree(struct drm_buddy *mm, unsigned int order, unsigned long flags) { @@ -684,7 +724,7 @@ alloc_from_freelist(struct drm_buddy *mm, for (tmp = order; tmp <= mm->max_order; ++tmp) { struct drm_buddy_block *tmp_block; - list_for_each_entry_reverse(tmp_block, &mm->free_list[tmp], link) { + rbtree_reverse_for_each_entry(tmp_block, &mm->free_tree[tmp], rb) { if (block_incompatible(tmp_block, flags)) continue; @@ -700,10 +740,8 @@ alloc_from_freelist(struct drm_buddy *mm, if (!block) { /* Fallback method */ for (tmp = order; tmp <= mm->max_order; ++tmp) { - if (!list_empty(&mm->free_list[tmp])) { - block = list_last_entry(&mm->free_list[tmp], - struct drm_buddy_block, - link); + if (!rbtree_is_empty(mm, tmp)) { + block = rbtree_last_entry(mm, tmp); if (block) break; } @@ -771,7 +809,7 @@ static int __alloc_range(struct drm_buddy *mm, if (contains(start, end, block_start, block_end)) { if (drm_buddy_block_is_free(block)) { - mark_allocated(block); + mark_allocated(mm, block); total_allocated += drm_buddy_block_size(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) @@ -849,7 +887,6 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, { u64 rhs_offset, lhs_offset, lhs_size, filled; struct drm_buddy_block *block; - struct list_head *list; LIST_HEAD(blocks_lhs); unsigned long pages; unsigned int order; @@ -862,11 +899,10 @@ static int __alloc_contig_try_harder(struct drm_buddy *mm, if (order == 0) return -ENOSPC; - list = &mm->free_list[order]; - if (list_empty(list)) + if (rbtree_is_empty(mm, order)) return -ENOSPC; - list_for_each_entry_reverse(block, list, link) { + rbtree_reverse_for_each_entry(block, &mm->free_tree[order], rb) { /* Allocate blocks traversing RHS */ rhs_offset = drm_buddy_block_offset(block); err = __drm_buddy_alloc_range(mm, rhs_offset, size, @@ -976,7 +1012,7 @@ int drm_buddy_block_trim(struct drm_buddy *mm, list_add(&block->tmp_link, &dfs); err = __alloc_range(mm, &dfs, new_start, new_size, blocks, NULL); if (err) { - mark_allocated(block); + mark_allocated(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -999,8 +1035,8 @@ __drm_buddy_alloc_blocks(struct drm_buddy *mm, return __drm_buddy_alloc_range_bias(mm, start, end, order, flags); else - /* Allocate from freelist */ - return alloc_from_freelist(mm, order, flags); + /* Allocate from freetree */ + return alloc_from_freetree(mm, order, flags); } /** @@ -1017,8 +1053,8 @@ __drm_buddy_alloc_blocks(struct drm_buddy *mm, * alloc_range_bias() called on range limitations, which traverses * the tree and returns the desired block. * - * alloc_from_freelist() called when *no* range restrictions - * are enforced, which picks the block from the freelist. + * alloc_from_freetree() called when *no* range restrictions + * are enforced, which picks the block from the freetree. * * Returns: * 0 on success, error code on failure. @@ -1120,7 +1156,7 @@ int drm_buddy_alloc_blocks(struct drm_buddy *mm, } } while (1); - mark_allocated(block); + mark_allocated(mm, block); mm->avail -= drm_buddy_block_size(mm, block); if (drm_buddy_block_is_clear(block)) mm->clear_avail -= drm_buddy_block_size(mm, block); @@ -1204,7 +1240,7 @@ void drm_buddy_print(struct drm_buddy *mm, struct drm_printer *p) struct drm_buddy_block *block; u64 count = 0, free; - list_for_each_entry(block, &mm->free_list[order], link) { + rbtree_for_each_entry(block, &mm->free_tree[order], rb) { BUG_ON(!drm_buddy_block_is_free(block)); count++; } diff --git a/include/drm/drm_buddy.h b/include/drm/drm_buddy.h index 513837632b7d..091823592034 100644 --- a/include/drm/drm_buddy.h +++ b/include/drm/drm_buddy.h @@ -10,6 +10,7 @@ #include <linux/list.h> #include <linux/slab.h> #include <linux/sched.h> +#include <linux/rbtree.h> #include <drm/drm_print.h> @@ -53,7 +54,11 @@ struct drm_buddy_block { * a list, if so desired. As soon as the block is freed with * drm_buddy_free* ownership is given back to the mm. */ - struct list_head link; + union { + struct rb_node rb; + struct list_head link; + }; + struct list_head tmp_link; }; @@ -68,7 +73,7 @@ struct drm_buddy_block { */ struct drm_buddy { /* Maintain a free list for each order. */ - struct list_head *free_list; + struct rb_root *free_tree; /* * Maintain explicit binary tree(s) to track the allocation of the diff --git a/include/linux/rbtree.h b/include/linux/rbtree.h index 8d2ba3749866..17190bb4837c 100644 --- a/include/linux/rbtree.h +++ b/include/linux/rbtree.h @@ -79,6 +79,62 @@ static inline void rb_link_node_rcu(struct rb_node *node, struct rb_node *parent ____ptr ? rb_entry(____ptr, type, member) : NULL; \ }) +/** + * rbtree_for_each_entry - iterate in-order over rb_root of given type + * + * @pos: the 'type *' to use as a loop cursor. + * @root: 'rb_root *' of the rbtree. + * @member: the name of the rb_node field within 'type'. + */ +#define rbtree_for_each_entry(pos, root, member) \ + for ((pos) = rb_entry_safe(rb_first(root), typeof(*(pos)), member); \ + (pos); \ + (pos) = rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member)) + +/** + * rbtree_reverse_for_each_entry - iterate in reverse in-order over rb_root + * of given type + * + * @pos: the 'type *' to use as a loop cursor. + * @root: 'rb_root *' of the rbtree. + * @member: the name of the rb_node field within 'type'. + */ +#define rbtree_reverse_for_each_entry(pos, root, member) \ + for ((pos) = rb_entry_safe(rb_last(root), typeof(*(pos)), member); \ + (pos); \ + (pos) = rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member)) + +/** + * rbtree_for_each_entry_safe - iterate in-order over rb_root safe against removal + * + * @pos: the 'type *' to use as a loop cursor + * @n: another 'type *' to use as temporary storage + * @root: 'rb_root *' of the rbtree + * @member: the name of the rb_node field within 'type' + */ +#define rbtree_for_each_entry_safe(pos, n, root, member) \ + for ((pos) = rb_entry_safe(rb_first(root), typeof(*(pos)), member), \ + (n) = (pos) ? rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member) : NULL; \ + (pos); \ + (pos) = (n), \ + (n) = (pos) ? rb_entry_safe(rb_next(&(pos)->member), typeof(*(pos)), member) : NULL) + +/** + * rbtree_reverse_for_each_entry_safe - iterate in reverse in-order over rb_root + * safe against removal + * + * @pos: the struct type * to use as a loop cursor. + * @n: another struct type * to use as temporary storage. + * @root: pointer to struct rb_root to iterate. + * @member: name of the rb_node field within the struct. + */ +#define rbtree_reverse_for_each_entry_safe(pos, n, root, member) \ + for ((pos) = rb_entry_safe(rb_last(root), typeof(*(pos)), member), \ + (n) = (pos) ? rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member) : NULL; \ + (pos); \ + (pos) = (n), \ + (n) = (pos) ? rb_entry_safe(rb_prev(&(pos)->member), typeof(*(pos)), member) : NULL) + /** * rbtree_postorder_for_each_entry_safe - iterate in post-order over rb_root of * given type allowing the backing memory of @pos to be invalidated base-commit: f4c75f975cf50fa2e1fd96c5aafe5aa62e55fbe4 -- 2.34.1

1 week, 4 days

5
6
0 0

[PATCH v2] media: staging/ipu7: fix isys device runtime PM usage in firmware closing

by bingbu.cao＠intel.com

From: Bingbu Cao <bingbu.cao(a)intel.com> The PM usage counter of isys was bumped up when start camera stream (opening firmware) but it was not dropped after stream stop(closing firmware), it forbids system fail to suspend due to the wrong PM state of ISYS. This patch drop the PM usage counter in firmware close to fix it. Cc: Stable(a)vger.kernel.org Fixes: a516d36bdc3d ("media: staging/ipu7: add IPU7 input system device driver") Signed-off-by: Bingbu Cao <bingbu.cao(a)intel.com> --- drivers/staging/media/ipu7/ipu7-isys-video.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/media/ipu7/ipu7-isys-video.c b/drivers/staging/media/ipu7/ipu7-isys-video.c index 8756da3a8fb0..173afd405d9b 100644 --- a/drivers/staging/media/ipu7/ipu7-isys-video.c +++ b/drivers/staging/media/ipu7/ipu7-isys-video.c @@ -946,6 +946,7 @@ void ipu7_isys_fw_close(struct ipu7_isys *isys) ipu7_fw_isys_close(isys); mutex_unlock(&isys->mutex); + pm_runtime_put(&isys->adev->auxdev.dev); } int ipu7_isys_setup_video(struct ipu7_isys_video *av, -- 2.34.1

1 week, 4 days

1
0
0 0

[PATCH v2 0/2] media: az6007: overall refactor to fix bugs

by Jeongjun Park

This patch series refactors the az6007 driver to address root causes of persistent bugs that have persisted for some time. Jeongjun Park (2): media: az6007: fix out-of-bounds in az6007_i2c_xfer() media: az6007: refactor to properly use dvb-usb-v2 drivers/media/usb/dvb-usb-v2/az6007.c | 211 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------------------------------------------------------------------------------------- 1 file changed, 107 insertions(+), 104 deletions(-)

1 week, 4 days

2
3
0 0

[PATCH] media: staging/ipu7: fix isys device runtime PM usage in firmware closing

by bingbu.cao＠intel.com

From: Bingbu Cao <bingbu.cao(a)intel.com> The PM usage counter of isys was bumped up when start camera stream (opening firmware) but it was not dropped after stream stop(closing firmware), it forbids system fail to suspend due to the wrong PM state of ISYS. This patch drop the PM usage counter in firmware close to fix it. Cc: Stable(a)vger.kernel.org Signed-off-by: Bingbu Cao <bingbu.cao(a)intel.com> --- drivers/staging/media/ipu7/ipu7-isys-video.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/media/ipu7/ipu7-isys-video.c b/drivers/staging/media/ipu7/ipu7-isys-video.c index 8756da3a8fb0..173afd405d9b 100644 --- a/drivers/staging/media/ipu7/ipu7-isys-video.c +++ b/drivers/staging/media/ipu7/ipu7-isys-video.c @@ -946,6 +946,7 @@ void ipu7_isys_fw_close(struct ipu7_isys *isys) ipu7_fw_isys_close(isys); mutex_unlock(&isys->mutex); + pm_runtime_put(&isys->adev->auxdev.dev); } int ipu7_isys_setup_video(struct ipu7_isys_video *av, -- 2.34.1

1 week, 4 days

2
1
0 0

[PATCH] zram: fix slot write race condition

by Sergey Senozhatsky

Parallel concurrent writes to the same zram index result in leaked zsmalloc handles. Schematically we can have something like this: CPU0 CPU1 zram_slot_lock() zs_free(handle) zram_slot_lock() zram_slot_lock() zs_free(handle) zram_slot_lock() compress compress handle = zs_malloc() handle = zs_malloc() zram_slot_lock zram_set_handle(handle) zram_slot_lock zram_slot_lock zram_set_handle(handle) zram_slot_lock Either CPU0 or CPU1 zsmalloc handle will leak because zs_free() is done too early. In fact, we need to reset zram entry right before we set its new handle, all under the same slot lock scope. Cc: stable(a)vger.kernel.org Reported-by: Changhui Zhong <czhong(a)redhat.com> Closes: https://lore.kernel.org/all/CAGVVp+UtpGoW5WEdEU7uVTtsSCjPN=ksN6EcvyypAtFDOU… Fixes: 71268035f5d73 ("zram: free slot memory early during write") Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> --- drivers/block/zram/zram_drv.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index 9ac271b82780..dc4a1cdfaf98 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -1788,6 +1788,7 @@ static int write_same_filled_page(struct zram *zram, unsigned long fill, u32 index) { zram_slot_lock(zram, index); + zram_free_page(zram, index); zram_set_flag(zram, index, ZRAM_SAME); zram_set_handle(zram, index, fill); zram_slot_unlock(zram, index); @@ -1820,11 +1821,13 @@ static int write_incompressible_page(struct zram *zram, struct page *page, return -ENOMEM; } + zram_slot_lock(zram, index); + zram_free_page(zram, index); + src = kmap_local_page(page); zs_obj_write(zram->mem_pool, handle, src, PAGE_SIZE); kunmap_local(src); - zram_slot_lock(zram, index); zram_set_flag(zram, index, ZRAM_HUGE); zram_set_handle(zram, index, handle); zram_set_obj_size(zram, index, PAGE_SIZE); @@ -1848,11 +1851,6 @@ static int zram_write_page(struct zram *zram, struct page *page, u32 index) unsigned long element; bool same_filled; - /* First, free memory allocated to this slot (if any) */ - zram_slot_lock(zram, index); - zram_free_page(zram, index); - zram_slot_unlock(zram, index); - mem = kmap_local_page(page); same_filled = page_same_filled(mem, &element); kunmap_local(mem); @@ -1890,10 +1888,11 @@ static int zram_write_page(struct zram *zram, struct page *page, u32 index) return -ENOMEM; } + zram_slot_lock(zram, index); + zram_free_page(zram, index); zs_obj_write(zram->mem_pool, handle, zstrm->buffer, comp_len); zcomp_stream_put(zstrm); - zram_slot_lock(zram, index); zram_set_handle(zram, index, handle); zram_set_obj_size(zram, index, comp_len); zram_slot_unlock(zram, index); -- 2.51.0.384.g4c02a37b29-goog

1 week, 4 days

1
1
0 0

[PATCH 0/3] samples/damon: fix boot time enable handling fixup merge mistakes

by SeongJae Park

First three patches of the patch series "mm/damon: fix misc bugs in DAMON modules" [1] was trying to fix boot time DAMON sample modules enabling issues by avoiding starting DAMON before the module initialization phase. However, probably by a mistake during a merge, only half of the change is merged, and the part for avoiding the starting of DAMON before the module initialized is missed. So the problem is not solved. Fix those. Note that the broken commits are merged into 6.17-rc1, but also backported to relevant stable kernels. So this series also need to be merged into the stable kernels. Hence Cc-ing stable@. [1] https://lore.kernel.org/20250706193207.39810-1-sj@kernel.org SeongJae Park (3): samples/damon/wsse: avoid starting DAMON before initialization samples/damon/prcl: avoid starting DAMON before initialization samples/damon/mtier: avoid starting DAMON before initialization samples/damon/mtier.c | 3 +++ samples/damon/prcl.c | 3 +++ samples/damon/wsse.c | 3 +++ 3 files changed, 9 insertions(+) base-commit: 186951910f4e44e20738d85c0421032634ddb298 -- 2.39.5

1 week, 4 days

2
7
0 0

+ nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* has been added to the -mm mm-hotfixes-unstable branch. Its filename is nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Nathan Chancellor <nathan(a)kernel.org> Subject: nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Date: Sat, 6 Sep 2025 23:43:34 +0900 When accessing one of the files under /sys/fs/nilfs2/features when CONFIG_CFI_CLANG is enabled, there is a CFI violation: CFI failure at kobj_attr_show+0x59/0x80 (target: nilfs_feature_revision_show+0x0/0x30; expected type: 0xfc392c4d) ... Call Trace: <TASK> sysfs_kf_seq_show+0x2a6/0x390 ? __cfi_kobj_attr_show+0x10/0x10 kernfs_seq_show+0x104/0x15b seq_read_iter+0x580/0xe2b ... When the kobject of the kset for /sys/fs/nilfs2 is initialized, its ktype is set to kset_ktype, which has a ->sysfs_ops of kobj_sysfs_ops. When nilfs_feature_attr_group is added to that kobject via sysfs_create_group(), the kernfs_ops of each files is sysfs_file_kfops_rw, which will call sysfs_kf_seq_show() when ->seq_show() is called. sysfs_kf_seq_show() in turn calls kobj_attr_show() through ->sysfs_ops->show(). kobj_attr_show() casts the provided attribute out to a 'struct kobj_attribute' via container_of() and calls ->show(), resulting in the CFI violation since neither nilfs_feature_revision_show() nor nilfs_feature_README_show() match the prototype of ->show() in 'struct kobj_attribute'. Resolve the CFI violation by adjusting the second parameter in nilfs_feature_{revision,README}_show() from 'struct attribute' to 'struct kobj_attribute' to match the expected prototype. Link: https://lkml.kernel.org/r/20250906144410.22511-1-konishi.ryusuke@gmail.com Fixes: aebe17f68444 ("nilfs2: add /sys/fs/nilfs2/features group") Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: kernel test robot <oliver.sang(a)intel.com> Closes: https://lore.kernel.org/oe-lkp/202509021646.bc78d9ef-lkp@intel.com/ Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/sysfs.c | 4 ++-- fs/nilfs2/sysfs.h | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) --- a/fs/nilfs2/sysfs.c~nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features +++ a/fs/nilfs2/sysfs.c @@ -1075,7 +1075,7 @@ void nilfs_sysfs_delete_device_group(str ************************************************************************/ static ssize_t nilfs_feature_revision_show(struct kobject *kobj, - struct attribute *attr, char *buf) + struct kobj_attribute *attr, char *buf) { return sysfs_emit(buf, "%d.%d\n", NILFS_CURRENT_REV, NILFS_MINOR_REV); @@ -1087,7 +1087,7 @@ static const char features_readme_str[] "(1) revision\n\tshow current revision of NILFS file system driver.\n"; static ssize_t nilfs_feature_README_show(struct kobject *kobj, - struct attribute *attr, + struct kobj_attribute *attr, char *buf) { return sysfs_emit(buf, features_readme_str); --- a/fs/nilfs2/sysfs.h~nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features +++ a/fs/nilfs2/sysfs.h @@ -50,16 +50,16 @@ struct nilfs_sysfs_dev_subgroups { struct completion sg_segments_kobj_unregister; }; -#define NILFS_COMMON_ATTR_STRUCT(name) \ +#define NILFS_KOBJ_ATTR_STRUCT(name) \ struct nilfs_##name##_attr { \ struct attribute attr; \ - ssize_t (*show)(struct kobject *, struct attribute *, \ + ssize_t (*show)(struct kobject *, struct kobj_attribute *, \ char *); \ - ssize_t (*store)(struct kobject *, struct attribute *, \ + ssize_t (*store)(struct kobject *, struct kobj_attribute *, \ const char *, size_t); \ } -NILFS_COMMON_ATTR_STRUCT(feature); +NILFS_KOBJ_ATTR_STRUCT(feature); #define NILFS_DEV_ATTR_STRUCT(name) \ struct nilfs_##name##_attr { \ _ Patches currently in -mm which might be from nathan(a)kernel.org are compiler-clangh-define-__sanitize___-macros-only-when-undefined.patch nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch mm-rmap-convert-enum-rmap_level-to-enum-pgtable_level-fix.patch

1 week, 4 days

1
0
0 0

[PATCH] KVM: x86: Latch INITs only in specific CPU states in KVM_SET_VCPU_EVENTS

by Fei Li

Commit ff90afa75573 ("KVM: x86: Evaluate latched_init in KVM_SET_VCPU_EVENTS when vCPU not in SMM") changes KVM_SET_VCPU_EVENTS handler to set pending LAPIC INIT event regardless of if vCPU is in SMM mode or not. However, latch INIT without checking CPU state exists race condition, which causes the loss of INIT event. This is fatal during the VM startup process because it will cause some AP to never switch to non-root mode. Just as commit f4ef19108608 ("KVM: X86: Fix loss of pending INIT due to race") said: BSP AP kvm_vcpu_ioctl_x86_get_vcpu_events events->smi.latched_init = 0 kvm_vcpu_block kvm_vcpu_check_block schedule send INIT to AP kvm_vcpu_ioctl_x86_set_vcpu_events (e.g. `info registers -a` when VM starts/reboots) if (events->smi.latched_init == 0) clear INIT in pending_events kvm_apic_accept_events test_bit(KVM_APIC_INIT, &pe) == false vcpu->arch.mp_state maintains UNINITIALIZED send SIPI to AP kvm_apic_accept_events test_bit(KVM_APIC_SIPI, &pe) == false vcpu->arch.mp_state will never change to RUNNABLE (defy: UNINITIALIZED => INIT_RECEIVED => RUNNABLE) AP will never switch to non-root operation In such race result, VM hangs. E.g., BSP loops in SeaBIOS's SMPLock and AP will never be reset, and qemu hmp "info registers -a" shows: CPU#0 EAX=00000002 EBX=00000002 ECX=00000000 EDX=00020000 ESI=00000000 EDI=00000000 EBP=00000008 ESP=00006c6c EIP=000ef570 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 ...... CPU#1 EAX=00000000 EBX=00000000 ECX=00000000 EDX=00080660 ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000 EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 00000000 0000ffff 00009300 CS =f000 ffff0000 0000ffff 00009b00 ...... Fix this by handling latched INITs only in specific CPU states (SMM, VMX non-root mode, SVM with GIF=0) in KVM_SET_VCPU_EVENTS. Cc: stable(a)vger.kernel.org Fixes: ff90afa75573 ("KVM: x86: Evaluate latched_init in KVM_SET_VCPU_EVENTS when vCPU not in SMM") Signed-off-by: Fei Li <lifei.shirley(a)bytedance.com> --- arch/x86/kvm/x86.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index a1c49bc681c46..7001b2af00ed1 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -5556,7 +5556,7 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu, return -EINVAL; #endif - if (lapic_in_kernel(vcpu)) { + if (!kvm_apic_init_sipi_allowed(vcpu) && lapic_in_kernel(vcpu)) { if (events->smi.latched_init) set_bit(KVM_APIC_INIT, &vcpu->arch.apic->pending_events); else -- 2.39.2 (Apple Git-143)

1 week, 4 days

3
8
0 0

[PATCH net v2] net: mana: Remove redundant netdev_lock_ops_to_full() calls

by Saurabh Sengar

NET_SHAPER is always selected for MANA driver. When NET_SHAPER is enabled, netdev_lock_ops_to_full() reduces effectively to only an assert for lock, which is always held in the path when NET_SHAPER is enabled. Remove the redundant netdev_lock_ops_to_full() call. Signed-off-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> --- [v2] - removed Fixes tag and stable CC drivers/net/ethernet/microsoft/mana/mana_en.c | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c index 550843e2164b..f0dbf4e82e0b 100644 --- a/drivers/net/ethernet/microsoft/mana/mana_en.c +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c @@ -2100,10 +2100,8 @@ static void mana_destroy_txq(struct mana_port_context *apc) napi = &apc->tx_qp[i].tx_cq.napi; if (apc->tx_qp[i].txq.napi_initialized) { napi_synchronize(napi); - netdev_lock_ops_to_full(napi->dev); napi_disable_locked(napi); netif_napi_del_locked(napi); - netdev_unlock_full_to_ops(napi->dev); apc->tx_qp[i].txq.napi_initialized = false; } mana_destroy_wq_obj(apc, GDMA_SQ, apc->tx_qp[i].tx_object); @@ -2256,10 +2254,8 @@ static int mana_create_txq(struct mana_port_context *apc, mana_create_txq_debugfs(apc, i); set_bit(NAPI_STATE_NO_BUSY_POLL, &cq->napi.state); - netdev_lock_ops_to_full(net); netif_napi_add_locked(net, &cq->napi, mana_poll); napi_enable_locked(&cq->napi); - netdev_unlock_full_to_ops(net); txq->napi_initialized = true; mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT); @@ -2295,10 +2291,8 @@ static void mana_destroy_rxq(struct mana_port_context *apc, if (napi_initialized) { napi_synchronize(napi); - netdev_lock_ops_to_full(napi->dev); napi_disable_locked(napi); netif_napi_del_locked(napi); - netdev_unlock_full_to_ops(napi->dev); } xdp_rxq_info_unreg(&rxq->xdp_rxq); @@ -2549,18 +2543,14 @@ static struct mana_rxq *mana_create_rxq(struct mana_port_context *apc, gc->cq_table[cq->gdma_id] = cq->gdma_cq; - netdev_lock_ops_to_full(ndev); netif_napi_add_weight_locked(ndev, &cq->napi, mana_poll, 1); - netdev_unlock_full_to_ops(ndev); WARN_ON(xdp_rxq_info_reg(&rxq->xdp_rxq, ndev, rxq_idx, cq->napi.napi_id)); WARN_ON(xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq, MEM_TYPE_PAGE_POOL, rxq->page_pool)); - netdev_lock_ops_to_full(ndev); napi_enable_locked(&cq->napi); - netdev_unlock_full_to_ops(ndev); mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT); out: -- 2.43.0

1 week, 4 days

2
1
0 0

+ samples-damon-mtier-avoid-starting-damon-before-initialization.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: samples/damon/mtier: avoid starting DAMON before initialization has been added to the -mm mm-hotfixes-unstable branch. Its filename is samples-damon-mtier-avoid-starting-damon-before-initialization.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: samples/damon/mtier: avoid starting DAMON before initialization Date: Mon, 8 Sep 2025 19:22:38 -0700 Commit 964314344eab ("samples/damon/mtier: support boot time enable setup") is somehow incompletely applying the origin patch [1]. It is missing the part that avoids starting DAMON before module initialization. Probably a mistake during a merge has happened. Fix it by applying the missed part again. Link: https://lkml.kernel.org/r/20250909022238.2989-4-sj@kernel.org Link: https://lore.kernel.org/20250706193207.39810-4-sj@kernel.org [1] Fixes: 964314344eab ("samples/damon/mtier: support boot time enable setup") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- samples/damon/mtier.c | 3 +++ 1 file changed, 3 insertions(+) --- a/samples/damon/mtier.c~samples-damon-mtier-avoid-starting-damon-before-initialization +++ a/samples/damon/mtier.c @@ -208,6 +208,9 @@ static int damon_sample_mtier_enable_sto if (enabled == is_enabled) return 0; + if (!init_called) + return 0; + if (enabled) { err = damon_sample_mtier_start(); if (err) _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-introduce-damon_call_control-dealloc_on_cancel.patch mm-damon-sysfs-use-dynamically-allocated-repeat-mode-damon_call_control.patch samples-damon-wsse-avoid-starting-damon-before-initialization.patch samples-damon-prcl-avoid-starting-damon-before-initialization.patch samples-damon-mtier-avoid-starting-damon-before-initialization.patch mm-zswap-store-page_size-compression-failed-page-as-is.patch mm-zswap-store-page_size-compression-failed-page-as-is-fix.patch mm-zswap-store-page_size-compression-failed-page-as-is-v5.patch mm-zswap-store-page_size-compression-failed-page-as-is-fix-2.patch mm-damon-core-add-damon_ctx-addr_unit.patch mm-damon-paddr-support-addr_unit-for-access-monitoring.patch mm-damon-paddr-support-addr_unit-for-damos_pageout.patch mm-damon-paddr-support-addr_unit-for-damos_lru_prio.patch mm-damon-paddr-support-addr_unit-for-migrate_hotcold.patch mm-damon-paddr-support-addr_unit-for-damos_stat.patch mm-damon-sysfs-implement-addr_unit-file-under-context-dir.patch docs-mm-damon-design-document-address-unit-parameter.patch docs-admin-guide-mm-damon-usage-document-addr_unit-file.patch docs-abi-damon-document-addr_unit-file.patch

1 week, 4 days

1
0
0 0

+ samples-damon-prcl-avoid-starting-damon-before-initialization.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: samples/damon/prcl: avoid starting DAMON before initialization has been added to the -mm mm-hotfixes-unstable branch. Its filename is samples-damon-prcl-avoid-starting-damon-before-initialization.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: samples/damon/prcl: avoid starting DAMON before initialization Date: Mon, 8 Sep 2025 19:22:37 -0700 Commit 2780505ec2b4 ("samples/damon/prcl: fix boot time enable crash") is somehow incompletely applying the origin patch [1]. It is missing the part that avoids starting DAMON before module initialization. Probably a mistake during a merge has happened. Fix it by applying the missed part again. Link: https://lkml.kernel.org/r/20250909022238.2989-3-sj@kernel.org Link: https://lore.kernel.org/20250706193207.39810-3-sj@kernel.org [1] Fixes: 2780505ec2b4 ("samples/damon/prcl: fix boot time enable crash") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- samples/damon/prcl.c | 3 +++ 1 file changed, 3 insertions(+) --- a/samples/damon/prcl.c~samples-damon-prcl-avoid-starting-damon-before-initialization +++ a/samples/damon/prcl.c @@ -137,6 +137,9 @@ static int damon_sample_prcl_enable_stor if (enabled == is_enabled) return 0; + if (!init_called) + return 0; + if (enabled) { err = damon_sample_prcl_start(); if (err) _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-introduce-damon_call_control-dealloc_on_cancel.patch mm-damon-sysfs-use-dynamically-allocated-repeat-mode-damon_call_control.patch samples-damon-wsse-avoid-starting-damon-before-initialization.patch samples-damon-prcl-avoid-starting-damon-before-initialization.patch samples-damon-mtier-avoid-starting-damon-before-initialization.patch mm-zswap-store-page_size-compression-failed-page-as-is.patch mm-zswap-store-page_size-compression-failed-page-as-is-fix.patch mm-zswap-store-page_size-compression-failed-page-as-is-v5.patch mm-zswap-store-page_size-compression-failed-page-as-is-fix-2.patch mm-damon-core-add-damon_ctx-addr_unit.patch mm-damon-paddr-support-addr_unit-for-access-monitoring.patch mm-damon-paddr-support-addr_unit-for-damos_pageout.patch mm-damon-paddr-support-addr_unit-for-damos_lru_prio.patch mm-damon-paddr-support-addr_unit-for-migrate_hotcold.patch mm-damon-paddr-support-addr_unit-for-damos_stat.patch mm-damon-sysfs-implement-addr_unit-file-under-context-dir.patch docs-mm-damon-design-document-address-unit-parameter.patch docs-admin-guide-mm-damon-usage-document-addr_unit-file.patch docs-abi-damon-document-addr_unit-file.patch

1 week, 4 days

1
0
0 0

+ samples-damon-wsse-avoid-starting-damon-before-initialization.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: samples/damon/wsse: avoid starting DAMON before initialization has been added to the -mm mm-hotfixes-unstable branch. Its filename is samples-damon-wsse-avoid-starting-damon-before-initialization.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: SeongJae Park <sj(a)kernel.org> Subject: samples/damon/wsse: avoid starting DAMON before initialization Date: Mon, 8 Sep 2025 19:22:36 -0700 Patch series "samples/damon: fix boot time enable handling fixup merge mistakes". This patch (of 3): Commit 0ed1165c3727 ("samples/damon/wsse: fix boot time enable handling") is somehow incompletely applying the origin patch [1]. It is missing the part that avoids starting DAMON before module initialization. Probably a mistake during a merge has happened. Fix it by applying the missed part again. Link: https://lkml.kernel.org/r/20250909022238.2989-1-sj@kernel.org Link: https://lkml.kernel.org/r/20250909022238.2989-2-sj@kernel.org Link: https://lore.kernel.org/20250706193207.39810-2-sj@kernel.org [1] Fixes: 0ed1165c3727 ("samples/damon/wsse: fix boot time enable handling") Signed-off-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- samples/damon/wsse.c | 3 +++ 1 file changed, 3 insertions(+) --- a/samples/damon/wsse.c~samples-damon-wsse-avoid-starting-damon-before-initialization +++ a/samples/damon/wsse.c @@ -118,6 +118,9 @@ static int damon_sample_wsse_enable_stor return 0; if (enabled) { + if (!init_called) + return 0; + err = damon_sample_wsse_start(); if (err) enabled = false; _ Patches currently in -mm which might be from sj(a)kernel.org are mm-damon-core-introduce-damon_call_control-dealloc_on_cancel.patch mm-damon-sysfs-use-dynamically-allocated-repeat-mode-damon_call_control.patch samples-damon-wsse-avoid-starting-damon-before-initialization.patch samples-damon-prcl-avoid-starting-damon-before-initialization.patch samples-damon-mtier-avoid-starting-damon-before-initialization.patch mm-zswap-store-page_size-compression-failed-page-as-is.patch mm-zswap-store-page_size-compression-failed-page-as-is-fix.patch mm-zswap-store-page_size-compression-failed-page-as-is-v5.patch mm-zswap-store-page_size-compression-failed-page-as-is-fix-2.patch mm-damon-core-add-damon_ctx-addr_unit.patch mm-damon-paddr-support-addr_unit-for-access-monitoring.patch mm-damon-paddr-support-addr_unit-for-damos_pageout.patch mm-damon-paddr-support-addr_unit-for-damos_lru_prio.patch mm-damon-paddr-support-addr_unit-for-migrate_hotcold.patch mm-damon-paddr-support-addr_unit-for-damos_stat.patch mm-damon-sysfs-implement-addr_unit-file-under-context-dir.patch docs-mm-damon-design-document-address-unit-parameter.patch docs-admin-guide-mm-damon-usage-document-addr_unit-file.patch docs-abi-damon-document-addr_unit-file.patch

1 week, 4 days

1
0
0 0

[PATCH net-next v4] rds: ib: Remove unused extern definition

by Håkon Bugge

In the old days, RDS used FMR (Fast Memory Registration) to register IB MRs to be used by RDMA. A newer and better verbs based registration/de-registration method called FRWR (Fast Registration Work Request) was added to RDS by commit 1659185fb4d0 ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode") in 2016. Detection and enablement of FRWR was done in commit 2cb2912d6563 ("RDS: IB: add Fastreg MR (FRMR) detection support"). But said commit added an extern bool prefer_frmr, which was not used by said commit - nor used by later commits. Hence, remove it. Signed-off-by: Håkon Bugge <haakon.bugge(a)oracle.com> Reviewed-by: Allison Henderson <allison.henderson(a)oracle.com> --- v3 -> v4: * Added Allison's r-b * Removed indentation for this section v2 -> v3: * As per Jakub's request, removed Cc: and Fixes: tags * Subject to net-next (instead of net) v1 -> v2: * Added commit message * Added Cc: stable(a)vger.kernel.org --- net/rds/ib_mr.h | 1 - 1 file changed, 1 deletion(-) diff --git a/net/rds/ib_mr.h b/net/rds/ib_mr.h index ea5e9aee4959e..5884de8c6f45b 100644 --- a/net/rds/ib_mr.h +++ b/net/rds/ib_mr.h @@ -108,7 +108,6 @@ struct rds_ib_mr_pool { }; extern struct workqueue_struct *rds_ib_mr_wq; -extern bool prefer_frmr; struct rds_ib_mr_pool *rds_ib_create_mr_pool(struct rds_ib_device *rds_dev, int npages); -- 2.43.5

1 week, 4 days

2
1
0 0

FAILED: patch "[PATCH] NFSD: nfsd_unlink() clobbers non-zero status returned from" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x d7d8e3169b56e7696559a2427c922c0d55debcec # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040835-legroom-backshift-766c@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d7d8e3169b56e7696559a2427c922c0d55debcec Mon Sep 17 00:00:00 2001 From: Chuck Lever <chuck.lever(a)oracle.com> Date: Sun, 26 Jan 2025 16:50:17 -0500 Subject: [PATCH] NFSD: nfsd_unlink() clobbers non-zero status returned from fh_fill_pre_attrs() If fh_fill_pre_attrs() returns a non-zero status, the error flow takes it through out_unlock, which then overwrites the returned status code with err = nfserrno(host_err); Fixes: a332018a91c4 ("nfsd: handle failure to collect pre/post-op attrs more sanely") Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Cc: stable(a)vger.kernel.org Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 188c978a0c79..749dd84bdb41 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -2010,11 +2010,9 @@ nfsd_unlink(struct svc_rqst *rqstp, struct svc_fh *fhp, int type, * error status. */ err = nfserr_file_open; - } else { - err = nfserrno(host_err); } out: - return err; + return err != nfs_ok ? err : nfserrno(host_err); out_unlock: inode_unlock(dirp); goto out_drop_write;

1 week, 4 days

2
2
0 0

[PATCH AUTOSEL 6.16-6.1] wifi: mac80211: increase scan_ies_len for S1G

by Sasha Levin

From: Lachlan Hodges <lachlan.hodges(a)morsemicro.com> [ Upstream commit 7e2f3213e85eba00acb4cfe6d71647892d63c3a1 ] Currently the S1G capability element is not taken into account for the scan_ies_len, which leads to a buffer length validation failure in ieee80211_prep_hw_scan() and subsequent WARN in __ieee80211_start_scan(). This prevents hw scanning from functioning. To fix ensure we accommodate for the S1G capability length. Signed-off-by: Lachlan Hodges <lachlan.hodges(a)morsemicro.com> Link: https://patch.msgid.link/20250826085437.3493-1-lachlan.hodges@morsemicro.com Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Perfect! Now I have all the context I need. Let me provide my analysis: ## Backport Status: **YES** ### Extensive Analysis: **This commit fixes a real bug that causes hardware scanning to fail for S1G (802.11ah) WiFi devices.** #### The Bug Details: 1. **Root Cause**: When commit `0333a81bc8343` ("wifi: mac80211: S1G capabilities information element in probe request") was merged in February 2023, it added S1G capability elements to probe requests. However, it failed to update the buffer size calculation (`scan_ies_len`) to account for these additional 17 bytes (2 byte element header + 15 byte `struct ieee80211_s1g_cap`). 2. **Failure Mechanism**: - In `__ieee80211_start_scan()` at net/mac80211/scan.c:755, the buffer size is calculated as `local->scan_ies_len + req->ie_len` - When `ieee80211_prep_hw_scan()` is called at line 870, it attempts to build probe request IEs using `ieee80211_build_preq_ies()` - The function `ieee80211_build_preq_ies_band()` checks buffer space and adds S1G capability for S1G bands (lines 1963-1965 in util.c) - Without the fix, the buffer is 17 bytes too small, causing `-ENOBUFS` to be returned - This triggers the `WARN_ON(!ieee80211_prep_hw_scan(sdata))` at line 870, producing a kernel warning and aborting the scan 3. **User Impact**: - Produces a visible kernel WARNING in dmesg - Hardware scanning completely fails for S1G devices - The device cannot perform network discovery - This is a **functional regression** introduced in kernel 6.3 (when commit 0333a81bc8343 was merged) #### Why This Should Be Backported: 1. **Fixes a Real Bug**: This is not a theoretical issue - it causes actual hardware scanning failures with kernel warnings for any S1G-capable hardware. 2. **Regression Fix**: This fixes a regression introduced by commit 0333a81bc8343 in kernel 6.3. Any stable kernel that includes that commit needs this fix. 3. **Small and Contained**: The fix is minimal - just 4 lines of actual code changes: - Adding `supp_s1g` boolean variable - Setting it based on S1G capability presence - Adding 17 bytes to buffer calculation when S1G is supported 4. **No Side Effects**: The change only affects S1G-capable devices and simply ensures adequate buffer space. It cannot negatively impact non-S1G devices. 5. **Clear Bug Pattern**: This is a classic "forgot to update buffer size calculation" bug that's straightforward to understand and verify. 6. **Vendor Support**: MorseMicro is actively developing S1G hardware and drivers, making this functionality important for emerging IoT/long-range WiFi deployments. #### Stable Tree Considerations: - Should be backported to **kernel 6.3 and later** (where commit 0333a81bc8343 exists) - The fix applies cleanly as it only adds to existing initialization code - No dependencies on other commits - Follows stable tree rules: fixes an important bug with minimal risk The commit message could have been clearer by mentioning this was a regression from commit 0333a81bc8343, but the fix itself is correct and necessary for S1G hardware to function properly. net/mac80211/main.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/mac80211/main.c b/net/mac80211/main.c index 1bad353d8a772..35c6755b817a8 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -1136,7 +1136,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) int result, i; enum nl80211_band band; int channels, max_bitrates; - bool supp_ht, supp_vht, supp_he, supp_eht; + bool supp_ht, supp_vht, supp_he, supp_eht, supp_s1g; struct cfg80211_chan_def dflt_chandef = {}; if (ieee80211_hw_check(hw, QUEUE_CONTROL) && @@ -1252,6 +1252,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) supp_vht = false; supp_he = false; supp_eht = false; + supp_s1g = false; for (band = 0; band < NUM_NL80211_BANDS; band++) { const struct ieee80211_sband_iftype_data *iftd; struct ieee80211_supported_band *sband; @@ -1299,6 +1300,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) max_bitrates = sband->n_bitrates; supp_ht = supp_ht || sband->ht_cap.ht_supported; supp_vht = supp_vht || sband->vht_cap.vht_supported; + supp_s1g = supp_s1g || sband->s1g_cap.s1g; for_each_sband_iftype_data(sband, i, iftd) { u8 he_40_mhz_cap; @@ -1432,6 +1434,9 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) local->scan_ies_len += 2 + sizeof(struct ieee80211_vht_cap); + if (supp_s1g) + local->scan_ies_len += 2 + sizeof(struct ieee80211_s1g_cap); + /* * HE cap element is variable in size - set len to allow max size */ if (supp_he) { -- 2.51.0

1 week, 4 days

1
6
0 0

[PATCH 6.1 000/104] 6.1.151-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.151 release. There are 104 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 09 Sep 2025 19:55:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.151-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.151-rc1 Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Check turbo_is_disabled() in store_no_turbo() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Read global.no_turbo under READ_ONCE() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Rearrange show_no_turbo() and store_no_turbo() Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Use value to check for invalid delays Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() yangshiguang <yangshiguang(a)xiaomi.com> mm: slub: avoid wake up kswapd in set_track_prepare Chengming Zhou <zhouchengming(a)bytedance.com> slub: Reflow ___slab_alloc() Vlastimil Babka <vbabka(a)suse.cz> mm, slub: refactor free debug processing zhang jiao <zhangjiao2(a)cmss.chinamobile.com> tools: gpio: remove the include directory on make clean zhangjiao <zhangjiao2(a)cmss.chinamobile.com> tools: gpio: rm .*.cmd on make clean Colin Ian King <colin.i.king(a)gmail.com> drm/amd/amdgpu: Fix missing error return on kzalloc failure Hawking Zhang <Hawking.Zhang(a)amd.com> drm/amdgpu: Replace DRM_* with dev_* in amdgpu_psp.c Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Make flashing messages quieter Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Skip TMR allocation if not required Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/amdgpu: Fix style problems in amdgpu_psp.c Tao Zhou <tao.zhou1(a)amd.com> drm/amdgpu: remove the check of init status in psp_ras_initialize Candice Li <candice.li(a)amd.com> drm/amdgpu: Optimize RAS TA initialization and TA unload funcs Ian Rogers <irogers(a)google.com> perf bpf-utils: Harden get_bpf_prog_info_linear Ian Rogers <irogers(a)google.com> perf bpf-utils: Constify bpil_array_desc Michael Walle <mwalle(a)kernel.org> drm/bridge: ti-sn65dsi86: fix REFCLK setting Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Set correct chip-select polarity bit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Fix transmissions when using CONT Vadim Pasternak <vadimp(a)nvidia.com> hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM Wentao Liang <vulab(a)iscas.ac.cn> pcmcia: Add error handling for add_interval() in do_validate_mem() Chen Ni <nichen(a)iscas.ac.cn> pcmcia: omap: Add missing check for platform_get_resource Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amdgpu: Avoid extra evict-restore process." Aaron Erhardt <aer(a)tuxedocomputers.com> ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Alex Hung <alex.hung(a)amd.com> drm/amd/display: Check link_res->hpo_dp_link_enc before using it Amir Goldstein <amir73il(a)gmail.com> fs: relax assertions on failure to encode file handles Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Do not update global.turbo_disabled after initialization Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Fold intel_pstate_max_within_limits() into caller Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Revise global turbo disable check Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Don't fail set_cs_timing when delays are zero Alexander Danilenko <al.b.danilenko(a)gmail.com> spi: tegra114: Remove unnecessary NULL-pointer checks Ronak Doshi <ronak.doshi(a)broadcom.com> vmxnet3: update MTU after device quiesce Jakob Unterwurzacher <jakobunt(a)gmail.com> net: dsa: microchip: linearize skb for tail-tagging switches Pieter Van Trappen <pieter.van.trappen(a)cern.ch> net: dsa: microchip: update tag_ksz masks for KSZ9477 family Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: designware: Fix an error handling path in i2c_dw_pci_probe() Luca Ceresoli <luca.ceresoli(a)bootlin.com> iio: light: opt3001: fix deadlock due to concurrent flag access David Lechner <dlechner(a)baylibre.com> iio: chemical: pms7003: use aligned_s64 for timestamp Josef Bacik <josef(a)toxicpanda.com> btrfs: adjust subpage bit start based on sectorsize Shakeel Butt <shakeel.butt(a)linux.dev> memcg: drain obj stock on cpu hotplug teardown Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Explicitly synchronize limits_changed flag handling Jonathan Currier <dullfire(a)yahoo.com> PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads Li Qiong <liqiong(a)nfschina.com> mm/slub: avoid accessing metadata when pointer is invalid in object_err() Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> net: pcs: rzn1-miic: Correct MODCTRL register offset Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix heap overflow in e1000_set_eeprom Makar Semyonov <m.semenov(a)tssltd.ru> cifs: prevent NULL pointer dereference in UTF16 conversion Stanislav Fort <stanislav.fort(a)aisle.com> batman-adv: fix OOB read/write in network-coding decode John Evans <evans1210144(a)gmail.com> scsi: lpfc: Fix buffer free/clear order in deferred receive path Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop hw access in non-DC audio fini Qianfeng Rong <rongqianfeng(a)vivo.com> wifi: mwifiex: Initialize the chan_stats array to zero wangzijie <wangzijie1(a)honor.com> proc: fix missing pde_set_flags() for net proc files Edward Adam Davis <eadavis(a)qq.com> ocfs2: prevent release journal inode after journal shutdown Harry Yoo <harry.yoo(a)oracle.com> mm: move page table sync declarations to linux/pgtable.h Harry Yoo <harry.yoo(a)oracle.com> x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Ma Ke <make24(a)iscas.ac.cn> pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Miaoqian Lin <linmq006(a)gmail.com> ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on some devices Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Kuniyuki Iwashima <kuniyu(a)google.com> selftest: net: Fix weird setsockopt() in bind_bhash.c. Qingfang Deng <dqfext(a)gmail.com> ppp: fix memory leak in pad_compress_skb Wang Liang <wangliang74(a)huawei.com> net: atm: fix memory leak in atm_register_sysfs when device_register fail Eric Dumazet <edumazet(a)google.com> ax25: properly unshare skbs in ax25_kiss_rcv() Alok Tiwari <alok.a.tiwari(a)oracle.com> mctp: return -ENOPROTOOPT for unknown getsockopt options Mahanta Jambigi <mjambigi(a)linux.ibm.com> net/smc: Remove validation of reserved bits in CLC Decline message Dan Carpenter <dan.carpenter(a)linaro.org> ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: decrement cleanup index before use Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: add a missing of_node_put Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: libertas: cap SSID len in lbs_associate() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cw1200: cap SSID length in cw1200_do_join() Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Zhen Ni <zhen.ni(a)easystack.cn> i40e: Fix potential invalid access when MAC list is empty Liu Jian <liujian56(a)huawei.com> net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Sean Anderson <sean.anderson(a)linux.dev> net: macb: Fix tx_ptr_lock locking Fabian Bläse <fabian(a)blaese.de> icmp: fix icmp_ndo_send address translation for reply direction Miaoqian Lin <linmq006(a)gmail.com> mISDN: Fix memory leak in dsp_hwec_enable() Alok Tiwari <alok.a.tiwari(a)oracle.com> xirc2ps_cs: fix register access when enabling FullDuplex Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Phil Sutter <phil(a)nwl.cc> netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Wang Liang <wangliang74(a)huawei.com> netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix use-after-free in cmp_bss() Marek Vasut <marek.vasut(a)mailbox.org> arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM Sungbae Yoo <sungbaey(a)nvidia.com> tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Peter Robinson <pbrobinson(a)gmail.com> arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix NULL pointer dereference in tee_shm_put Jiufei Xue <jiufei.xue(a)samsung.com> fs: writeback: fix use-after-free in __mark_inode_dirty() Yang Li <yang.li(a)amlogic.com> Bluetooth: hci_sync: Avoid adding default advertising on startup Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't warn when missing DCE encoder caps Lubomir Rintel <lkundrak(a)v3.sk> cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Filipe Manana <fdmanana(a)suse.com> btrfs: avoid load/store tearing races when checking if an inode was logged Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between setting last_dir_index_offset and inode logging Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between logging inode and checking if it was logged before Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix oob access in cgroup local storage Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move bpf map owner out of common struct Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move cgroup iterator helpers to bpf.h Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add cookie object to bpf maps ------------- Diffstat: Makefile | 4 +- .../arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 + .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 + arch/x86/include/asm/pgtable_64_types.h | 3 + arch/x86/mm/init_64.c | 18 ++ drivers/acpi/arm64/iort.c | 4 +- drivers/cpufreq/intel_pstate.c | 126 ++++------- drivers/dma/mediatek/mtk-cqdma.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 235 +++++++++++---------- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +- drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 - .../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 +- .../gpu/drm/amd/display/dc/link/link_hwss_hpo_dp.c | 7 + drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 + drivers/hwmon/mlxreg-fan.c | 5 +- drivers/i2c/busses/i2c-designware-pcidrv.c | 4 +- drivers/iio/chemical/pms7003.c | 5 +- drivers/iio/light/opt3001.c | 5 +- drivers/isdn/mISDN/dsp_hwec.c | 6 +- drivers/net/ethernet/cadence/macb_main.c | 28 +-- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +- drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- drivers/net/pcs/pcs-rzn1-miic.c | 2 +- drivers/net/phy/mscc/mscc_ptp.c | 18 +- drivers/net/ppp/ppp_generic.c | 6 +- drivers/net/usb/cdc_ncm.c | 7 + drivers/net/vmxnet3/vmxnet3_drv.c | 5 +- drivers/net/wireless/marvell/libertas/cfg.c | 9 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +- drivers/net/wireless/marvell/mwifiex/main.c | 4 +- drivers/net/wireless/st/cw1200/sta.c | 2 +- drivers/pci/msi/msi.c | 3 + drivers/pcmcia/omap_cf.c | 2 + drivers/pcmcia/rsrc_iodyn.c | 3 + drivers/pcmcia/rsrc_nonstatic.c | 4 +- drivers/scsi/lpfc/lpfc_nvmet.c | 10 +- drivers/spi/spi-fsl-lpspi.c | 15 +- drivers/spi/spi-tegra114.c | 18 +- drivers/tee/optee/ffa_abi.c | 4 +- drivers/tee/tee_shm.c | 6 +- fs/btrfs/btrfs_inode.h | 2 +- fs/btrfs/extent_io.c | 2 +- fs/btrfs/inode.c | 1 + fs/btrfs/tree-log.c | 78 ++++--- fs/fs-writeback.c | 9 +- fs/notify/fdinfo.c | 4 +- fs/ocfs2/inode.c | 3 + fs/overlayfs/copy_up.c | 5 +- fs/proc/generic.c | 38 ++-- fs/smb/client/cifs_unicode.c | 3 + include/linux/bpf-cgroup.h | 5 - include/linux/bpf.h | 60 ++++-- include/linux/pci.h | 2 + include/linux/pgtable.h | 16 ++ include/linux/vmalloc.h | 16 -- kernel/bpf/core.c | 50 +++-- kernel/bpf/syscall.c | 19 +- kernel/sched/cpufreq_schedutil.c | 28 ++- mm/memcontrol.c | 9 + mm/slub.c | 216 ++++++++++--------- net/atm/resources.c | 6 +- net/ax25/ax25_in.c | 4 + net/batman-adv/network-coding.c | 7 +- net/bluetooth/hci_sync.c | 2 +- net/bluetooth/l2cap_sock.c | 3 + net/bridge/br_netfilter_hooks.c | 3 - net/dsa/tag_ksz.c | 22 +- net/ipv4/devinet.c | 7 +- net/ipv4/icmp.c | 6 +- net/ipv6/ip6_icmp.c | 6 +- net/mctp/af_mctp.c | 2 +- net/netfilter/nf_conntrack_helper.c | 4 +- net/smc/smc_clc.c | 2 - net/smc/smc_ib.c | 3 + net/wireless/scan.c | 3 +- net/wireless/sme.c | 5 +- sound/pci/hda/patch_hdmi.c | 1 + sound/pci/hda/patch_realtek.c | 5 + sound/usb/mixer_quirks.c | 2 + tools/gpio/Makefile | 4 +- tools/perf/util/bpf-utils.c | 61 ++++-- tools/testing/selftests/net/bind_bhash.c | 4 +- 88 files changed, 822 insertions(+), 582 deletions(-)

1 week, 5 days

7
113
0 0

[PATCH 6.6 000/121] 6.6.105-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.105 release. There are 121 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 09 Sep 2025 19:55:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.105-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.105-rc1 Kevin Hao <haokexin(a)gmail.com> spi: fsl-qspi: Fix double cleanup in probe error path Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Check turbo_is_disabled() in store_no_turbo() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Read global.no_turbo under READ_ONCE() Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Rearrange show_no_turbo() and store_no_turbo() Radim Krčmář <rkrcmar(a)ventanamicro.com> riscv: use lw when reading int cpu in asm_per_cpu yangshiguang <yangshiguang(a)xiaomi.com> mm: slub: avoid wake up kswapd in set_track_prepare Chengming Zhou <zhouchengming(a)bytedance.com> slub: Reflow ___slab_alloc() zhang jiao <zhangjiao2(a)cmss.chinamobile.com> tools: gpio: remove the include directory on make clean zhangjiao <zhangjiao2(a)cmss.chinamobile.com> tools: gpio: rm .*.cmd on make clean Colin Ian King <colin.i.king(a)gmail.com> drm/amd/amdgpu: Fix missing error return on kzalloc failure Hawking Zhang <Hawking.Zhang(a)amd.com> drm/amdgpu: Replace DRM_* with dev_* in amdgpu_psp.c Ian Rogers <irogers(a)google.com> perf bpf-utils: Harden get_bpf_prog_info_linear Ian Rogers <irogers(a)google.com> perf bpf-utils: Constify bpil_array_desc Ian Rogers <irogers(a)google.com> perf bpf-event: Fix use-after-free in synthesis Michael Walle <mwalle(a)kernel.org> drm/bridge: ti-sn65dsi86: fix REFCLK setting Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Clear status register after disabling the module Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Set correct chip-select polarity bit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Fix transmissions when using CONT Vadim Pasternak <vadimp(a)nvidia.com> hwmon: mlxreg-fan: Prevent fans from getting stuck at 0 RPM Wentao Liang <vulab(a)iscas.ac.cn> pcmcia: Add error handling for add_interval() in do_validate_mem() Chen Ni <nichen(a)iscas.ac.cn> pcmcia: omap: Add missing check for platform_get_resource Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amdgpu: Avoid extra evict-restore process." Aaron Erhardt <aer(a)tuxedocomputers.com> ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Ma Ke <make24(a)iscas.ac.cn> drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Fix using wrong drm private data to bind mediatek-drm Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Add crtc path enum for all_drm_priv array Ronak Doshi <ronak.doshi(a)broadcom.com> vmxnet3: update MTU after device quiesce Jakob Unterwurzacher <jakobunt(a)gmail.com> net: dsa: microchip: linearize skb for tail-tagging switches Pieter Van Trappen <pieter.van.trappen(a)cern.ch> net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Chris Chiu <chris.chiu(a)canonical.com> ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA David Lechner <dlechner(a)baylibre.com> iio: pressure: mprls0025pa: use aligned_s64 for timestamp Luca Ceresoli <luca.ceresoli(a)bootlin.com> iio: light: opt3001: fix deadlock due to concurrent flag access David Lechner <dlechner(a)baylibre.com> iio: chemical: pms7003: use aligned_s64 for timestamp David Lechner <dlechner(a)baylibre.com> iio: imu: inv_mpu6050: align buffer for timestamp Josef Bacik <josef(a)toxicpanda.com> btrfs: adjust subpage bit start based on sectorsize Shakeel Butt <shakeel.butt(a)linux.dev> memcg: drain obj stock on cpu hotplug teardown Jonathan Currier <dullfire(a)yahoo.com> PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads Nícolas F. R. A. Prado <nfraprado(a)collabora.com> thermal/drivers/mediatek/lvts: Disable low offset IRQ for minimum threshold Han Xu <han.xu(a)nxp.com> spi: fsl-qspi: use devm function instead of driver remove Li Qiong <liqiong(a)nfschina.com> mm/slub: avoid accessing metadata when pointer is invalid in object_err() Dave Airlie <airlied(a)redhat.com> nouveau: fix disabling the nonstall irq due to storm code Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Do not update global.turbo_disabled after initialization Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Fold intel_pstate_max_within_limits() into caller Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> cpufreq: intel_pstate: Revise global turbo disable check Jinfeng Wang <jinfeng.wang.cn(a)windriver.com> Revert "spi: spi-cadence-quadspi: Fix pm runtime unbalance" Jinfeng Wang <jinfeng.wang.cn(a)windriver.com> Revert "spi: cadence-quadspi: fix cleanup of rx_chan on failure paths" Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> net: pcs: rzn1-miic: Correct MODCTRL register offset Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix heap overflow in e1000_set_eeprom Makar Semyonov <m.semenov(a)tssltd.ru> cifs: prevent NULL pointer dereference in UTF16 conversion Stanislav Fort <stanislav.fort(a)aisle.com> batman-adv: fix OOB read/write in network-coding decode John Evans <evans1210144(a)gmail.com> scsi: lpfc: Fix buffer free/clear order in deferred receive path Christoffer Sandberg <cs(a)tuxedo.de> platform/x86/amd/pmc: Add TUXEDO IB Pro Gen10 AMD to spurious 8042 quirks list Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop hw access in non-DC audio fini Nathan Chancellor <nathan(a)kernel.org> wifi: mt76: mt7996: Initialize hdr before passing to skb_put_data() Qianfeng Rong <rongqianfeng(a)vivo.com> wifi: mwifiex: Initialize the chan_stats array to zero Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> soc: qcom: mdt_loader: Deal with zero e_shentsize wangzijie <wangzijie1(a)honor.com> proc: fix missing pde_set_flags() for net proc files Edward Adam Davis <eadavis(a)qq.com> ocfs2: prevent release journal inode after journal shutdown Christian Loehle <christian.loehle(a)arm.com> sched: Fix sched_numa_find_nth_cpu() if mask offline Harry Yoo <harry.yoo(a)oracle.com> mm: move page table sync declarations to linux/pgtable.h Harry Yoo <harry.yoo(a)oracle.com> x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Ma Ke <make24(a)iscas.ac.cn> pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() panfan <panfan(a)qti.qualcomm.com> arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE Miaoqian Lin <linmq006(a)gmail.com> ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on some devices Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Kuniyuki Iwashima <kuniyu(a)google.com> selftest: net: Fix weird setsockopt() in bind_bhash.c. Qingfang Deng <dqfext(a)gmail.com> ppp: fix memory leak in pad_compress_skb Wang Liang <wangliang74(a)huawei.com> net: atm: fix memory leak in atm_register_sysfs when device_register fail Eric Dumazet <edumazet(a)google.com> ax25: properly unshare skbs in ax25_kiss_rcv() Alok Tiwari <alok.a.tiwari(a)oracle.com> mctp: return -ENOPROTOOPT for unknown getsockopt options Mahanta Jambigi <mjambigi(a)linux.ibm.com> net/smc: Remove validation of reserved bits in CLC Decline message Dan Carpenter <dan.carpenter(a)linaro.org> ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: decrement cleanup index before use Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: add a missing of_node_put Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: libertas: cap SSID len in lbs_associate() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cw1200: cap SSID length in cw1200_do_join() Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Rameshkumar Sundaram <rameshkumar.sundaram(a)oss.qualcomm.com> wifi: ath11k: fix group data packet drops during rekey Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath11k: avoid forward declaration of ath11k_mac_start_vdev_delay() Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath11k: rename ath11k_start_vdev_delay() Jeff Johnson <quic_jjohnson(a)quicinc.com> wifi: ath11k: Introduce and use ath11k_sta_to_arsta() Zhen Ni <zhen.ni(a)easystack.cn> i40e: Fix potential invalid access when MAC list is empty Liu Jian <liujian56(a)huawei.com> net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() Sabrina Dubroca <sd(a)queasysnail.net> macsec: read MACSEC_SA_ATTR_PN with nla_get_uint Jakub Kicinski <kuba(a)kernel.org> netlink: add variable-length / auto integers Sean Anderson <sean.anderson(a)linux.dev> net: macb: Fix tx_ptr_lock locking Fabian Bläse <fabian(a)blaese.de> icmp: fix icmp_ndo_send address translation for reply direction Miaoqian Lin <linmq006(a)gmail.com> mISDN: Fix memory leak in dsp_hwec_enable() Alok Tiwari <alok.a.tiwari(a)oracle.com> xirc2ps_cs: fix register access when enabling FullDuplex Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Ivan Pravdin <ipravdin.official(a)gmail.com> Bluetooth: vhci: Prevent use-after-free by removing debugfs files early Phil Sutter <phil(a)nwl.cc> netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Wang Liang <wangliang74(a)huawei.com> netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Duoming Zhou <duoming(a)zju.edu.cn> wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix use-after-free in cmp_bss() Marek Vasut <marek.vasut(a)mailbox.org> arm64: dts: imx8mp: Fix missing microSD slot vqmmc on Data Modul i.MX8M Plus eDM SBC Marek Vasut <marek.vasut(a)mailbox.org> arm64: dts: imx8mp: Fix missing microSD slot vqmmc on DH electronics i.MX8M Plus DHCOM Sungbae Yoo <sungbaey(a)nvidia.com> tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible" Peter Robinson <pbrobinson(a)gmail.com> arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix NULL pointer dereference in tee_shm_put Jiufei Xue <jiufei.xue(a)samsung.com> fs: writeback: fix use-after-free in __mark_inode_dirty() Yang Li <yang.li(a)amlogic.com> Bluetooth: hci_sync: Avoid adding default advertising on startup Shinji Nomoto <fj5851bi(a)fujitsu.com> cpupower: Fix a bug where the -t option of the set subcommand was not working. Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't warn when missing DCE encoder caps Lubomir Rintel <lkundrak(a)v3.sk> cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Save LBT before FPU in setup_sigcontext() Filipe Manana <fdmanana(a)suse.com> btrfs: avoid load/store tearing races when checking if an inode was logged Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between setting last_dir_index_offset and inode logging Filipe Manana <fdmanana(a)suse.com> btrfs: fix race between logging inode and checking if it was logged before Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix oob access in cgroup local storage Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move bpf map owner out of common struct Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move cgroup iterator helpers to bpf.h Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add cookie object to bpf maps ------------- Diffstat: Documentation/userspace-api/netlink/specs.rst | 18 +- Makefile | 4 +- .../dts/freescale/imx8mp-data-modul-edm-sbc.dts | 1 + .../arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 + .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 + arch/arm64/include/asm/module.h | 1 + arch/arm64/include/asm/module.lds.h | 1 + arch/arm64/kernel/ftrace.c | 13 +- arch/arm64/kernel/module-plts.c | 12 +- arch/arm64/kernel/module.c | 11 + arch/loongarch/kernel/signal.c | 10 +- arch/riscv/include/asm/asm.h | 2 +- arch/x86/include/asm/pgtable_64_types.h | 3 + arch/x86/mm/init_64.c | 18 + drivers/acpi/arm64/iort.c | 4 +- drivers/bluetooth/hci_vhci.c | 57 +- drivers/cpufreq/intel_pstate.c | 126 ++--- drivers/dma/mediatek/mtk-cqdma.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 146 ++--- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +- drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 - .../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 +- drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 42 +- drivers/gpu/drm/mediatek/mtk_drm_drv.h | 8 +- drivers/gpu/drm/nouveau/nvkm/engine/fifo/base.c | 2 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga100.c | 23 +- drivers/gpu/drm/nouveau/nvkm/engine/fifo/ga102.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/fifo/priv.h | 2 + drivers/hwmon/mlxreg-fan.c | 5 +- drivers/iio/chemical/pms7003.c | 5 +- drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 2 +- drivers/iio/light/opt3001.c | 5 +- drivers/iio/pressure/mprls0025pa.c | 10 +- drivers/isdn/mISDN/dsp_hwec.c | 6 +- drivers/net/ethernet/cadence/macb_main.c | 28 +- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +- drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- drivers/net/macsec.c | 8 +- drivers/net/pcs/pcs-rzn1-miic.c | 2 +- drivers/net/phy/mscc/mscc_ptp.c | 18 +- drivers/net/ppp/ppp_generic.c | 6 +- drivers/net/usb/cdc_ncm.c | 7 + drivers/net/vmxnet3/vmxnet3_drv.c | 5 +- drivers/net/wireless/ath/ath11k/core.h | 7 + drivers/net/wireless/ath/ath11k/debugfs.c | 4 +- drivers/net/wireless/ath/ath11k/debugfs_sta.c | 30 +- drivers/net/wireless/ath/ath11k/dp_rx.c | 8 +- drivers/net/wireless/ath/ath11k/dp_tx.c | 4 +- drivers/net/wireless/ath/ath11k/mac.c | 588 ++++++++++++--------- drivers/net/wireless/ath/ath11k/peer.c | 2 +- drivers/net/wireless/ath/ath11k/wmi.c | 6 +- .../wireless/broadcom/brcm80211/brcmfmac/btcoex.c | 6 +- drivers/net/wireless/marvell/libertas/cfg.c | 9 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +- drivers/net/wireless/marvell/mwifiex/main.c | 4 +- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 4 +- drivers/net/wireless/st/cw1200/sta.c | 2 +- drivers/pci/msi/msi.c | 3 + drivers/pcmcia/omap_cf.c | 2 + drivers/pcmcia/rsrc_iodyn.c | 3 + drivers/pcmcia/rsrc_nonstatic.c | 4 +- drivers/platform/x86/amd/pmc/pmc-quirks.c | 14 + drivers/scsi/lpfc/lpfc_nvmet.c | 10 +- drivers/soc/qcom/mdt_loader.c | 12 +- drivers/spi/spi-cadence-quadspi.c | 6 +- drivers/spi/spi-fsl-lpspi.c | 24 +- drivers/spi/spi-fsl-qspi.c | 36 +- drivers/tee/optee/ffa_abi.c | 4 +- drivers/tee/tee_shm.c | 6 +- drivers/thermal/mediatek/lvts_thermal.c | 50 +- fs/btrfs/btrfs_inode.h | 2 +- fs/btrfs/extent_io.c | 2 +- fs/btrfs/inode.c | 1 + fs/btrfs/tree-log.c | 78 ++- fs/fs-writeback.c | 9 +- fs/ocfs2/inode.c | 3 + fs/proc/generic.c | 38 +- fs/smb/client/cifs_unicode.c | 3 + include/linux/bpf-cgroup.h | 5 - include/linux/bpf.h | 60 ++- include/linux/pci.h | 2 + include/linux/pgtable.h | 16 + include/linux/vmalloc.h | 16 - include/net/netlink.h | 69 ++- include/uapi/linux/netlink.h | 5 + kernel/bpf/core.c | 50 +- kernel/bpf/syscall.c | 20 +- kernel/sched/topology.c | 2 + lib/nlattr.c | 22 + mm/memcontrol.c | 9 + mm/slub.c | 66 ++- net/atm/resources.c | 6 +- net/ax25/ax25_in.c | 4 + net/batman-adv/network-coding.c | 7 +- net/bluetooth/hci_sync.c | 2 +- net/bluetooth/l2cap_sock.c | 3 + net/bridge/br_netfilter_hooks.c | 3 - net/dsa/tag_ksz.c | 22 +- net/ipv4/devinet.c | 7 +- net/ipv4/icmp.c | 6 +- net/ipv6/ip6_icmp.c | 6 +- net/mctp/af_mctp.c | 2 +- net/netfilter/nf_conntrack_helper.c | 4 +- net/netlink/policy.c | 14 +- net/smc/smc_clc.c | 2 - net/smc/smc_ib.c | 3 + net/wireless/scan.c | 3 +- net/wireless/sme.c | 5 +- sound/pci/hda/patch_hdmi.c | 1 + sound/pci/hda/patch_realtek.c | 5 + sound/usb/mixer_quirks.c | 2 + tools/gpio/Makefile | 4 +- tools/perf/util/bpf-event.c | 39 +- tools/perf/util/bpf-utils.c | 61 ++- tools/power/cpupower/utils/cpupower-set.c | 4 +- tools/testing/selftests/net/bind_bhash.c | 4 +- 123 files changed, 1405 insertions(+), 860 deletions(-)

1 week, 5 days

7
127
0 0

+ mm-folio_may_be_lru_cached-unless-folio_test_large.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: folio_may_be_lru_cached() unless folio_test_large() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-folio_may_be_lru_cached-unless-folio_test_large.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Hugh Dickins <hughd(a)google.com> Subject: mm: folio_may_be_lru_cached() unless folio_test_large() Date: Mon, 8 Sep 2025 15:23:15 -0700 (PDT) mm/swap.c and mm/mlock.c agree to drain any per-CPU batch as soon as a large folio is added: so collect_longterm_unpinnable_folios() just wastes effort when calling lru_add_drain[_all]() on a large folio. But although there is good reason not to batch up PMD-sized folios, we might well benefit from batching a small number of low-order mTHPs (though unclear how that "small number" limitation will be implemented). So ask if folio_may_be_lru_cached() rather than !folio_test_large(), to insulate those particular checks from future change. Name preferred to "folio_is_batchable" because large folios can well be put on a batch: it's just the per-CPU LRU caches, drained much later, which need care. Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Link: https://lkml.kernel.org/r/57d2eaf8-3607-f318-e0c5-be02dce61ad0@google.com Signed-off-by: Hugh Dickins <hughd(a)google.com> Suggested-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/swap.h | 10 ++++++++++ mm/gup.c | 4 ++-- mm/mlock.c | 6 +++--- mm/swap.c | 2 +- 4 files changed, 16 insertions(+), 6 deletions(-) --- a/include/linux/swap.h~mm-folio_may_be_lru_cached-unless-folio_test_large +++ a/include/linux/swap.h @@ -385,6 +385,16 @@ void folio_add_lru_vma(struct folio *, s void mark_page_accessed(struct page *); void folio_mark_accessed(struct folio *); +static inline bool folio_may_be_lru_cached(struct folio *folio) +{ + /* + * Holding PMD-sized folios in per-CPU LRU cache unbalances accounting. + * Holding small numbers of low-order mTHP folios in per-CPU LRU cache + * will be sensible, but nobody has implemented and tested that yet. + */ + return !folio_test_large(folio); +} + extern atomic_t lru_disable_count; static inline bool lru_cache_disabled(void) --- a/mm/gup.c~mm-folio_may_be_lru_cached-unless-folio_test_large +++ a/mm/gup.c @@ -2307,13 +2307,13 @@ static unsigned long collect_longterm_un continue; } - if (drained == 0 && + if (drained == 0 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain(); drained = 1; } - if (drained == 1 && + if (drained == 1 && folio_may_be_lru_cached(folio) && folio_ref_count(folio) != folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); --- a/mm/mlock.c~mm-folio_may_be_lru_cached-unless-folio_test_large +++ a/mm/mlock.c @@ -255,7 +255,7 @@ void mlock_folio(struct folio *folio) folio_get(folio); if (!folio_batch_add(fbatch, mlock_lru(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -278,7 +278,7 @@ void mlock_new_folio(struct folio *folio folio_get(folio); if (!folio_batch_add(fbatch, mlock_new(folio)) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } @@ -299,7 +299,7 @@ void munlock_folio(struct folio *folio) */ folio_get(folio); if (!folio_batch_add(fbatch, folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) mlock_folio_batch(fbatch); local_unlock(&mlock_fbatch.lock); } --- a/mm/swap.c~mm-folio_may_be_lru_cached-unless-folio_test_large +++ a/mm/swap.c @@ -192,7 +192,7 @@ static void __folio_batch_add_and_move(s local_lock(&cpu_fbatches.lock); if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || - folio_test_large(folio) || lru_cache_disabled()) + !folio_may_be_lru_cached(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq) _ Patches currently in -mm which might be from hughd(a)google.com are mm-gup-check-ref_count-instead-of-lru-before-migration.patch mm-gup-local-lru_add_drain-to-avoid-lru_add_drain_all.patch mm-revert-mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch mm-revert-mm-vmscanc-fix-oom-on-swap-stress-test.patch mm-folio_may_be_lru_cached-unless-folio_test_large.patch mm-lru_add_drain_all-do-local-lru_add_drain-first.patch

1 week, 5 days

1
0
0 0

+ mm-revert-mm-vmscanc-fix-oom-on-swap-stress-test.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: revert "mm: vmscan.c: fix OOM on swap stress test" has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-revert-mm-vmscanc-fix-oom-on-swap-stress-test.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Hugh Dickins <hughd(a)google.com> Subject: mm: revert "mm: vmscan.c: fix OOM on swap stress test" Date: Mon, 8 Sep 2025 15:21:12 -0700 (PDT) This reverts commit 0885ef470560: that was a fix to the reverted 33dfe9204f29b415bbc0abb1a50642d1ba94f5e9. Link: https://lkml.kernel.org/r/aa0e9d67-fbcd-9d79-88a1-641dfbe1d9d1@google.com Signed-off-by: Hugh Dickins <hughd(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmscan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/vmscan.c~mm-revert-mm-vmscanc-fix-oom-on-swap-stress-test +++ a/mm/vmscan.c @@ -4507,7 +4507,7 @@ static bool sort_folio(struct lruvec *lr } /* ineligible */ - if (!folio_test_lru(folio) || zone > sc->reclaim_idx) { + if (zone > sc->reclaim_idx) { gen = folio_inc_gen(lruvec, folio, false); list_move_tail(&folio->lru, &lrugen->folios[gen][type][zone]); return true; _ Patches currently in -mm which might be from hughd(a)google.com are mm-gup-check-ref_count-instead-of-lru-before-migration.patch mm-gup-local-lru_add_drain-to-avoid-lru_add_drain_all.patch mm-revert-mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch mm-revert-mm-vmscanc-fix-oom-on-swap-stress-test.patch mm-folio_may_be_lru_cached-unless-folio_test_large.patch mm-lru_add_drain_all-do-local-lru_add_drain-first.patch

1 week, 5 days

1
0
0 0

+ mm-revert-mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: Revert "mm/gup: clear the LRU flag of a page before adding to LRU batch" has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-revert-mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Hugh Dickins <hughd(a)google.com> Subject: mm: Revert "mm/gup: clear the LRU flag of a page before adding to LRU batch" Date: Mon, 8 Sep 2025 15:19:17 -0700 (PDT) This reverts commit 33dfe9204f29: now that collect_longterm_unpinnable_folios() is checking ref_count instead of lru, and mlock/munlock do not participate in the revised LRU flag clearing, those changes are misleading, and enlarge the window during which mlock/munlock may miss an mlock_count update. It is possible (I'd hesitate to claim probable) that the greater likelihood of missed mlock_count updates would explain the "Realtime threads delayed due to kcompactd0" observed on 6.12 in the Link below. If that is the case, this reversion will help; but a complete solution needs also a further patch, beyond the scope of this series. Included some 80-column cleanup around folio_batch_add_and_move(). The role of folio_test_clear_lru() (before taking per-memcg lru_lock) is questionable since 6.13 removed mem_cgroup_move_account() etc; but perhaps there are still some races which need it - not examined here. Link: https://lore.kernel.org/linux-mm/DU0PR01MB10385345F7153F334100981888259A@DU… Link: https://lkml.kernel.org/r/05905d7b-ed14-68b1-79d8-bdec30367eba@google.com Signed-off-by: Hugh Dickins <hughd(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swap.c | 50 ++++++++++++++++++++++++++------------------------ 1 file changed, 26 insertions(+), 24 deletions(-) --- a/mm/swap.c~mm-revert-mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch +++ a/mm/swap.c @@ -164,6 +164,10 @@ static void folio_batch_move_lru(struct for (i = 0; i < folio_batch_count(fbatch); i++) { struct folio *folio = fbatch->folios[i]; + /* block memcg migration while the folio moves between lru */ + if (move_fn != lru_add && !folio_test_clear_lru(folio)) + continue; + folio_lruvec_relock_irqsave(folio, &lruvec, &flags); move_fn(lruvec, folio); @@ -176,14 +180,10 @@ static void folio_batch_move_lru(struct } static void __folio_batch_add_and_move(struct folio_batch __percpu *fbatch, - struct folio *folio, move_fn_t move_fn, - bool on_lru, bool disable_irq) + struct folio *folio, move_fn_t move_fn, bool disable_irq) { unsigned long flags; - if (on_lru && !folio_test_clear_lru(folio)) - return; - folio_get(folio); if (disable_irq) @@ -191,8 +191,8 @@ static void __folio_batch_add_and_move(s else local_lock(&cpu_fbatches.lock); - if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || folio_test_large(folio) || - lru_cache_disabled()) + if (!folio_batch_add(this_cpu_ptr(fbatch), folio) || + folio_test_large(folio) || lru_cache_disabled()) folio_batch_move_lru(this_cpu_ptr(fbatch), move_fn); if (disable_irq) @@ -201,13 +201,13 @@ static void __folio_batch_add_and_move(s local_unlock(&cpu_fbatches.lock); } -#define folio_batch_add_and_move(folio, op, on_lru) \ - __folio_batch_add_and_move( \ - &cpu_fbatches.op, \ - folio, \ - op, \ - on_lru, \ - offsetof(struct cpu_fbatches, op) >= offsetof(struct cpu_fbatches, lock_irq) \ +#define folio_batch_add_and_move(folio, op) \ + __folio_batch_add_and_move( \ + &cpu_fbatches.op, \ + folio, \ + op, \ + offsetof(struct cpu_fbatches, op) >= \ + offsetof(struct cpu_fbatches, lock_irq) \ ) static void lru_move_tail(struct lruvec *lruvec, struct folio *folio) @@ -231,10 +231,10 @@ static void lru_move_tail(struct lruvec void folio_rotate_reclaimable(struct folio *folio) { if (folio_test_locked(folio) || folio_test_dirty(folio) || - folio_test_unevictable(folio)) + folio_test_unevictable(folio) || !folio_test_lru(folio)) return; - folio_batch_add_and_move(folio, lru_move_tail, true); + folio_batch_add_and_move(folio, lru_move_tail); } void lru_note_cost_unlock_irq(struct lruvec *lruvec, bool file, @@ -328,10 +328,11 @@ static void folio_activate_drain(int cpu void folio_activate(struct folio *folio) { - if (folio_test_active(folio) || folio_test_unevictable(folio)) + if (folio_test_active(folio) || folio_test_unevictable(folio) || + !folio_test_lru(folio)) return; - folio_batch_add_and_move(folio, lru_activate, true); + folio_batch_add_and_move(folio, lru_activate); } #else @@ -507,7 +508,7 @@ void folio_add_lru(struct folio *folio) lru_gen_in_fault() && !(current->flags & PF_MEMALLOC)) folio_set_active(folio); - folio_batch_add_and_move(folio, lru_add, false); + folio_batch_add_and_move(folio, lru_add); } EXPORT_SYMBOL(folio_add_lru); @@ -685,13 +686,13 @@ void lru_add_drain_cpu(int cpu) void deactivate_file_folio(struct folio *folio) { /* Deactivating an unevictable folio will not accelerate reclaim */ - if (folio_test_unevictable(folio)) + if (folio_test_unevictable(folio) || !folio_test_lru(folio)) return; if (lru_gen_enabled() && lru_gen_clear_refs(folio)) return; - folio_batch_add_and_move(folio, lru_deactivate_file, true); + folio_batch_add_and_move(folio, lru_deactivate_file); } /* @@ -704,13 +705,13 @@ void deactivate_file_folio(struct folio */ void folio_deactivate(struct folio *folio) { - if (folio_test_unevictable(folio)) + if (folio_test_unevictable(folio) || !folio_test_lru(folio)) return; if (lru_gen_enabled() ? lru_gen_clear_refs(folio) : !folio_test_active(folio)) return; - folio_batch_add_and_move(folio, lru_deactivate, true); + folio_batch_add_and_move(folio, lru_deactivate); } /** @@ -723,10 +724,11 @@ void folio_deactivate(struct folio *foli void folio_mark_lazyfree(struct folio *folio) { if (!folio_test_anon(folio) || !folio_test_swapbacked(folio) || + !folio_test_lru(folio) || folio_test_swapcache(folio) || folio_test_unevictable(folio)) return; - folio_batch_add_and_move(folio, lru_lazyfree, true); + folio_batch_add_and_move(folio, lru_lazyfree); } void lru_add_drain(void) _ Patches currently in -mm which might be from hughd(a)google.com are mm-gup-check-ref_count-instead-of-lru-before-migration.patch mm-gup-local-lru_add_drain-to-avoid-lru_add_drain_all.patch mm-revert-mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch mm-revert-mm-vmscanc-fix-oom-on-swap-stress-test.patch mm-folio_may_be_lru_cached-unless-folio_test_large.patch mm-lru_add_drain_all-do-local-lru_add_drain-first.patch

1 week, 5 days

1
0
0 0

+ mm-gup-local-lru_add_drain-to-avoid-lru_add_drain_all.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/gup: local lru_add_drain() to avoid lru_add_drain_all() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-gup-local-lru_add_drain-to-avoid-lru_add_drain_all.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Hugh Dickins <hughd(a)google.com> Subject: mm/gup: local lru_add_drain() to avoid lru_add_drain_all() Date: Mon, 8 Sep 2025 15:16:53 -0700 (PDT) In many cases, if collect_longterm_unpinnable_folios() does need to drain the LRU cache to release a reference, the cache in question is on this same CPU, and much more efficiently drained by a preliminary local lru_add_drain(), than the later cross-CPU lru_add_drain_all(). Marked for stable, to counter the increase in lru_add_drain_all()s from "mm/gup: check ref_count instead of lru before migration". Note for clean backports: can take 6.16 commit a03db236aebf ("gup: optimize longterm pin_user_pages() for large folio") first. Link: https://lkml.kernel.org/r/66f2751f-283e-816d-9530-765db7edc465@google.com Signed-off-by: Hugh Dickins <hughd(a)google.com> Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: Will Deacon <will(a)kernel.org> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) --- a/mm/gup.c~mm-gup-local-lru_add_drain-to-avoid-lru_add_drain_all +++ a/mm/gup.c @@ -2287,8 +2287,8 @@ static unsigned long collect_longterm_un struct pages_or_folios *pofs) { unsigned long collected = 0; - bool drain_allow = true; struct folio *folio; + int drained = 0; long i = 0; for (folio = pofs_get_folio(pofs, i); folio; @@ -2307,10 +2307,17 @@ static unsigned long collect_longterm_un continue; } - if (drain_allow && folio_ref_count(folio) != - folio_expected_ref_count(folio) + 1) { + if (drained == 0 && + folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { + lru_add_drain(); + drained = 1; + } + if (drained == 1 && + folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); - drain_allow = false; + drained = 2; } if (!folio_isolate_lru(folio)) _ Patches currently in -mm which might be from hughd(a)google.com are mm-gup-check-ref_count-instead-of-lru-before-migration.patch mm-gup-local-lru_add_drain-to-avoid-lru_add_drain_all.patch mm-revert-mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch mm-revert-mm-vmscanc-fix-oom-on-swap-stress-test.patch mm-folio_may_be_lru_cached-unless-folio_test_large.patch mm-lru_add_drain_all-do-local-lru_add_drain-first.patch

1 week, 5 days

1
0
0 0

+ mm-gup-check-ref_count-instead-of-lru-before-migration.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/gup: check ref_count instead of lru before migration has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-gup-check-ref_count-instead-of-lru-before-migration.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Hugh Dickins <hughd(a)google.com> Subject: mm/gup: check ref_count instead of lru before migration Date: Mon, 8 Sep 2025 15:15:03 -0700 (PDT) Patch series "mm: better GUP pin lru_add_drain_all()", v2. Series of lru_add_drain_all()-related patches, arising from recent mm/gup migration report from Will Deacon. This patch (of 6): Will Deacon reports:- When taking a longterm GUP pin via pin_user_pages(), __gup_longterm_locked() tries to migrate target folios that should not be longterm pinned, for example because they reside in a CMA region or movable zone. This is done by first pinning all of the target folios anyway, collecting all of the longterm-unpinnable target folios into a list, dropping the pins that were just taken and finally handing the list off to migrate_pages() for the actual migration. It is critically important that no unexpected references are held on the folios being migrated, otherwise the migration will fail and pin_user_pages() will return -ENOMEM to its caller. Unfortunately, it is relatively easy to observe migration failures when running pKVM (which uses pin_user_pages() on crosvm's virtual address space to resolve stage-2 page faults from the guest) on a 6.15-based Pixel 6 device and this results in the VM terminating prematurely. In the failure case, 'crosvm' has called mlock(MLOCK_ONFAULT) on its mapping of guest memory prior to the pinning. Subsequently, when pin_user_pages() walks the page-table, the relevant 'pte' is not present and so the faulting logic allocates a new folio, mlocks it with mlock_folio() and maps it in the page-table. Since commit 2fbb0c10d1e8 ("mm/munlock: mlock_page() munlock_page() batch by pagevec"), mlock/munlock operations on a folio (formerly page), are deferred. For example, mlock_folio() takes an additional reference on the target folio before placing it into a per-cpu 'folio_batch' for later processing by mlock_folio_batch(), which drops the refcount once the operation is complete. Processing of the batches is coupled with the LRU batch logic and can be forcefully drained with lru_add_drain_all() but as long as a folio remains unprocessed on the batch, its refcount will be elevated. This deferred batching therefore interacts poorly with the pKVM pinning scenario as we can find ourselves in a situation where the migration code fails to migrate a folio due to the elevated refcount from the pending mlock operation. Hugh Dickins adds:- !folio_test_lru() has never been a very reliable way to tell if an lru_add_drain_all() is worth calling, to remove LRU cache references to make the folio migratable: the LRU flag may be set even while the folio is held with an extra reference in a per-CPU LRU cache. 5.18 commit 2fbb0c10d1e8 may have made it more unreliable. Then 6.11 commit 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") tried to make it reliable, by moving LRU flag clearing; but missed the mlock/munlock batches, so still unreliable as reported. And it turns out to be difficult to extend 33dfe9204f29's LRU flag clearing to the mlock/munlock batches: if they do benefit from batching, mlock/munlock cannot be so effective when easily suppressed while !LRU. Instead, switch to an expected ref_count check, which was more reliable all along: some more false positives (unhelpful drains) than before, and never a guarantee that the folio will prove migratable, but better. Note on PG_private_2: ceph and nfs are still using the deprecated PG_private_2 flag, with the aid of netfs and filemap support functions. Although it is consistently matched by an increment of folio ref_count, folio_expected_ref_count() intentionally does not recognize it, and ceph folio migration currently depends on that for PG_private_2 folios to be rejected. New references to the deprecated flag are discouraged, so do not add it into the collect_longterm_unpinnable_folios() calculation: but longterm pinning of transiently PG_private_2 ceph and nfs folios (an uncommon case) may invoke a redundant lru_add_drain_all(). And this makes easy the backport to earlier releases: up to and including 6.12, btrfs also used PG_private_2, but without a ref_count increment. Note for stable backports: requires 6.16 commit 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation"). Link: https://lkml.kernel.org/r/41395944-b0e3-c3ac-d648-8ddd70451d28@google.com Link: https://lkml.kernel.org/r/bd1f314a-fca1-8f19-cac0-b936c9614557@google.com Fixes: 9a4e9f3b2d73 ("mm: update get_user_pages_longterm to migrate pages allocated from CMA region") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: Will Deacon <will(a)kernel.org> Closes: https://lore.kernel.org/linux-mm/20250815101858.24352-1-will@kernel.org/ Cc: "Aneesh Kumar K.V" <aneesh.kumar(a)kernel.org> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: Keir Fraser <keirf(a)google.com> Cc: Konstantin Khlebnikov <koct9i(a)gmail.com> Cc: Li Zhe <lizhe.67(a)bytedance.com> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Peter Xu <peterx(a)redhat.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Shivank Garg <shivankg(a)amd.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Wei Xu <weixugc(a)google.com> Cc: yangge <yangge1116(a)126.com> Cc: Yuanchu Xie <yuanchu(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/gup.c~mm-gup-check-ref_count-instead-of-lru-before-migration +++ a/mm/gup.c @@ -2307,7 +2307,8 @@ static unsigned long collect_longterm_un continue; } - if (!folio_test_lru(folio) && drain_allow) { + if (drain_allow && folio_ref_count(folio) != + folio_expected_ref_count(folio) + 1) { lru_add_drain_all(); drain_allow = false; } _ Patches currently in -mm which might be from hughd(a)google.com are mm-gup-check-ref_count-instead-of-lru-before-migration.patch mm-gup-local-lru_add_drain-to-avoid-lru_add_drain_all.patch mm-revert-mm-gup-clear-the-lru-flag-of-a-page-before-adding-to-lru-batch.patch mm-revert-mm-vmscanc-fix-oom-on-swap-stress-test.patch mm-folio_may_be_lru_cached-unless-folio_test_large.patch mm-lru_add_drain_all-do-local-lru_add_drain-first.patch

1 week, 5 days

1
0
0 0

[PATCH] Revert "drm/amdgpu: Add more checks to PSP mailbox"

by Alex Deucher

This reverts commit 165a69a87d6bde85cac2c051fa6da611ca4524f6. This commit is not applicable for stable kernels and results in the driver failing to load on some chips on kernel 6.16.x. Revert from 6.16.x. Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org # 6.16.x --- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 --- drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 11 --------- drivers/gpu/drm/amd/amdgpu/psp_v10_0.c | 4 +-- drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 31 +++++++++--------------- drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c | 25 ++++++++----------- drivers/gpu/drm/amd/amdgpu/psp_v12_0.c | 18 ++++++-------- drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 25 ++++++++----------- drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c | 25 ++++++++----------- drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 25 ++++++++----------- 9 files changed, 61 insertions(+), 107 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c index 7d8b98aa5271..c14f63cefe67 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c @@ -596,10 +596,6 @@ int psp_wait_for(struct psp_context *psp, uint32_t reg_index, udelay(1); } - dev_err(adev->dev, - "psp reg (0x%x) wait timed out, mask: %x, read: %x exp: %x", - reg_index, mask, val, reg_val); - return -ETIME; } diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h index a4a00855d0b2..428adc7f741d 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h @@ -51,17 +51,6 @@ #define C2PMSG_CMD_SPI_GET_ROM_IMAGE_ADDR_HI 0x10 #define C2PMSG_CMD_SPI_GET_FLASH_IMAGE 0x11 -/* Command register bit 31 set to indicate readiness */ -#define MBOX_TOS_READY_FLAG (GFX_FLAG_RESPONSE) -#define MBOX_TOS_READY_MASK (GFX_CMD_RESPONSE_MASK | GFX_CMD_STATUS_MASK) - -/* Values to check for a successful GFX_CMD response wait. Check against - * both status bits and response state - helps to detect a command failure - * or other unexpected cases like a device drop reading all 0xFFs - */ -#define MBOX_TOS_RESP_FLAG (GFX_FLAG_RESPONSE) -#define MBOX_TOS_RESP_MASK (GFX_CMD_RESPONSE_MASK | GFX_CMD_STATUS_MASK) - extern const struct attribute_group amdgpu_flash_attr_group; enum psp_shared_mem_size { diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v10_0.c b/drivers/gpu/drm/amd/amdgpu/psp_v10_0.c index 2c4ebd98927f..145186a1e48f 100644 --- a/drivers/gpu/drm/amd/amdgpu/psp_v10_0.c +++ b/drivers/gpu/drm/amd/amdgpu/psp_v10_0.c @@ -94,7 +94,7 @@ static int psp_v10_0_ring_create(struct psp_context *psp, /* Wait for response flag (bit 31) in C2PMSG_64 */ ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + 0x80000000, 0x8000FFFF, false); return ret; } @@ -115,7 +115,7 @@ static int psp_v10_0_ring_stop(struct psp_context *psp, /* Wait for response flag (bit 31) in C2PMSG_64 */ ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + 0x80000000, 0x80000000, false); return ret; } diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c b/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c index 1a4a26e6ffd2..215543575f47 100644 --- a/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c +++ b/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c @@ -277,13 +277,11 @@ static int psp_v11_0_ring_stop(struct psp_context *psp, /* Wait for response flag (bit 31) */ if (amdgpu_sriov_vf(adev)) - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_101), + 0x80000000, 0x80000000, false); else - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); return ret; } @@ -319,15 +317,13 @@ static int psp_v11_0_ring_create(struct psp_context *psp, mdelay(20); /* Wait for response flag (bit 31) in C2PMSG_101 */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_101), + 0x80000000, 0x8000FFFF, false); } else { /* Wait for sOS ready for ring creation */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), - MBOX_TOS_READY_FLAG, MBOX_TOS_READY_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); if (ret) { DRM_ERROR("Failed to wait for sOS ready for ring creation\n"); return ret; @@ -351,9 +347,8 @@ static int psp_v11_0_ring_create(struct psp_context *psp, mdelay(20); /* Wait for response flag (bit 31) in C2PMSG_64 */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), + 0x80000000, 0x8000FFFF, false); } return ret; @@ -386,8 +381,7 @@ static int psp_v11_0_mode1_reset(struct psp_context *psp) offset = SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64); - ret = psp_wait_for(psp, offset, MBOX_TOS_READY_FLAG, - MBOX_TOS_READY_MASK, false); + ret = psp_wait_for(psp, offset, 0x80000000, 0x8000FFFF, false); if (ret) { DRM_INFO("psp is not working correctly before mode1 reset!\n"); @@ -401,8 +395,7 @@ static int psp_v11_0_mode1_reset(struct psp_context *psp) offset = SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_33); - ret = psp_wait_for(psp, offset, MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, - false); + ret = psp_wait_for(psp, offset, 0x80000000, 0x80000000, false); if (ret) { DRM_INFO("psp mode 1 reset failed!\n"); diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c b/drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c index 338d015c0f2e..5697760a819b 100644 --- a/drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c +++ b/drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c @@ -41,9 +41,8 @@ static int psp_v11_0_8_ring_stop(struct psp_context *psp, /* there might be handshake issue with hardware which needs delay */ mdelay(20); /* Wait for response flag (bit 31) */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_101), + 0x80000000, 0x80000000, false); } else { /* Write the ring destroy command*/ WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_64, @@ -51,9 +50,8 @@ static int psp_v11_0_8_ring_stop(struct psp_context *psp, /* there might be handshake issue with hardware which needs delay */ mdelay(20); /* Wait for response flag (bit 31) */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); } return ret; @@ -89,15 +87,13 @@ static int psp_v11_0_8_ring_create(struct psp_context *psp, mdelay(20); /* Wait for response flag (bit 31) in C2PMSG_101 */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_101), + 0x80000000, 0x8000FFFF, false); } else { /* Wait for sOS ready for ring creation */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), - MBOX_TOS_READY_FLAG, MBOX_TOS_READY_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); if (ret) { DRM_ERROR("Failed to wait for trust OS ready for ring creation\n"); return ret; @@ -121,9 +117,8 @@ static int psp_v11_0_8_ring_create(struct psp_context *psp, mdelay(20); /* Wait for response flag (bit 31) in C2PMSG_64 */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), + 0x80000000, 0x8000FFFF, false); } return ret; diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c b/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c index d54b3e0fabaf..80153f837470 100644 --- a/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c +++ b/drivers/gpu/drm/amd/amdgpu/psp_v12_0.c @@ -163,7 +163,7 @@ static int psp_v12_0_ring_create(struct psp_context *psp, /* Wait for response flag (bit 31) in C2PMSG_64 */ ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + 0x80000000, 0x8000FFFF, false); return ret; } @@ -184,13 +184,11 @@ static int psp_v12_0_ring_stop(struct psp_context *psp, /* Wait for response flag (bit 31) */ if (amdgpu_sriov_vf(adev)) - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_101), + 0x80000000, 0x80000000, false); else - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); return ret; } @@ -221,8 +219,7 @@ static int psp_v12_0_mode1_reset(struct psp_context *psp) offset = SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_64); - ret = psp_wait_for(psp, offset, MBOX_TOS_READY_FLAG, - MBOX_TOS_READY_MASK, false); + ret = psp_wait_for(psp, offset, 0x80000000, 0x8000FFFF, false); if (ret) { DRM_INFO("psp is not working correctly before mode1 reset!\n"); @@ -236,8 +233,7 @@ static int psp_v12_0_mode1_reset(struct psp_context *psp) offset = SOC15_REG_OFFSET(MP0, 0, mmMP0_SMN_C2PMSG_33); - ret = psp_wait_for(psp, offset, MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, - false); + ret = psp_wait_for(psp, offset, 0x80000000, 0x80000000, false); if (ret) { DRM_INFO("psp mode 1 reset failed!\n"); diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c b/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c index 58b6b64dcd68..ead616c11705 100644 --- a/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c +++ b/drivers/gpu/drm/amd/amdgpu/psp_v13_0.c @@ -384,9 +384,8 @@ static int psp_v13_0_ring_stop(struct psp_context *psp, /* there might be handshake issue with hardware which needs delay */ mdelay(20); /* Wait for response flag (bit 31) */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_101), + 0x80000000, 0x80000000, false); } else { /* Write the ring destroy command*/ WREG32_SOC15(MP0, 0, regMP0_SMN_C2PMSG_64, @@ -394,9 +393,8 @@ static int psp_v13_0_ring_stop(struct psp_context *psp, /* there might be handshake issue with hardware which needs delay */ mdelay(20); /* Wait for response flag (bit 31) */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); } return ret; @@ -432,15 +430,13 @@ static int psp_v13_0_ring_create(struct psp_context *psp, mdelay(20); /* Wait for response flag (bit 31) in C2PMSG_101 */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_101), + 0x80000000, 0x8000FFFF, false); } else { /* Wait for sOS ready for ring creation */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), - MBOX_TOS_READY_FLAG, MBOX_TOS_READY_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); if (ret) { DRM_ERROR("Failed to wait for trust OS ready for ring creation\n"); return ret; @@ -464,9 +460,8 @@ static int psp_v13_0_ring_create(struct psp_context *psp, mdelay(20); /* Wait for response flag (bit 31) in C2PMSG_64 */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), + 0x80000000, 0x8000FFFF, false); } return ret; diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c b/drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c index f65af52c1c19..eaa5512a21da 100644 --- a/drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c +++ b/drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c @@ -204,9 +204,8 @@ static int psp_v13_0_4_ring_stop(struct psp_context *psp, /* there might be handshake issue with hardware which needs delay */ mdelay(20); /* Wait for response flag (bit 31) */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_101), + 0x80000000, 0x80000000, false); } else { /* Write the ring destroy command*/ WREG32_SOC15(MP0, 0, regMP0_SMN_C2PMSG_64, @@ -214,9 +213,8 @@ static int psp_v13_0_4_ring_stop(struct psp_context *psp, /* there might be handshake issue with hardware which needs delay */ mdelay(20); /* Wait for response flag (bit 31) */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); } return ret; @@ -252,15 +250,13 @@ static int psp_v13_0_4_ring_create(struct psp_context *psp, mdelay(20); /* Wait for response flag (bit 31) in C2PMSG_101 */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_101), + 0x80000000, 0x8000FFFF, false); } else { /* Wait for sOS ready for ring creation */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), - MBOX_TOS_READY_FLAG, MBOX_TOS_READY_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); if (ret) { DRM_ERROR("Failed to wait for trust OS ready for ring creation\n"); return ret; @@ -284,9 +280,8 @@ static int psp_v13_0_4_ring_create(struct psp_context *psp, mdelay(20); /* Wait for response flag (bit 31) in C2PMSG_64 */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMP0_SMN_C2PMSG_64), + 0x80000000, 0x8000FFFF, false); } return ret; diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c b/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c index b029f301aacc..30d8eecc5674 100644 --- a/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c +++ b/drivers/gpu/drm/amd/amdgpu/psp_v14_0.c @@ -250,9 +250,8 @@ static int psp_v14_0_ring_stop(struct psp_context *psp, /* there might be handshake issue with hardware which needs delay */ mdelay(20); /* Wait for response flag (bit 31) */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMPASP_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMPASP_SMN_C2PMSG_101), + 0x80000000, 0x80000000, false); } else { /* Write the ring destroy command*/ WREG32_SOC15(MP0, 0, regMPASP_SMN_C2PMSG_64, @@ -260,9 +259,8 @@ static int psp_v14_0_ring_stop(struct psp_context *psp, /* there might be handshake issue with hardware which needs delay */ mdelay(20); /* Wait for response flag (bit 31) */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMPASP_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMPASP_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); } return ret; @@ -298,15 +296,13 @@ static int psp_v14_0_ring_create(struct psp_context *psp, mdelay(20); /* Wait for response flag (bit 31) in C2PMSG_101 */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMPASP_SMN_C2PMSG_101), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMPASP_SMN_C2PMSG_101), + 0x80000000, 0x8000FFFF, false); } else { /* Wait for sOS ready for ring creation */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMPASP_SMN_C2PMSG_64), - MBOX_TOS_READY_FLAG, MBOX_TOS_READY_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMPASP_SMN_C2PMSG_64), + 0x80000000, 0x80000000, false); if (ret) { DRM_ERROR("Failed to wait for trust OS ready for ring creation\n"); return ret; @@ -330,9 +326,8 @@ static int psp_v14_0_ring_create(struct psp_context *psp, mdelay(20); /* Wait for response flag (bit 31) in C2PMSG_64 */ - ret = psp_wait_for( - psp, SOC15_REG_OFFSET(MP0, 0, regMPASP_SMN_C2PMSG_64), - MBOX_TOS_RESP_FLAG, MBOX_TOS_RESP_MASK, false); + ret = psp_wait_for(psp, SOC15_REG_OFFSET(MP0, 0, regMPASP_SMN_C2PMSG_64), + 0x80000000, 0x8000FFFF, false); } return ret; -- 2.51.0

1 week, 5 days

3
2
0 0

You have received a completed document. Agreement.

by Completed Document via Document Signature Docu_Sign_lists.linaro.org

Your document has been completed VIEW COMPLETED DOCUMENT https://docucompleteandsigned.drr.ac/ linux-stable-mirror linux-stable-mirror(a)lists.linaro.org All parties have completed Complete with Docusign. Do Not Share This Email This email contains a secure link to Docusign. Please do not share this email, link, or access code with others. Alternate Signing Method Visit Docusign.com, click 'Access Documents', and enter the security code: 27CF116EB55240BB8CC8A9B2003BC0A41 About Docusign Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go -- or even across the globe -- Docusign provides a professional trusted solution for Digital Transaction ManagementT. Questions about the Document? If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly. Stop receiving this email Report this email https://protect.docusign.net/report-abuse?e=AUtomjpFak9GlbPL0zFFi13hh8bLDb3… or read more about Declining to sign https://support.docusign.com/en/guides/Declining-to-sign-DocuSign-Signer-Gu… and Managing notifications https://support.docusign.com/en/articles/How-do-I-manage-my-email-notificat… . If you have trouble signing, visit " How to Sign a Document https://support.docusign.com/s/articles/How-do-I-sign-a-DocuSign-document-B… " on our Docusign Support Center https://support.docusign.com/ , or browse our Docusign Community https://community.docusign.com/esignature-111?utm_campaign=GBL_US_PRD_AWA_2… for more information. Download the Docusign App https://www.docusign.com/features-and-benefits/mobile?utm_campaign=GBL_XX_D… This message was sent to you who is using the Docusign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.

1 week, 5 days

1
0
0 0

FAILED: patch "[PATCH] media: mediatek: vcodec: Fix a resource leak related to the" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 4936cd5817af35d23e4d283f48fa59a18ef481e4 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041738-unfounded-kitten-3d41@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 4936cd5817af35d23e4d283f48fa59a18ef481e4 Mon Sep 17 00:00:00 2001 From: Jiasheng Jiang <jiashengjiangcool(a)gmail.com> Date: Tue, 18 Feb 2025 18:58:09 +0000 Subject: [PATCH] media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization On Mediatek devices with a system companion processor (SCP) the mtk_scp structure has to be removed explicitly to avoid a resource leak. Free the structure in case the allocation of the firmware structure fails during the firmware initialization. Fixes: 53dbe0850444 ("media: mtk-vcodec: potential null pointer deference in SCP") Cc: stable(a)vger.kernel.org Signed-off-by: Jiasheng Jiang <jiashengjiangcool(a)gmail.com> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c index ff23b225db70..1b0bc47355c0 100644 --- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c +++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c @@ -79,8 +79,11 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_scp_init(void *priv, enum mtk_vcodec_fw_use } fw = devm_kzalloc(&plat_dev->dev, sizeof(*fw), GFP_KERNEL); - if (!fw) + if (!fw) { + scp_put(scp); return ERR_PTR(-ENOMEM); + } + fw->type = SCP; fw->ops = &mtk_vcodec_rproc_msg; fw->scp = scp;

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 07df4f23ef3ffe6fee697cd2e03623ad27108843 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041757-suffix-chevron-2444@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 07df4f23ef3ffe6fee697cd2e03623ad27108843 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann <arnd(a)arndb.de> Date: Fri, 18 Oct 2024 15:21:10 +0000 Subject: [PATCH] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning This is one of three clang warnings about incompatible enum types in a conditional expression: drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c:597:29: error: conditional expression between different enumeration types ('enum scp_ipi_id' and 'enum ipi_id') [-Werror,-Wenum-compare-conditional] 597 | inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264; | ^ ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ The code is correct, so just rework it to avoid the warning. Fixes: 0dc4b3286125 ("media: mtk-vcodec: venc: support SCP firmware") Cc: stable(a)vger.kernel.org Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Reviewed-by: Alexandre Courbot <acourbot(a)google.com> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c index f8145998fcaf..8522f71fc901 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c +++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c @@ -594,7 +594,11 @@ static int h264_enc_init(struct mtk_vcodec_enc_ctx *ctx) inst->ctx = ctx; inst->vpu_inst.ctx = ctx; - inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264; + if (is_ext) + inst->vpu_inst.id = SCP_IPI_VENC_H264; + else + inst->vpu_inst.id = IPI_VENC_H264; + inst->hw_base = mtk_vcodec_get_reg_addr(inst->ctx->dev->reg_base, VENC_SYS); ret = vpu_enc_init(&inst->vpu_inst);

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 07df4f23ef3ffe6fee697cd2e03623ad27108843 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041752-utensil-affront-c113@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 07df4f23ef3ffe6fee697cd2e03623ad27108843 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann <arnd(a)arndb.de> Date: Fri, 18 Oct 2024 15:21:10 +0000 Subject: [PATCH] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning This is one of three clang warnings about incompatible enum types in a conditional expression: drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c:597:29: error: conditional expression between different enumeration types ('enum scp_ipi_id' and 'enum ipi_id') [-Werror,-Wenum-compare-conditional] 597 | inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264; | ^ ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ The code is correct, so just rework it to avoid the warning. Fixes: 0dc4b3286125 ("media: mtk-vcodec: venc: support SCP firmware") Cc: stable(a)vger.kernel.org Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Reviewed-by: Alexandre Courbot <acourbot(a)google.com> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c index f8145998fcaf..8522f71fc901 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c +++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c @@ -594,7 +594,11 @@ static int h264_enc_init(struct mtk_vcodec_enc_ctx *ctx) inst->ctx = ctx; inst->vpu_inst.ctx = ctx; - inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264; + if (is_ext) + inst->vpu_inst.id = SCP_IPI_VENC_H264; + else + inst->vpu_inst.id = IPI_VENC_H264; + inst->hw_base = mtk_vcodec_get_reg_addr(inst->ctx->dev->reg_base, VENC_SYS); ret = vpu_enc_init(&inst->vpu_inst);

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] media: i2c: imx214: Fix link frequency validation" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x acc294519f1749041e1b8c74d46bbf6c57d8b061 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041717-tapestry-degrading-b2ed@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From acc294519f1749041e1b8c74d46bbf6c57d8b061 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Apitzsch?= <git(a)apitzsch.eu> Date: Fri, 20 Dec 2024 14:26:12 +0100 Subject: [PATCH] media: i2c: imx214: Fix link frequency validation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The driver defines IMX214_DEFAULT_LINK_FREQ 480000000, and then IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10), which works out as 384MPix/s. (The 8 is 4 lanes and DDR.) Parsing the PLL registers with the defined 24MHz input. We're in single PLL mode, so MIPI frequency is directly linked to pixel rate. VTCK ends up being 1200MHz, and VTPXCK and OPPXCK both are 120MHz. Section 5.3 "Frame rate calculation formula" says "Pixel rate [pixels/s] = VTPXCK [MHz] * 4", so 120 * 4 = 480MPix/s, which basically agrees with my number above. 3.1.4. MIPI global timing setting says "Output bitrate = OPPXCK * reg 0x113[7:0]", so 120MHz * 10, or 1200Mbit/s. That would be a link frequency of 600MHz due to DDR. That also matches to 480MPix/s * 10bpp / 4 lanes / 2 for DDR. Keep the previous link frequency for backward compatibility. Acked-by: Ricardo Ribalda <ribalda(a)chromium.org> Signed-off-by: André Apitzsch <git(a)apitzsch.eu> Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver") Cc: stable(a)vger.kernel.org Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/i2c/imx214.c b/drivers/media/i2c/imx214.c index 4d7044cd9b7f..6c3f6f3c8b1f 100644 --- a/drivers/media/i2c/imx214.c +++ b/drivers/media/i2c/imx214.c @@ -31,7 +31,9 @@ #define IMX214_REG_FAST_STANDBY_CTRL CCI_REG8(0x0106) #define IMX214_DEFAULT_CLK_FREQ 24000000 -#define IMX214_DEFAULT_LINK_FREQ 480000000 +#define IMX214_DEFAULT_LINK_FREQ 600000000 +/* Keep wrong link frequency for backward compatibility */ +#define IMX214_DEFAULT_LINK_FREQ_LEGACY 480000000 #define IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10) #define IMX214_FPS 30 @@ -1225,18 +1227,26 @@ static int imx214_parse_fwnode(struct device *dev) goto done; } - for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) + if (bus_cfg.nr_of_link_frequencies != 1) + dev_warn(dev, "Only one link-frequency supported, please review your DT. Continuing anyway\n"); + + for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) { if (bus_cfg.link_frequencies[i] == IMX214_DEFAULT_LINK_FREQ) break; - - if (i == bus_cfg.nr_of_link_frequencies) { - dev_err_probe(dev, -EINVAL, - "link-frequencies %d not supported, Please review your DT\n", - IMX214_DEFAULT_LINK_FREQ); - ret = -EINVAL; - goto done; + if (bus_cfg.link_frequencies[i] == + IMX214_DEFAULT_LINK_FREQ_LEGACY) { + dev_warn(dev, + "link-frequencies %d not supported, please review your DT. Continuing anyway\n", + IMX214_DEFAULT_LINK_FREQ); + break; + } } + if (i == bus_cfg.nr_of_link_frequencies) + ret = dev_err_probe(dev, -EINVAL, + "link-frequencies %d not supported, please review your DT\n", + IMX214_DEFAULT_LINK_FREQ); + done: v4l2_fwnode_endpoint_free(&bus_cfg); fwnode_handle_put(endpoint);

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] net: Fix null-ptr-deref by sock_lock_init_class_and_name()" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041752-spoof-botany-cc00@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 Mon Sep 17 00:00:00 2001 From: Kuniyuki Iwashima <kuniyu(a)amazon.com> Date: Mon, 7 Apr 2025 09:33:11 -0700 Subject: [PATCH] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped. At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds. # ss -tan State Recv-Q Send-Q Local Address:Port Peer Address:Port FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 # lsmod | grep cifs cifs 1159168 0 This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not die immediately in order to close the connection gracefully. While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name(). Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired. Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref. If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue. Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in sk_prot_free(). Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() that calls sock_lock_init_class_and_name() for a listening socket, which clones a socket by sk_clone_lock() without GFP_ZERO. [0]: CIFS_SERVER="10.0.0.137" CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" DEV="enp0s3" CRED="/root/WindowsCredential.txt" MNT=$(mktemp -d /tmp/XXXXXX) mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 iptables -A INPUT -s ${CIFS_SERVER} -j DROP for i in $(seq 10); do umount ${MNT} rmmod cifs sleep 1 done rm -r ${MNT} iptables -D INPUT -s ${CIFS_SERVER} -j DROP [1]: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) ... Call Trace: <IRQ> __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ... BUG: kernel NULL pointer dereference, address: 00000000000000c4 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178) Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44 RSP: 0018:ffa0000000468a10 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027 RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88 RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88 R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1 FS: 0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234) ip_sublist_rcv_finish (net/ipv4/ip_input.c:576) ip_list_rcv_finish (net/ipv4/ip_input.c:628) ip_list_rcv (net/ipv4/ip_input.c:670) __netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986) netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129) napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496) e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815) __napi_poll.constprop.0 (net/core/dev.c:7191) net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382) handle_softirqs (kernel/softirq.c:561) __irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662) irq_exit_rcu (kernel/softirq.c:680) common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14)) </IRQ> <TASK> asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744) Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202 RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5 RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ? do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:315) common_startup_64 (arch/x86/kernel/head_64.S:421) </TASK> Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CR2: 00000000000000c4 Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets") Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250407163313.22682-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/include/net/sock.h b/include/net/sock.h index 8daf1b3b12c6..694f954258d4 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -339,6 +339,8 @@ struct sk_filter; * @sk_txtime_unused: unused txtime flags * @ns_tracker: tracker for netns reference * @sk_user_frags: xarray of pages the user is holding a reference on. + * @sk_owner: reference to the real owner of the socket that calls + * sock_lock_init_class_and_name(). */ struct sock { /* @@ -547,6 +549,10 @@ struct sock { struct rcu_head sk_rcu; netns_tracker ns_tracker; struct xarray sk_user_frags; + +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) + struct module *sk_owner; +#endif }; struct sock_bh_locked { @@ -1583,6 +1589,35 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) sk_mem_reclaim(sk); } +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) +static inline void sk_owner_set(struct sock *sk, struct module *owner) +{ + __module_get(owner); + sk->sk_owner = owner; +} + +static inline void sk_owner_clear(struct sock *sk) +{ + sk->sk_owner = NULL; +} + +static inline void sk_owner_put(struct sock *sk) +{ + module_put(sk->sk_owner); +} +#else +static inline void sk_owner_set(struct sock *sk, struct module *owner) +{ +} + +static inline void sk_owner_clear(struct sock *sk) +{ +} + +static inline void sk_owner_put(struct sock *sk) +{ +} +#endif /* * Macro so as to not evaluate some arguments when * lockdep is not enabled. @@ -1592,13 +1627,14 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) */ #define sock_lock_init_class_and_name(sk, sname, skey, name, key) \ do { \ + sk_owner_set(sk, THIS_MODULE); \ sk->sk_lock.owned = 0; \ init_waitqueue_head(&sk->sk_lock.wq); \ spin_lock_init(&(sk)->sk_lock.slock); \ debug_check_no_locks_freed((void *)&(sk)->sk_lock, \ - sizeof((sk)->sk_lock)); \ + sizeof((sk)->sk_lock)); \ lockdep_set_class_and_name(&(sk)->sk_lock.slock, \ - (skey), (sname)); \ + (skey), (sname)); \ lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0); \ } while (0) diff --git a/net/core/sock.c b/net/core/sock.c index 323892066def..739a79859828 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -2130,6 +2130,8 @@ int sk_getsockopt(struct sock *sk, int level, int optname, */ static inline void sock_lock_init(struct sock *sk) { + sk_owner_clear(sk); + if (sk->sk_kern_sock) sock_lock_init_class_and_name( sk, @@ -2226,6 +2228,9 @@ static void sk_prot_free(struct proto *prot, struct sock *sk) cgroup_sk_free(&sk->sk_cgrp_data); mem_cgroup_sk_free(sk); security_sk_free(sk); + + sk_owner_put(sk); + if (slab != NULL) kmem_cache_free(slab, sk); else

1 week, 5 days

2
1
0 0

[PATCH] pinctrl: airoha: fix wrong MDIO function bitmaks

by Christian Marangi

With further testing with an attached Aeonsemi it was discovered that the pinctrl MDIO function applied the wrong bitmask. The error was probably caused by the confusing documentation related to these bits. Inspecting what the bootloader actually configure, the SGMII_MDIO_MODE is never actually set but instead it's set force enable to the 2 GPIO (gpio 1-2) for MDC and MDIO pin. Applying this configuration permits correct functionality of any externally attached PHY. Cc: stable(a)vger.kernel.org Fixes: 1c8ace2d0725 ("pinctrl: airoha: Add support for EN7581 SoC") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/pinctrl/mediatek/pinctrl-airoha.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/pinctrl/mediatek/pinctrl-airoha.c b/drivers/pinctrl/mediatek/pinctrl-airoha.c index f7f8fd2f35fc..d89da9581c55 100644 --- a/drivers/pinctrl/mediatek/pinctrl-airoha.c +++ b/drivers/pinctrl/mediatek/pinctrl-airoha.c @@ -108,6 +108,9 @@ #define JTAG_UDI_EN_MASK BIT(4) #define JTAG_DFD_EN_MASK BIT(3) +#define REG_FORCE_GPIO_EN 0x0228 +#define FORCE_GPIO_EN(n) BIT(n) + /* LED MAP */ #define REG_LAN_LED0_MAPPING 0x027c #define REG_LAN_LED1_MAPPING 0x0280 @@ -718,17 +721,17 @@ static const struct airoha_pinctrl_func_group mdio_func_group[] = { { .name = "mdio", .regmap[0] = { - AIROHA_FUNC_MUX, - REG_GPIO_PON_MODE, - GPIO_SGMII_MDIO_MODE_MASK, - GPIO_SGMII_MDIO_MODE_MASK - }, - .regmap[1] = { AIROHA_FUNC_MUX, REG_GPIO_2ND_I2C_MODE, GPIO_MDC_IO_MASTER_MODE_MODE, GPIO_MDC_IO_MASTER_MODE_MODE }, + .regmap[1] = { + AIROHA_FUNC_MUX, + REG_FORCE_GPIO_EN, + FORCE_GPIO_EN(1) | FORCE_GPIO_EN(2), + FORCE_GPIO_EN(1) | FORCE_GPIO_EN(2) + }, .regmap_size = 2, }, }; -- 2.51.0

1 week, 5 days

4
9
0 0

FAILED: patch "[PATCH] media: i2c: imx214: Fix link frequency validation" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x acc294519f1749041e1b8c74d46bbf6c57d8b061 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041716-art-upriver-d0a6@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From acc294519f1749041e1b8c74d46bbf6c57d8b061 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Apitzsch?= <git(a)apitzsch.eu> Date: Fri, 20 Dec 2024 14:26:12 +0100 Subject: [PATCH] media: i2c: imx214: Fix link frequency validation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The driver defines IMX214_DEFAULT_LINK_FREQ 480000000, and then IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10), which works out as 384MPix/s. (The 8 is 4 lanes and DDR.) Parsing the PLL registers with the defined 24MHz input. We're in single PLL mode, so MIPI frequency is directly linked to pixel rate. VTCK ends up being 1200MHz, and VTPXCK and OPPXCK both are 120MHz. Section 5.3 "Frame rate calculation formula" says "Pixel rate [pixels/s] = VTPXCK [MHz] * 4", so 120 * 4 = 480MPix/s, which basically agrees with my number above. 3.1.4. MIPI global timing setting says "Output bitrate = OPPXCK * reg 0x113[7:0]", so 120MHz * 10, or 1200Mbit/s. That would be a link frequency of 600MHz due to DDR. That also matches to 480MPix/s * 10bpp / 4 lanes / 2 for DDR. Keep the previous link frequency for backward compatibility. Acked-by: Ricardo Ribalda <ribalda(a)chromium.org> Signed-off-by: André Apitzsch <git(a)apitzsch.eu> Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver") Cc: stable(a)vger.kernel.org Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/i2c/imx214.c b/drivers/media/i2c/imx214.c index 4d7044cd9b7f..6c3f6f3c8b1f 100644 --- a/drivers/media/i2c/imx214.c +++ b/drivers/media/i2c/imx214.c @@ -31,7 +31,9 @@ #define IMX214_REG_FAST_STANDBY_CTRL CCI_REG8(0x0106) #define IMX214_DEFAULT_CLK_FREQ 24000000 -#define IMX214_DEFAULT_LINK_FREQ 480000000 +#define IMX214_DEFAULT_LINK_FREQ 600000000 +/* Keep wrong link frequency for backward compatibility */ +#define IMX214_DEFAULT_LINK_FREQ_LEGACY 480000000 #define IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10) #define IMX214_FPS 30 @@ -1225,18 +1227,26 @@ static int imx214_parse_fwnode(struct device *dev) goto done; } - for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) + if (bus_cfg.nr_of_link_frequencies != 1) + dev_warn(dev, "Only one link-frequency supported, please review your DT. Continuing anyway\n"); + + for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) { if (bus_cfg.link_frequencies[i] == IMX214_DEFAULT_LINK_FREQ) break; - - if (i == bus_cfg.nr_of_link_frequencies) { - dev_err_probe(dev, -EINVAL, - "link-frequencies %d not supported, Please review your DT\n", - IMX214_DEFAULT_LINK_FREQ); - ret = -EINVAL; - goto done; + if (bus_cfg.link_frequencies[i] == + IMX214_DEFAULT_LINK_FREQ_LEGACY) { + dev_warn(dev, + "link-frequencies %d not supported, please review your DT. Continuing anyway\n", + IMX214_DEFAULT_LINK_FREQ); + break; + } } + if (i == bus_cfg.nr_of_link_frequencies) + ret = dev_err_probe(dev, -EINVAL, + "link-frequencies %d not supported, please review your DT\n", + IMX214_DEFAULT_LINK_FREQ); + done: v4l2_fwnode_endpoint_free(&bus_cfg); fwnode_handle_put(endpoint);

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 07df4f23ef3ffe6fee697cd2e03623ad27108843 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041751-dimple-antiquely-856c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 07df4f23ef3ffe6fee697cd2e03623ad27108843 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann <arnd(a)arndb.de> Date: Fri, 18 Oct 2024 15:21:10 +0000 Subject: [PATCH] media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning This is one of three clang warnings about incompatible enum types in a conditional expression: drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c:597:29: error: conditional expression between different enumeration types ('enum scp_ipi_id' and 'enum ipi_id') [-Werror,-Wenum-compare-conditional] 597 | inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264; | ^ ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ The code is correct, so just rework it to avoid the warning. Fixes: 0dc4b3286125 ("media: mtk-vcodec: venc: support SCP firmware") Cc: stable(a)vger.kernel.org Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Reviewed-by: Alexandre Courbot <acourbot(a)google.com> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c index f8145998fcaf..8522f71fc901 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c +++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c @@ -594,7 +594,11 @@ static int h264_enc_init(struct mtk_vcodec_enc_ctx *ctx) inst->ctx = ctx; inst->vpu_inst.ctx = ctx; - inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264; + if (is_ext) + inst->vpu_inst.id = SCP_IPI_VENC_H264; + else + inst->vpu_inst.id = IPI_VENC_H264; + inst->hw_base = mtk_vcodec_get_reg_addr(inst->ctx->dev->reg_base, VENC_SYS); ret = vpu_enc_init(&inst->vpu_inst);

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] media: i2c: imx214: Fix link frequency validation" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x acc294519f1749041e1b8c74d46bbf6c57d8b061 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041714-famished-unpleased-e24e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From acc294519f1749041e1b8c74d46bbf6c57d8b061 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Apitzsch?= <git(a)apitzsch.eu> Date: Fri, 20 Dec 2024 14:26:12 +0100 Subject: [PATCH] media: i2c: imx214: Fix link frequency validation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The driver defines IMX214_DEFAULT_LINK_FREQ 480000000, and then IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10), which works out as 384MPix/s. (The 8 is 4 lanes and DDR.) Parsing the PLL registers with the defined 24MHz input. We're in single PLL mode, so MIPI frequency is directly linked to pixel rate. VTCK ends up being 1200MHz, and VTPXCK and OPPXCK both are 120MHz. Section 5.3 "Frame rate calculation formula" says "Pixel rate [pixels/s] = VTPXCK [MHz] * 4", so 120 * 4 = 480MPix/s, which basically agrees with my number above. 3.1.4. MIPI global timing setting says "Output bitrate = OPPXCK * reg 0x113[7:0]", so 120MHz * 10, or 1200Mbit/s. That would be a link frequency of 600MHz due to DDR. That also matches to 480MPix/s * 10bpp / 4 lanes / 2 for DDR. Keep the previous link frequency for backward compatibility. Acked-by: Ricardo Ribalda <ribalda(a)chromium.org> Signed-off-by: André Apitzsch <git(a)apitzsch.eu> Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver") Cc: stable(a)vger.kernel.org Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/i2c/imx214.c b/drivers/media/i2c/imx214.c index 4d7044cd9b7f..6c3f6f3c8b1f 100644 --- a/drivers/media/i2c/imx214.c +++ b/drivers/media/i2c/imx214.c @@ -31,7 +31,9 @@ #define IMX214_REG_FAST_STANDBY_CTRL CCI_REG8(0x0106) #define IMX214_DEFAULT_CLK_FREQ 24000000 -#define IMX214_DEFAULT_LINK_FREQ 480000000 +#define IMX214_DEFAULT_LINK_FREQ 600000000 +/* Keep wrong link frequency for backward compatibility */ +#define IMX214_DEFAULT_LINK_FREQ_LEGACY 480000000 #define IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10) #define IMX214_FPS 30 @@ -1225,18 +1227,26 @@ static int imx214_parse_fwnode(struct device *dev) goto done; } - for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) + if (bus_cfg.nr_of_link_frequencies != 1) + dev_warn(dev, "Only one link-frequency supported, please review your DT. Continuing anyway\n"); + + for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) { if (bus_cfg.link_frequencies[i] == IMX214_DEFAULT_LINK_FREQ) break; - - if (i == bus_cfg.nr_of_link_frequencies) { - dev_err_probe(dev, -EINVAL, - "link-frequencies %d not supported, Please review your DT\n", - IMX214_DEFAULT_LINK_FREQ); - ret = -EINVAL; - goto done; + if (bus_cfg.link_frequencies[i] == + IMX214_DEFAULT_LINK_FREQ_LEGACY) { + dev_warn(dev, + "link-frequencies %d not supported, please review your DT. Continuing anyway\n", + IMX214_DEFAULT_LINK_FREQ); + break; + } } + if (i == bus_cfg.nr_of_link_frequencies) + ret = dev_err_probe(dev, -EINVAL, + "link-frequencies %d not supported, please review your DT\n", + IMX214_DEFAULT_LINK_FREQ); + done: v4l2_fwnode_endpoint_free(&bus_cfg); fwnode_handle_put(endpoint);

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] net: Fix null-ptr-deref by sock_lock_init_class_and_name()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041750-occultist-uncanny-4e5e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 Mon Sep 17 00:00:00 2001 From: Kuniyuki Iwashima <kuniyu(a)amazon.com> Date: Mon, 7 Apr 2025 09:33:11 -0700 Subject: [PATCH] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped. At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds. # ss -tan State Recv-Q Send-Q Local Address:Port Peer Address:Port FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 # lsmod | grep cifs cifs 1159168 0 This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not die immediately in order to close the connection gracefully. While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name(). Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired. Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref. If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue. Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in sk_prot_free(). Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() that calls sock_lock_init_class_and_name() for a listening socket, which clones a socket by sk_clone_lock() without GFP_ZERO. [0]: CIFS_SERVER="10.0.0.137" CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" DEV="enp0s3" CRED="/root/WindowsCredential.txt" MNT=$(mktemp -d /tmp/XXXXXX) mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 iptables -A INPUT -s ${CIFS_SERVER} -j DROP for i in $(seq 10); do umount ${MNT} rmmod cifs sleep 1 done rm -r ${MNT} iptables -D INPUT -s ${CIFS_SERVER} -j DROP [1]: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) ... Call Trace: <IRQ> __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ... BUG: kernel NULL pointer dereference, address: 00000000000000c4 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178) Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44 RSP: 0018:ffa0000000468a10 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027 RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88 RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88 R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1 FS: 0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234) ip_sublist_rcv_finish (net/ipv4/ip_input.c:576) ip_list_rcv_finish (net/ipv4/ip_input.c:628) ip_list_rcv (net/ipv4/ip_input.c:670) __netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986) netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129) napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496) e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815) __napi_poll.constprop.0 (net/core/dev.c:7191) net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382) handle_softirqs (kernel/softirq.c:561) __irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662) irq_exit_rcu (kernel/softirq.c:680) common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14)) </IRQ> <TASK> asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744) Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202 RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5 RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ? do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:315) common_startup_64 (arch/x86/kernel/head_64.S:421) </TASK> Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CR2: 00000000000000c4 Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets") Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250407163313.22682-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/include/net/sock.h b/include/net/sock.h index 8daf1b3b12c6..694f954258d4 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -339,6 +339,8 @@ struct sk_filter; * @sk_txtime_unused: unused txtime flags * @ns_tracker: tracker for netns reference * @sk_user_frags: xarray of pages the user is holding a reference on. + * @sk_owner: reference to the real owner of the socket that calls + * sock_lock_init_class_and_name(). */ struct sock { /* @@ -547,6 +549,10 @@ struct sock { struct rcu_head sk_rcu; netns_tracker ns_tracker; struct xarray sk_user_frags; + +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) + struct module *sk_owner; +#endif }; struct sock_bh_locked { @@ -1583,6 +1589,35 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) sk_mem_reclaim(sk); } +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) +static inline void sk_owner_set(struct sock *sk, struct module *owner) +{ + __module_get(owner); + sk->sk_owner = owner; +} + +static inline void sk_owner_clear(struct sock *sk) +{ + sk->sk_owner = NULL; +} + +static inline void sk_owner_put(struct sock *sk) +{ + module_put(sk->sk_owner); +} +#else +static inline void sk_owner_set(struct sock *sk, struct module *owner) +{ +} + +static inline void sk_owner_clear(struct sock *sk) +{ +} + +static inline void sk_owner_put(struct sock *sk) +{ +} +#endif /* * Macro so as to not evaluate some arguments when * lockdep is not enabled. @@ -1592,13 +1627,14 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) */ #define sock_lock_init_class_and_name(sk, sname, skey, name, key) \ do { \ + sk_owner_set(sk, THIS_MODULE); \ sk->sk_lock.owned = 0; \ init_waitqueue_head(&sk->sk_lock.wq); \ spin_lock_init(&(sk)->sk_lock.slock); \ debug_check_no_locks_freed((void *)&(sk)->sk_lock, \ - sizeof((sk)->sk_lock)); \ + sizeof((sk)->sk_lock)); \ lockdep_set_class_and_name(&(sk)->sk_lock.slock, \ - (skey), (sname)); \ + (skey), (sname)); \ lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0); \ } while (0) diff --git a/net/core/sock.c b/net/core/sock.c index 323892066def..739a79859828 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -2130,6 +2130,8 @@ int sk_getsockopt(struct sock *sk, int level, int optname, */ static inline void sock_lock_init(struct sock *sk) { + sk_owner_clear(sk); + if (sk->sk_kern_sock) sock_lock_init_class_and_name( sk, @@ -2226,6 +2228,9 @@ static void sk_prot_free(struct proto *prot, struct sock *sk) cgroup_sk_free(&sk->sk_cgrp_data); mem_cgroup_sk_free(sk); security_sk_free(sk); + + sk_owner_put(sk); + if (slab != NULL) kmem_cache_free(slab, sk); else

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] media: i2c: imx214: Fix link frequency validation" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x acc294519f1749041e1b8c74d46bbf6c57d8b061 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041713-patchwork-breeder-db17@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From acc294519f1749041e1b8c74d46bbf6c57d8b061 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Apitzsch?= <git(a)apitzsch.eu> Date: Fri, 20 Dec 2024 14:26:12 +0100 Subject: [PATCH] media: i2c: imx214: Fix link frequency validation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The driver defines IMX214_DEFAULT_LINK_FREQ 480000000, and then IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10), which works out as 384MPix/s. (The 8 is 4 lanes and DDR.) Parsing the PLL registers with the defined 24MHz input. We're in single PLL mode, so MIPI frequency is directly linked to pixel rate. VTCK ends up being 1200MHz, and VTPXCK and OPPXCK both are 120MHz. Section 5.3 "Frame rate calculation formula" says "Pixel rate [pixels/s] = VTPXCK [MHz] * 4", so 120 * 4 = 480MPix/s, which basically agrees with my number above. 3.1.4. MIPI global timing setting says "Output bitrate = OPPXCK * reg 0x113[7:0]", so 120MHz * 10, or 1200Mbit/s. That would be a link frequency of 600MHz due to DDR. That also matches to 480MPix/s * 10bpp / 4 lanes / 2 for DDR. Keep the previous link frequency for backward compatibility. Acked-by: Ricardo Ribalda <ribalda(a)chromium.org> Signed-off-by: André Apitzsch <git(a)apitzsch.eu> Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver") Cc: stable(a)vger.kernel.org Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> diff --git a/drivers/media/i2c/imx214.c b/drivers/media/i2c/imx214.c index 4d7044cd9b7f..6c3f6f3c8b1f 100644 --- a/drivers/media/i2c/imx214.c +++ b/drivers/media/i2c/imx214.c @@ -31,7 +31,9 @@ #define IMX214_REG_FAST_STANDBY_CTRL CCI_REG8(0x0106) #define IMX214_DEFAULT_CLK_FREQ 24000000 -#define IMX214_DEFAULT_LINK_FREQ 480000000 +#define IMX214_DEFAULT_LINK_FREQ 600000000 +/* Keep wrong link frequency for backward compatibility */ +#define IMX214_DEFAULT_LINK_FREQ_LEGACY 480000000 #define IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10) #define IMX214_FPS 30 @@ -1225,18 +1227,26 @@ static int imx214_parse_fwnode(struct device *dev) goto done; } - for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) + if (bus_cfg.nr_of_link_frequencies != 1) + dev_warn(dev, "Only one link-frequency supported, please review your DT. Continuing anyway\n"); + + for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) { if (bus_cfg.link_frequencies[i] == IMX214_DEFAULT_LINK_FREQ) break; - - if (i == bus_cfg.nr_of_link_frequencies) { - dev_err_probe(dev, -EINVAL, - "link-frequencies %d not supported, Please review your DT\n", - IMX214_DEFAULT_LINK_FREQ); - ret = -EINVAL; - goto done; + if (bus_cfg.link_frequencies[i] == + IMX214_DEFAULT_LINK_FREQ_LEGACY) { + dev_warn(dev, + "link-frequencies %d not supported, please review your DT. Continuing anyway\n", + IMX214_DEFAULT_LINK_FREQ); + break; + } } + if (i == bus_cfg.nr_of_link_frequencies) + ret = dev_err_probe(dev, -EINVAL, + "link-frequencies %d not supported, please review your DT\n", + IMX214_DEFAULT_LINK_FREQ); + done: v4l2_fwnode_endpoint_free(&bus_cfg); fwnode_handle_put(endpoint);

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] net: Fix null-ptr-deref by sock_lock_init_class_and_name()" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041747-recast-siren-a46c@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 Mon Sep 17 00:00:00 2001 From: Kuniyuki Iwashima <kuniyu(a)amazon.com> Date: Mon, 7 Apr 2025 09:33:11 -0700 Subject: [PATCH] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped. At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds. # ss -tan State Recv-Q Send-Q Local Address:Port Peer Address:Port FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 # lsmod | grep cifs cifs 1159168 0 This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not die immediately in order to close the connection gracefully. While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name(). Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired. Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref. If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue. Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in sk_prot_free(). Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() that calls sock_lock_init_class_and_name() for a listening socket, which clones a socket by sk_clone_lock() without GFP_ZERO. [0]: CIFS_SERVER="10.0.0.137" CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" DEV="enp0s3" CRED="/root/WindowsCredential.txt" MNT=$(mktemp -d /tmp/XXXXXX) mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 iptables -A INPUT -s ${CIFS_SERVER} -j DROP for i in $(seq 10); do umount ${MNT} rmmod cifs sleep 1 done rm -r ${MNT} iptables -D INPUT -s ${CIFS_SERVER} -j DROP [1]: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) ... Call Trace: <IRQ> __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ... BUG: kernel NULL pointer dereference, address: 00000000000000c4 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178) Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44 RSP: 0018:ffa0000000468a10 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027 RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88 RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88 R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1 FS: 0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234) ip_sublist_rcv_finish (net/ipv4/ip_input.c:576) ip_list_rcv_finish (net/ipv4/ip_input.c:628) ip_list_rcv (net/ipv4/ip_input.c:670) __netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986) netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129) napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496) e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815) __napi_poll.constprop.0 (net/core/dev.c:7191) net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382) handle_softirqs (kernel/softirq.c:561) __irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662) irq_exit_rcu (kernel/softirq.c:680) common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14)) </IRQ> <TASK> asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744) Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202 RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5 RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ? do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:315) common_startup_64 (arch/x86/kernel/head_64.S:421) </TASK> Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CR2: 00000000000000c4 Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets") Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250407163313.22682-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/include/net/sock.h b/include/net/sock.h index 8daf1b3b12c6..694f954258d4 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -339,6 +339,8 @@ struct sk_filter; * @sk_txtime_unused: unused txtime flags * @ns_tracker: tracker for netns reference * @sk_user_frags: xarray of pages the user is holding a reference on. + * @sk_owner: reference to the real owner of the socket that calls + * sock_lock_init_class_and_name(). */ struct sock { /* @@ -547,6 +549,10 @@ struct sock { struct rcu_head sk_rcu; netns_tracker ns_tracker; struct xarray sk_user_frags; + +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) + struct module *sk_owner; +#endif }; struct sock_bh_locked { @@ -1583,6 +1589,35 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) sk_mem_reclaim(sk); } +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) +static inline void sk_owner_set(struct sock *sk, struct module *owner) +{ + __module_get(owner); + sk->sk_owner = owner; +} + +static inline void sk_owner_clear(struct sock *sk) +{ + sk->sk_owner = NULL; +} + +static inline void sk_owner_put(struct sock *sk) +{ + module_put(sk->sk_owner); +} +#else +static inline void sk_owner_set(struct sock *sk, struct module *owner) +{ +} + +static inline void sk_owner_clear(struct sock *sk) +{ +} + +static inline void sk_owner_put(struct sock *sk) +{ +} +#endif /* * Macro so as to not evaluate some arguments when * lockdep is not enabled. @@ -1592,13 +1627,14 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) */ #define sock_lock_init_class_and_name(sk, sname, skey, name, key) \ do { \ + sk_owner_set(sk, THIS_MODULE); \ sk->sk_lock.owned = 0; \ init_waitqueue_head(&sk->sk_lock.wq); \ spin_lock_init(&(sk)->sk_lock.slock); \ debug_check_no_locks_freed((void *)&(sk)->sk_lock, \ - sizeof((sk)->sk_lock)); \ + sizeof((sk)->sk_lock)); \ lockdep_set_class_and_name(&(sk)->sk_lock.slock, \ - (skey), (sname)); \ + (skey), (sname)); \ lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0); \ } while (0) diff --git a/net/core/sock.c b/net/core/sock.c index 323892066def..739a79859828 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -2130,6 +2130,8 @@ int sk_getsockopt(struct sock *sk, int level, int optname, */ static inline void sock_lock_init(struct sock *sk) { + sk_owner_clear(sk); + if (sk->sk_kern_sock) sock_lock_init_class_and_name( sk, @@ -2226,6 +2228,9 @@ static void sk_prot_free(struct proto *prot, struct sock *sk) cgroup_sk_free(&sk->sk_cgrp_data); mem_cgroup_sk_free(sk); security_sk_free(sk); + + sk_owner_put(sk); + if (slab != NULL) kmem_cache_free(slab, sk); else

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] net: Fix null-ptr-deref by sock_lock_init_class_and_name()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041745-flavorful-coastline-3583@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 Mon Sep 17 00:00:00 2001 From: Kuniyuki Iwashima <kuniyu(a)amazon.com> Date: Mon, 7 Apr 2025 09:33:11 -0700 Subject: [PATCH] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped. At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds. # ss -tan State Recv-Q Send-Q Local Address:Port Peer Address:Port FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 # lsmod | grep cifs cifs 1159168 0 This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not die immediately in order to close the connection gracefully. While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name(). Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired. Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref. If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue. Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in sk_prot_free(). Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() that calls sock_lock_init_class_and_name() for a listening socket, which clones a socket by sk_clone_lock() without GFP_ZERO. [0]: CIFS_SERVER="10.0.0.137" CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" DEV="enp0s3" CRED="/root/WindowsCredential.txt" MNT=$(mktemp -d /tmp/XXXXXX) mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 iptables -A INPUT -s ${CIFS_SERVER} -j DROP for i in $(seq 10); do umount ${MNT} rmmod cifs sleep 1 done rm -r ${MNT} iptables -D INPUT -s ${CIFS_SERVER} -j DROP [1]: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) ... Call Trace: <IRQ> __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ... BUG: kernel NULL pointer dereference, address: 00000000000000c4 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178) Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44 RSP: 0018:ffa0000000468a10 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027 RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88 RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88 R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1 FS: 0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234) ip_sublist_rcv_finish (net/ipv4/ip_input.c:576) ip_list_rcv_finish (net/ipv4/ip_input.c:628) ip_list_rcv (net/ipv4/ip_input.c:670) __netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986) netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129) napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496) e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815) __napi_poll.constprop.0 (net/core/dev.c:7191) net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382) handle_softirqs (kernel/softirq.c:561) __irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662) irq_exit_rcu (kernel/softirq.c:680) common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14)) </IRQ> <TASK> asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744) Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202 RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5 RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ? do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:315) common_startup_64 (arch/x86/kernel/head_64.S:421) </TASK> Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CR2: 00000000000000c4 Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets") Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250407163313.22682-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/include/net/sock.h b/include/net/sock.h index 8daf1b3b12c6..694f954258d4 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -339,6 +339,8 @@ struct sk_filter; * @sk_txtime_unused: unused txtime flags * @ns_tracker: tracker for netns reference * @sk_user_frags: xarray of pages the user is holding a reference on. + * @sk_owner: reference to the real owner of the socket that calls + * sock_lock_init_class_and_name(). */ struct sock { /* @@ -547,6 +549,10 @@ struct sock { struct rcu_head sk_rcu; netns_tracker ns_tracker; struct xarray sk_user_frags; + +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) + struct module *sk_owner; +#endif }; struct sock_bh_locked { @@ -1583,6 +1589,35 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) sk_mem_reclaim(sk); } +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) +static inline void sk_owner_set(struct sock *sk, struct module *owner) +{ + __module_get(owner); + sk->sk_owner = owner; +} + +static inline void sk_owner_clear(struct sock *sk) +{ + sk->sk_owner = NULL; +} + +static inline void sk_owner_put(struct sock *sk) +{ + module_put(sk->sk_owner); +} +#else +static inline void sk_owner_set(struct sock *sk, struct module *owner) +{ +} + +static inline void sk_owner_clear(struct sock *sk) +{ +} + +static inline void sk_owner_put(struct sock *sk) +{ +} +#endif /* * Macro so as to not evaluate some arguments when * lockdep is not enabled. @@ -1592,13 +1627,14 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) */ #define sock_lock_init_class_and_name(sk, sname, skey, name, key) \ do { \ + sk_owner_set(sk, THIS_MODULE); \ sk->sk_lock.owned = 0; \ init_waitqueue_head(&sk->sk_lock.wq); \ spin_lock_init(&(sk)->sk_lock.slock); \ debug_check_no_locks_freed((void *)&(sk)->sk_lock, \ - sizeof((sk)->sk_lock)); \ + sizeof((sk)->sk_lock)); \ lockdep_set_class_and_name(&(sk)->sk_lock.slock, \ - (skey), (sname)); \ + (skey), (sname)); \ lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0); \ } while (0) diff --git a/net/core/sock.c b/net/core/sock.c index 323892066def..739a79859828 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -2130,6 +2130,8 @@ int sk_getsockopt(struct sock *sk, int level, int optname, */ static inline void sock_lock_init(struct sock *sk) { + sk_owner_clear(sk); + if (sk->sk_kern_sock) sock_lock_init_class_and_name( sk, @@ -2226,6 +2228,9 @@ static void sk_prot_free(struct proto *prot, struct sock *sk) cgroup_sk_free(&sk->sk_cgrp_data); mem_cgroup_sk_free(sk); security_sk_free(sk); + + sk_owner_put(sk); + if (slab != NULL) kmem_cache_free(slab, sk); else

1 week, 5 days

2
1
0 0

[PATCH stable 5.4] usb: hub: Fix flushing of delayed work used for post resume purposes

by Florian Fainelli

From: Mathias Nyman <mathias.nyman(a)linux.intel.com> commit 9bd9c8026341f75f25c53104eb7e656e357ca1a2 upstream Delayed work that prevents USB3 hubs from runtime-suspending too early needed to be flushed in hub_quiesce() to resolve issues detected on QC SC8280XP CRD board during suspend resume testing. This flushing did however trigger new issues on Raspberry Pi 3B+, which doesn't have USB3 ports, and doesn't queue any post resume delayed work. The flushed 'hub->init_work' item is used for several purposes, and is originally initialized with a 'NULL' work function. The work function is also changed on the fly, which may contribute to the issue. Solve this by creating a dedicated delayed work item for post resume work, and flush that delayed work in hub_quiesce() Cc: stable <stable(a)kernel.org> Fixes: a49e1e2e785f ("usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm") Reported-by: Mark Brown <broonie(a)kernel.org> Closes: https://lore.kernel.org/linux-usb/aF5rNp1l0LWITnEB@finisterre.sirena.org.uk Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Tested-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> # SC8280XP CRD Tested-by: Mark Brown <broonie(a)kernel.org> Link: https://lore.kernel.org/r/20250627164348.3982628-2-mathias.nyman@linux.inte… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [florian: adjust for lack of hub_{get,put} and timer_delete_sync] Signed-off-by: Florian Fainelli <florian.fainelli(a)broadcom.com> --- drivers/usb/core/hub.c | 21 ++++++++------------- drivers/usb/core/hub.h | 1 + 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 1a2039d1b342..63bb62680362 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -1030,12 +1030,11 @@ int usb_remove_device(struct usb_device *udev) enum hub_activation_type { HUB_INIT, HUB_INIT2, HUB_INIT3, /* INITs must come first */ - HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME, HUB_POST_RESUME, + HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME, }; static void hub_init_func2(struct work_struct *ws); static void hub_init_func3(struct work_struct *ws); -static void hub_post_resume(struct work_struct *ws); static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) { @@ -1059,12 +1058,6 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) goto init3; } - if (type == HUB_POST_RESUME) { - usb_autopm_put_interface_async(to_usb_interface(hub->intfdev)); - kref_put(&hub->kref, hub_release); - return; - } - kref_get(&hub->kref); /* The superspeed hub except for root hub has to use Hub Depth @@ -1318,8 +1311,8 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) usb_autopm_get_interface_no_resume( to_usb_interface(hub->intfdev)); - INIT_DELAYED_WORK(&hub->init_work, hub_post_resume); - queue_delayed_work(system_power_efficient_wq, &hub->init_work, + queue_delayed_work(system_power_efficient_wq, + &hub->post_resume_work, msecs_to_jiffies(USB_SS_PORT_U0_WAKE_TIME)); return; } @@ -1344,9 +1337,10 @@ static void hub_init_func3(struct work_struct *ws) static void hub_post_resume(struct work_struct *ws) { - struct usb_hub *hub = container_of(ws, struct usb_hub, init_work.work); + struct usb_hub *hub = container_of(ws, struct usb_hub, post_resume_work.work); - hub_activate(hub, HUB_POST_RESUME); + usb_autopm_put_interface_async(to_usb_interface(hub->intfdev)); + kref_put(&hub->kref, hub_release); } enum hub_quiescing_type { @@ -1374,7 +1368,7 @@ static void hub_quiesce(struct usb_hub *hub, enum hub_quiescing_type type) /* Stop hub_wq and related activity */ del_timer_sync(&hub->irq_urb_retry); - flush_delayed_work(&hub->init_work); + flush_delayed_work(&hub->post_resume_work); usb_kill_urb(hub->urb); if (hub->has_indicators) cancel_delayed_work_sync(&hub->leds); @@ -1921,6 +1915,7 @@ static int hub_probe(struct usb_interface *intf, const struct usb_device_id *id) hub->hdev = hdev; INIT_DELAYED_WORK(&hub->leds, led_work); INIT_DELAYED_WORK(&hub->init_work, NULL); + INIT_DELAYED_WORK(&hub->post_resume_work, hub_post_resume); INIT_WORK(&hub->events, hub_event); spin_lock_init(&hub->irq_urb_lock); timer_setup(&hub->irq_urb_retry, hub_retry_irq_urb, 0); diff --git a/drivers/usb/core/hub.h b/drivers/usb/core/hub.h index 1c455800f7d3..de29ce856953 100644 --- a/drivers/usb/core/hub.h +++ b/drivers/usb/core/hub.h @@ -69,6 +69,7 @@ struct usb_hub { u8 indicator[USB_MAXCHILDREN]; struct delayed_work leds; struct delayed_work init_work; + struct delayed_work post_resume_work; struct work_struct events; spinlock_t irq_urb_lock; struct timer_list irq_urb_retry; -- 2.34.1

1 week, 5 days

1
0
0 0

[PATCH] fs/ceph/addr: always call ceph_shift_unused_folios_left()

by Max Kellermann

The function ceph_process_folio_batch() sets folio_batch entries to NULL, which is an illegal state. Before folio_batch_release() crashes due to this API violation, the function ceph_shift_unused_folios_left() is supposed to remove those NULLs from the array. However, since commit ce80b76dd327 ("ceph: introduce ceph_process_folio_batch() method"), this shifting doesn't happen anymore because the "for" loop got moved to ceph_process_folio_batch(), and now the `i` variable that remains in ceph_writepages_start() doesn't get incremented anymore, making the shifting effectively unreachable much of the time. Later, commit 1551ec61dc55 ("ceph: introduce ceph_submit_write() method") added more preconditions for doing the shift, replacing the `i` check (with something that is still just as broken): - if ceph_process_folio_batch() fails, shifting never happens - if ceph_move_dirty_page_in_page_array() was never called (because ceph_process_folio_batch() has returned early for some of various reasons), shifting never happens - if `processed_in_fbatch` is zero (because ceph_process_folio_batch() has returned early for some of the reasons mentioned above or because ceph_move_dirty_page_in_page_array() has failed), shifting never happens Since those two commits, any problem in ceph_process_folio_batch() could crash the kernel, e.g. this way: BUG: kernel NULL pointer dereference, address: 0000000000000034 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP NOPTI CPU: 172 UID: 0 PID: 2342707 Comm: kworker/u778:8 Not tainted 6.15.10-cm4all1-es #714 NONE Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.10 12/08/2023 Workqueue: writeback wb_workfn (flush-ceph-1) RIP: 0010:folios_put_refs+0x85/0x140 Code: 83 c5 01 39 e8 7e 76 48 63 c5 49 8b 5c c4 08 b8 01 00 00 00 4d 85 ed 74 05 41 8b 44 ad 00 48 8b 15 b0 > RSP: 0018:ffffb880af8db778 EFLAGS: 00010207 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000003 RDX: ffffe377cc3b0000 RSI: 0000000000000000 RDI: ffffb880af8db8c0 RBP: 0000000000000000 R08: 000000000000007d R09: 000000000102b86f R10: 0000000000000001 R11: 00000000000000ac R12: ffffb880af8db8c0 R13: 0000000000000000 R14: 0000000000000000 R15: ffff9bd262c97000 FS: 0000000000000000(0000) GS:ffff9c8efc303000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000034 CR3: 0000000160958004 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> ceph_writepages_start+0xeb9/0x1410 The crash can be reproduced easily by changing the ceph_check_page_before_write() return value to `-E2BIG`. (Interestingly, the crash happens only if `huge_zero_folio` has already been allocated; without `huge_zero_folio`, is_huge_zero_folio(NULL) returns true and folios_put_refs() skips NULL entries instead of dereferencing them. That makes reproducing the bug somewhat unreliable. See https://lore.kernel.org/20250826231626.218675-1-max.kellermann@ionos.com for a discussion of this detail.) My suggestion is to move the ceph_shift_unused_folios_left() to right after ceph_process_folio_batch() to ensure it always gets called to fix up the illegal folio_batch state. Fixes: ce80b76dd327 ("ceph: introduce ceph_process_folio_batch() method") Link: https://lore.kernel.org/ceph-devel/aK4v548CId5GIKG1@swift.blarg.de/ Cc: stable(a)vger.kernel.org Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> --- fs/ceph/addr.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c index 8b202d789e93..8bc66b45dade 100644 --- a/fs/ceph/addr.c +++ b/fs/ceph/addr.c @@ -1687,6 +1687,7 @@ static int ceph_writepages_start(struct address_space *mapping, process_folio_batch: rc = ceph_process_folio_batch(mapping, wbc, &ceph_wbc); + ceph_shift_unused_folios_left(&ceph_wbc.fbatch); if (rc) goto release_folios; @@ -1695,8 +1696,6 @@ static int ceph_writepages_start(struct address_space *mapping, goto release_folios; if (ceph_wbc.processed_in_fbatch) { - ceph_shift_unused_folios_left(&ceph_wbc.fbatch); - if (folio_batch_count(&ceph_wbc.fbatch) == 0 && ceph_wbc.locked_pages < ceph_wbc.max_pages) { doutc(cl, "reached end fbatch, trying for more\n"); -- 2.47.2

1 week, 5 days

3
11
0 0

FAILED: patch "[PATCH] mtd: Add check for devm_kcalloc()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2aee30bb10d7bad0a60255059c9ce1b84cf0130e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041746-tummy-size-5785@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2aee30bb10d7bad0a60255059c9ce1b84cf0130e Mon Sep 17 00:00:00 2001 From: Jiasheng Jiang <jiashengjiangcool(a)gmail.com> Date: Wed, 5 Feb 2025 02:31:41 +0000 Subject: [PATCH] mtd: Add check for devm_kcalloc() Add a check for devm_kcalloc() to ensure successful allocation. Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk") Cc: stable(a)vger.kernel.org # v5.10+ Signed-off-by: Jiasheng Jiang <jiashengjiangcool(a)gmail.com> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> diff --git a/drivers/mtd/mtdpstore.c b/drivers/mtd/mtdpstore.c index 2d004d41cf75..9cf3872e37ae 100644 --- a/drivers/mtd/mtdpstore.c +++ b/drivers/mtd/mtdpstore.c @@ -423,6 +423,9 @@ static void mtdpstore_notify_add(struct mtd_info *mtd) longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize)); cxt->badmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL); + if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap) + return; + /* just support dmesg right now */ cxt->dev.flags = PSTORE_FLAGS_DMESG; cxt->dev.zone.read = mtdpstore_read;

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] net: Fix null-ptr-deref by sock_lock_init_class_and_name()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041742-unfasten-cargo-ed99@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 Mon Sep 17 00:00:00 2001 From: Kuniyuki Iwashima <kuniyu(a)amazon.com> Date: Mon, 7 Apr 2025 09:33:11 -0700 Subject: [PATCH] net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. When I ran the repro [0] and waited a few seconds, I observed two LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1] Reproduction Steps: 1) Mount CIFS 2) Add an iptables rule to drop incoming FIN packets for CIFS 3) Unmount CIFS 4) Unload the CIFS module 5) Remove the iptables rule At step 3), the CIFS module calls sock_release() for the underlying TCP socket, and it returns quickly. However, the socket remains in FIN_WAIT_1 because incoming FIN packets are dropped. At this point, the module's refcnt is 0 while the socket is still alive, so the following rmmod command succeeds. # ss -tan State Recv-Q Send-Q Local Address:Port Peer Address:Port FIN-WAIT-1 0 477 10.0.2.15:51062 10.0.0.137:445 # lsmod | grep cifs cifs 1159168 0 This highlights a discrepancy between the lifetime of the CIFS module and the underlying TCP socket. Even after CIFS calls sock_release() and it returns, the TCP socket does not die immediately in order to close the connection gracefully. While this is generally fine, it causes an issue with LOCKDEP because CIFS assigns a different lock class to the TCP socket's sk->sk_lock using sock_lock_init_class_and_name(). Once an incoming packet is processed for the socket or a timer fires, sk->sk_lock is acquired. Then, LOCKDEP checks the lock context in check_wait_context(), where hlock_class() is called to retrieve the lock class. However, since the module has already been unloaded, hlock_class() logs a warning and returns NULL, triggering the null-ptr-deref. If LOCKDEP is enabled, we must ensure that a module calling sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded while such a socket is still alive to prevent this issue. Let's hold the module reference in sock_lock_init_class_and_name() and release it when the socket is freed in sk_prot_free(). Note that sock_lock_init() clears sk->sk_owner for svc_create_socket() that calls sock_lock_init_class_and_name() for a listening socket, which clones a socket by sk_clone_lock() without GFP_ZERO. [0]: CIFS_SERVER="10.0.0.137" CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST" DEV="enp0s3" CRED="/root/WindowsCredential.txt" MNT=$(mktemp -d /tmp/XXXXXX) mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1 iptables -A INPUT -s ${CIFS_SERVER} -j DROP for i in $(seq 10); do umount ${MNT} rmmod cifs sleep 1 done rm -r ${MNT} iptables -D INPUT -s ${CIFS_SERVER} -j DROP [1]: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223) ... Call Trace: <IRQ> __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178) lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ... BUG: kernel NULL pointer dereference, address: 00000000000000c4 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G W 6.14.0 #36 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178) Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44 RSP: 0018:ffa0000000468a10 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027 RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88 RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88 R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1 FS: 0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816) _raw_spin_lock_nested (kernel/locking/spinlock.c:379) tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1)) ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234) ip_sublist_rcv_finish (net/ipv4/ip_input.c:576) ip_list_rcv_finish (net/ipv4/ip_input.c:628) ip_list_rcv (net/ipv4/ip_input.c:670) __netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986) netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129) napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496) e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815) __napi_poll.constprop.0 (net/core/dev.c:7191) net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382) handle_softirqs (kernel/softirq.c:561) __irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662) irq_exit_rcu (kernel/softirq.c:680) common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14)) </IRQ> <TASK> asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744) Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202 RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5 RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ? do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325) cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:315) common_startup_64 (arch/x86/kernel/head_64.S:421) </TASK> Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CR2: 00000000000000c4 Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets") Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Cc: stable(a)vger.kernel.org Link: https://patch.msgid.link/20250407163313.22682-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/include/net/sock.h b/include/net/sock.h index 8daf1b3b12c6..694f954258d4 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -339,6 +339,8 @@ struct sk_filter; * @sk_txtime_unused: unused txtime flags * @ns_tracker: tracker for netns reference * @sk_user_frags: xarray of pages the user is holding a reference on. + * @sk_owner: reference to the real owner of the socket that calls + * sock_lock_init_class_and_name(). */ struct sock { /* @@ -547,6 +549,10 @@ struct sock { struct rcu_head sk_rcu; netns_tracker ns_tracker; struct xarray sk_user_frags; + +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) + struct module *sk_owner; +#endif }; struct sock_bh_locked { @@ -1583,6 +1589,35 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) sk_mem_reclaim(sk); } +#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES) +static inline void sk_owner_set(struct sock *sk, struct module *owner) +{ + __module_get(owner); + sk->sk_owner = owner; +} + +static inline void sk_owner_clear(struct sock *sk) +{ + sk->sk_owner = NULL; +} + +static inline void sk_owner_put(struct sock *sk) +{ + module_put(sk->sk_owner); +} +#else +static inline void sk_owner_set(struct sock *sk, struct module *owner) +{ +} + +static inline void sk_owner_clear(struct sock *sk) +{ +} + +static inline void sk_owner_put(struct sock *sk) +{ +} +#endif /* * Macro so as to not evaluate some arguments when * lockdep is not enabled. @@ -1592,13 +1627,14 @@ static inline void sk_mem_uncharge(struct sock *sk, int size) */ #define sock_lock_init_class_and_name(sk, sname, skey, name, key) \ do { \ + sk_owner_set(sk, THIS_MODULE); \ sk->sk_lock.owned = 0; \ init_waitqueue_head(&sk->sk_lock.wq); \ spin_lock_init(&(sk)->sk_lock.slock); \ debug_check_no_locks_freed((void *)&(sk)->sk_lock, \ - sizeof((sk)->sk_lock)); \ + sizeof((sk)->sk_lock)); \ lockdep_set_class_and_name(&(sk)->sk_lock.slock, \ - (skey), (sname)); \ + (skey), (sname)); \ lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0); \ } while (0) diff --git a/net/core/sock.c b/net/core/sock.c index 323892066def..739a79859828 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -2130,6 +2130,8 @@ int sk_getsockopt(struct sock *sk, int level, int optname, */ static inline void sock_lock_init(struct sock *sk) { + sk_owner_clear(sk); + if (sk->sk_kern_sock) sock_lock_init_class_and_name( sk, @@ -2226,6 +2228,9 @@ static void sk_prot_free(struct proto *prot, struct sock *sk) cgroup_sk_free(&sk->sk_cgrp_data); mem_cgroup_sk_free(sk); security_sk_free(sk); + + sk_owner_put(sk); + if (slab != NULL) kmem_cache_free(slab, sk); else

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] ima: limit the number of ToMToU integrity violations" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x a414016218ca97140171aa3bb926b02e1f68c2cc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041739-props-huff-8deb@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a414016218ca97140171aa3bb926b02e1f68c2cc Mon Sep 17 00:00:00 2001 From: Mimi Zohar <zohar(a)linux.ibm.com> Date: Mon, 27 Jan 2025 10:45:48 -0500 Subject: [PATCH] ima: limit the number of ToMToU integrity violations Each time a file in policy, that is already opened for read, is opened for write, a Time-of-Measure-Time-of-Use (ToMToU) integrity violation audit message is emitted and a violation record is added to the IMA measurement list. This occurs even if a ToMToU violation has already been recorded. Limit the number of ToMToU integrity violations per file open for read. Note: The IMA_MAY_EMIT_TOMTOU atomic flag must be set from the reader side based on policy. This may result in a per file open for read ToMToU violation. Since IMA_MUST_MEASURE is only used for violations, rename the atomic IMA_MUST_MEASURE flag to IMA_MAY_EMIT_TOMTOU. Cc: stable(a)vger.kernel.org # applies cleanly up to linux-6.6 Tested-by: Stefan Berger <stefanb(a)linux.ibm.com> Reviewed-by: Petr Vorel <pvorel(a)suse.cz> Tested-by: Petr Vorel <pvorel(a)suse.cz> Reviewed-by: Roberto Sassu <roberto.sassu(a)huawei.com> Signed-off-by: Mimi Zohar <zohar(a)linux.ibm.com> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3423b3088de5..e0489c6f7f59 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -181,7 +181,7 @@ struct ima_kexec_hdr { #define IMA_UPDATE_XATTR 1 #define IMA_CHANGE_ATTR 2 #define IMA_DIGSIG 3 -#define IMA_MUST_MEASURE 4 +#define IMA_MAY_EMIT_TOMTOU 4 #define IMA_EMITTED_OPENWRITERS 5 /* IMA integrity metadata associated with an inode */ diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 95118c1887cb..f3e7ac513db3 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -129,14 +129,15 @@ static void ima_rdwr_violation_check(struct file *file, if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) { if (!iint) iint = ima_iint_find(inode); + /* IMA_MEASURE is set from reader side */ - if (iint && test_bit(IMA_MUST_MEASURE, - &iint->atomic_flags)) + if (iint && test_and_clear_bit(IMA_MAY_EMIT_TOMTOU, + &iint->atomic_flags)) send_tomtou = true; } } else { if (must_measure) - set_bit(IMA_MUST_MEASURE, &iint->atomic_flags); + set_bit(IMA_MAY_EMIT_TOMTOU, &iint->atomic_flags); /* Limit number of open_writers violations */ if (inode_is_open_for_write(inode) && must_measure) {

1 week, 5 days

2
1
0 0

FAILED: patch "[PATCH] ASoC: q6apm-dai: schedule all available frames to avoid dsp" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 3d4a4411aa8bbc3653ff22a1ff0432eb93d22ae0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041708-persevere-tripod-4354@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 3d4a4411aa8bbc3653ff22a1ff0432eb93d22ae0 Mon Sep 17 00:00:00 2001 From: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Date: Fri, 14 Mar 2025 17:47:56 +0000 Subject: [PATCH] ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs With the existing code, we are only setting up one period at a time, in a ping-pong buffer style. This triggers lot of underruns in the dsp leading to jitter noise during audio playback. Fix this by scheduling all available periods, this will ensure that the dsp has enough buffer feed and ultimatley fixing the underruns and audio distortion. Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support") Cc: stable(a)vger.kernel.org Reported-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Tested-by: Johan Hovold <johan+linaro(a)kernel.org> Link: https://patch.msgid.link/20250314174800.10142-2-srinivas.kandagatla@linaro.… Signed-off-by: Mark Brown <broonie(a)kernel.org> diff --git a/sound/soc/qcom/qdsp6/q6apm-dai.c b/sound/soc/qcom/qdsp6/q6apm-dai.c index c9404b5934c7..9d8e8e37c6de 100644 --- a/sound/soc/qcom/qdsp6/q6apm-dai.c +++ b/sound/soc/qcom/qdsp6/q6apm-dai.c @@ -70,6 +70,7 @@ struct q6apm_dai_rtd { unsigned int bytes_received; unsigned int copied_total; uint16_t bits_per_sample; + snd_pcm_uframes_t queue_ptr; bool next_track; enum stream_state state; struct q6apm_graph *graph; @@ -134,8 +135,6 @@ static void event_handler(uint32_t opcode, uint32_t token, void *payload, void * prtd->pos += prtd->pcm_count; spin_unlock_irqrestore(&prtd->lock, flags); snd_pcm_period_elapsed(substream); - if (prtd->state == Q6APM_STREAM_RUNNING) - q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, 0); break; case APM_CLIENT_EVENT_DATA_READ_DONE: @@ -294,6 +293,27 @@ static int q6apm_dai_prepare(struct snd_soc_component *component, return 0; } +static int q6apm_dai_ack(struct snd_soc_component *component, struct snd_pcm_substream *substream) +{ + struct snd_pcm_runtime *runtime = substream->runtime; + struct q6apm_dai_rtd *prtd = runtime->private_data; + int i, ret = 0, avail_periods; + + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { + avail_periods = (runtime->control->appl_ptr - prtd->queue_ptr)/runtime->period_size; + for (i = 0; i < avail_periods; i++) { + ret = q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, NO_TIMESTAMP); + if (ret < 0) { + dev_err(component->dev, "Error queuing playback buffer %d\n", ret); + return ret; + } + prtd->queue_ptr += runtime->period_size; + } + } + + return ret; +} + static int q6apm_dai_trigger(struct snd_soc_component *component, struct snd_pcm_substream *substream, int cmd) { @@ -305,9 +325,6 @@ static int q6apm_dai_trigger(struct snd_soc_component *component, case SNDRV_PCM_TRIGGER_START: case SNDRV_PCM_TRIGGER_RESUME: case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: - /* start writing buffers for playback only as we already queued capture buffers */ - if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) - ret = q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, 0); break; case SNDRV_PCM_TRIGGER_STOP: /* TODO support be handled via SoftPause Module */ @@ -836,6 +853,7 @@ static const struct snd_soc_component_driver q6apm_fe_dai_component = { .hw_params = q6apm_dai_hw_params, .pointer = q6apm_dai_pointer, .trigger = q6apm_dai_trigger, + .ack = q6apm_dai_ack, .compress_ops = &q6apm_dai_compress_ops, .use_dai_pcm_id = true, };

1 week, 5 days

2
1
0 0

[PATCH v2 00/16] drm/msm: Support for Inter Frame Power Collapse (IFPC) feature

by Akhil P Oommen

This patch series introduces the IFPC feature to the DRM-MSM driver for Adreno GPUs. IFPC enables GMU to quickly transition GPU into a low power state when idle and quickly resume gpu to active state upon workload submission, hence the name 'Inter Frame Power Collapse'. Since the KMD is unaware of these transitions, it must perform a handshake with the hardware (eg: fenced_write, OOB signaling etc) before accessing registers in the GX power domain. Initial patches address a few existing issues that were not exposed in the absence of IFPC. Rest of the patches are additional changes required for IFPC. This series adds the necessary restore register list for X1-85/A750 GPUs and enables IFPC support for them. To: Rob Clark <robin.clark(a)oss.qualcomm.com> To: Sean Paul <sean(a)poorly.run> To: Konrad Dybcio <konradybcio(a)kernel.org> To: Dmitry Baryshkov <lumag(a)kernel.org> To: Abhinav Kumar <abhinav.kumar(a)linux.dev> To: Jessica Zhang <jessica.zhang(a)oss.qualcomm.com> To: Marijn Suijten <marijn.suijten(a)somainline.org> To: David Airlie <airlied(a)gmail.com> To: Simona Vetter <simona(a)ffwll.ch> To: Antonino Maniscalco <antomani103(a)gmail.com> To: Neil Armstrong <neil.armstrong(a)linaro.org> Cc: linux-arm-msm(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: freedreno(a)lists.freedesktop.org Cc: linux-kernel(a)vger.kernel.org Cc: Antonino Maniscalco <antomani103(a)gmail.com> Cc: Neil Armstrong <neil.armstrong(a)linaro.org> Signed-off-by: Akhil P Oommen <akhilpo(a)oss.qualcomm.com> --- Changes in v2: - Elaborate commit text and add Fixes tags (Dmitry/Konrad) - Document GMU_IDLE_STATE_RESERVED (Konrad) - Add a memory barrier in fenced_write - Move an error print in fenced_write to after polling - %s/set_keepalive_vote/a6xx[gpu|preempt]_keepalive_vote (Dmitry) - Add an "unlikely()" to read_gmu_ao_counter() (Konrad/Rob) - Define IFPC_LONG_HYST to document a magic number - Add a new patch to enable IFPC on A750 GPU (Neil/Antonino) - Drop patch 12 & 17 from v1 revision - Link to v1: https://lore.kernel.org/r/20250720-ifpc-support-v1-0-9347aa5bcbd6@oss.qualc… --- Akhil P Oommen (16): drm/msm: Update GMU register xml drm/msm: a6xx: Fix gx_is_on check for a7x family drm/msm/a6xx: Poll additional DRV status drm/msm/a6xx: Fix PDC sleep sequence drm/msm: a6xx: Refactor a6xx_sptprac_enable() drm/msm: Add an ftrace for gpu register access drm/msm/adreno: Add fenced regwrite support drm/msm/a6xx: Set Keep-alive votes to block IFPC drm/msm/a6xx: Switch to GMU AO counter drm/msm/a6xx: Poll AHB fence status in GPU IRQ handler drm/msm: Add support for IFPC drm/msm/a6xx: Fix hangcheck for IFPC drm/msm/adreno: Disable IFPC when sysprof is active drm/msm/a6xx: Make crashstate capture IFPC safe drm/msm/a6xx: Enable IFPC on Adreno X1-85 drm/msm/a6xx: Enable IFPC on A750 GPU drivers/gpu/drm/msm/adreno/a6xx_catalog.c | 71 ++++++- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 105 ++++++++-- drivers/gpu/drm/msm/adreno/a6xx_gmu.h | 14 ++ drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 221 ++++++++++++++++++---- drivers/gpu/drm/msm/adreno/a6xx_gpu.h | 3 + drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 10 +- drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 34 +++- drivers/gpu/drm/msm/adreno/a6xx_preempt.c | 40 +++- drivers/gpu/drm/msm/adreno/adreno_gpu.h | 1 + drivers/gpu/drm/msm/msm_gpu.h | 9 + drivers/gpu/drm/msm/msm_gpu_trace.h | 12 ++ drivers/gpu/drm/msm/msm_submitqueue.c | 4 + drivers/gpu/drm/msm/registers/adreno/a6xx_gmu.xml | 11 ++ 13 files changed, 459 insertions(+), 76 deletions(-) --- base-commit: 5cc61f86dff464a63b6a6e4758f26557fda4d494 change-id: 20241216-ifpc-support-3b80167b3532 Best regards, -- Akhil P Oommen <akhilpo(a)oss.qualcomm.com>

1 week, 5 days

2
2
0 0

[PATCH] media: uvcvideo: Fix race condition for meta buffer list

by Ricardo Ribalda

queue->irqueue contains a list of the buffers owned by the driver. The list is protected by queue->irqlock. uvc_queue_get_current_buffer() returns a pointer to the current buffer in that list, but does not remove the buffer from it. This can lead to race conditions. Inspecting the code, it seems that the candidate for such race is uvc_queue_return_buffers(). For the capture queue, that function is called with the device streamoff, so no race can occur. On the other hand, the metadata queue, could trigger a race condition, because stop_streaming can be called with the device in any streaming state. We can solve this issue modifying the way the metadata buffer lifetime works. We can keep the queue->irqlock while the use the current metadata buffer. The core of this change is uvc_video_decode_meta(), it now obtains the buffer and holds the spinlock instead of getting the buffer as an argument. Reported-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Closes: https://lore.kernel.org/linux-media/20250630141707.GG20333@pendragon.ideaso… Cc: stable(a)vger.kernel.org Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node") Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- drivers/media/usb/uvc/uvc_isight.c | 3 +- drivers/media/usb/uvc/uvc_queue.c | 4 +- drivers/media/usb/uvc/uvc_video.c | 92 ++++++++++++++++++++++---------------- drivers/media/usb/uvc/uvcvideo.h | 8 ++-- 4 files changed, 62 insertions(+), 45 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_isight.c b/drivers/media/usb/uvc/uvc_isight.c index 43cda5e760a345af56186603e2f0594b814cdbcb..f0e71744d25cab98184335b46569b31ba1346e12 100644 --- a/drivers/media/usb/uvc/uvc_isight.c +++ b/drivers/media/usb/uvc/uvc_isight.c @@ -98,8 +98,7 @@ static int isight_decode(struct uvc_video_queue *queue, struct uvc_buffer *buf, return 0; } -void uvc_video_decode_isight(struct uvc_urb *uvc_urb, struct uvc_buffer *buf, - struct uvc_buffer *meta_buf) +void uvc_video_decode_isight(struct uvc_urb *uvc_urb, struct uvc_buffer *buf) { struct urb *urb = uvc_urb->urb; struct uvc_streaming *stream = uvc_urb->stream; diff --git a/drivers/media/usb/uvc/uvc_queue.c b/drivers/media/usb/uvc/uvc_queue.c index 790184c9843d211d34fa7d66801631d5a07450bd..e184e3ae0f59f142a683263168724bca64509628 100644 --- a/drivers/media/usb/uvc/uvc_queue.c +++ b/drivers/media/usb/uvc/uvc_queue.c @@ -310,9 +310,11 @@ void uvc_queue_cancel(struct uvc_video_queue *queue, int disconnect) * Buffers may span multiple packets, and even URBs, therefore the active buffer * remains on the queue until the EOF marker. */ -static struct uvc_buffer * +struct uvc_buffer * __uvc_queue_get_current_buffer(struct uvc_video_queue *queue) { + lockdep_assert_held(&queue->irqlock); + if (list_empty(&queue->irqqueue)) return NULL; diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index 2e377e7b9e81599aca19b800a171cc16a09c1e8a..d6777090d0f892ffe93696c915acd4ec171ca798 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -1428,9 +1428,11 @@ static int uvc_video_encode_data(struct uvc_streaming *stream, * previous header. */ static void uvc_video_decode_meta(struct uvc_streaming *stream, - struct uvc_buffer *meta_buf, const u8 *mem, unsigned int length) { + struct vb2_queue *vb2_qmeta = stream->meta.vdev.queue; + struct uvc_video_queue *qmeta = &stream->meta.queue; + struct uvc_buffer *meta_buf; struct uvc_meta_buf *meta; size_t len_std = 2; bool has_pts, has_scr; @@ -1439,7 +1441,13 @@ static void uvc_video_decode_meta(struct uvc_streaming *stream, ktime_t time; const u8 *scr; - if (!meta_buf || length == 2) + if (!vb2_qmeta || length <= 2) + return; + + guard(spinlock_irqsave)(&qmeta->irqlock); + + meta_buf = __uvc_queue_get_current_buffer(qmeta); + if (!meta_buf) return; has_pts = mem[1] & UVC_STREAM_PTS; @@ -1512,30 +1520,48 @@ static void uvc_video_validate_buffer(const struct uvc_streaming *stream, * Completion handler for video URBs. */ -static void uvc_video_next_buffers(struct uvc_streaming *stream, - struct uvc_buffer **video_buf, struct uvc_buffer **meta_buf) +static void uvc_video_next_meta(struct uvc_streaming *stream, + struct uvc_buffer *video_buf) { - uvc_video_validate_buffer(stream, *video_buf); + struct vb2_queue *vb2_qmeta = stream->meta.vdev.queue; + struct uvc_video_queue *qmeta = &stream->meta.queue; + struct uvc_buffer *meta_buf; + struct vb2_v4l2_buffer *vb2_meta; + const struct vb2_v4l2_buffer *vb2_video; - if (*meta_buf) { - struct vb2_v4l2_buffer *vb2_meta = &(*meta_buf)->buf; - const struct vb2_v4l2_buffer *vb2_video = &(*video_buf)->buf; + if (!vb2_qmeta) + return; - vb2_meta->sequence = vb2_video->sequence; - vb2_meta->field = vb2_video->field; - vb2_meta->vb2_buf.timestamp = vb2_video->vb2_buf.timestamp; + guard(spinlock_irqsave)(&qmeta->irqlock); - (*meta_buf)->state = UVC_BUF_STATE_READY; - if (!(*meta_buf)->error) - (*meta_buf)->error = (*video_buf)->error; - *meta_buf = uvc_queue_next_buffer(&stream->meta.queue, - *meta_buf); - } - *video_buf = uvc_queue_next_buffer(&stream->queue, *video_buf); + meta_buf = __uvc_queue_get_current_buffer(qmeta); + if (!meta_buf) + return; + list_del(&meta_buf->queue); + + vb2_meta = &meta_buf->buf; + vb2_video = &video_buf->buf; + + vb2_meta->sequence = vb2_video->sequence; + vb2_meta->field = vb2_video->field; + vb2_meta->vb2_buf.timestamp = vb2_video->vb2_buf.timestamp; + meta_buf->state = UVC_BUF_STATE_READY; + if (!meta_buf->error) + meta_buf->error = video_buf->error; + + uvc_queue_buffer_release(meta_buf); +} + +static struct uvc_buffer *uvc_video_next_buffer(struct uvc_streaming *stream, + struct uvc_buffer *video_buf) +{ + uvc_video_validate_buffer(stream, video_buf); + uvc_video_next_meta(stream, video_buf); + return uvc_queue_next_buffer(&stream->queue, video_buf); } static void uvc_video_decode_isoc(struct uvc_urb *uvc_urb, - struct uvc_buffer *buf, struct uvc_buffer *meta_buf) + struct uvc_buffer *buf) { struct urb *urb = uvc_urb->urb; struct uvc_streaming *stream = uvc_urb->stream; @@ -1559,13 +1585,13 @@ static void uvc_video_decode_isoc(struct uvc_urb *uvc_urb, ret = uvc_video_decode_start(stream, buf, mem, urb->iso_frame_desc[i].actual_length); if (ret == -EAGAIN) - uvc_video_next_buffers(stream, &buf, &meta_buf); + buf = uvc_video_next_buffer(stream, buf); } while (ret == -EAGAIN); if (ret < 0) continue; - uvc_video_decode_meta(stream, meta_buf, mem, ret); + uvc_video_decode_meta(stream, mem, ret); /* Decode the payload data. */ uvc_video_decode_data(uvc_urb, buf, mem + ret, @@ -1576,12 +1602,12 @@ static void uvc_video_decode_isoc(struct uvc_urb *uvc_urb, urb->iso_frame_desc[i].actual_length); if (buf->state == UVC_BUF_STATE_READY) - uvc_video_next_buffers(stream, &buf, &meta_buf); + buf = uvc_video_next_buffer(stream, buf); } } static void uvc_video_decode_bulk(struct uvc_urb *uvc_urb, - struct uvc_buffer *buf, struct uvc_buffer *meta_buf) + struct uvc_buffer *buf) { struct urb *urb = uvc_urb->urb; struct uvc_streaming *stream = uvc_urb->stream; @@ -1607,7 +1633,7 @@ static void uvc_video_decode_bulk(struct uvc_urb *uvc_urb, do { ret = uvc_video_decode_start(stream, buf, mem, len); if (ret == -EAGAIN) - uvc_video_next_buffers(stream, &buf, &meta_buf); + buf = uvc_video_next_buffer(stream, buf); } while (ret == -EAGAIN); /* If an error occurred skip the rest of the payload. */ @@ -1617,7 +1643,7 @@ static void uvc_video_decode_bulk(struct uvc_urb *uvc_urb, memcpy(stream->bulk.header, mem, ret); stream->bulk.header_size = ret; - uvc_video_decode_meta(stream, meta_buf, mem, ret); + uvc_video_decode_meta(stream, mem, ret); mem += ret; len -= ret; @@ -1644,7 +1670,7 @@ static void uvc_video_decode_bulk(struct uvc_urb *uvc_urb, uvc_video_decode_end(stream, buf, stream->bulk.header, stream->bulk.payload_size); if (buf->state == UVC_BUF_STATE_READY) - uvc_video_next_buffers(stream, &buf, &meta_buf); + buf = uvc_video_next_buffer(stream, buf); } stream->bulk.header_size = 0; @@ -1654,7 +1680,7 @@ static void uvc_video_decode_bulk(struct uvc_urb *uvc_urb, } static void uvc_video_encode_bulk(struct uvc_urb *uvc_urb, - struct uvc_buffer *buf, struct uvc_buffer *meta_buf) + struct uvc_buffer *buf) { struct urb *urb = uvc_urb->urb; struct uvc_streaming *stream = uvc_urb->stream; @@ -1707,8 +1733,6 @@ static void uvc_video_complete(struct urb *urb) struct uvc_video_queue *qmeta = &stream->meta.queue; struct vb2_queue *vb2_qmeta = stream->meta.vdev.queue; struct uvc_buffer *buf = NULL; - struct uvc_buffer *buf_meta = NULL; - unsigned long flags; int ret; switch (urb->status) { @@ -1734,14 +1758,6 @@ static void uvc_video_complete(struct urb *urb) buf = uvc_queue_get_current_buffer(queue); - if (vb2_qmeta) { - spin_lock_irqsave(&qmeta->irqlock, flags); - if (!list_empty(&qmeta->irqqueue)) - buf_meta = list_first_entry(&qmeta->irqqueue, - struct uvc_buffer, queue); - spin_unlock_irqrestore(&qmeta->irqlock, flags); - } - /* Re-initialise the URB async work. */ uvc_urb->async_operations = 0; @@ -1755,7 +1771,7 @@ static void uvc_video_complete(struct urb *urb) * Process the URB headers, and optionally queue expensive memcpy tasks * to be deferred to a work queue. */ - stream->decode(uvc_urb, buf, buf_meta); + stream->decode(uvc_urb, buf); /* If no async work is needed, resubmit the URB immediately. */ if (!uvc_urb->async_operations) { diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index 757254fc4fe930ae61c9d0425f04d4cd074a617e..bb41477ce4ff5cdbf27bc9d830b63a60645e3fa1 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -479,8 +479,7 @@ struct uvc_streaming { unsigned int frozen : 1; struct uvc_video_queue queue; struct workqueue_struct *async_wq; - void (*decode)(struct uvc_urb *uvc_urb, struct uvc_buffer *buf, - struct uvc_buffer *meta_buf); + void (*decode)(struct uvc_urb *uvc_urb, struct uvc_buffer *buf); struct { struct video_device vdev; @@ -694,6 +693,8 @@ int uvc_queue_init(struct uvc_video_queue *queue, enum v4l2_buf_type type); void uvc_queue_cancel(struct uvc_video_queue *queue, int disconnect); struct uvc_buffer *uvc_queue_next_buffer(struct uvc_video_queue *queue, struct uvc_buffer *buf); +struct uvc_buffer * +__uvc_queue_get_current_buffer(struct uvc_video_queue *queue); struct uvc_buffer *uvc_queue_get_current_buffer(struct uvc_video_queue *queue); void uvc_queue_buffer_release(struct uvc_buffer *buf); static inline int uvc_queue_streaming(struct uvc_video_queue *queue) @@ -802,8 +803,7 @@ u16 uvc_endpoint_max_bpi(struct usb_device *dev, struct usb_host_endpoint *ep); /* Quirks support */ void uvc_video_decode_isight(struct uvc_urb *uvc_urb, - struct uvc_buffer *buf, - struct uvc_buffer *meta_buf); + struct uvc_buffer *buf); /* debugfs and statistics */ void uvc_debugfs_init(void); --- base-commit: d968e50b5c26642754492dea23cbd3592bde62d8 change-id: 20250714-uvc-racemeta-fee2e69bbfcd Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

1 week, 5 days

2
5
0 0

You have received a completed document. All Parties have signed.

by Completed Document via Document Signature Docu_Sign_lists.linaro.org

Your document has been completed VIEW COMPLETED DOCUMENT https://docucompleteandsigned.drr.ac/ linux-stable-mirror linux-stable-mirror(a)lists.linaro.org All parties have completed Complete with Docusign. Do Not Share This Email This email contains a secure link to Docusign. Please do not share this email, link, or access code with others. Alternate Signing Method Visit Docusign.com, click 'Access Documents', and enter the security code: 27CF116EB55240BB8CC8A9B2003BC0A41 About Docusign Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go -- or even across the globe -- Docusign provides a professional trusted solution for Digital Transaction ManagementT. Questions about the Document? If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly. Stop receiving this email Report this email https://protect.docusign.net/report-abuse?e=AUtomjpFak9GlbPL0zFFi13hh8bLDb3… or read more about Declining to sign https://support.docusign.com/en/guides/Declining-to-sign-DocuSign-Signer-Gu… and Managing notifications https://support.docusign.com/en/articles/How-do-I-manage-my-email-notificat… . If you have trouble signing, visit " How to Sign a Document https://support.docusign.com/s/articles/How-do-I-sign-a-DocuSign-document-B… " on our Docusign Support Center https://support.docusign.com/ , or browse our Docusign Community https://community.docusign.com/esignature-111?utm_campaign=GBL_US_PRD_AWA_2… for more information. Download the Docusign App https://www.docusign.com/features-and-benefits/mobile?utm_campaign=GBL_XX_D… This message was sent to you who is using the Docusign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.

1 week, 5 days

1
0
0 0

[PATCH v3 0/4] hwmon: (sht21) Add devicetree support

by Kurt Borja

Hi all, The sht21 driver actually supports all i2c sht2x chips so add support for those names and additionally add DT support. Tested for sht20 and verified against the datasheet for sht25. Thanks! Signed-off-by: Kurt Borja <kuurtb(a)gmail.com> --- Changes in v3: - Add MODULE_DEVICE_TABLE() (I forgot, sorry for the noise!) - Link to v2: https://lore.kernel.org/r/20250907-sht2x-v2-0-1c7dc90abf8e@gmail.com Changes in v2: - Add a documentation cleanup patch - Add entry for each chip instead of sht2x placeholder - Update Kconfig too - Link to v1: https://lore.kernel.org/r/20250907-sht2x-v1-0-fd56843b1b43@gmail.com --- Kurt Borja (4): hwmon: (sht21) Documentation cleanup hwmon: (sht21) Add support for SHT20, SHT25 chips hwmon: (sht21) Add devicetree support dt-bindings: trivial-devices: Add sht2x sensors .../devicetree/bindings/trivial-devices.yaml | 3 +++ Documentation/hwmon/sht21.rst | 26 +++++++++++++--------- drivers/hwmon/Kconfig | 4 ++-- drivers/hwmon/sht21.c | 15 ++++++++++++- 4 files changed, 34 insertions(+), 14 deletions(-) --- base-commit: b236920731dd90c3fba8c227aa0c4dee5351a639 change-id: 20250907-sht2x-9b96125a0cf5 -- ~ Kurt

1 week, 5 days

3
8
0 0

[tip: x86/urgent] x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon

by tip-bot2 for K Prateek Nayak

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: cba4262a19afae21665ee242b3404bcede5a94d7 Gitweb: https://git.kernel.org/tip/cba4262a19afae21665ee242b3404bcede5a94d7 Author: K Prateek Nayak <kprateek.nayak(a)amd.com> AuthorDate: Mon, 01 Sep 2025 17:04:15 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Mon, 08 Sep 2025 11:37:49 +02:00 x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon Support for parsing the topology on AMD/Hygon processors using CPUID leaf 0xb was added in 3986a0a805e6 ("x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available"). In an effort to keep all the topology parsing bits in one place, this commit also introduced a pseudo dependency on the TOPOEXT feature to parse the CPUID leaf 0xb. The TOPOEXT feature (CPUID 0x80000001 ECX[22]) advertises the support for Cache Properties leaf 0x8000001d and the CPUID leaf 0x8000001e EAX for "Extended APIC ID" however support for 0xb was introduced alongside the x2APIC support not only on AMD [1], but also historically on x86 [2]. Similar to 0xb, the support for extended CPU topology leaf 0x80000026 too does not depend on the TOPOEXT feature. The support for these leaves is expected to be confirmed by ensuring leaf <= {extended_}cpuid_level and then parsing the level 0 of the respective leaf to confirm EBX[15:0] (LogProcAtThisLevel) is non-zero as stated in the definition of "CPUID_Fn0000000B_EAX_x00 [Extended Topology Enumeration] (Core::X86::Cpuid::ExtTopEnumEax0)" in Processor Programming Reference (PPR) for AMD Family 19h Model 01h Rev B1 Vol1 [3] Sec. 2.1.15.1 "CPUID Instruction Functions". This has not been a problem on baremetal platforms since support for TOPOEXT (Fam 0x15 and later) predates the support for CPUID leaf 0xb (Fam 0x17[Zen2] and later), however, for AMD guests on QEMU, the "x2apic" feature can be enabled independent of the "topoext" feature where QEMU expects topology and the initial APICID to be parsed using the CPUID leaf 0xb (especially when number of cores > 255) which is populated independent of the "topoext" feature flag. Unconditionally call cpu_parse_topology_ext() on AMD and Hygon processors to first parse the topology using the XTOPOLOGY leaves (0x80000026 / 0xb) before using the TOPOEXT leaf (0x8000001e). While at it, break down the single large comment in parse_topology_amd() to better highlight the purpose of each CPUID leaf. Fixes: 3986a0a805e6 ("x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available") Suggested-by: Naveen N Rao (AMD) <naveen(a)kernel.org> Signed-off-by: K Prateek Nayak <kprateek.nayak(a)amd.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: stable(a)vger.kernel.org # Only v6.9 and above; depends on x86 topology rewrite Link: https://lore.kernel.org/lkml/1529686927-7665-1-git-send-email-suravee.suthi… [1] Link: https://lore.kernel.org/lkml/20080818181435.523309000@linux-os.sc.intel.com/ [2] Link: https://bugzilla.kernel.org/show_bug.cgi?id=206537 [3] --- arch/x86/kernel/cpu/topology_amd.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/arch/x86/kernel/cpu/topology_amd.c b/arch/x86/kernel/cpu/topology_amd.c index 827dd0d..c79ebbb 100644 --- a/arch/x86/kernel/cpu/topology_amd.c +++ b/arch/x86/kernel/cpu/topology_amd.c @@ -175,27 +175,30 @@ static void topoext_fixup(struct topo_scan *tscan) static void parse_topology_amd(struct topo_scan *tscan) { - bool has_topoext = false; - /* - * If the extended topology leaf 0x8000_001e is available - * try to get SMT, CORE, TILE, and DIE shifts from extended + * Try to get SMT, CORE, TILE, and DIE shifts from extended * CPUID leaf 0x8000_0026 on supported processors first. If * extended CPUID leaf 0x8000_0026 is not supported, try to - * get SMT and CORE shift from leaf 0xb first, then try to - * get the CORE shift from leaf 0x8000_0008. + * get SMT and CORE shift from leaf 0xb. If either leaf is + * available, cpu_parse_topology_ext() will return true. */ - if (cpu_feature_enabled(X86_FEATURE_TOPOEXT)) - has_topoext = cpu_parse_topology_ext(tscan); + bool has_xtopology = cpu_parse_topology_ext(tscan); if (cpu_feature_enabled(X86_FEATURE_AMD_HTR_CORES)) tscan->c->topo.cpu_type = cpuid_ebx(0x80000026); - if (!has_topoext && !parse_8000_0008(tscan)) + /* + * If XTOPOLOGY leaves (0x26/0xb) are not available, try to + * get the CORE shift from leaf 0x8000_0008 first. + */ + if (!has_xtopology && !parse_8000_0008(tscan)) return; - /* Prefer leaf 0x8000001e if available */ - if (parse_8000_001e(tscan, has_topoext)) + /* + * Prefer leaf 0x8000001e if available to get the SMT shift and + * the initial APIC ID if XTOPOLOGY leaves are not available. + */ + if (parse_8000_001e(tscan, has_xtopology)) return; /* Try the NODEID MSR */

1 week, 5 days

1
0
0 0

You have received a completed document. All Parties have signed.

by Completed Document via Document Signature Docu_Sign_lists.linaro.org

Your document has been completed VIEW COMPLETED DOCUMENT https://docucompleteandsigned.drr.ac/ linux-stable-mirror linux-stable-mirror(a)lists.linaro.org All parties have completed Complete with Docusign. Do Not Share This Email This email contains a secure link to Docusign. Please do not share this email, link, or access code with others. Alternate Signing Method Visit Docusign.com, click 'Access Documents', and enter the security code: 27CF116EB55240BB8CC8A9B2003BC0A41 About Docusign Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go -- or even across the globe -- Docusign provides a professional trusted solution for Digital Transaction ManagementT. Questions about the Document? If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly. Stop receiving this email Report this email https://protect.docusign.net/report-abuse?e=AUtomjpFak9GlbPL0zFFi13hh8bLDb3… or read more about Declining to sign https://support.docusign.com/en/guides/Declining-to-sign-DocuSign-Signer-Gu… and Managing notifications https://support.docusign.com/en/articles/How-do-I-manage-my-email-notificat… . If you have trouble signing, visit " How to Sign a Document https://support.docusign.com/s/articles/How-do-I-sign-a-DocuSign-document-B… " on our Docusign Support Center https://support.docusign.com/ , or browse our Docusign Community https://community.docusign.com/esignature-111?utm_campaign=GBL_US_PRD_AWA_2… for more information. Download the Docusign App https://www.docusign.com/features-and-benefits/mobile?utm_campaign=GBL_XX_D… This message was sent to you who is using the Docusign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.

1 week, 5 days

1
0
0 0

[PATCH 6.12.y] net/mlx5: HWS, change error flow on matcher disconnect

by Subramaniam, Sujana

From: Sujana Subramaniam <sujana.subramaniam(a)sap.com> [ Upstream commit 1ce840c7a659aa53a31ef49f0271b4fd0dc10296 ] Currently, when firmware failure occurs during matcher disconnect flow, the error flow of the function reconnects the matcher back and returns an error, which continues running the calling function and eventually frees the matcher that is being disconnected. This leads to a case where we have a freed matcher on the matchers list, which in turn leads to use-after-free and eventual crash. This patch fixes that by not trying to reconnect the matcher back when some FW command fails during disconnect. Note that we're dealing here with FW error. We can't overcome this problem. This might lead to bad steering state (e.g. wrong connection between matchers), and will also lead to resource leakage, as it is the case with any other error handling during resource destruction. However, the goal here is to allow the driver to continue and not crash the machine with use-after-free error. Signed-off-by: Yevgeny Kliteynik <kliteyn(a)nvidia.com> Signed-off-by: Itamar Gozlan <igozlan(a)nvidia.com> Reviewed-by: Mark Bloch <mbloch(a)nvidia.com> Signed-off-by: Tariq Toukan <tariqt(a)nvidia.com> Link: https://patch.msgid.link/20250102181415.1477316-7-tariqt@nvidia.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Jan Alexander Preissler <akendo(a)akendo.eu> Signed-off-by: Sujana Subramaniam <sujana.subramaniam(a)sap.com> --- .../mlx5/core/steering/hws/mlx5hws_matcher.c | 24 +++++++------------ 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/hws/mlx5hws_matcher.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/hws/mlx5hws_matcher.c index 61a1155d4b4f..ce541c60c5b4 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/steering/hws/mlx5hws_matcher.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/hws/mlx5hws_matcher.c @@ -165,14 +165,14 @@ static int hws_matcher_disconnect(struct mlx5hws_matcher *matcher) next->match_ste.rtc_0_id, next->match_ste.rtc_1_id); if (ret) { - mlx5hws_err(tbl->ctx, "Failed to disconnect matcher\n"); - goto matcher_reconnect; + mlx5hws_err(tbl->ctx, "Fatal error, failed to disconnect matcher\n"); + return ret; } } else { ret = mlx5hws_table_connect_to_miss_table(tbl, tbl->default_miss.miss_tbl); if (ret) { - mlx5hws_err(tbl->ctx, "Failed to disconnect last matcher\n"); - goto matcher_reconnect; + mlx5hws_err(tbl->ctx, "Fatal error, failed to disconnect last matcher\n"); + return ret; } } @@ -180,27 +180,19 @@ static int hws_matcher_disconnect(struct mlx5hws_matcher *matcher) if (prev_ft_id == tbl->ft_id) { ret = mlx5hws_table_update_connected_miss_tables(tbl); if (ret) { - mlx5hws_err(tbl->ctx, "Fatal error, failed to update connected miss table\n"); - goto matcher_reconnect; + mlx5hws_err(tbl->ctx, + "Fatal error, failed to update connected miss table\n"); + return ret; } } ret = mlx5hws_table_ft_set_default_next_ft(tbl, prev_ft_id); if (ret) { mlx5hws_err(tbl->ctx, "Fatal error, failed to restore matcher ft default miss\n"); - goto matcher_reconnect; + return ret; } return 0; - -matcher_reconnect: - if (list_empty(&tbl->matchers_list) || !prev) - list_add(&matcher->list_node, &tbl->matchers_list); - else - /* insert after prev matcher */ - list_add(&matcher->list_node, &prev->list_node); - - return ret; } static void hws_matcher_set_rtc_attr_sz(struct mlx5hws_matcher *matcher, -- 2.39.5 (Apple Git-154)

1 week, 5 days

1
0
0 0

[PATCH] media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID

by Ricardo Ribalda

From: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero unique ID. ``` Each Unit and Terminal within the video function is assigned a unique identification number, the Unit ID (UID) or Terminal ID (TID), contained in the bUnitID or bTerminalID field of the descriptor. The value 0x00 is reserved for undefined ID, ``` If we add a new entity with id 0 or a duplicated ID, it will be marked as UVC_INVALID_ENTITY_ID. In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require entities to have a non-zero unique ID"), we ignored all the invalid units, this broke a lot of non-compatible cameras. Hopefully we are more lucky this time. This also prevents some syzkaller reproducers from triggering warnings due to a chain of entities referring to themselves. In one particular case, an Output Unit is connected to an Input Unit, both with the same ID of 1. But when looking up for the source ID of the Output Unit, that same entity is found instead of the input entity, which leads to such warnings. In another case, a backward chain was considered finished as the source ID was 0. Later on, that entity was found, but its pads were not valid. Here is a sample stack trace for one of those cases. [ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 20.830206] usb 1-1: Using ep0 maxpacket: 8 [ 20.833501] usb 1-1: config 0 descriptor?? [ 21.038518] usb 1-1: string descriptor 0 read error: -71 [ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201) [ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized! [ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized! [ 21.042218] ------------[ cut here ]------------ [ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0 [ 21.043195] Modules linked in: [ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444 [ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 21.044639] Workqueue: usb_hub_wq hub_event [ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0 [ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00 [ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246 [ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1 [ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290 [ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000 [ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003 [ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000 [ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 [ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0 [ 21.051136] PKRU: 55555554 [ 21.051331] Call Trace: [ 21.051480] <TASK> [ 21.051611] ? __warn+0xc4/0x210 [ 21.051861] ? media_create_pad_link+0x2c4/0x2e0 [ 21.052252] ? report_bug+0x11b/0x1a0 [ 21.052540] ? trace_hardirqs_on+0x31/0x40 [ 21.052901] ? handle_bug+0x3d/0x70 [ 21.053197] ? exc_invalid_op+0x1a/0x50 [ 21.053511] ? asm_exc_invalid_op+0x1a/0x20 [ 21.053924] ? media_create_pad_link+0x91/0x2e0 [ 21.054364] ? media_create_pad_link+0x2c4/0x2e0 [ 21.054834] ? media_create_pad_link+0x91/0x2e0 [ 21.055131] ? _raw_spin_unlock+0x1e/0x40 [ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210 [ 21.055837] uvc_mc_register_entities+0x358/0x400 [ 21.056144] uvc_register_chains+0x1fd/0x290 [ 21.056413] uvc_probe+0x380e/0x3dc0 [ 21.056676] ? __lock_acquire+0x5aa/0x26e0 [ 21.056946] ? find_held_lock+0x33/0xa0 [ 21.057196] ? kernfs_activate+0x70/0x80 [ 21.057533] ? usb_match_dynamic_id+0x1b/0x70 [ 21.057811] ? find_held_lock+0x33/0xa0 [ 21.058047] ? usb_match_dynamic_id+0x55/0x70 [ 21.058330] ? lock_release+0x124/0x260 [ 21.058657] ? usb_match_one_id_intf+0xa2/0x100 [ 21.058997] usb_probe_interface+0x1ba/0x330 [ 21.059399] really_probe+0x1ba/0x4c0 [ 21.059662] __driver_probe_device+0xb2/0x180 [ 21.059944] driver_probe_device+0x5a/0x100 [ 21.060170] __device_attach_driver+0xe9/0x160 [ 21.060427] ? __pfx___device_attach_driver+0x10/0x10 [ 21.060872] bus_for_each_drv+0xa9/0x100 [ 21.061312] __device_attach+0xed/0x190 [ 21.061812] device_initial_probe+0xe/0x20 [ 21.062229] bus_probe_device+0x4d/0xd0 [ 21.062590] device_add+0x308/0x590 [ 21.062912] usb_set_configuration+0x7b6/0xaf0 [ 21.063403] usb_generic_driver_probe+0x36/0x80 [ 21.063714] usb_probe_device+0x7b/0x130 [ 21.063936] really_probe+0x1ba/0x4c0 [ 21.064111] __driver_probe_device+0xb2/0x180 [ 21.064577] driver_probe_device+0x5a/0x100 [ 21.065019] __device_attach_driver+0xe9/0x160 [ 21.065403] ? __pfx___device_attach_driver+0x10/0x10 [ 21.065820] bus_for_each_drv+0xa9/0x100 [ 21.066094] __device_attach+0xed/0x190 [ 21.066535] device_initial_probe+0xe/0x20 [ 21.066992] bus_probe_device+0x4d/0xd0 [ 21.067250] device_add+0x308/0x590 [ 21.067501] usb_new_device+0x347/0x610 [ 21.067817] hub_event+0x156b/0x1e30 [ 21.068060] ? process_scheduled_works+0x48b/0xaf0 [ 21.068337] process_scheduled_works+0x5a3/0xaf0 [ 21.068668] worker_thread+0x3cf/0x560 [ 21.068932] ? kthread+0x109/0x1b0 [ 21.069133] kthread+0x197/0x1b0 [ 21.069343] ? __pfx_worker_thread+0x10/0x10 [ 21.069598] ? __pfx_kthread+0x10/0x10 [ 21.069908] ret_from_fork+0x32/0x40 [ 21.070169] ? __pfx_kthread+0x10/0x10 [ 21.070424] ret_from_fork_asm+0x1a/0x30 [ 21.070737] </TASK> Cc: stable(a)vger.kernel.org Reported-by: syzbot+0584f746fde3d52b4675(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675 Reported-by: syzbot+dd320d114deb3f5bb79b(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads") Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> Co-developed-by: Ricardo Ribalda <ribalda(a)chromium.org> Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- This is a new attempt to land a Thadeu's patch, but being a bit more benevolent on the non-compliant cameras. I have kept most of Thadeu's code, but instead of returning an error when trying to allocate an invalid entity, I replace its id with a special ID. Thadeu can you validate this new version? Tomasz can you also check this patch with your non compliant camera? Thanks! --- drivers/media/usb/uvc/uvc_driver.c | 73 ++++++++++++++++++++++++-------------- drivers/media/usb/uvc/uvcvideo.h | 2 ++ 2 files changed, 48 insertions(+), 27 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 775bede0d93d9b3e5391914aa395326d3de6a3b1..46923cd85f0b6790f01ae6b393571ca7660900f7 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -137,6 +137,9 @@ struct uvc_entity *uvc_entity_by_id(struct uvc_device *dev, int id) { struct uvc_entity *entity; + if (id == UVC_INVALID_ENTITY_ID) + return NULL; + list_for_each_entry(entity, &dev->entities, list) { if (entity->id == id) return entity; @@ -795,14 +798,27 @@ static const u8 uvc_media_transport_input_guid[16] = UVC_GUID_UVC_MEDIA_TRANSPORT_INPUT; static const u8 uvc_processing_guid[16] = UVC_GUID_UVC_PROCESSING; -static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id, - unsigned int num_pads, unsigned int extra_size) +static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type, + u16 id, unsigned int num_pads, + unsigned int extra_size) { struct uvc_entity *entity; unsigned int num_inputs; unsigned int size; unsigned int i; + /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */ + if (id == 0) { + dev_err(&dev->intf->dev, "Found Unit with invalid ID 0.\n"); + id = UVC_INVALID_ENTITY_ID; + } + + /* Per UVC 1.1+ spec 3.7.2, the ID is unique. */ + if (uvc_entity_by_id(dev, id)) { + dev_err(&dev->intf->dev, "Found multiple Units with ID %u\n", id); + id = UVC_INVALID_ENTITY_ID; + } + extra_size = roundup(extra_size, sizeof(*entity->pads)); if (num_pads) num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1; @@ -812,7 +828,7 @@ static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id, + num_inputs; entity = kzalloc(size, GFP_KERNEL); if (entity == NULL) - return NULL; + return ERR_PTR(-ENOMEM); entity->id = id; entity->type = type; @@ -924,10 +940,10 @@ static int uvc_parse_vendor_control(struct uvc_device *dev, break; } - unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3], - p + 1, 2*n); - if (unit == NULL) - return -ENOMEM; + unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT, + buffer[3], p + 1, 2 * n); + if (IS_ERR(unit)) + return PTR_ERR(unit); memcpy(unit->guid, &buffer[4], 16); unit->extension.bNumControls = buffer[20]; @@ -1036,10 +1052,10 @@ static int uvc_parse_standard_control(struct uvc_device *dev, return -EINVAL; } - term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3], - 1, n + p); - if (term == NULL) - return -ENOMEM; + term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT, + buffer[3], 1, n + p); + if (IS_ERR(term)) + return PTR_ERR(term); if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) { term->camera.bControlSize = n; @@ -1095,10 +1111,10 @@ static int uvc_parse_standard_control(struct uvc_device *dev, return 0; } - term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3], - 1, 0); - if (term == NULL) - return -ENOMEM; + term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT, + buffer[3], 1, 0); + if (IS_ERR(term)) + return PTR_ERR(term); memcpy(term->baSourceID, &buffer[7], 1); @@ -1117,9 +1133,10 @@ static int uvc_parse_standard_control(struct uvc_device *dev, return -EINVAL; } - unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0); - if (unit == NULL) - return -ENOMEM; + unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], + p + 1, 0); + if (IS_ERR(unit)) + return PTR_ERR(unit); memcpy(unit->baSourceID, &buffer[5], p); @@ -1139,9 +1156,9 @@ static int uvc_parse_standard_control(struct uvc_device *dev, return -EINVAL; } - unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n); - if (unit == NULL) - return -ENOMEM; + unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n); + if (IS_ERR(unit)) + return PTR_ERR(unit); memcpy(unit->baSourceID, &buffer[4], 1); unit->processing.wMaxMultiplier = @@ -1168,9 +1185,10 @@ static int uvc_parse_standard_control(struct uvc_device *dev, return -EINVAL; } - unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n); - if (unit == NULL) - return -ENOMEM; + unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], + p + 1, n); + if (IS_ERR(unit)) + return PTR_ERR(unit); memcpy(unit->guid, &buffer[4], 16); unit->extension.bNumControls = buffer[20]; @@ -1315,9 +1333,10 @@ static int uvc_gpio_parse(struct uvc_device *dev) return dev_err_probe(&dev->intf->dev, irq, "No IRQ for privacy GPIO\n"); - unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1); - if (!unit) - return -ENOMEM; + unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT, + UVC_EXT_GPIO_UNIT_ID, 0, 1); + if (IS_ERR(unit)) + return PTR_ERR(unit); unit->gpio.gpio_privacy = gpio_privacy; unit->gpio.irq = irq; diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h index 70dc80e2b213dff333665022b3410b175d072793..881bfa0caab22714c26a3260cc843bda8e2706a4 100644 --- a/drivers/media/usb/uvc/uvcvideo.h +++ b/drivers/media/usb/uvc/uvcvideo.h @@ -41,6 +41,8 @@ #define UVC_EXT_GPIO_UNIT 0x7ffe #define UVC_EXT_GPIO_UNIT_ID 0x100 +#define UVC_INVALID_ENTITY_ID 0xffff + /* ------------------------------------------------------------------------ * Driver specific constants. */ --- base-commit: a75b8d198c55e9eb5feb6f6e155496305caba2dc change-id: 20250820-uvc-thadeu2-25723a961bd8 Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

1 week, 5 days

4
5
0 0

[PATCH] pinctrl: airoha: fix wrong PHY LED mux value for LED1 GPIO46

by Christian Marangi

In all the MUX value for LED1 GPIO46 there is a Copy-Paste error where the MUX value is set to LED0_MODE_MASK instead of LED1_MODE_MASK. This wasn't notice as there were no board that made use of the secondary PHY LED but looking at the internal Documentation the actual value should be LED1_MODE_MASK similar to the other GPIO entry. Fix the wrong value to apply the correct MUX configuration. Cc: stable(a)vger.kernel.org Fixes: 1c8ace2d0725 ("pinctrl: airoha: Add support for EN7581 SoC") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> --- drivers/pinctrl/mediatek/pinctrl-airoha.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/pinctrl/mediatek/pinctrl-airoha.c b/drivers/pinctrl/mediatek/pinctrl-airoha.c index 5d84a778683d..f7f8fd2f35fc 100644 --- a/drivers/pinctrl/mediatek/pinctrl-airoha.c +++ b/drivers/pinctrl/mediatek/pinctrl-airoha.c @@ -1752,8 +1752,8 @@ static const struct airoha_pinctrl_func_group phy1_led1_func_group[] = { .regmap[0] = { AIROHA_FUNC_MUX, REG_GPIO_2ND_I2C_MODE, - GPIO_LAN3_LED0_MODE_MASK, - GPIO_LAN3_LED0_MODE_MASK + GPIO_LAN3_LED1_MODE_MASK, + GPIO_LAN3_LED1_MODE_MASK }, .regmap[1] = { AIROHA_FUNC_MUX, @@ -1816,8 +1816,8 @@ static const struct airoha_pinctrl_func_group phy2_led1_func_group[] = { .regmap[0] = { AIROHA_FUNC_MUX, REG_GPIO_2ND_I2C_MODE, - GPIO_LAN3_LED0_MODE_MASK, - GPIO_LAN3_LED0_MODE_MASK + GPIO_LAN3_LED1_MODE_MASK, + GPIO_LAN3_LED1_MODE_MASK }, .regmap[1] = { AIROHA_FUNC_MUX, @@ -1880,8 +1880,8 @@ static const struct airoha_pinctrl_func_group phy3_led1_func_group[] = { .regmap[0] = { AIROHA_FUNC_MUX, REG_GPIO_2ND_I2C_MODE, - GPIO_LAN3_LED0_MODE_MASK, - GPIO_LAN3_LED0_MODE_MASK + GPIO_LAN3_LED1_MODE_MASK, + GPIO_LAN3_LED1_MODE_MASK }, .regmap[1] = { AIROHA_FUNC_MUX, @@ -1944,8 +1944,8 @@ static const struct airoha_pinctrl_func_group phy4_led1_func_group[] = { .regmap[0] = { AIROHA_FUNC_MUX, REG_GPIO_2ND_I2C_MODE, - GPIO_LAN3_LED0_MODE_MASK, - GPIO_LAN3_LED0_MODE_MASK + GPIO_LAN3_LED1_MODE_MASK, + GPIO_LAN3_LED1_MODE_MASK }, .regmap[1] = { AIROHA_FUNC_MUX, -- 2.51.0

1 week, 5 days

2
1
0 0

[PATCH v4] bus: mhi: host: Fix potential kernel panic by calling dev_err

by Adam Xue

In mhi_init_irq_setup, the device pointer used for dev_err was not initialized. Use the pointer from mhi_cntrl instead. Signed-off-by: Adam Xue <zxue(a)semtech.com> --- drivers/bus/mhi/host/init.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c index 7f72aab38ce9..099be8dd1900 100644 --- a/drivers/bus/mhi/host/init.c +++ b/drivers/bus/mhi/host/init.c @@ -194,7 +194,6 @@ static void mhi_deinit_free_irq(struct mhi_controller *mhi_cntrl) static int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl) { struct mhi_event *mhi_event = mhi_cntrl->mhi_event; - struct device *dev = &mhi_cntrl->mhi_dev->dev; unsigned long irq_flags = IRQF_SHARED | IRQF_NO_SUSPEND; int i, ret; @@ -221,7 +220,7 @@ static int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl) continue; if (mhi_event->irq >= mhi_cntrl->nr_irqs) { - dev_err(dev, "irq %d not available for event ring\n", + dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n", mhi_event->irq); ret = -EINVAL; goto error_request; @@ -232,7 +231,7 @@ static int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl) irq_flags, "mhi", mhi_event); if (ret) { - dev_err(dev, "Error requesting irq:%d for ev:%d\n", + dev_err(mhi_cntrl->cntrl_dev, "Error requesting irq:%d for ev:%d\n", mhi_cntrl->irq[mhi_event->irq], i); goto error_request; } -- 2.43.0 To view our privacy policy, including the types of personal information we collect, process and share, and the rights and options you have in this respect, see www.semtech.com/legal.

1 week, 5 days

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror