- Linux-stable-mirror - lists.linaro.org

[PATCH 3/4] smb: client: fix potential UAF in smb2_is_valid_lease_break()

by Chanho Min

From: Paulo Alcantara <pc(a)manguebit.com> Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Cc: stable(a)vger.kernel.org # 5.4 Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> [ chanho: Backported to v5.4.y, smb2misc.c was moved from fs/cifs to fs/smb/client ] Signed-off-by: Chanho Min <chanho.min(a)lge.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> --- fs/cifs/smb2misc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c index d7cbf1b07126c..c47927d257635 100644 --- a/fs/cifs/smb2misc.c +++ b/fs/cifs/smb2misc.c @@ -611,7 +611,8 @@ smb2_is_valid_lease_break(char *buffer) list_for_each(tmp1, &server->smb_ses_list) { ses = list_entry(tmp1, struct cifs_ses, smb_ses_list); - + if (cifs_ses_exiting(ses)) + continue; list_for_each(tmp2, &ses->tcon_list) { tcon = list_entry(tmp2, struct cifs_tcon, tcon_list);

2 weeks, 3 days

1
0
0 0

[PATCH 2/4] smb: client: fix potential UAF in is_valid_oplock_break()

by Chanho Min

From: Paulo Alcantara <pc(a)manguebit.com> commit 69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29 upstream. Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Cc: stable(a)vger.kernel.org # 5.4 Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [ chanho: Backported to v5.4.y, misc.c was moved from fs/cifs to fs/smb/client ] Signed-off-by: Chanho Min <chanho.min(a)lge.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/cifs/misc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c index db1fcdedf289a..4d838d7db7b57 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c @@ -473,6 +473,8 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv) spin_lock(&cifs_tcp_ses_lock); list_for_each(tmp, &srv->smb_ses_list) { ses = list_entry(tmp, struct cifs_ses, smb_ses_list); + if (cifs_ses_exiting(ses)) + continue; list_for_each(tmp1, &ses->tcon_list) { tcon = list_entry(tmp1, struct cifs_tcon, tcon_list); if (tcon->tid != buf->Tid)

2 weeks, 3 days

1
0
0 0

[PATCH 1/4] smb: client: fix potential UAF in cifs_debug_files_proc_show()

by Chanho Min

From: Paulo Alcantara <pc(a)manguebit.com> commit ca545b7f0823f19db0f1148d59bc5e1a56634502 upstream. Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. Cc: stable(a)vger.kernel.org # 5.4 Signed-off-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> [ This patch removes lock/unlock operation in routine cifs_ses_exiting() for ses_lock is not present in v5.10 and not ported yet. ses->status is protected by a global lock, cifs_tcp_ses_lock, in v5.10. ] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> [ chanho: Backport to v5.4.y from v5.10.y's commit 8f8718afd44 ] Signed-off-by: Chanho Min <chanho.min(a)lge.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/cifs/cifs_debug.c | 2 ++ fs/cifs/cifsglob.h | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index efb2928ff6c89..df3dfa611c352 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -162,6 +162,8 @@ static int cifs_debug_files_proc_show(struct seq_file *m, void *v) tcp_ses_list); list_for_each(tmp, &server->smb_ses_list) { ses = list_entry(tmp, struct cifs_ses, smb_ses_list); + if (cifs_ses_exiting(ses)) + continue; list_for_each(tmp1, &ses->tcon_list) { tcon = list_entry(tmp1, struct cifs_tcon, tcon_list); spin_lock(&tcon->open_file_lock); diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index 253321adc2664..5f545a240afa6 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h @@ -2027,4 +2027,12 @@ static inline struct scatterlist *cifs_sg_set_buf(struct scatterlist *sg, return sg; } +static inline bool cifs_ses_exiting(struct cifs_ses *ses) +{ + bool ret; + + ret = ses->status == CifsExiting; + return ret; +} + #endif /* _CIFS_GLOB_H */

2 weeks, 3 days

1
0
0 0

[PATCH v2 1/3] drm/i915/gt: Relocate compression repacking WA for JSL/EHL

by Sebastian Brzezinka

CACHE_MODE_0 registers should be saved and restored as part of the context, not during engine reset. Move the related workaround (Disable Repacking for Compression) from rcs_engine_wa_init() to icl_ctx_workarounds_init() for Jasper Lake and Elkhart Lake platforms. This ensures the WA is applied during context initialisation. BSPEC: 11322 Signed-off-by: Sebastian Brzezinka <sebastian.brzezinka(a)intel.com> Reviewed-by: Andi Shyti <andi.shyti(a)linux.intel.com> Reviewed-by: Krzysztof Karas <krzysztof.karas(a)intel.com> Fixes: 0ddae025ab6c ("drm/i915: Disable compression tricks on JSL") Closes: Fixes: 0ddae025ab6c ("drm/i915: Disable compression tricks on JSL") Cc: <stable(a)vger.kernel.org> # v6.13+ --- v1 -> v2: - clarify commit message --- drivers/gpu/drm/i915/gt/intel_workarounds.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/i915/gt/intel_workarounds.c b/drivers/gpu/drm/i915/gt/intel_workarounds.c index b37e400f74e5..5a95f06900b5 100644 --- a/drivers/gpu/drm/i915/gt/intel_workarounds.c +++ b/drivers/gpu/drm/i915/gt/intel_workarounds.c @@ -634,6 +634,8 @@ static void cfl_ctx_workarounds_init(struct intel_engine_cs *engine, static void icl_ctx_workarounds_init(struct intel_engine_cs *engine, struct i915_wa_list *wal) { + struct drm_i915_private *i915 = engine->i915; + /* Wa_1406697149 (WaDisableBankHangMode:icl) */ wa_write(wal, GEN8_L3CNTLREG, GEN8_ERRDETBCTRL); @@ -669,6 +671,15 @@ static void icl_ctx_workarounds_init(struct intel_engine_cs *engine, /* Wa_1406306137:icl,ehl */ wa_mcr_masked_en(wal, GEN9_ROW_CHICKEN4, GEN11_DIS_PICK_2ND_EU); + + if (IS_JASPERLAKE(i915) || IS_ELKHARTLAKE(i915)) { + /* + * Disable Repacking for Compression (masked R/W access) + * before rendering compressed surfaces for display. + */ + wa_masked_en(wal, CACHE_MODE_0_GEN7, + DISABLE_REPACKING_FOR_COMPRESSION); + } } /* @@ -2306,15 +2317,6 @@ rcs_engine_wa_init(struct intel_engine_cs *engine, struct i915_wa_list *wal) GEN8_RC_SEMA_IDLE_MSG_DISABLE); } - if (IS_JASPERLAKE(i915) || IS_ELKHARTLAKE(i915)) { - /* - * "Disable Repacking for Compression (masked R/W access) - * before rendering compressed surfaces for display." - */ - wa_masked_en(wal, CACHE_MODE_0_GEN7, - DISABLE_REPACKING_FOR_COMPRESSION); - } - if (GRAPHICS_VER(i915) == 11) { /* This is not an Wa. Enable for better image quality */ wa_masked_en(wal, -- 2.34.1

2 weeks, 3 days

1
0
0 0

[PATCH] kcov, usb: Fix invalid context sleep in softirq path on PREEMPT_RT

by Yunseong Kim

When fuzzing USB with syzkaller on a PREEMPT_RT enabled kernel, following bug is triggered in the ksoftirqd context. | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 | in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 30, name: ksoftirqd/1 | preempt_count: 0, expected: 0 | RCU nest depth: 2, expected: 2 | CPU: 1 UID: 0 PID: 30 Comm: ksoftirqd/1 Tainted: G W 6.16.0-rc1-rt1 #11 PREEMPT_RT | Tainted: [W]=WARN | Hardware name: QEMU KVM Virtual Machine, BIOS 2025.02-8 05/13/2025 | Call trace: | show_stack+0x2c/0x3c (C) | __dump_stack+0x30/0x40 | dump_stack_lvl+0x148/0x1d8 | dump_stack+0x1c/0x3c | __might_resched+0x2e4/0x52c | rt_spin_lock+0xa8/0x1bc | kcov_remote_start+0xb0/0x490 | __usb_hcd_giveback_urb+0x2d0/0x5e8 | usb_giveback_urb_bh+0x234/0x3c4 | process_scheduled_works+0x678/0xd18 | bh_worker+0x2f0/0x59c | workqueue_softirq_action+0x104/0x14c | tasklet_action+0x18/0x8c | handle_softirqs+0x208/0x63c | run_ksoftirqd+0x64/0x264 | smpboot_thread_fn+0x4ac/0x908 | kthread+0x5e8/0x734 | ret_from_fork+0x10/0x20 To reproduce on PREEMPT_RT kernel: $ git remote add rt-devel git://git.kernel.org/pub/scm/linux/kernel/git/rt/linux-rt-devel.git $ git fetch rt-devel $ git checkout -b v6.16-rc1-rt1 v6.16-rc1-rt1 I have attached the syzlang and the C source code converted by syz-prog2c: Link: https://gist.github.com/kzall0c/9455aaa246f4aa1135353a51753adbbe Then, run with a PREEMPT_RT config. This issue was introduced by commit f85d39dd7ed8 ("kcov, usb: disable interrupts in kcov_remote_start_usb_softirq"). However, this creates a conflict on PREEMPT_RT kernels. The local_irq_save() call establishes an atomic context where sleeping is forbidden. Inside this context, kcov_remote_start() is called, which on PREEMPT_RT uses sleeping locks (spinlock_t and local_lock_t are mapped to rt_mutex). This results in a sleeping function called from invalid context. On PREEMPT_RT, interrupt handlers are threaded, so the re-entrancy scenario is already safely handled by the existing local_lock_t and the global kcov_remote_lock within kcov_remote_start(). Therefore, the outer local_irq_save() is not necessary. This preserves the intended re-entrancy protection for non-RT kernels while resolving the locking violation on PREEMPT_RT kernels. After making this modification and testing it, syzkaller fuzzing the PREEMPT_RT kernel is now running without stopping on latest announced Real-time Linux. Link: https://lore.kernel.org/linux-rt-devel/20250610080307.LMm1hleC@linutronix.d… Fixes: f85d39dd7ed8 ("kcov, usb: disable interrupts in kcov_remote_start_usb_softirq") Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Tetsuo Handa <penguin-kernel(a)i-love.sakura.ne.jp> Cc: Alan Stern <stern(a)rowland.harvard.edu> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> Cc: Byungchul Park <byungchul(a)sk.com> Cc: stable(a)vger.kernel.org Cc: kasan-dev(a)googlegroups.com Cc: syzkaller(a)googlegroups.com Cc: linux-usb(a)vger.kernel.org Cc: linux-rt-devel(a)lists.linux.dev Signed-off-by: Yunseong Kim <ysk(a)kzalloc.com> --- include/linux/kcov.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/linux/kcov.h b/include/linux/kcov.h index 75a2fb8b16c3..c5e1b2dd0bb7 100644 --- a/include/linux/kcov.h +++ b/include/linux/kcov.h @@ -85,7 +85,9 @@ static inline unsigned long kcov_remote_start_usb_softirq(u64 id) unsigned long flags = 0; if (in_serving_softirq()) { +#ifndef CONFIG_PREEMPT_RT local_irq_save(flags); +#endif kcov_remote_start_usb(id); } @@ -96,7 +98,9 @@ static inline void kcov_remote_stop_softirq(unsigned long flags) { if (in_serving_softirq()) { kcov_remote_stop(); +#ifndef CONFIG_PREEMPT_RT local_irq_restore(flags); +#endif } } -- 2.50.0

2 weeks, 3 days

5
8
0 0

[CI 5/5] drm/i915/icl+/tc: Convert AUX powered WARN to a debug message

by Imre Deak

The BIOS can leave the AUX power well enabled on an output, even if this isn't required (on platforms where the AUX power is only needed for an AUX access). This was observed at least on PTL. To avoid the WARN which would be triggered by this during the HW readout, convert the WARN to a debug message. Cc: stable(a)vger.kernel.org # v6.8+ Reported-by: Charlton Lin <charlton.lin(a)intel.com> Tested-by: Khaled Almahallawy <khaled.almahallawy(a)intel.com> Reviewed-by: Mika Kahola <mika.kahola(a)intel.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> --- drivers/gpu/drm/i915/display/intel_tc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_tc.c b/drivers/gpu/drm/i915/display/intel_tc.c index 8b6826fc06855..0ff5a8951e734 100644 --- a/drivers/gpu/drm/i915/display/intel_tc.c +++ b/drivers/gpu/drm/i915/display/intel_tc.c @@ -1497,11 +1497,11 @@ static void intel_tc_port_reset_mode(struct intel_tc_port *tc, intel_display_power_flush_work(display); if (!intel_tc_cold_requires_aux_pw(dig_port)) { enum intel_display_power_domain aux_domain; - bool aux_powered; aux_domain = intel_aux_power_domain(dig_port); - aux_powered = intel_display_power_is_enabled(display, aux_domain); - drm_WARN_ON(display->drm, aux_powered); + if (intel_display_power_is_enabled(display, aux_domain)) + drm_dbg_kms(display->drm, "Port %s: AUX unexpectedly powered\n", + tc->port_name); } tc_phy_disconnect(tc); -- 2.49.1

2 weeks, 3 days

1
0
0 0

[CI 4/5] drm/i915/lnl+/tc: Use the cached max lane count value

by Imre Deak

Use the cached max lane count value on LNL+, to account for scenarios where this value is queried after the HW cleared the corresponding pin assignment value in the TCSS_DDI_STATUS register after the sink got disconnected. For consistency, follow-up changes will use the cached max lane count value on other platforms as well and will also cache the pin assignment value in a similar way. Cc: stable(a)vger.kernel.org # v6.8+ Reported-by: Charlton Lin <charlton.lin(a)intel.com> Tested-by: Khaled Almahallawy <khaled.almahallawy(a)intel.com> Reviewed-by: Mika Kahola <mika.kahola(a)intel.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> --- drivers/gpu/drm/i915/display/intel_tc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/display/intel_tc.c b/drivers/gpu/drm/i915/display/intel_tc.c index b0edbce2060ff..8b6826fc06855 100644 --- a/drivers/gpu/drm/i915/display/intel_tc.c +++ b/drivers/gpu/drm/i915/display/intel_tc.c @@ -395,12 +395,16 @@ static void read_pin_configuration(struct intel_tc_port *tc) int intel_tc_port_max_lane_count(struct intel_digital_port *dig_port) { + struct intel_display *display = to_intel_display(dig_port); struct intel_tc_port *tc = to_tc_port(dig_port); if (!intel_encoder_is_tc(&dig_port->base)) return 4; - return get_max_lane_count(tc); + if (DISPLAY_VER(display) < 20) + return get_max_lane_count(tc); + + return tc->max_lane_count; } void intel_tc_port_set_fia_lane_count(struct intel_digital_port *dig_port, -- 2.49.1

2 weeks, 3 days

1
0
0 0

[CI 3/5] drm/i915/lnl+/tc: Fix max lane count HW readout

by Imre Deak

On LNL+ for a disconnected sink the pin assignment value gets cleared by the HW/FW as soon as the sink gets disconnected, even if the PHY ownership got acquired already by the BIOS/driver (and hence the PHY itself is still connected and used by the display). During HW readout this can result in detecting the PHY's max lane count as 0 - matching the above cleared aka NONE pin assignment HW state. For a connected PHY the driver in general (outside of intel_tc.c) expects the max lane count value to be valid for the video mode enabled on the corresponding output (1, 2 or 4). Ensure this by setting the max lane count to 4 in this case. Note, that it doesn't matter if this lane count happened to be more than the max lane count with which the PHY got connected and enabled, since the only thing the driver can do with such an output - where the DP-alt sink is disconnected - is to disable the output. v2: Rebased on change reading out the pin configuration only if the PHY is connected. Cc: stable(a)vger.kernel.org # v6.8+ Reported-by: Charlton Lin <charlton.lin(a)intel.com> Tested-by: Khaled Almahallawy <khaled.almahallawy(a)intel.com> Reviewed-by: Mika Kahola <mika.kahola(a)intel.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> --- drivers/gpu/drm/i915/display/intel_tc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/gpu/drm/i915/display/intel_tc.c b/drivers/gpu/drm/i915/display/intel_tc.c index 752900f1c115c..b0edbce2060ff 100644 --- a/drivers/gpu/drm/i915/display/intel_tc.c +++ b/drivers/gpu/drm/i915/display/intel_tc.c @@ -23,6 +23,7 @@ #include "intel_modeset_lock.h" #include "intel_tc.h" +#define DP_PIN_ASSIGNMENT_NONE 0x0 #define DP_PIN_ASSIGNMENT_C 0x3 #define DP_PIN_ASSIGNMENT_D 0x4 #define DP_PIN_ASSIGNMENT_E 0x5 @@ -308,6 +309,8 @@ static int lnl_tc_port_get_max_lane_count(struct intel_digital_port *dig_port) REG_FIELD_GET(TCSS_DDI_STATUS_PIN_ASSIGNMENT_MASK, val); switch (pin_assignment) { + case DP_PIN_ASSIGNMENT_NONE: + return 0; default: MISSING_CASE(pin_assignment); fallthrough; @@ -1159,6 +1162,12 @@ static void xelpdp_tc_phy_get_hw_state(struct intel_tc_port *tc) tc->lock_wakeref = tc_cold_block(tc); read_pin_configuration(tc); + /* + * Set a valid lane count value for a DP-alt sink which got + * disconnected. The driver can only disable the output on this PHY. + */ + if (tc->max_lane_count == 0) + tc->max_lane_count = 4; } drm_WARN_ON(display->drm, -- 2.49.1

2 weeks, 3 days

1
0
0 0

[CI 2/5] drm/i915/icl+/tc: Cache the max lane count value

by Imre Deak

The PHY's pin assignment value in the TCSS_DDI_STATUS register - as set by the HW/FW based on the connected DP-alt sink's TypeC/PD pin assignment negotiation - gets cleared by the HW/FW on LNL+ as soon as the sink gets disconnected, even if the PHY ownership got acquired already by the driver (and hence the PHY itself is still connected and used by the display). This is similar to how the PHY Ready flag gets cleared on LNL+ in the same register. To be able to query the max lane count value on LNL+ - which is based on the above pin assignment - at all times even after the sink gets disconnected, the max lane count must be determined and cached during the PHY's HW readout and connect sequences. Do that here, leaving the actual use of the cached value to a follow-up change. v2: Don't read out the pin configuration if the PHY is disconnected. Cc: stable(a)vger.kernel.org # v6.8+ Reported-by: Charlton Lin <charlton.lin(a)intel.com> Tested-by: Khaled Almahallawy <khaled.almahallawy(a)intel.com> Reviewed-by: Mika Kahola <mika.kahola(a)intel.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> --- drivers/gpu/drm/i915/display/intel_tc.c | 57 +++++++++++++++++++++---- 1 file changed, 48 insertions(+), 9 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_tc.c b/drivers/gpu/drm/i915/display/intel_tc.c index d8247d1a8319b..752900f1c115c 100644 --- a/drivers/gpu/drm/i915/display/intel_tc.c +++ b/drivers/gpu/drm/i915/display/intel_tc.c @@ -66,6 +66,7 @@ struct intel_tc_port { enum tc_port_mode init_mode; enum phy_fia phy_fia; u8 phy_fia_idx; + u8 max_lane_count; }; static enum intel_display_power_domain @@ -365,12 +366,12 @@ static int intel_tc_port_get_max_lane_count(struct intel_digital_port *dig_port) } } -int intel_tc_port_max_lane_count(struct intel_digital_port *dig_port) +static int get_max_lane_count(struct intel_tc_port *tc) { - struct intel_display *display = to_intel_display(dig_port); - struct intel_tc_port *tc = to_tc_port(dig_port); + struct intel_display *display = to_intel_display(tc->dig_port); + struct intel_digital_port *dig_port = tc->dig_port; - if (!intel_encoder_is_tc(&dig_port->base) || tc->mode != TC_PORT_DP_ALT) + if (tc->mode != TC_PORT_DP_ALT) return 4; assert_tc_cold_blocked(tc); @@ -384,6 +385,21 @@ int intel_tc_port_max_lane_count(struct intel_digital_port *dig_port) return intel_tc_port_get_max_lane_count(dig_port); } +static void read_pin_configuration(struct intel_tc_port *tc) +{ + tc->max_lane_count = get_max_lane_count(tc); +} + +int intel_tc_port_max_lane_count(struct intel_digital_port *dig_port) +{ + struct intel_tc_port *tc = to_tc_port(dig_port); + + if (!intel_encoder_is_tc(&dig_port->base)) + return 4; + + return get_max_lane_count(tc); +} + void intel_tc_port_set_fia_lane_count(struct intel_digital_port *dig_port, int required_lanes) { @@ -596,9 +612,12 @@ static void icl_tc_phy_get_hw_state(struct intel_tc_port *tc) tc_cold_wref = __tc_cold_block(tc, &domain); tc->mode = tc_phy_get_current_mode(tc); - if (tc->mode != TC_PORT_DISCONNECTED) + if (tc->mode != TC_PORT_DISCONNECTED) { tc->lock_wakeref = tc_cold_block(tc); + read_pin_configuration(tc); + } + __tc_cold_unblock(tc, domain, tc_cold_wref); } @@ -656,8 +675,11 @@ static bool icl_tc_phy_connect(struct intel_tc_port *tc, tc->lock_wakeref = tc_cold_block(tc); - if (tc->mode == TC_PORT_TBT_ALT) + if (tc->mode == TC_PORT_TBT_ALT) { + read_pin_configuration(tc); + return true; + } if ((!tc_phy_is_ready(tc) || !icl_tc_phy_take_ownership(tc, true)) && @@ -668,6 +690,7 @@ static bool icl_tc_phy_connect(struct intel_tc_port *tc, goto out_unblock_tc_cold; } + read_pin_configuration(tc); if (!tc_phy_verify_legacy_or_dp_alt_mode(tc, required_lanes)) goto out_release_phy; @@ -858,9 +881,12 @@ static void adlp_tc_phy_get_hw_state(struct intel_tc_port *tc) port_wakeref = intel_display_power_get(display, port_power_domain); tc->mode = tc_phy_get_current_mode(tc); - if (tc->mode != TC_PORT_DISCONNECTED) + if (tc->mode != TC_PORT_DISCONNECTED) { tc->lock_wakeref = tc_cold_block(tc); + read_pin_configuration(tc); + } + intel_display_power_put(display, port_power_domain, port_wakeref); } @@ -873,6 +899,9 @@ static bool adlp_tc_phy_connect(struct intel_tc_port *tc, int required_lanes) if (tc->mode == TC_PORT_TBT_ALT) { tc->lock_wakeref = tc_cold_block(tc); + + read_pin_configuration(tc); + return true; } @@ -894,6 +923,8 @@ static bool adlp_tc_phy_connect(struct intel_tc_port *tc, int required_lanes) tc->lock_wakeref = tc_cold_block(tc); + read_pin_configuration(tc); + if (!tc_phy_verify_legacy_or_dp_alt_mode(tc, required_lanes)) goto out_unblock_tc_cold; @@ -1124,9 +1155,12 @@ static void xelpdp_tc_phy_get_hw_state(struct intel_tc_port *tc) tc_cold_wref = __tc_cold_block(tc, &domain); tc->mode = tc_phy_get_current_mode(tc); - if (tc->mode != TC_PORT_DISCONNECTED) + if (tc->mode != TC_PORT_DISCONNECTED) { tc->lock_wakeref = tc_cold_block(tc); + read_pin_configuration(tc); + } + drm_WARN_ON(display->drm, (tc->mode == TC_PORT_DP_ALT || tc->mode == TC_PORT_LEGACY) && !xelpdp_tc_phy_tcss_power_is_enabled(tc)); @@ -1138,14 +1172,19 @@ static bool xelpdp_tc_phy_connect(struct intel_tc_port *tc, int required_lanes) { tc->lock_wakeref = tc_cold_block(tc); - if (tc->mode == TC_PORT_TBT_ALT) + if (tc->mode == TC_PORT_TBT_ALT) { + read_pin_configuration(tc); + return true; + } if (!xelpdp_tc_phy_enable_tcss_power(tc, true)) goto out_unblock_tccold; xelpdp_tc_phy_take_ownership(tc, true); + read_pin_configuration(tc); + if (!tc_phy_verify_legacy_or_dp_alt_mode(tc, required_lanes)) goto out_release_phy; -- 2.49.1

2 weeks, 3 days

1
0
0 0

[CI 1/5] drm/i915/lnl+/tc: Fix handling of an enabled/disconnected dp-alt sink

by Imre Deak

The TypeC PHY HW readout during driver loading and system resume determines which TypeC mode the PHY is in (legacy/DP-alt/TBT-alt) and whether the PHY is connected, based on the PHY's Owned and Ready flags. For the PHY to be in DP-alt or legacy mode and for the PHY to be in the connected state in these modes, both the Owned (set by the BIOS/driver) and the Ready (set by the HW) flags should be set. On ICL-MTL the HW kept the PHY's Ready flag set after the driver connected the PHY by acquiring the PHY ownership (by setting the Owned flag), until the driver disconnected the PHY by releasing the PHY ownership (by clearing the Owned flag). On LNL+ this has changed, in that the HW clears the Ready flag as soon as the sink gets disconnected, even if the PHY ownership was acquired already and hence the PHY is being used by the display. When inheriting the HW state from BIOS for a PHY connected in DP-alt mode on which the sink got disconnected - i.e. in a case where the sink was connected while BIOS/GOP was running and so the sink got enabled connecting the PHY, but the user disconnected the sink by the time the driver loaded - the PHY Owned but not Ready state must be accounted for on LNL+ according to the above. Do that by assuming on LNL+ that the PHY is connected in DP-alt mode whenever the PHY Owned flag is set, regardless of the PHY Ready flag. This fixes a problem on LNL+, where the PHY TypeC mode / connected state was detected incorrectly for a DP-alt sink, which got connected and then disconnected by the user in the above way. v2: Rename tc_phy_in_legacy_or_dp_alt_mode() to tc_phy_owned_by_display(). (Luca, Jani) Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: stable(a)vger.kernel.org # v6.8+ Reported-by: Charlton Lin <charlton.lin(a)intel.com> Tested-by: Khaled Almahallawy <khaled.almahallawy(a)intel.com> Reviewed-by: Mika Kahola <mika.kahola(a)intel.com> Reviewed-by: Luca Coelho <luciano.coelho(a)intel.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> --- drivers/gpu/drm/i915/display/intel_tc.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_tc.c b/drivers/gpu/drm/i915/display/intel_tc.c index 3bc57579fe53e..d8247d1a8319b 100644 --- a/drivers/gpu/drm/i915/display/intel_tc.c +++ b/drivers/gpu/drm/i915/display/intel_tc.c @@ -1226,14 +1226,18 @@ static void tc_phy_get_hw_state(struct intel_tc_port *tc) tc->phy_ops->get_hw_state(tc); } -static bool tc_phy_is_ready_and_owned(struct intel_tc_port *tc, - bool phy_is_ready, bool phy_is_owned) +static bool tc_phy_owned_by_display(struct intel_tc_port *tc, + bool phy_is_ready, bool phy_is_owned) { struct intel_display *display = to_intel_display(tc->dig_port); - drm_WARN_ON(display->drm, phy_is_owned && !phy_is_ready); + if (DISPLAY_VER(display) < 20) { + drm_WARN_ON(display->drm, phy_is_owned && !phy_is_ready); - return phy_is_ready && phy_is_owned; + return phy_is_ready && phy_is_owned; + } else { + return phy_is_owned; + } } static bool tc_phy_is_connected(struct intel_tc_port *tc, @@ -1244,7 +1248,7 @@ static bool tc_phy_is_connected(struct intel_tc_port *tc, bool phy_is_owned = tc_phy_is_owned(tc); bool is_connected; - if (tc_phy_is_ready_and_owned(tc, phy_is_ready, phy_is_owned)) + if (tc_phy_owned_by_display(tc, phy_is_ready, phy_is_owned)) is_connected = port_pll_type == ICL_PORT_DPLL_MG_PHY; else is_connected = port_pll_type == ICL_PORT_DPLL_DEFAULT; @@ -1352,7 +1356,7 @@ tc_phy_get_current_mode(struct intel_tc_port *tc) phy_is_ready = tc_phy_is_ready(tc); phy_is_owned = tc_phy_is_owned(tc); - if (!tc_phy_is_ready_and_owned(tc, phy_is_ready, phy_is_owned)) { + if (!tc_phy_owned_by_display(tc, phy_is_ready, phy_is_owned)) { mode = get_tc_mode_in_phy_not_owned_state(tc, live_mode); } else { drm_WARN_ON(display->drm, live_mode == TC_PORT_TBT_ALT); -- 2.49.1

2 weeks, 3 days

1
0
0 0

[PATCH] uio_hv_generic: Fix another memory leak in error handling paths

by Shivani Agarwal

From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> commit 0b0226be3a52dadd965644bc52a807961c2c26df upstream. Memory allocated by 'vmbus_alloc_ring()' at the beginning of the probe function is never freed in the error handling path. Add the missing 'vmbus_free_ring()' call. Note that it is already freed in the .remove function. Fixes: cdfa835c6e5e ("uio_hv_generic: defer opening vmbus until first use") Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Link: https://lore.kernel.org/r/0d86027b8eeed8e6360bc3d52bcdb328ff9bdca1.16205440… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Shivani: Modified to apply on 5.10.y] Signed-off-by: Shivani Agarwal <shivani.agarwal(a)broadcom.com> --- drivers/uio/uio_hv_generic.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c index 6625d340f..865a5b289 100644 --- a/drivers/uio/uio_hv_generic.c +++ b/drivers/uio/uio_hv_generic.c @@ -306,7 +306,7 @@ hv_uio_probe(struct hv_device *dev, pdata->recv_buf = vzalloc(RECV_BUFFER_SIZE); if (pdata->recv_buf == NULL) { ret = -ENOMEM; - goto fail_close; + goto fail_free_ring; } ret = vmbus_establish_gpadl(channel, pdata->recv_buf, @@ -366,6 +366,8 @@ hv_uio_probe(struct hv_device *dev, fail_close: hv_uio_cleanup(dev, pdata); +fail_free_ring: + vmbus_free_ring(dev->channel); return ret; }

2 weeks, 3 days

1
0
0 0

from pipe fitting factory source

by selene

2 weeks, 3 days

1
0
0 0

[PATCH] HID: multitouch: fix integer overflow in set_abs()

by Qasim Ijaz

It is possible for a malicious HID device to trigger a signed integer overflow (undefined behaviour) in set_abs() in the following expression by supplying bogus logical maximum and minimum values: int fuzz = snratio ? (fmax - fmin) / snratio : 0; For example, if the logical_maximum is INT_MAX and logical_minimum is -1 then (fmax - fmin) resolves to INT_MAX + 1, which does not fit in a 32-bit signed int, so the subtraction overflows. Fix this by computing the difference in a 64 bit context. Fixes: 5519cab477b6 ("HID: hid-multitouch: support for PixCir-based panels") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> --- drivers/hid/hid-multitouch.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c index 22c6314a8843..687638ed6d0f 100644 --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -540,7 +540,8 @@ static void set_abs(struct input_dev *input, unsigned int code, { int fmin = field->logical_minimum; int fmax = field->logical_maximum; - int fuzz = snratio ? (fmax - fmin) / snratio : 0; + s64 diff = (s64)fmax - (s64)fmin; + int fuzz = snratio ? (int)div_s64(diff, snratio) : 0; input_set_abs_params(input, code, fmin, fmax, fuzz, 0); input_abs_set_res(input, code, hidinput_calc_abs_res(field, code)); } -- 2.39.5

2 weeks, 4 days

2
4
0 0

[PATCH AUTOSEL 6.16-5.10] block: avoid possible overflow for chunk_sectors check in blk_stack_limits()

by Sasha Levin

From: John Garry <john.g.garry(a)oracle.com> [ Upstream commit 448dfecc7ff807822ecd47a5c052acedca7d09e8 ] In blk_stack_limits(), we check that the t->chunk_sectors value is a multiple of the t->physical_block_size value. However, by finding the chunk_sectors value in bytes, we may overflow the unsigned int which holds chunk_sectors, so change the check to be based on sectors. Reviewed-by: Hannes Reinecke <hare(a)suse.de> Reviewed-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: John Garry <john.g.garry(a)oracle.com> Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org> Link: https://lore.kernel.org/r/20250729091448.1691334-2-john.g.garry@oracle.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: **Backport Status: YES** ## Extensive Analysis This commit should be backported to stable kernel trees for the following reasons: ### 1. **It fixes a real integer overflow bug** The original code performs `(t->chunk_sectors << 9)` which can cause an integer overflow. Since both `chunk_sectors` and `physical_block_size` are `unsigned int` (32-bit), when `chunk_sectors` is larger than 8,388,607 (2^23 - 1), shifting it left by 9 bits (multiplying by 512) will overflow the 32-bit unsigned integer. This overflow can lead to incorrect alignment checks. ### 2. **The fix is minimal and contained** The change is a single-line modification that replaces: ```c if ((t->chunk_sectors << 9) & (t->physical_block_size - 1)) ``` with: ```c if (t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT)) ``` This mathematically equivalent check avoids the overflow by dividing `physical_block_size` by the sector size (512 bytes) instead of multiplying `chunk_sectors` by 512. ### 3. **It's a correctness issue in critical block layer code** The `blk_stack_limits()` function is fundamental to the block layer's device stacking functionality, used by MD, DM, and other stacked block devices. An overflow here could lead to: - Incorrect alignment detection - Improper chunk_sectors being cleared when it shouldn't be - Potential data corruption or I/O errors in stacked block devices ### 4. **The fix has low regression risk** - The new calculation is mathematically equivalent to the intended check - It only changes how the comparison is performed, not the logic - The fix has been reviewed by multiple maintainers (Hannes Reinecke, Martin K. Petersen, Damien Le Moal) - No new features or architectural changes are introduced ### 5. **Real-world impact potential** Modern storage devices can have large chunk sizes. For example: - NVMe devices with large zones could have chunk_sectors approaching or exceeding the overflow threshold - RAID configurations with large stripe sizes - This becomes more likely as storage devices grow in capacity and complexity ### 6. **Follows stable kernel criteria** According to stable kernel rules, this qualifies because it: - Fixes a bug that users can potentially hit - Is obviously correct and tested - Is small (single line change) - Fixes only one thing - Has no dependencies on other patches The commit message clearly describes the problem (overflow in unsigned int) and the solution (changing the check to avoid overflow). The fix maintains the same semantic meaning while being overflow-safe, making it an ideal candidate for stable backporting. block/blk-settings.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/block/blk-settings.c b/block/blk-settings.c index a000daafbfb4..88890e904320 100644 --- a/block/blk-settings.c +++ b/block/blk-settings.c @@ -779,7 +779,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b, } /* chunk_sectors a multiple of the physical block size? */ - if ((t->chunk_sectors << 9) & (t->physical_block_size - 1)) { + if (t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT)) { t->chunk_sectors = 0; t->flags |= BLK_FLAG_MISALIGNED; ret = -1; -- 2.39.5

2 weeks, 4 days

1
15
0 0

[PATCH v3] mm/damon/core: fix commit_ops_filters by using correct nth function

by Sang-Heon Jeon

damos_commit_ops_filters() incorrectly uses damos_nth_filter() which iterates core_filters. As a result, performing a commit unintentionally corrupts ops_filters. Add damos_nth_ops_filter() which iterates ops_filters. Use this function to fix issues caused by wrong iteration. Fixes: 3607cc590f18 ("mm/damon/core: support committing ops_filters") # 6.15.x Cc: stable(a)vger.kernel.org Signed-off-by: Sang-Heon Jeon <ekffu200098(a)gmail.com> --- mm/damon/core.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/mm/damon/core.c b/mm/damon/core.c index 883d791a10e5..19c8f01fc81a 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -862,6 +862,18 @@ static struct damos_filter *damos_nth_filter(int n, struct damos *s) return NULL; } +static struct damos_filter *damos_nth_ops_filter(int n, struct damos *s) +{ + struct damos_filter *filter; + int i = 0; + + damos_for_each_ops_filter(filter, s) { + if (i++ == n) + return filter; + } + return NULL; +} + static void damos_commit_filter_arg( struct damos_filter *dst, struct damos_filter *src) { @@ -925,7 +937,7 @@ static int damos_commit_ops_filters(struct damos *dst, struct damos *src) int i = 0, j = 0; damos_for_each_ops_filter_safe(dst_filter, next, dst) { - src_filter = damos_nth_filter(i++, src); + src_filter = damos_nth_ops_filter(i++, src); if (src_filter) damos_commit_filter(dst_filter, src_filter); else -- 2.43.0

2 weeks, 4 days

2
2
0 0

[PATCH v2] mm/damon/core: fix commit_ops_filters by using correct nth function

by Sang-Heon Jeon

damos_commit_ops_filters() incorrectly uses damos_nth_filter() which iterates core_filters. As a result, performing a commit unintentionally corrupts ops_filters. Add damos_nth_ops_filter() which iterates ops_filters. Use this function to fix issues caused by wrong iteration. Also, add test to verify that modification is right way. Fixes: 3607cc590f18 ("mm/damon/core: support committing ops_filters") # 6.15.x Cc: stable(a)vger.kernel.org Signed-off-by: Sang-Heon Jeon <ekffu200098(a)gmail.com> --- Changes from v1 [1]: 1. Fix code and commit message style. 2. Merge patch set into one patch. 3. Add fixes and cc section for backporting. [1] https://lore.kernel.org/damon/20250808195518.563053-1-ekffu200098@gmail.com/ --- I tried to fix your all comments, but maybe i miss something. Then please let me know; I'll fix it as soon as possible. --- mm/damon/core.c | 14 +++- tools/testing/selftests/damon/Makefile | 1 + .../damon/sysfs_no_op_commit_break.py | 72 +++++++++++++++++++ 3 files changed, 86 insertions(+), 1 deletion(-) create mode 100755 tools/testing/selftests/damon/sysfs_no_op_commit_break.py diff --git a/mm/damon/core.c b/mm/damon/core.c index 883d791a10e5..19c8f01fc81a 100644 --- a/mm/damon/core.c +++ b/mm/damon/core.c @@ -862,6 +862,18 @@ static struct damos_filter *damos_nth_filter(int n, struct damos *s) return NULL; } +static struct damos_filter *damos_nth_ops_filter(int n, struct damos *s) +{ + struct damos_filter *filter; + int i = 0; + + damos_for_each_ops_filter(filter, s) { + if (i++ == n) + return filter; + } + return NULL; +} + static void damos_commit_filter_arg( struct damos_filter *dst, struct damos_filter *src) { @@ -925,7 +937,7 @@ static int damos_commit_ops_filters(struct damos *dst, struct damos *src) int i = 0, j = 0; damos_for_each_ops_filter_safe(dst_filter, next, dst) { - src_filter = damos_nth_filter(i++, src); + src_filter = damos_nth_ops_filter(i++, src); if (src_filter) damos_commit_filter(dst_filter, src_filter); else diff --git a/tools/testing/selftests/damon/Makefile b/tools/testing/selftests/damon/Makefile index 5b230deb19e8..44a4a819df55 100644 --- a/tools/testing/selftests/damon/Makefile +++ b/tools/testing/selftests/damon/Makefile @@ -17,6 +17,7 @@ TEST_PROGS += reclaim.sh lru_sort.sh TEST_PROGS += sysfs_update_removed_scheme_dir.sh TEST_PROGS += sysfs_update_schemes_tried_regions_hang.py TEST_PROGS += sysfs_memcg_path_leak.sh +TEST_PROGS += sysfs_no_op_commit_break.py EXTRA_CLEAN = __pycache__ diff --git a/tools/testing/selftests/damon/sysfs_no_op_commit_break.py b/tools/testing/selftests/damon/sysfs_no_op_commit_break.py new file mode 100755 index 000000000000..fbefb1c83045 --- /dev/null +++ b/tools/testing/selftests/damon/sysfs_no_op_commit_break.py @@ -0,0 +1,72 @@ +#!/usr/bin/env python3 +# SPDX-License-Identifier: GPL-2.0 + +import json +import os +import subprocess +import sys + +import _damon_sysfs + +def dump_damon_status_dict(pid): + try: + subprocess.check_output(['which', 'drgn'], stderr=subprocess.DEVNULL) + except: + return None, 'drgn not found' + file_dir = os.path.dirname(os.path.abspath(__file__)) + dump_script = os.path.join(file_dir, 'drgn_dump_damon_status.py') + rc = subprocess.call(['drgn', dump_script, pid, 'damon_dump_output'], + stderr=subprocess.DEVNULL) + + if rc != 0: + return None, f'drgn fail: return code({rc})' + try: + with open('damon_dump_output', 'r') as f: + return json.load(f), None + except Exception as e: + return None, 'json.load fail (%s)' % e + +def main(): + kdamonds = _damon_sysfs.Kdamonds( + [_damon_sysfs.Kdamond( + contexts=[_damon_sysfs.DamonCtx( + schemes=[_damon_sysfs.Damos( + ops_filters=[ + _damon_sysfs.DamosFilter( + type_='anon', + matching=True, + allow=True, + ) + ] + )], + )])] + ) + + err = kdamonds.start() + if err is not None: + print('kdamond start failed: %s' % err) + exit(1) + + before_commit_status, err = \ + dump_damon_status_dict(kdamonds.kdamonds[0].pid) + if err is not None: + print(err) + exit(1) + + kdamonds.kdamonds[0].commit() + + after_commit_status, err = \ + dump_damon_status_dict(kdamonds.kdamonds[0].pid) + if err is not None: + print(err) + exit(1) + + if before_commit_status != after_commit_status: + print(f'before: {json.dump(before_commit_status, indent=2)}') + print(f'after: {json.dump(after_commit_status, indent=2)}') + exit(1) + + kdamonds.stop() + +if __name__ == '__main__': + main() -- 2.43.0

2 weeks, 4 days

2
2
0 0

[PATCH 5.4 000/204] 5.4.294-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.294 release. There are 204 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 04 Jun 2025 13:42:20 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.294-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.294-rc1 Juergen Gross <jgross(a)suse.com> xen/swiotlb: relax alignment requirements Mark Pearson <mpearson-lenovo(a)squebb.ca> platform/x86: thinkpad_acpi: Ignore battery threshold change event notification Valtteri Koskivuori <vkoskiv(a)gmail.com> platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys Alessandro Grassi <alessandro.grassi(a)mailbox.org> spi: spi-sun4i: fix early activation Masahiro Yamada <masahiroy(a)kernel.org> um: let 'make clean' properly clean underlying SUBARCH as well John Chau <johnchau(a)0atlas.com> platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS Jeff Layton <jlayton(a)kernel.org> nfs: don't share pNFS DS connections between net namespaces Milton Barrera <miltonjosue2001(a)gmail.com> HID: quirks: Add ADATA XPG alpha wireless mouse support Christian Brauner <brauner(a)kernel.org> coredump: hand a pidfd to the usermode coredump helper Christian Brauner <brauner(a)kernel.org> fork: use pidfd_prepare() Christian Brauner <brauner(a)kernel.org> pid: add pidfd_prepare() Christian Brauner <christian.brauner(a)ubuntu.com> pidfd: check pid has attached task in fdinfo Christian Brauner <brauner(a)kernel.org> coredump: fix error handling for replace_fd() Pedro Tammela <pctammela(a)mojatatu.com> net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Wang Zhaolong <wangzhaolong1(a)huawei.com> smb: client: Reset all search buffer pointers when releasing buffer Wang Zhaolong <wangzhaolong1(a)huawei.com> smb: client: Fix use-after-free in cifs_fill_dirent Jani Nikula <jani.nikula(a)intel.com> drm/i915/gvt: fix unterminated-string-initialization warning Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: do not defer rule destruction via call_rcu Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: wait for rcu grace period on net_device removal Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx Nathan Chancellor <nathan(a)kernel.org> kbuild: Disable -Wdefault-const-init-unsafe Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-dspi: restrict register range for regmap access Tianyang Zhang <zhangtianyang(a)loongson.cn> mm/page_alloc.c: avoid infinite retries caused by cpuset race Breno Leitao <leitao(a)debian.org> memcg: always call cond_resched() after fn() feijuan.li <feijuan.li(a)samsung.com> drm/edid: fixed the bug that hdr metadata was not reset Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> llc: fix data loss when reading from a socket in llc_ui_recvmsg() Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Fix race of buffer access at PCM OSS layer Oliver Hartkopp <socketcan(a)hartkopp.net> can: bcm: add missing rcu read protection for procfs content Oliver Hartkopp <socketcan(a)hartkopp.net> can: bcm: add locking for bcm_op runtime updates Ivan Pravdin <ipravdin.official(a)gmail.com> crypto: algif_hash - fix double free in hash_accept Cong Wang <xiyou.wangcong(a)gmail.com> sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() Paul Kocialkowski <paulk(a)sys-base.io> net: dwmac-sun8i: Use parsed internal PHY address instead of 1 Ido Schimmel <idosch(a)nvidia.com> bridge: netfilter: Fix forwarding of fragmented packets Paul Chaignon <paul.chaignon(a)gmail.com> xfrm: Sanitize marks before insert Al Viro <viro(a)zeniv.linux.org.uk> __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Allow PVH dom0 a non-local xenstore Goldwyn Rodrigues <rgoldwyn(a)suse.de> btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref Alistair Francis <alistair.francis(a)wdc.com> nvmet-tcp: don't restore null sk_state_change Takashi Iwai <tiwai(a)suse.de> ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> pinctrl: meson: define the pull up/down resistor value as 60 kOhm Jessica Zhang <quic_jesszhan(a)quicinc.com> drm: Add valid clones check Simona Vetter <simona.vetter(a)ffwll.ch> drm/atomic: clarify the rules around drm_atomic_state->allow_modeset Isaac Scott <isaac.scott(a)ideasonboard.com> regulator: ad5398: Add device tree support Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate Viktor Malik <vmalik(a)redhat.com> bpftool: Fix readlink usage in get_fd_type junan <junan76(a)163.com> HID: usbkbd: Fix the bit shift number for LED_KANA Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Restore some drive settings after reset Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine Ankur Arora <ankur.a.arora(a)oracle.com> rcu: fix header guard for rcu_all_qs() Ankur Arora <ankur.a.arora(a)oracle.com> rcu: handle quiescent states for PREEMPT_RCU=n, PREEMPT_COUNT=y Ido Schimmel <idosch(a)nvidia.com> vxlan: Annotate FDB data races Andrey Vatoropin <a.vatoropin(a)crpt.ru> hwmon: (xgene-hwmon) use appropriate type for the latency value Kuniyuki Iwashima <kuniyu(a)amazon.com> ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure(). William Tu <witu(a)nvidia.com> net/mlx5e: reduce rep rxq depth to 256 for ECPF William Tu <witu(a)nvidia.com> net/mlx5e: set the tx_queue_len for pfifo_fast Alexei Lazar <alazar(a)nvidia.com> net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> phy: core: don't require set_mode() callback for phy_get_mode() to work Kees Cook <kees(a)kernel.org> net/mlx4_core: Avoid impossible mlx4_db_alloc() order value Konstantin Andreev <andreev(a)swemel.ru> smack: recognize ipv4 CIPSO w/o categories Valentin Caron <valentin.caron(a)foss.st.com> pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map Martin Povišer <povik+lin(a)cutebit.org> ASoC: ops: Enforce platform maximum on initial value Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5: Apply rate-limiting to high temperature warning Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5: Modify LSB bitmask in temperature event to include only the first bit Xiaofei Tan <tanxiaofei(a)huawei.com> ACPI: HED: Always initialize before evged Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Fix old_size lower bound in calculate_iosize() too Arnd Bergmann <arnd(a)arndb.de> EDAC/ie31200: work around false positive build warning Peter Seiderer <ps.report(a)gmx.net> net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU Shivasharan S <shivasharan.srikanteshwara(a)broadcom.com> scsi: mpt3sas: Send a diag reset if target reset fails Paul Burton <paulburton(a)kernel.org> MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core Bibo Mao <maobibo(a)loongson.cn> MIPS: Use arch specific syscall name match function Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: menu: Avoid discarding useful information Waiman Long <longman(a)redhat.com> x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() Hangbin Liu <liuhangbin(a)gmail.com> bonding: report duplicate MAC address in all situations Arnd Bergmann <arnd(a)arndb.de> net: xgene-v2: remove incorrect ACPI_PTR annotation Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: KFD release_work possible circular locking Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: Avoid report two health errors on same syndrome Kuhanh Murugasen Krishnan <kuhanh.murugasen.krishnan(a)intel.com> fpga: altera-cvp: Increase credit timeout AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence Alexander Stein <alexander.stein(a)ew.tq-group.com> hwmon: (gpio-fan) Add missing mutex locks Breno Leitao <leitao(a)debian.org> x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 Peter Seiderer <ps.report(a)gmx.net> net: pktgen: fix mpls maximum labels list parsing Artur Weber <aweber.kernel(a)gmail.com> pinctrl: bcm281xx: Use "unsigned int" instead of bare "unsigned" Hans Verkuil <hverkuil(a)xs4all.nl> media: cx231xx: set device_caps for 417 Matthew Wilcox (Oracle) <willy(a)infradead.org> orangefs: Do not truncate file size Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: prevent BUG_ON by blocking retries on failed device resumes Markus Elfring <elfring(a)users.sourceforge.net> media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() Svyatoslav Ryhel <clamor95(a)gmail.com> ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114 Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> ieee802154: ca8210: Use proper setters and getters for bitwise types Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: ds1307: stop disabling alarms on probe Andreas Schwab <schwab(a)linux-m68k.org> powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7 Erick Shepherd <erick.shepherd(a)ni.com> mmc: sdhci: Disable SD card clock before changing parameters Nicolas Bouchinet <nicolas.bouchinet(a)ssi.gouv.fr> netfilter: conntrack: Bound nf_conntrack sysctl writes Eric Dumazet <edumazet(a)google.com> posix-timers: Add cond_resched() to posix_timer_add() search loop Frediano Ziglio <frediano.ziglio(a)cloud.com> xen: Add support for XenServer 6.1 platform device Mikulas Patocka <mpatocka(a)redhat.com> dm: restrict dm device size to 2^63-512 bytes Seyediman Seyedarab <imandevel(a)gmail.com> kbuild: fix argument parsing in scripts/config Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: ERASE does not change tape location Kai Mäkisara <Kai.Makisara(a)kolumbus.fi> scsi: st: Tighten the page format heuristics with MODE SELECT Christian Göttsche <cgzones(a)googlemail.com> ext4: reorder capability check last Tiwei Bie <tiwei.btw(a)antgroup.com> um: Update min_low_pfn to match changes in uml_reserved Benjamin Berg <benjamin(a)sipsolutions.net> um: Store full CSGSFS and SS register from mcontext Filipe Manana <fdmanana(a)suse.com> btrfs: send: return -ENAMETOOLONG when attempting a path that is too long Mark Harmstone <maharmstone(a)fb.com> btrfs: avoid linker error in btrfs_find_create_tree_block() Vitalii Mordan <mordan(a)ispras.ru> i2c: pxa: fix call balance of i2c->clk handling routines Erick Shepherd <erick.shepherd(a)ni.com> mmc: host: Wait for Vdd to settle on card power off Robert Richter <rrichter(a)amd.com> libnvdimm/labels: Fix divide error in nd_label_data_init() Trond Myklebust <trond.myklebust(a)hammerspace.com> pNFS/flexfiles: Report ENETDOWN as a connection error Ian Rogers <irogers(a)google.com> tools/build: Don't pass test log files to linker Jing Su <jingsusu(a)didiglobal.com> dql: Fix dql->limit value when reset. Trond Myklebust <trond.myklebust(a)hammerspace.com> SUNRPC: rpc_clnt_set_transport() must not change the autobind setting Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Treat ENETUNREACH errors as fatal for state recovery Zsolt Kajtar <soci(a)c64.rulez.org> fbdev: core: tileblit: Implement missing margin clearing for tileblit Shixiong Ou <oushixiong(a)kylinos.cn> fbdev: fsl-diu-fb: add missing device_remove_file() Tudor Ambarus <tudor.ambarus(a)linaro.org> mailbox: use error ret code of of_parse_phandle_with_args() Daniel Gomez <da.gomez(a)samsung.com> kconfig: merge_config: use an empty file as initfile gaoxu <gaoxu2(a)honor.com> cgroup: Fix compilation issue due to cgroup_mutex not being exported Marek Szyprowski <m.szyprowski(a)samsung.com> dma-mapping: avoid potential unused data compilation warning Dmitry Bogdanov <d.bogdanov(a)yadro.com> scsi: target: iscsi: Fix timeout on deleted connection Eelco Chaudron <echaudro(a)redhat.com> openvswitch: Fix unsafe attribute parsing in output_userspace() Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics - enable SMBus for HP Elitebook 850 G1 Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> phy: renesas: rcar-gen3-usb2: Set timing registers only once Ma Ke <make24(a)iscas.ac.cn> phy: Fix error handling in tegra_xusb_port_init Wentao Liang <vulab(a)iscas.ac.cn> ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() Jeremy Linton <jeremy.linton(a)arm.com> ACPI: PPTT: Fix processor subtable walk Nathan Lynch <nathan.lynch(a)amd.com> dmaengine: Revert "dmaengine: dmatest: Fix dmatest waiting less when interrupted" Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/pnfs: Reset the layout state after a layoutreturn Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4/pnfs: pnfs_set_layout_stateid() should update the layout cred Abdun Nihaal <abdun.nihaal(a)gmail.com> qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() Geert Uytterhoeven <geert+renesas(a)glider.be> ALSA: sh: SND_AICA should depend on SH_DMA_API Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING Geert Uytterhoeven <geert+renesas(a)glider.be> spi: loopback-test: Do not split 1024-byte hexdumps Li Lingfeng <lilingfeng3(a)huawei.com> nfs: handle failure of nfs_get_lock_context in unlock path Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug David Lechner <dlechner(a)baylibre.com> iio: chemical: sps30: use aligned_s64 for timestamp Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7768-1: Fix insufficient alignment of timestamp. Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Correct handling of tx_fifo_depth for size validation Quentin Deslandes <quentin.deslandes(a)itdev.co.uk> staging: axis-fifo: avoid parsing ignored device tree properties Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: axis-fifo: Remove hardware resets for user errors Quentin Deslandes <quentin.deslandes(a)itdev.co.uk> staging: axis-fifo: replace spinlock with mutex Hans de Goede <hdegoede(a)redhat.com> platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection Al Viro <viro(a)zeniv.linux.org.uk> do_umount(): add missing barrier before refcount checks in sync case Daniel Wagner <wagi(a)kernel.org> nvme: unblock ctrl state transition for firmware update Thorsten Blum <thorsten.blum(a)linux.dev> MIPS: Fix MAX_REG_OFFSET Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: dln2: Use aligned_s64 for timestamp Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> types: Complement the aligned types with signed 64-bit one Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous generic_read ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous wait_srq ioctl return Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix erroneous get_stb ioctl error returns Oliver Neukum <oneukum(a)suse.com> USB: usbtmc: use interruptible sleep in usbtmc_read Andrei Kuchynski <akuchynski(a)chromium.org> usb: typec: ucsi: displayport: Fix NULL pointer access RD Babiera <rdbabiera(a)google.com> usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition Jan Kara <jack(a)suse.cz> ocfs2: stop quota recovery before disabling quotas Jan Kara <jack(a)suse.cz> ocfs2: implement handshaking with ocfs2 recovery thread Jan Kara <jack(a)suse.cz> ocfs2: switch osb->disable_recovery to enum Dmitry Antipov <dmantipov(a)yandex.ru> module: ensure that kobject_put() is safe for module type kobjects Jason Andryuk <jason.andryuk(a)amd.com> xenbus: Use kref to track req lifetime Alexey Charkov <alchark(a)gmail.com> usb: uhci-platform: Make the clock really optional Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Silvano Seva <s.seva(a)4sigma.it> iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Gabriel Shahrouzi <gshahrouzi(a)gmail.com> iio: adis16201: Correct inclinometer channel resolution Angelo Dureghello <adureghello(a)baylibre.com> iio: adc: ad7606: fix serial register access Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: adc: ad7816: Correct conditional logic for store mode Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dell Precision M3800 Aditya Garg <gargaditya08(a)live.com> Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Manuel Fombuena <fombuena(a)outlook.com> Input: synaptics - enable InterTouch on Dynabook Portege X30-D Jonas Gorski <jonas.gorski(a)gmail.com> net: dsa: b53: fix learning on VLAN unaware bridges Jozsef Kadlecsik <kadlec(a)netfilter.org> netfilter: ipset: fix region locking in hash types Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_deactivate() idempotent Mike Christie <michael.christie(a)oracle.com> scsi: target: Fix WRITE_SAME No Data Buffer crash Tudor Ambarus <tudor.ambarus(a)linaro.org> dm: fix copying after src array boundaries Pavel Paklov <Pavel.Paklov(a)cyberprotect.ru> iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: fix iface clock-name on px30 iommus Fedor Pchelkin <pchelkin(a)ispras.ru> usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling Alexander Stein <alexander.stein(a)ew.tq-group.com> usb: chipidea: ci_hdrc_imx: use dev_err_probe() Peter Chen <peter.chen(a)nxp.com> usb: chipidea: imx: refine the error handling for hsic Peter Chen <peter.chen(a)nxp.com> usb: chipidea: imx: change hsic power regulator as optional Suzuki K Poulose <suzuki.poulose(a)arm.com> irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() Thomas Gleixner <tglx(a)linutronix.de> irqchip/gic-v2m: Mark a few functions __init Xiang wangx <wangxiang(a)cdjrlc.com> irqchip/gic-v2m: Add const to of_device_id Cong Wang <xiyou.wangcong(a)gmail.com> sch_htb: make htb_qlen_notify() idempotent Sergey Shtylyov <s.shtylyov(a)omp.ru> of: module: add buffer overflow check in of_modalias() Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Skip controller_id generation logic for i.MX7D Mattias Barthel <mattias.barthel(a)atlascopco.com> net: fec: ERR007885 Workaround for conventional TX Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: Fix memleak issue when GSO enabled Alexey Denisov <rtgbnm(a)gmail.com> lan743x: fix endianness when accessing descriptors Colin Ian King <colin.king(a)canonical.com> lan743x: remove redundant initialization of variable current_head_index Michael Liang <mliang(a)purestorage.com> nvme-tcp: fix premature queue removal and I/O failover Simon Horman <horms(a)kernel.org> net: dlink: Correct endianness handling of led_mode Victor Nogueira <victor(a)mojatatu.com> net_sched: qfq: Fix double list add in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc Victor Nogueira <victor(a)mojatatu.com> net_sched: drr: Fix double list add in class with netem as child qdisc Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: E-Switch, Initialize MAC Address for Default GID Jeongjun Park <aha310510(a)gmail.com> tracing: Fix oob write in trace_seq_to_buffer() Benjamin Marzinski <bmarzins(a)redhat.com> dm: always update the array size in realloc_argv on success Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a warning on invalid table line Wentao Liang <vulab(a)iscas.ac.cn> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() Vishal Badole <Vishal.Badole(a)amd.com> amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload Helge Deller <deller(a)gmx.de> parisc: Fix double SIGFPE crash Clark Wang <xiaoning.wang(a)nxp.com> i2c: imx-lpi2c: Fix clock count when probe defers Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Set DDR and SDMMC interrupt mask before registration Niravkumar L Rabara <niravkumar.l.rabara(a)altera.com> EDAC/altera: Test the correct error reg offset ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 2 + Makefile | 16 +- arch/arm/boot/dts/tegra114.dtsi | 2 +- arch/arm64/boot/dts/rockchip/px30.dtsi | 4 +- arch/mips/include/asm/ftrace.h | 16 + arch/mips/include/asm/ptrace.h | 3 +- arch/mips/kernel/pm-cps.c | 30 +- arch/parisc/math-emu/driver.c | 16 +- arch/powerpc/kernel/prom_init.c | 4 +- arch/um/Makefile | 1 + arch/um/kernel/mem.c | 1 + arch/x86/include/asm/nmi.h | 2 + arch/x86/kernel/cpu/bugs.c | 10 +- arch/x86/kernel/nmi.c | 42 +++ arch/x86/kernel/reboot.c | 10 +- arch/x86/um/os-Linux/mcontext.c | 3 +- crypto/algif_hash.c | 4 - drivers/acpi/Kconfig | 2 +- drivers/acpi/hed.c | 7 +- drivers/acpi/pptt.c | 11 +- drivers/clocksource/i8253.c | 6 +- drivers/cpuidle/governors/menu.c | 13 +- drivers/dma/dmatest.c | 6 +- drivers/edac/altera_edac.c | 9 +- drivers/edac/altera_edac.h | 2 + drivers/edac/ie31200_edac.c | 28 +- drivers/fpga/altera-cvp.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 16 +- drivers/gpu/drm/drm_atomic_helper.c | 28 ++ drivers/gpu/drm/drm_edid.c | 1 + drivers/gpu/drm/i915/gvt/opregion.c | 8 +- drivers/gpu/drm/mediatek/mtk_dpi.c | 5 +- drivers/hid/hid-ids.h | 4 + drivers/hid/hid-quirks.c | 2 + drivers/hid/usbhid/usbkbd.c | 2 +- drivers/hwmon/gpio-fan.c | 16 +- drivers/hwmon/xgene-hwmon.c | 2 +- drivers/i2c/busses/i2c-imx-lpi2c.c | 4 +- drivers/i2c/busses/i2c-pxa.c | 5 +- drivers/iio/accel/adis16201.c | 4 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/iio/adc/ad7768-1.c | 2 +- drivers/iio/adc/dln2-adc.c | 2 +- drivers/iio/chemical/sps30.c | 2 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 + drivers/infiniband/sw/rxe/rxe_cq.c | 5 +- drivers/input/mouse/synaptics.c | 5 + drivers/iommu/amd_iommu_init.c | 8 + drivers/irqchip/irq-gic-v2m.c | 8 +- drivers/mailbox/mailbox.c | 7 +- drivers/md/dm-cache-target.c | 24 ++ drivers/md/dm-integrity.c | 2 +- drivers/md/dm-table.c | 9 +- .../media/platform/sti/c8sectpfe/c8sectpfe-core.c | 3 +- drivers/media/usb/cx231xx/cx231xx-417.c | 2 + drivers/mmc/host/sdhci-pci-core.c | 6 +- drivers/mmc/host/sdhci.c | 9 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/dsa/b53/b53_common.c | 2 +- drivers/net/dsa/sja1105/sja1105_main.c | 6 +- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 +- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 + drivers/net/ethernet/apm/xgene-v2/main.c | 4 +- drivers/net/ethernet/dlink/dl2k.c | 2 +- drivers/net/ethernet/dlink/dl2k.h | 2 +- drivers/net/ethernet/freescale/fec_main.c | 7 +- drivers/net/ethernet/mellanox/mlx4/alloc.c | 6 +- drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 5 + .../net/ethernet/mellanox/mlx5/core/en_selftest.c | 3 + drivers/net/ethernet/mellanox/mlx5/core/events.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/health.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 2 +- drivers/net/ethernet/microchip/lan743x_main.c | 75 ++-- drivers/net/ethernet/microchip/lan743x_main.h | 21 +- .../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 7 +- drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 2 +- drivers/net/ieee802154/ca8210.c | 9 +- drivers/net/vxlan.c | 18 +- .../net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 +- drivers/net/wireless/realtek/rtw88/main.c | 17 +- drivers/net/wireless/realtek/rtw88/rtw8822b.c | 14 +- drivers/nvdimm/label.c | 3 +- drivers/nvme/host/core.c | 3 +- drivers/nvme/host/tcp.c | 31 +- drivers/nvme/target/tcp.c | 3 + drivers/of/device.c | 7 +- drivers/pci/controller/dwc/pci-imx6.c | 5 +- drivers/pci/setup-bus.c | 6 +- drivers/phy/phy-core.c | 7 +- drivers/phy/renesas/phy-rcar-gen3-usb2.c | 7 +- drivers/phy/tegra/xusb.c | 8 +- drivers/pinctrl/bcm/pinctrl-bcm281xx.c | 44 +-- drivers/pinctrl/devicetree.c | 10 +- drivers/pinctrl/meson/pinctrl-meson.c | 2 +- drivers/platform/x86/asus-wmi.c | 3 +- drivers/platform/x86/fujitsu-laptop.c | 33 +- drivers/platform/x86/thinkpad_acpi.c | 7 + drivers/regulator/ad5398.c | 12 +- drivers/rtc/rtc-ds1307.c | 4 +- drivers/scsi/lpfc/lpfc_hbadisc.c | 17 +- drivers/scsi/mpt3sas/mpt3sas_ctl.c | 12 +- drivers/scsi/st.c | 29 +- drivers/scsi/st.h | 2 + drivers/spi/spi-fsl-dspi.c | 20 +- drivers/spi/spi-loopback-test.c | 2 +- drivers/spi/spi-sun4i.c | 5 +- drivers/staging/axis-fifo/axis-fifo.c | 417 ++++++++------------- drivers/staging/axis-fifo/axis-fifo.txt | 18 +- drivers/staging/iio/adc/ad7816.c | 2 +- drivers/target/iscsi/iscsi_target.c | 2 +- drivers/target/target_core_file.c | 3 + drivers/target/target_core_iblock.c | 4 + drivers/target/target_core_sbc.c | 6 + drivers/usb/chipidea/ci_hdrc_imx.c | 42 ++- drivers/usb/class/usbtmc.c | 59 +-- drivers/usb/host/uhci-platform.c | 2 +- drivers/usb/typec/tcpm/tcpm.c | 2 +- drivers/usb/typec/ucsi/displayport.c | 2 + drivers/video/fbdev/core/tileblit.c | 37 +- drivers/video/fbdev/fsl-diu-fb.c | 1 + drivers/xen/platform-pci.c | 4 + drivers/xen/swiotlb-xen.c | 18 +- drivers/xen/xenbus/xenbus.h | 2 + drivers/xen/xenbus/xenbus_comms.c | 9 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- drivers/xen/xenbus/xenbus_probe.c | 14 +- drivers/xen/xenbus/xenbus_xs.c | 18 +- fs/btrfs/extent_io.c | 7 +- fs/btrfs/send.c | 6 +- fs/cifs/readdir.c | 7 +- fs/coredump.c | 80 +++- fs/ext4/balloc.c | 4 +- fs/namespace.c | 9 +- fs/nfs/callback_proc.c | 2 +- fs/nfs/filelayout/filelayoutdev.c | 6 +- fs/nfs/flexfilelayout/flexfilelayout.c | 1 + fs/nfs/flexfilelayout/flexfilelayoutdev.c | 6 +- fs/nfs/nfs4proc.c | 9 +- fs/nfs/nfs4state.c | 10 +- fs/nfs/pnfs.c | 29 +- fs/nfs/pnfs.h | 5 +- fs/nfs/pnfs_nfs.c | 9 +- fs/ocfs2/journal.c | 80 ++-- fs/ocfs2/journal.h | 1 + fs/ocfs2/ocfs2.h | 17 +- fs/ocfs2/quota_local.c | 9 +- fs/ocfs2/super.c | 3 + fs/orangefs/inode.c | 7 +- include/drm/drm_atomic.h | 23 +- include/linux/binfmts.h | 1 + include/linux/dma-mapping.h | 12 +- include/linux/mlx4/device.h | 2 +- include/linux/pid.h | 5 + include/linux/rcutree.h | 2 +- include/linux/types.h | 3 +- include/sound/pcm.h | 2 + include/trace/events/btrfs.h | 2 +- include/uapi/linux/types.h | 1 + kernel/cgroup/cgroup.c | 2 +- kernel/fork.c | 108 +++++- kernel/params.c | 4 +- kernel/rcu/tree_plugin.h | 11 +- kernel/time/posix-timers.c | 1 + kernel/trace/trace.c | 5 +- lib/dynamic_queue_limits.c | 2 +- mm/memcontrol.c | 6 +- mm/page_alloc.c | 8 + net/bridge/br_nf_core.c | 7 +- net/bridge/br_private.h | 1 + net/can/bcm.c | 79 ++-- net/core/pktgen.c | 13 +- net/ipv4/fib_rules.c | 4 +- net/ipv6/fib6_rules.c | 4 +- net/llc/af_llc.c | 8 +- net/netfilter/ipset/ip_set_hash_gen.h | 2 +- net/netfilter/nf_conntrack_standalone.c | 12 +- net/netfilter/nf_tables_api.c | 51 ++- net/openvswitch/actions.c | 3 +- net/sched/sch_drr.c | 9 +- net/sched/sch_hfsc.c | 15 +- net/sched/sch_htb.c | 13 +- net/sched/sch_qfq.c | 11 +- net/sunrpc/clnt.c | 3 - net/xfrm/xfrm_policy.c | 3 + net/xfrm/xfrm_state.c | 3 + scripts/config | 26 +- scripts/kconfig/merge_config.sh | 4 +- security/smack/smackfs.c | 4 + sound/core/oss/pcm_oss.c | 3 +- sound/core/pcm_native.c | 11 + sound/pci/es1968.c | 6 +- sound/sh/Kconfig | 2 +- sound/soc/intel/boards/bytcr_rt5640.c | 13 + sound/soc/soc-ops.c | 29 +- tools/bpf/bpftool/common.c | 3 +- tools/build/Makefile.build | 6 +- 198 files changed, 1682 insertions(+), 840 deletions(-)

2 weeks, 4 days

9
236
0 0

[PATCH] riscv: Only allow LTO with CMODEL_MEDANY

by Nathan Chancellor

When building with CONFIG_CMODEL_MEDLOW and CONFIG_LTO_CLANG, there is a series of errors due to some files being unconditionally compiled with '-mcmodel=medany', mismatching with the rest of the kernel built with '-mcmodel=medlow': ld.lld: error: Function Import: link error: linking module flags 'Code Model': IDs have conflicting values: 'i32 3' from vmlinux.a(init.o at 899908), and 'i32 1' from vmlinux.a(net-traces.o at 1014628) Only allow LTO to be performed when CONFIG_CMODEL_MEDANY is enabled to ensure there will be no code model mismatch errors. An alternative solution would be disabling LTO for the files with a different code model than the main kernel like some specialized areas of the kernel do but doing that for individual files is not as sustainable than forbidding the combination altogether. Cc: stable(a)vger.kernel.org Fixes: 021d23428bdb ("RISC-V: build: Allow LTO to be selected") Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202506290255.KBVM83vZ-lkp@intel.com/ Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- arch/riscv/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig index 36061f4732b7..4eee737a050f 100644 --- a/arch/riscv/Kconfig +++ b/arch/riscv/Kconfig @@ -68,7 +68,7 @@ config RISCV select ARCH_SUPPORTS_HUGE_PFNMAP if TRANSPARENT_HUGEPAGE select ARCH_SUPPORTS_HUGETLBFS if MMU # LLD >= 14: https://github.com/llvm/llvm-project/issues/50505 - select ARCH_SUPPORTS_LTO_CLANG if LLD_VERSION >= 140000 + select ARCH_SUPPORTS_LTO_CLANG if LLD_VERSION >= 140000 && CMODEL_MEDANY select ARCH_SUPPORTS_LTO_CLANG_THIN if LLD_VERSION >= 140000 select ARCH_SUPPORTS_MSEAL_SYSTEM_MAPPINGS if 64BIT && MMU select ARCH_SUPPORTS_PAGE_TABLE_CHECK if MMU --- base-commit: fda589c286040d9ba2d72a0eaf0a13945fc48026 change-id: 20250710-riscv-restrict-lto-to-medany-f1b7dd5c9bba Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

2 weeks, 4 days

2
3
0 0

[PATCH AUTOSEL 6.16-5.4] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed()

by Sasha Levin

From: Masahiro Yamada <masahiroy(a)kernel.org> [ Upstream commit cae9cdbcd9af044810bcceeb43a87accca47c71d ] The on_treeview2_cursor_changed() handler is connected to both the left and right tree views, but it hardcodes model2 (the GtkTreeModel of the right tree view). This is incorrect. Get the associated model from the view. Signed-off-by: Masahiro Yamada <masahiroy(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Let me check the commit you provided more carefully. Looking at the diff: The commit changes line 851-852 in the `on_treeview2_cursor_changed` function from: ```c if (gtk_tree_selection_get_selected(selection, &model2, &iter)) { gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1); ``` To: ```c if (gtk_tree_selection_get_selected(selection, &model, &iter)) { gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1); ``` Where `model` is obtained from: `GtkTreeModel *model = gtk_tree_view_get_model(treeview);` This is indeed a bug fix. The function `on_treeview2_cursor_changed()` is connected as a signal handler to BOTH tree views (tree1_w and tree2_w), as shown in the connection code around lines 989 and 997. However, the old code hardcoded `model2` which is specifically the model for the right tree view. This would cause incorrect behavior when the handler is triggered from the left tree view (tree1_w). **Backport Status: YES** ## Extensive Analysis: ### Bug Description: The commit fixes a clear bug in the gconf GUI tool for kernel configuration. The `on_treeview2_cursor_changed()` function is used as a signal handler for cursor changes in both the left and right tree views of the configuration interface. However, the function incorrectly hardcoded `model2` (the GtkTreeModel for the right tree view) instead of dynamically getting the model from whichever view triggered the event. ### Code Analysis: 1. **Signal Connection** (lines 988-997 in the repository): - The same handler is connected to both tree views: ```c g_signal_connect(tree1_w, "cursor-changed", G_CALLBACK(on_treeview2_cursor_changed), NULL); g_signal_connect(tree2_w, "cursor-changed", G_CALLBACK(on_treeview2_cursor_changed), NULL); ``` 2. **The Bug**: When the cursor changes in tree1_w (left tree), the handler would incorrectly use model2 (right tree's model) to get the selected item, potentially causing: - Incorrect help text display - Crashes if the models have different structures - Undefined behavior when accessing invalid iterators 3. **The Fix**: The commit correctly obtains the model from the treeview parameter that triggered the event: ```c GtkTreeModel *model = gtk_tree_view_get_model(treeview); ``` This ensures the correct model is used regardless of which tree view triggered the event. ### Backport Justification: 1. **Clear Bug Fix**: This fixes an obvious programming error that affects functionality 2. **Small and Contained**: The change is minimal (2 lines modified) and localized to a single function 3. **Low Risk**: The fix is straightforward and correct - getting the model from the actual tree view instead of hardcoding 4. **User Impact**: This bug could affect users of the gconf configuration tool, potentially causing crashes or incorrect behavior 5. **No Architectural Changes**: This is a simple bug fix with no design changes 6. **No New Features**: Pure bug fix, no functionality additions This is an ideal candidate for stable backporting as it's a clear, minimal bug fix that improves reliability without introducing risk. scripts/kconfig/gconf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c index c0f46f189060..abe4cfe66b14 100644 --- a/scripts/kconfig/gconf.c +++ b/scripts/kconfig/gconf.c @@ -942,13 +942,14 @@ on_treeview2_key_press_event(GtkWidget * widget, void on_treeview2_cursor_changed(GtkTreeView * treeview, gpointer user_data) { + GtkTreeModel *model = gtk_tree_view_get_model(treeview); GtkTreeSelection *selection; GtkTreeIter iter; struct menu *menu; selection = gtk_tree_view_get_selection(treeview); - if (gtk_tree_selection_get_selected(selection, &model2, &iter)) { - gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1); + if (gtk_tree_selection_get_selected(selection, &model, &iter)) { + gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1); text_insert_help(menu); } } -- 2.39.5

2 weeks, 4 days

1
12
0 0

[PATCH 5.10] dma-buf: insert memory barrier before updating num_fences

by Jay Wang

From: Hyejeong Choi <hjeong.choi(a)samsung.com> commit 72c7d62583ebce7baeb61acce6057c361f73be4a upstream. smp_store_mb() inserts memory barrier after storing operation. It is different with what the comment is originally aiming so Null pointer dereference can be happened if memory update is reordered. Signed-off-by: Hyejeong Choi <hjeong.choi(a)samsung.com> Fixes: a590d0fdbaa5 ("dma-buf: Update reservation shared_count after adding the new fence") CC: stable(a)vger.kernel.org Reviewed-by: Christian König <christian.koenig(a)amd.com> Link: https://lore.kernel.org/r/20250513020638.GA2329653@au1-maretx-p37.eng.sarc.… Signed-off-by: Christian König <christian.koenig(a)amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Conflict resolved by applying changes from dma_resv_add_fence() in the original fix to dma_resv_add_shared_fence() in current code base] Signed-off-by: Jay Wang <wanjay(a)amazon.com> --- drivers/dma-buf/dma-resv.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c index 789f72db097f..16eb0b389e08 100644 --- a/drivers/dma-buf/dma-resv.c +++ b/drivers/dma-buf/dma-resv.c @@ -291,8 +291,9 @@ void dma_resv_add_shared_fence(struct dma_resv *obj, struct dma_fence *fence) replace: RCU_INIT_POINTER(fobj->shared[i], fence); - /* pointer update must be visible before we extend the shared_count */ - smp_store_mb(fobj->shared_count, count); + /* fence update must be visible before we extend the shared_count */ + smp_wmb(); + fobj->shared_count = count; write_seqcount_end(&obj->seq); dma_fence_put(old); -- 2.47.3

2 weeks, 4 days

2
1
0 0

[PATCH i2c-host-fixes v4 0/5] i2c: rtl9300: Fix multi-byte I2C operations

by Sven Eckelmann

During the integration of the RTL8239 POE chip + its frontend MCU, it was noticed that multi-byte operations were basically broken in the current driver. Tests using SMBus Block Writes showed that the data (after the Wr maker + Ack) was mixed up on the wire. At first glance, it looked like an endianness problem. But for transfers where the number of count + data bytes was not divisible by 4, the last bytes were not looking like an endianness problem because they were in the wrong order but not for example 0 - which would be the case for an endianness problem with 32 bit registers. At the end, it turned out to be the way how i2c_write tried to add the bytes to the send registers. Each 32 bit register was used similar to a shift register - shifting the various bytes up the register while the next one is added to the least significant byte. But the I2C controller expects the first byte of the transmission in the least significant byte of the first register. And the last byte (assuming it is a 16 byte transfer) is expected in the most significant byte of the fourth register. While doing these tests, it was also observed that the count byte was missing from the SMBus Block Writes. The driver just removed them from the data->block (from the I2C subsystem). But the I2C controller DOES NOT automatically add this byte - for example by using the configured transmission length. The RTL8239 MCU is not actually an SMBus compliant device. Instead, it expects I2C Block Reads + I2C Block Writes. But according to the already identified bugs in the driver, it was clear that the I2C controller can simply be modified to not send the count byte for I2C_SMBUS_I2C_BLOCK_DATA. The receive part just needs to write the content of the receive buffer to the correct position in data->block. While the on-wire format was now correct, reads were still not possible against the MCU (for the RTL8239 POE chip). It was always timing out because the 2ms were not enough for sending the read request and then receiving the 12 byte answer. These changes were originally submitted to OpenWrt. But there are plans to migrate OpenWrt to the upstream Linux driver. As a result, the pull request was stopped and the changes were redone against this driver. For reasons of transparency: The work on I2C_SMBUS_I2C_BLOCK_DATA support for the RTL8239-MCU was done on RTL931xx. All problems were therefore detected with the patches from Jonas Jelonek [1] and not the vanilla Linux driver. But looking through the code, it seems like these are NOT regressions introduced by the RTL931x patchset. I've picked up Alex Guo's patch [2] to reduce conflicts between pending fixes. [1] https://patchwork.ozlabs.org/project/linux-i2c/cover/20250727114800.3046-1-… [2] https://lore.kernel.org/r/20250615235248.529019-1-alexguo1023@gmail.com Signed-off-by: Sven Eckelmann <sven(a)narfation.org> --- Changes in v4: - Provide only "write" examples for "i2c: rtl9300: Fix multi-byte I2C write" - drop the second initialization of vals in rtl9300_i2c_write() directly in the "Fix multi-byte I2C write" fix - indicate in target branch for each patch in PATCH prefix - minor commit message cleanups - Link to v3: https://lore.kernel.org/r/20250804-i2c-rtl9300-multi-byte-v3-0-e20607e1b28c… Changes in v3: - integrated patch https://lore.kernel.org/r/20250615235248.529019-1-alexguo1023@gmail.com to avoid conflicts in the I2C_SMBUS_BLOCK_DATA code - added Fixes and stable(a)vger.kernel.org to Alex Guo's patch - added Chris Packham's Reviewed-by/Acked-by - Link to v2: https://lore.kernel.org/r/20250803-i2c-rtl9300-multi-byte-v2-0-9b7b759fe2b6… Changes in v2: - add the missing transfer width and read length increase for the SMBus Write/Read - Link to v1: https://lore.kernel.org/r/20250802-i2c-rtl9300-multi-byte-v1-0-5f687e0098e2… --- Alex Guo (1): [i2c-host-fixes] i2c: rtl9300: Fix out-of-bounds bug in rtl9300_i2c_smbus_xfer Harshal Gohel (2): [i2c-host-fixes] i2c: rtl9300: Fix multi-byte I2C write [i2c-host] i2c: rtl9300: Implement I2C block read and write Sven Eckelmann (2): [i2c-host-fixes] i2c: rtl9300: Increase timeout for transfer polling [i2c-host-fixes] i2c: rtl9300: Add missing count byte for SMBus Block Ops drivers/i2c/busses/i2c-rtl9300.c | 50 +++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 8 deletions(-) --- base-commit: 09eaa2a604ed1bfda7e6fb10488127ce8fdc8048 change-id: 20250802-i2c-rtl9300-multi-byte-edaa1fb0872c Best regards, -- Sven Eckelmann <sven(a)narfation.org>

2 weeks, 5 days

2
5
0 0

Kernel warning on 5.15.187+ caused: net/sched: Always pass notifications when child class becomes empty

by Hauke Mehrtens

Hi, We see a kernel warning with kernel 5.15.187 and later in OpenWrt 23.05. When I revert this patch it is gone: commit e269f29e9395527bc00c213c6b15da04ebb35070 Author: Lion Ackermann <nnamrec(a)gmail.com> Date: Mon Jun 30 15:27:30 2025 +0200 net/sched: Always pass notifications when child class becomes empty [ Upstream commit 103406b38c600fec1fe375a77b27d87e314aea09 ] Link: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… Hauke Warning: [ 90.429594] ------------[ cut here ]------------ [ 90.429929] WARNING: CPU: 0 PID: 3667 at net/sched/sch_htb.c:609 0xffff800000d1b5dc [ 90.430561] Modules linked in: pppoe ppp_async nft_fib_inet nf_flow_table_ipv6 nf_flow_table_ipv4 nf_flow_table_inet pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_objref nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_counter nft_compat nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack iptable_mangle iptable_filter ipt_REJECT ipt_ECN ip_tables xt_time xt_tcpudp xt_tcpmss xt_statistic xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_ecn xt_dscp xt_comment xt_TCPMSS xt_LOG xt_HL xt_DSCP xt_CLASSIFY x_tables smsc slhc sfp sch_cake ravb nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 mdio_i2c mdio_gpio mdio_bitbang libcrc32c e1000e atlantic sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred act_gact gpio_pca953x i2c_mux_pca954x i2c_mux i2c_dev [ 90.431030] sp805_wdt dwmac_sun8i dwmac_rk dwmac_imx nicvf nicpf thunder_bgx thunder_xcv dwmac_generic stmmac_platform stmmac rvu_nicvf rvu_nicpf rvu_af rvu_mbox mvpp2 mvneta vmxnet3 fec fsl_enetc fsl_enetc_mdio fsl_enetc_ierb fsl_dpaa2_eth ifb mdio_thunder mdio_cavium mdio_bcm_unimac xgmac_mdio pcs_lynx fsl_mc_dpio genet nls_utf8 nls_iso8859_1 nls_cp437 pcs_xpcs marvell10g marvell macsec sha512_generic seqiv jitterentropy_rng drbg hmac rtc_rx8025 vfat fat ptp realtek broadcom bcm_phy_lib aquantia hwmon crc_ccitt pps_core phylink mii [ 90.435728] CPU: 0 PID: 3667 Comm: tc Not tainted 5.15.189 #0 [ 90.436003] Hardware name: linux,dummy-virt (DT) [ 90.436306] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 90.436578] pc : 0xffff800000d1b5dc [ 90.436736] lr : qdisc_tree_reduce_backlog+0xa0/0x120 [ 90.436930] sp : ffff80000b73b6d0 [ 90.437053] x29: ffff80000b73b6d0 x28: ffff000003d81030 x27: ffff0000033bf800 [ 90.437335] x26: ffff0000033bf800 x25: ffff80000b73b8e0 x24: ffff000003677400 [ 90.437576] x23: ffff800000d1f5e0 x22: 0000000000000000 x21: 0000000000000000 [ 90.437816] x20: 0000000000000000 x19: ffff0000034f6800 x18: 0000000000000000 [ 90.438054] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffc7ffd278 [ 90.438299] x14: 000122a60001216d x13: 0001204400011f1c x12: 00011df300011cca [ 90.438548] x11: 00011b9100011a68 x10: 0001194000011817 x9 : 0000000000000000 [ 90.438794] x8 : ffff000003677e00 x7 : 0000000000000000 x6 : 0000000000000000 [ 90.439037] x5 : ffff0000029df000 x4 : 0000000000000003 x3 : ffff000003684000 [ 90.439277] x2 : ffff800000d1b5a0 x1 : 0000000000000000 x0 : ffff000003c64140 [ 90.439629] Call trace: [ 90.439859] 0xffff800000d1b5dc [ 90.440021] qdisc_tree_reduce_backlog+0xa0/0x120 [ 90.440184] 0xffff800000d1dd8c [ 90.440302] tc_ctl_tclass+0x15c/0x460 [ 90.440440] rtnetlink_rcv_msg+0x1b8/0x320 [ 90.440583] netlink_rcv_skb+0x5c/0x130 [ 90.440715] rtnetlink_rcv+0x18/0x2c [ 90.440841] netlink_unicast+0x214/0x310 [ 90.440975] netlink_sendmsg+0x1a0/0x3dc [ 90.441120] ____sys_sendmsg+0x1b8/0x220 [ 90.441257] ___sys_sendmsg+0x84/0xf0 [ 90.441385] __sys_sendmsg+0x48/0xb0 [ 90.441509] __arm64_sys_sendmsg+0x24/0x30 [ 90.441647] invoke_syscall.constprop.0+0x5c/0x110 [ 90.441811] do_el0_svc+0x6c/0x150 [ 90.441929] el0_svc+0x28/0xc0 [ 90.442039] el0t_64_sync_handler+0xe8/0x114 [ 90.442186] el0t_64_sync+0x1a4/0x1a8 [ 90.442408] ---[ end trace b27ff72c6be40920 ]---

2 weeks, 5 days

4
4
0 0

[PATCH 1/3] KEYS: trusted_tpm1: Compare HMAC values in constant time

by Eric Biggers

To prevent timing attacks, HMAC value comparison needs to be constant time. Replace the memcmp() with the correct function, crypto_memneq(). Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") Cc: stable(a)vger.kernel.org Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- security/keys/trusted-keys/trusted_tpm1.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trusted-keys/trusted_tpm1.c index 89c9798d18007..e73f2c6c817a0 100644 --- a/security/keys/trusted-keys/trusted_tpm1.c +++ b/security/keys/trusted-keys/trusted_tpm1.c @@ -5,10 +5,11 @@ * * See Documentation/security/keys/trusted-encrypted.rst */ #include <crypto/hash_info.h> +#include <crypto/utils.h> #include <linux/init.h> #include <linux/slab.h> #include <linux/parser.h> #include <linux/string.h> #include <linux/err.h> @@ -239,11 +240,11 @@ int TSS_checkhmac1(unsigned char *buffer, TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 1, continueflag, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) + if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: kfree_sensitive(sdesc); return ret; } @@ -332,20 +333,20 @@ static int TSS_checkhmac2(unsigned char *buffer, ret = TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, paramdigest, TPM_NONCE_SIZE, enonce1, TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { + if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { ret = -EINVAL; goto out; } ret = TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, paramdigest, TPM_NONCE_SIZE, enonce2, TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); if (ret < 0) goto out; - if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) + if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE)) ret = -EINVAL; out: kfree_sensitive(sdesc); return ret; } base-commit: d6084bb815c453de27af8071a23163a711586a6c -- 2.50.1

2 weeks, 5 days

2
4
0 0

Qualcomm Inventory Updated

by Alan Ye

The following are all Qualcomm's stock, original and authentic. If you need them, please contact us. Snapdragon骁龙 WIFI-5G/6G MPN QTY date code MPN QTY date code SM-6225-0-PSP807-TR-00-0-AB 8000 22+ IPQ5018-0-MRQFN232-MT-01-0 36000 22+ PM-6225-0-FOWNSP144-TR-01-0 8000 22+ QCN6102-0-DRQFN116-TR-01-0 30000 22+ WCD9375-0-WLPSP55-TR-01-3 8000 22+ QCA8337-AL3C 25000 22+ WTR3925-2-106BWLPSP-TR-03-1 8000 22+ WCN-3950-0-58WLPSP-TR-05-2 8000 22+ IPQ-6000-0-FCBGA570-TR-00-0 10000 22+ QCA-8072-0-108DRQFN-MT-00-0 10000 22+ QCM-6490-1-PSP1287-TR-00-0-AA E 12000 23+ QCN-5022-0-DRQFN100B-TR-00-0 10000 22+ PMK-7325-1-1-FOWPSP36-MT-01-0 12000 23+ QCN-5052-0-DRQFN100B-TR-00-0 10000 22+ PM-7325-0-WLNSP120B-TR-00-0 12000 23+ PM-7350C-0-FOWNSP143-MT-02-0 12000 23+ IPQ-6010-0-FCBGA570-TR-00-0 8000 22+ PM-7250B-2-FOWPSP110-TR-00-0 12000 23+ QCA-8075-0-108DRQFN-MT-01-0 8000 22+ WCD-9370-0-WLPSP55-TR-01-0 12000 23+ QCN-5052-0-DRQFN100B-TR-00-0 8000 22+ PM-8008-0-WLPSP20-TR-X0-0 12000 23+ QCN-5021-0-DRQFN100B-TR-03-0 8000 22+ SDR-735-0-PSP219B-TR-001-0 12000 23+ WCN-6750-0-PSP229-TR-01-0 12000 23+ QCA-9886-0-100DRQFN-MT-04-0 14000 22+ QCA9563-AL3A 14000 22+ SDM-450-B-792NSP-TR-01-0-AA 20000 24+ QCA8334-AL3C 14000 22+ WTR-2965-0-59F0WNSP-TR-07-1 20000 24+ PMI-8952-0-144WLNSP-TR-02-0-00 20000 24+ IPQ-5322-0-MRQFN251-MT-00-0 6000 24+ WCN-3680B-0-79BWLNSP-TR-05-1 20000 24+ QCN-6274-0-MSP264-MT-01-0 6000 24+ PM-8953-0-187F0WNSP-TR-01-1 20000 24+ QCA-8385-0-DRQFN172-MT-00-0 6000 24 SDM-660-3-692NSP-TR-01-0-A 28000 23+ IPQ-4018-0-180DRQFN-MT-00-0 150000 22+ PM-660-0-219WLPSP-TR-01-1-01 28000 23+ QCA-8072-0-108DRQFN-MT-00-0 100000 22+ PM-660L-0-196WLPSP-TR-04-0-01 28000 23+ SDR-660-0-180WLPSP-TR-03-0 28000 23+ QCN-9024-0-MSP234-TR-01-0 5000 23+ QET-4101-0-12WLNSP-HR-00-0 28000 23+ QCN-6024-0-MSP234-MT-01-0 20000 22+ WCN-3980-0-82BWLPSP-TR-0B-0 28000 23+ QCA-8081-0-56MQFN-MT-02-0 28000 22+ QCN-9074-0-MSP234-TR-01-0 8000 23+ QCM-2290-0-NSP752-TR-00-0 10000 24+ QCA-9377-3-115WLNSP-TR-03-0 10000 22+ PM-8008-0-WLPSP20-TR-X0-0 10000 24+ QCA-1023-0-115WLNSP-TR-03-0 20000 24+ WCN-3950-0-58WLPSP-TR-05-3 10000 24+ QCC-5181-0-WLNSP99-TR-05-0 10000 24+ PM-4125-3-NSP194-TR-01-0 10000 24+ QCC-5127-0-124CSP-TR-00-0 8000 23+ CSR8670C-ICXT-R 10000 23+ MSM-8909-2-504NSP-TR-01-1-AA 50000 22+ CSR8675C-IBBH-R 10000 23+ WCN-3660B-0-79BWLNSP-TR-05-1 50000 22+ AR8033-AL1A 25000 23+ PM-8909-0-152NSP-TR-01-0-02 50000 22+ AR8035-AL1A 45000 22+ WTR-4905-1-60WLNSP-TR-01-1 50000 22+ AR8031-AL1B 15000 22+ If you have other MPN requirements, please let me know and I will check the latest inventory status for you. We also recycle Qualcomm's excess inventory to help you solve the depreciation risk faced by electronic components Best Secure your updates and feature insights at . Continue Product News Wish to step back? Quickly hit Control Contact Settings.

2 weeks, 5 days

1
0
0 0

+ kho-warn-if-kho-is-disabled-due-to-an-error.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kho: warn if KHO is disabled due to an error has been added to the -mm mm-hotfixes-unstable branch. Its filename is kho-warn-if-kho-is-disabled-due-to-an-error.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Pasha Tatashin <pasha.tatashin(a)soleen.com> Subject: kho: warn if KHO is disabled due to an error Date: Fri, 8 Aug 2025 20:18:04 +0000 During boot scratch area is allocated based on command line parameters or auto calculated. However, scratch area may fail to allocate, and in that case KHO is disabled. Currently, no warning is printed that KHO is disabled, which makes it confusing for the end user to figure out why KHO is not available. Add the missing warning message. Link: https://lkml.kernel.org/r/20250808201804.772010-4-pasha.tatashin@soleen.com Signed-off-by: Pasha Tatashin <pasha.tatashin(a)soleen.com> Acked-by: Mike Rapoport (Microsoft) <rppt(a)kernel.org> Acked-by: Pratyush Yadav <pratyush(a)kernel.org> Cc: Alexander Graf <graf(a)amazon.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Baoquan He <bhe(a)redhat.com> Cc: Changyuan Lyu <changyuanl(a)google.com> Cc: Coiby Xu <coxu(a)redhat.com> Cc: Dave Vasilevsky <dave(a)vasilevsky.ca> Cc: Eric Biggers <ebiggers(a)google.com> Cc: Kees Cook <kees(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/kexec_handover.c | 1 + 1 file changed, 1 insertion(+) --- a/kernel/kexec_handover.c~kho-warn-if-kho-is-disabled-due-to-an-error +++ a/kernel/kexec_handover.c @@ -564,6 +564,7 @@ err_free_scratch_areas: err_free_scratch_desc: memblock_free(kho_scratch, kho_scratch_cnt * sizeof(*kho_scratch)); err_disable_kho: + pr_warn("Failed to reserve scratch area, disabling kexec handover\n"); kho_enable = false; } _ Patches currently in -mm which might be from pasha.tatashin(a)soleen.com are kho-init-new_physxa-phys_bits-to-fix-lockdep.patch kho-mm-dont-allow-deferred-struct-page-with-kho.patch kho-warn-if-kho-is-disabled-due-to-an-error.patch

2 weeks, 5 days

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror