- Linux-stable-mirror - lists.linaro.org

[tip: x86/cpu] x86/umip: Check that the instruction opcode is at least two bytes

by tip-bot2 for Sean Christopherson

The following commit has been merged into the x86/cpu branch of tip: Commit-ID: 32278c677947ae2f042c9535674a7fff9a245dd3 Gitweb: https://git.kernel.org/tip/32278c677947ae2f042c9535674a7fff9a245dd3 Author: Sean Christopherson <seanjc(a)google.com> AuthorDate: Fri, 08 Aug 2025 10:23:56 -07:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Fri, 19 Sep 2025 20:21:12 +02:00 x86/umip: Check that the instruction opcode is at least two bytes When checking for a potential UMIP violation on #GP, verify the decoder found at least two opcode bytes to avoid false positives when the kernel encounters an unknown instruction that starts with 0f. Because the array of opcode.bytes is zero-initialized by insn_init(), peeking at bytes[1] will misinterpret garbage as a potential SLDT or STR instruction, and can incorrectly trigger emulation. E.g. if a VPALIGNR instruction 62 83 c5 05 0f 08 ff vpalignr xmm17{k5},xmm23,XMMWORD PTR [r8],0xff hits a #GP, the kernel emulates it as STR and squashes the #GP (and corrupts the userspace code stream). Arguably the check should look for exactly two bytes, but no three byte opcodes use '0f 00 xx' or '0f 01 xx' as an escape, i.e. it should be impossible to get a false positive if the first two opcode bytes match '0f 00' or '0f 01'. Go with a more conservative check with respect to the existing code to minimize the chances of breaking userspace, e.g. due to decoder weirdness. Analyzed by Nick Bray <ncbray(a)google.com>. Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions") Reported-by: Dan Snyder <dansnyder(a)google.com> Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/umip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c index 5a4b213..406ac01 100644 --- a/arch/x86/kernel/umip.c +++ b/arch/x86/kernel/umip.c @@ -156,8 +156,8 @@ static int identify_insn(struct insn *insn) if (!insn->modrm.nbytes) return -EINVAL; - /* All the instructions of interest start with 0x0f. */ - if (insn->opcode.bytes[0] != 0xf) + /* The instructions of interest have 2-byte opcodes: 0F 00 or 0F 01. */ + if (insn->opcode.nbytes < 2 || insn->opcode.bytes[0] != 0xf) return -EINVAL; if (insn->opcode.bytes[1] == 0x1) {

2 months

1
0
0 0

[tip: x86/cpu] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)

by tip-bot2 for Sean Christopherson

The following commit has been merged into the x86/cpu branch of tip: Commit-ID: 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Gitweb: https://git.kernel.org/tip/27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Author: Sean Christopherson <seanjc(a)google.com> AuthorDate: Fri, 08 Aug 2025 10:23:57 -07:00 Committer: Borislav Petkov (AMD) <bp(a)alien8.de> CommitterDate: Fri, 19 Sep 2025 21:34:48 +02:00 x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) Filter out the register forms of 0F 01 when determining whether or not to emulate in response to a potential UMIP violation #GP, as SGDT and SIDT only accept memory operands. The register variants of 0F 01 are used to encode instructions for things like VMX and SGX, i.e. not checking the Mod field would cause the kernel to incorrectly emulate on #GP, e.g. due to a CPL violation on VMLAUNCH. Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions") Signed-off-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Acked-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: stable(a)vger.kernel.org --- arch/x86/kernel/umip.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/arch/x86/kernel/umip.c b/arch/x86/kernel/umip.c index 406ac01..d432f38 100644 --- a/arch/x86/kernel/umip.c +++ b/arch/x86/kernel/umip.c @@ -163,8 +163,19 @@ static int identify_insn(struct insn *insn) if (insn->opcode.bytes[1] == 0x1) { switch (X86_MODRM_REG(insn->modrm.value)) { case 0: + /* The reg form of 0F 01 /0 encodes VMX instructions. */ + if (X86_MODRM_MOD(insn->modrm.value) == 3) + return -EINVAL; + return UMIP_INST_SGDT; case 1: + /* + * The reg form of 0F 01 /1 encodes MONITOR/MWAIT, + * STAC/CLAC, and ENCLS. + */ + if (X86_MODRM_MOD(insn->modrm.value) == 3) + return -EINVAL; + return UMIP_INST_SIDT; case 4: return UMIP_INST_SMSW;

2 months

1
0
0 0

[PATCH net] net/core : fix KMSAN: uninit value in tipc_rcv

by hariconscious＠gmail.com

From: HariKrishna Sagala <hariconscious(a)gmail.com> Syzbot reported an uninit-value bug on at kmalloc_reserve for commit 320475fbd590 ("Merge tag 'mtd/fixes-for-6.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux")' Syzbot KMSAN reported use of uninitialized memory originating from functions "kmalloc_reserve()", where memory allocated via "kmem_cache_alloc_node()" or "kmalloc_node_track_caller()" was not explicitly initialized. This can lead to undefined behavior when the allocated buffer is later accessed. Fix this by requesting the initialized memory using the gfp flag appended with the option "__GFP_ZERO". Reported-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9a4fbb77c9d4aacd3388 Fixes: 915d975b2ffa ("net: deal with integer overflows in kmalloc_reserve()") Tested-by: syzbot+9a4fbb77c9d4aacd3388(a)syzkaller.appspotmail.com Signed-off-by: HariKrishna Sagala <hariconscious(a)gmail.com> --- net/core/skbuff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index ee0274417948..2308ebf99bbd 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -573,6 +573,7 @@ static void *kmalloc_reserve(unsigned int *size, gfp_t flags, int node, void *obj; obj_size = SKB_HEAD_ALIGN(*size); + flags |= __GFP_ZERO; if (obj_size <= SKB_SMALL_HEAD_CACHE_SIZE && !(flags & KMALLOC_NOT_NORMAL_BITS)) { obj = kmem_cache_alloc_node(net_hotdata.skb_small_head_cache, -- 2.43.0

2 months

3
2
0 0

[PATCH net v3] net: nfc: nci: Add parameter validation for packet data

by Deepak Sharma

Syzbot reported an uninit-value bug at nci_init_req for commit 5aca7966d2a7 ("Merge tag 'perf-tools-fixes-for-v6.17-2025-09-16'..). This bug arises due to very limited and poor input validation that was done at nic_valid_size(). This validation only validates the skb->len (directly reflects size provided at the userspace interface) with the length provided in the buffer itself (interpreted as NCI_HEADER). This leads to the processing of memory content at the address assuming the correct layout per what opcode requires there. This leads to the accesses to buffer of `skb_buff->data` which is not assigned anything yet. Following the same silent drop of packets of invalid sizes at `nic_valid_size()`, add validation of the data in the respective handlers and return error values in case of failure. Release the skb if error values are returned from handlers in `nci_nft_packet` and effectively do a silent drop Possible TODO: because we silently drop the packets, the call to `nci_request` will be waiting for completion of request and will face timeouts. These timeouts can get excessively logged in the dmesg. A proper handling of them may require to export `nci_request_cancel` (or propagate error handling from the nft packets handlers). Reported-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8 Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation) Tested-by: syzbot+740e04c2a93467a0f8c8(a)syzkaller.appspotmail.com Signed-off-by: Deepak Sharma <deepak.sharma.472935(a)gmail.com> --- v3: - Move the checks inside the packet data handlers - Improvements to the commit message v2: - Fix the release of skb in case of the early return v1: - Add checks in `nci_ntf_packet` on the skb->len and do early return on failure net/nfc/nci/ntf.c | 139 +++++++++++++++++++++++++++++++++------------- 1 file changed, 101 insertions(+), 38 deletions(-) diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c index a818eff27e6b..c0edf8242e22 100644 --- a/net/nfc/nci/ntf.c +++ b/net/nfc/nci/ntf.c @@ -27,11 +27,16 @@ /* Handle NCI Notification packets */ -static void nci_core_reset_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_reset_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { /* Handle NCI 2.x core reset notification */ - const struct nci_core_reset_ntf *ntf = (void *)skb->data; + const struct nci_core_reset_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_reset_ntf)) + return -EINVAL; + + ntf = (struct nci_core_reset_ntf *)skb->data; ndev->nci_ver = ntf->nci_ver; pr_debug("nci_ver 0x%x, config_status 0x%x\n", @@ -42,15 +47,22 @@ static void nci_core_reset_ntf_packet(struct nci_dev *ndev, __le32_to_cpu(ntf->manufact_specific_info); nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_conn_credit_ntf *ntf = (void *) skb->data; + struct nci_core_conn_credit_ntf *ntf; struct nci_conn_info *conn_info; int i; + if (skb->len < sizeof(struct nci_core_conn_credit_ntf)) + return -EINVAL; + + ntf = (struct nci_core_conn_credit_ntf *)skb->data; + pr_debug("num_entries %d\n", ntf->num_entries); if (ntf->num_entries > NCI_MAX_NUM_CONN) @@ -68,7 +80,7 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, conn_info = nci_get_conn_info_by_conn_id(ndev, ntf->conn_entries[i].conn_id); if (!conn_info) - return; + return 0; atomic_add(ntf->conn_entries[i].credits, &conn_info->credits_cnt); @@ -77,12 +89,19 @@ static void nci_core_conn_credits_ntf_packet(struct nci_dev *ndev, /* trigger the next tx */ if (!skb_queue_empty(&ndev->tx_q)) queue_work(ndev->tx_wq, &ndev->tx_work); + + return 0; } -static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_core_generic_error_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { - __u8 status = skb->data[0]; + __u8 status; + + if (skb->len < 1) + return -EINVAL; + + status = skb->data[0]; pr_debug("status 0x%x\n", status); @@ -91,12 +110,19 @@ static void nci_core_generic_error_ntf_packet(struct nci_dev *ndev, (the state remains the same) */ nci_req_complete(ndev, status); } + + return 0; } -static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, - struct sk_buff *skb) +static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, + struct sk_buff *skb) { - struct nci_core_intf_error_ntf *ntf = (void *) skb->data; + struct nci_core_intf_error_ntf *ntf; + + if (skb->len < sizeof(struct nci_core_intf_error_ntf)) + return -EINVAL; + + ntf = (struct nci_core_intf_error_ntf *)skb->data; ntf->conn_id = nci_conn_id(&ntf->conn_id); @@ -105,6 +131,8 @@ static void nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev, /* complete the data exchange transaction, if exists */ if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags)) nci_data_exchange_complete(ndev, NULL, ntf->conn_id, -EIO); + + return 0; } static const __u8 * @@ -329,13 +357,18 @@ void nci_clear_target_list(struct nci_dev *ndev) ndev->n_targets = 0; } -static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_rf_discover_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; bool add_target = true; + if (skb->len < sizeof(struct nci_rf_discover_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_protocol = *data++; ntf.rf_tech_and_mode = *data++; @@ -390,6 +423,8 @@ static void nci_rf_discover_ntf_packet(struct nci_dev *ndev, nfc_targets_found(ndev->nfc_dev, ndev->targets, ndev->n_targets); } + + return 0; } static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev, @@ -501,7 +536,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_POLL_MODE: case NCI_NFC_F_PASSIVE_POLL_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.poll_nfc_dep.atr_res_len + (ntf->activation_params.poll_nfc_dep.atr_res_len - NFC_ATR_RES_GT_OFFSET), NFC_ATR_RES_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -513,7 +548,7 @@ static int nci_store_general_bytes_nfc_dep(struct nci_dev *ndev, case NCI_NFC_A_PASSIVE_LISTEN_MODE: case NCI_NFC_F_PASSIVE_LISTEN_MODE: ndev->remote_gb_len = min_t(__u8, - (ntf->activation_params.listen_nfc_dep.atr_req_len + (ntf->activation_params.listen_nfc_dep.atr_req_len - NFC_ATR_REQ_GT_OFFSET), NFC_ATR_REQ_GB_MAXSIZE); memcpy(ndev->remote_gb, @@ -553,14 +588,19 @@ static int nci_store_ats_nfc_iso_dep(struct nci_dev *ndev, return NCI_STATUS_OK; } -static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { struct nci_conn_info *conn_info; struct nci_rf_intf_activated_ntf ntf; - const __u8 *data = skb->data; + const __u8 *data; int err = NCI_STATUS_OK; + if (skb->len < sizeof(struct nci_rf_intf_activated_ntf)) + return -EINVAL; + + data = skb->data; + ntf.rf_discovery_id = *data++; ntf.rf_interface = *data++; ntf.rf_protocol = *data++; @@ -667,7 +707,7 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, if (err == NCI_STATUS_OK) { conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; conn_info->max_pkt_payload_len = ntf.max_data_pkt_payload_size; conn_info->initial_num_credits = ntf.initial_num_credits; @@ -721,19 +761,26 @@ static void nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev, pr_err("error when signaling tm activation\n"); } } + + return 0; } -static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { const struct nci_conn_info *conn_info; - const struct nci_rf_deactivate_ntf *ntf = (void *)skb->data; + const struct nci_rf_deactivate_ntf *ntf; + + if (skb->len < sizeof(struct nci_rf_deactivate_ntf)) + return -EINVAL; + + ntf = (struct nci_rf_deactivate_ntf *)skb->data; pr_debug("entry, type 0x%x, reason 0x%x\n", ntf->type, ntf->reason); conn_info = ndev->rf_conn_info; if (!conn_info) - return; + return 0; /* drop tx data queue */ skb_queue_purge(&ndev->tx_q); @@ -765,14 +812,20 @@ static void nci_rf_deactivate_ntf_packet(struct nci_dev *ndev, } nci_req_complete(ndev, NCI_STATUS_OK); + + return 0; } -static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, - const struct sk_buff *skb) +static int nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, + const struct sk_buff *skb) { u8 status = NCI_STATUS_OK; - const struct nci_nfcee_discover_ntf *nfcee_ntf = - (struct nci_nfcee_discover_ntf *)skb->data; + const struct nci_nfcee_discover_ntf *nfcee_ntf; + + if (skb->len < sizeof(struct nci_nfcee_discover_ntf)) + return -EINVAL; + + nfcee_ntf = (struct nci_nfcee_discover_ntf *)skb->data; /* NFCForum NCI 9.2.1 HCI Network Specific Handling * If the NFCC supports the HCI Network, it SHALL return one, @@ -783,6 +836,8 @@ static void nci_nfcee_discover_ntf_packet(struct nci_dev *ndev, ndev->cur_params.id = nfcee_ntf->nfcee_id; nci_req_complete(ndev, status); + + return 0; } void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) @@ -809,35 +864,43 @@ void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb) switch (ntf_opcode) { case NCI_OP_CORE_RESET_NTF: - nci_core_reset_ntf_packet(ndev, skb); + if (nci_core_reset_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_CONN_CREDITS_NTF: - nci_core_conn_credits_ntf_packet(ndev, skb); + if (nci_core_conn_credits_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_GENERIC_ERROR_NTF: - nci_core_generic_error_ntf_packet(ndev, skb); + if (nci_core_generic_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_CORE_INTF_ERROR_NTF: - nci_core_conn_intf_error_ntf_packet(ndev, skb); + if (nci_core_conn_intf_error_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DISCOVER_NTF: - nci_rf_discover_ntf_packet(ndev, skb); + if (nci_rf_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_INTF_ACTIVATED_NTF: - nci_rf_intf_activated_ntf_packet(ndev, skb); + if (nci_rf_intf_activated_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_DEACTIVATE_NTF: - nci_rf_deactivate_ntf_packet(ndev, skb); + if (nci_rf_deactivate_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_NFCEE_DISCOVER_NTF: - nci_nfcee_discover_ntf_packet(ndev, skb); + if (nci_nfcee_discover_ntf_packet(ndev, skb)) + goto end; break; case NCI_OP_RF_NFCEE_ACTION_NTF: -- 2.51.0

2 months

4
3
0 0

[PATCH v2 RESEND] sparc: fix error handling in scan_one_device()

by Ma Ke

Once of_device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(). Calling path: of_device_register() -> of_device_add() -> device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - retained kfree() manually due to the lack of a release callback function. --- arch/sparc/kernel/of_device_64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c index f98c2901f335..f53092b07b9e 100644 --- a/arch/sparc/kernel/of_device_64.c +++ b/arch/sparc/kernel/of_device_64.c @@ -677,6 +677,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp, if (of_device_register(op)) { printk("%pOF: Could not register of device.\n", dp); + put_device(&op->dev); kfree(op); op = NULL; } -- 2.25.1

2 months

2
1
0 0

Mate dar vo vyske dva miliony patstotisic euro.

by Dr Leonard Valentinovic Blavatnik

2 months

1
0
0 0

[bug-report 6.12.y] Probably a problematic stable backport commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug")

by Harshit Mogalapalli

Hi stable maintainers, While skimming over stable backports for VMSCAPE commits, I found something unusual. This is regarding the 6.12.y commit: 7c62c442b6eb ("x86/vmscape: Enumerate VMSCAPE bug") commit 7c62c442b6eb95d21bc4c5afc12fee721646ebe2 Author: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Date: Thu Aug 14 10:20:42 2025 -0700 x86/vmscape: Enumerate VMSCAPE bug Commit a508cec6e5215a3fbc7e73ae86a5c5602187934d upstream. The VMSCAPE vulnerability may allow a guest to cause Branch Target Injection (BTI) in userspace hypervisors. Kernels (both host and guest) have existing defenses against direct BTI attacks from guests. There are also inter-process BTI mitigations which prevent processes from attacking each other. However, the threat in this case is to a userspace hypervisor within the same process as the attacker. Userspace hypervisors have access to their own sensitive data like disk encryption keys and also typically have access to all guest data. This means guest userspace may use the hypervisor as a confused deputy to attack sensitive guest kernel data. There are no existing mitigations for these attacks. Introduce X86_BUG_VMSCAPE for this vulnerability and set it on affected Intel and AMD CPUs. Signed-off-by: Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> So the problem in this commit is this part of the backport: in file: arch/x86/kernel/cpu/common.c VULNBL_AMD(0x15, RETBLEED), VULNBL_AMD(0x16, RETBLEED), - VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO), - VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO), - VULNBL_AMD(0x19, SRSO | TSA), + VULNBL_AMD(0x17, RETBLEED | SMT_RSB | SRSO | VMSCAPE), + VULNBL_HYGON(0x18, RETBLEED | SMT_RSB | SRSO | VMSCAPE), + VULNBL_AMD(0x19, SRSO | TSA | VMSCAPE), + VULNBL_AMD(0x1a, SRSO | VMSCAPE), + {} Notice the part where VULNBL_AMD(0x1a, SRSO | VMSCAPE) is added, 6.12.y doesn't have commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") so I think we shouldn't be adding VULNBL_AMD(0x1a, SRSO | VMSCAPE) directly. Boris Ostrovsky suggested me to verify this on a Turin machine as this could cause a very big performance regression : and stated if SRSO mitigation status is Safe RET we are likely in a problem, and we are in that situation. # lscpu | grep -E "CPU family" CPU family: 26 Notes: CPU ID 26 -> 0x1a And Turin machine reports the SRSO mitigation status as "Safe RET" # uname -r 6.12.48-master.20250917.el8.rc1.x86_64 # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Safe RET Boris Ostrovsky suggested backporting three commits to 6.12.y: 1. commit: 877818802c3e ("x86/bugs: Add SRSO_USER_KERNEL_NO support") 2. commit: 8442df2b49ed ("x86/bugs: KVM: Add support for SRSO_MSR_FIX") and its fix 3. commit: e3417ab75ab2 ("KVM: SVM: Set/clear SRSO's BP_SPEC_REDUCE on 0 <=> 1 VM count transitions") -- Maybe optional After backporting these three: # uname -r 6.12.48-master.20250919.el8.dev.x86_64 // Note this this is kernel with patches above three applied. # dmesg | grep -C 2 Reduce [ 3.186135] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl [ 3.187135] Speculative Return Stack Overflow: Reducing speculation to address VM/HV SRSO attack vector. [ 3.188134] Speculative Return Stack Overflow: Mitigation: Reduced Speculation [ 3.189135] VMSCAPE: Mitigation: IBPB before exit to userspace [ 3.191139] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Reduced Speculation I can send my backports to stable if this looks good. Thoughts ? Thanks, Harshit

2 months

3
3
0 0

[PATCH] ceph: fix deadlock bugs by making iput() calls asynchronous

by Max Kellermann

The iput() function is a dangerous one - if the reference counter goes to zero, the function may block for a long time due to: - inode_wait_for_writeback() waits until writeback on this inode completes - the filesystem-specific "evict_inode" callback can do similar things; e.g. all netfs-based filesystems will call netfs_wait_for_outstanding_io() which is similar to inode_wait_for_writeback() Therefore, callers must carefully evaluate the context they're in and check whether invoking iput() is a good idea at all. Most of the time, this is not a problem because the dcache holds references to all inodes, and the dcache is usually the one to release the last reference. But this assumption is fragile. For example, under (memcg) memory pressure, the dcache shrinker is more likely to release inode references, moving the inode eviction to contexts where that was extremely unlikely to occur. Our production servers "found" at least two deadlock bugs in the Ceph filesystem that were caused by this iput() behavior: 1. Writeback may lead to iput() calls in Ceph (e.g. from ceph_put_wrbuffer_cap_refs()) which deadlocks in inode_wait_for_writeback(). Waiting for writeback completion from within writeback will obviously never be able to make any progress. This leads to blocked kworkers like this: INFO: task kworker/u777:6:1270802 blocked for more than 122 seconds. Not tainted 6.16.7-i1-es #773 task:kworker/u777:6 state:D stack:0 pid:1270802 tgid:1270802 ppid:2 task_flags:0x4208060 flags:0x00004000 Workqueue: writeback wb_workfn (flush-ceph-3) Call Trace: <TASK> __schedule+0x4ea/0x17d0 schedule+0x1c/0xc0 inode_wait_for_writeback+0x71/0xb0 evict+0xcf/0x200 ceph_put_wrbuffer_cap_refs+0xdd/0x220 ceph_invalidate_folio+0x97/0xc0 ceph_writepages_start+0x127b/0x14d0 do_writepages+0xba/0x150 __writeback_single_inode+0x34/0x290 writeback_sb_inodes+0x203/0x470 __writeback_inodes_wb+0x4c/0xe0 wb_writeback+0x189/0x2b0 wb_workfn+0x30b/0x3d0 process_one_work+0x143/0x2b0 worker_thread+0x30a/0x450 2. In the Ceph messenger thread (net/ceph/messenger*.c), any iput() call may invoke ceph_evict_inode() which will deadlock in netfs_wait_for_outstanding_io(); since this blocks the messenger thread, completions from the Ceph servers will not ever be received and handled. It looks like these deadlock bugs have been in the Ceph filesystem code since forever (therefore no "Fixes" tag in this patch). There may be various ways to solve this: - make iput() asynchronous and defer the actual eviction like fput() (may add overhead) - make iput() only asynchronous if I_SYNC is set (doesn't solve random things happening inside the "evict_inode" callback) - add iput_deferred() to make this asynchronous behavior/overhead optional and explicit - refactor Ceph to avoid iput() calls from within writeback and messenger (if that is even possible) - add a Ceph-specific workaround After advice from Mateusz Guzik, I decided to do the latter. The implementation is simple because it piggybacks on the existing work_struct for ceph_queue_inode_work() - ceph_inode_work() calls iput() at the end which means we can donate the last reference to it. Since Ceph has a few iput() callers in a loop, it seemed simple enough to pass this counter and use atomic_sub() instead of atomic_dec(). This patch adds ceph_iput_n_async() and converts lots of iput() calls to it - at least those that may come through writeback and the messenger. Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> Cc: Mateusz Guzik <mjguzik(a)gmail.com> Cc: stable(a)vger.kernel.org --- fs/ceph/addr.c | 2 +- fs/ceph/caps.c | 21 ++++++++++----------- fs/ceph/dir.c | 2 +- fs/ceph/inode.c | 42 ++++++++++++++++++++++++++++++++++++++++++ fs/ceph/mds_client.c | 32 ++++++++++++++++---------------- fs/ceph/quota.c | 4 ++-- fs/ceph/snap.c | 10 +++++----- fs/ceph/super.h | 7 +++++++ 8 files changed, 84 insertions(+), 36 deletions(-) diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c index 322ed268f14a..fc497c91530e 100644 --- a/fs/ceph/addr.c +++ b/fs/ceph/addr.c @@ -265,7 +265,7 @@ static void finish_netfs_read(struct ceph_osd_request *req) subreq->error = err; trace_netfs_sreq(subreq, netfs_sreq_trace_io_progress); netfs_read_subreq_terminated(subreq); - iput(req->r_inode); + ceph_iput_async(req->r_inode); ceph_dec_osd_stopping_blocker(fsc->mdsc); } diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index b1a8ff612c41..bd88b5287a2b 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -1771,7 +1771,7 @@ void ceph_flush_snaps(struct ceph_inode_info *ci, spin_unlock(&mdsc->snap_flush_lock); if (need_put) - iput(inode); + ceph_iput_async(inode); } /* @@ -3318,8 +3318,8 @@ static void __ceph_put_cap_refs(struct ceph_inode_info *ci, int had, } if (wake) wake_up_all(&ci->i_cap_wq); - while (put-- > 0) - iput(inode); + if (put > 0) + ceph_iput_n_async(inode, put); } void ceph_put_cap_refs(struct ceph_inode_info *ci, int had) @@ -3418,9 +3418,8 @@ void ceph_put_wrbuffer_cap_refs(struct ceph_inode_info *ci, int nr, } if (complete_capsnap) wake_up_all(&ci->i_cap_wq); - while (put-- > 0) { - iput(inode); - } + if (put > 0) + ceph_iput_n_async(inode, put); } /* @@ -3917,7 +3916,7 @@ static void handle_cap_flush_ack(struct inode *inode, u64 flush_tid, if (wake_mdsc) wake_up_all(&mdsc->cap_flushing_wq); if (drop) - iput(inode); + ceph_iput_async(inode); } void __ceph_remove_capsnap(struct inode *inode, struct ceph_cap_snap *capsnap, @@ -4008,7 +4007,7 @@ static void handle_cap_flushsnap_ack(struct inode *inode, u64 flush_tid, wake_up_all(&ci->i_cap_wq); if (wake_mdsc) wake_up_all(&mdsc->cap_flushing_wq); - iput(inode); + ceph_iput_async(inode); } } @@ -4557,7 +4556,7 @@ void ceph_handle_caps(struct ceph_mds_session *session, done: mutex_unlock(&session->s_mutex); done_unlocked: - iput(inode); + ceph_iput_async(inode); out: ceph_dec_mds_stopping_blocker(mdsc); @@ -4636,7 +4635,7 @@ unsigned long ceph_check_delayed_caps(struct ceph_mds_client *mdsc) doutc(cl, "on %p %llx.%llx\n", inode, ceph_vinop(inode)); ceph_check_caps(ci, 0); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_delay_lock); } @@ -4675,7 +4674,7 @@ static void flush_dirty_session_caps(struct ceph_mds_session *s) spin_unlock(&mdsc->cap_dirty_lock); ceph_wait_on_async_create(inode); ceph_check_caps(ci, CHECK_CAPS_FLUSH); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_dirty_lock); } spin_unlock(&mdsc->cap_dirty_lock); diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c index 32973c62c1a2..ec73ed52a227 100644 --- a/fs/ceph/dir.c +++ b/fs/ceph/dir.c @@ -1290,7 +1290,7 @@ static void ceph_async_unlink_cb(struct ceph_mds_client *mdsc, ceph_mdsc_free_path_info(&path_info); } out: - iput(req->r_old_inode); + ceph_iput_async(req->r_old_inode); ceph_mdsc_release_dir_caps(req); } diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c index f67025465de0..385d5261632d 100644 --- a/fs/ceph/inode.c +++ b/fs/ceph/inode.c @@ -2191,6 +2191,48 @@ void ceph_queue_inode_work(struct inode *inode, int work_bit) } } +/** + * Queue an asynchronous iput() call in a worker thread. Use this + * instead of iput() in contexts where evicting the inode is unsafe. + * For example, inode eviction may cause deadlocks in + * inode_wait_for_writeback() (when called from within writeback) or + * in netfs_wait_for_outstanding_io() (when called from within the + * Ceph messenger). + * + * @n: how many references to put + */ +void ceph_iput_n_async(struct inode *inode, int n) +{ + if (unlikely(!inode)) + return; + + if (likely(atomic_sub_return(n, &inode->i_count) > 0)) + /* somebody else is holding another reference - + * nothing left to do for us + */ + return; + + doutc(ceph_inode_to_fs_client(inode)->client, "%p %llx.%llx\n", inode, ceph_vinop(inode)); + + /* the reference counter is now 0, i.e. nobody else is holding + * a reference to this inode; restore it to 1 and donate it to + * ceph_inode_work() which will call iput() at the end + */ + atomic_set(&inode->i_count, 1); + + /* simply queue a ceph_inode_work() without setting + * i_work_mask bit; other than putting the reference, there is + * nothing to do + */ + WARN_ON_ONCE(!queue_work(ceph_inode_to_fs_client(inode)->inode_wq, + &ceph_inode(inode)->i_work)); + + /* note: queue_work() cannot fail; it i_work were already + * queued, then it would be holding another reference, but no + * such reference exists + */ +} + static void ceph_do_invalidate_pages(struct inode *inode) { struct ceph_client *cl = ceph_inode_to_client(inode); diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index 3bc72b47fe4d..d7fce1ad8073 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -1097,14 +1097,14 @@ void ceph_mdsc_release_request(struct kref *kref) ceph_msg_put(req->r_reply); if (req->r_inode) { ceph_put_cap_refs(ceph_inode(req->r_inode), CEPH_CAP_PIN); - iput(req->r_inode); + ceph_iput_async(req->r_inode); } if (req->r_parent) { ceph_put_cap_refs(ceph_inode(req->r_parent), CEPH_CAP_PIN); - iput(req->r_parent); + ceph_iput_async(req->r_parent); } - iput(req->r_target_inode); - iput(req->r_new_inode); + ceph_iput_async(req->r_target_inode); + ceph_iput_async(req->r_new_inode); if (req->r_dentry) dput(req->r_dentry); if (req->r_old_dentry) @@ -1118,7 +1118,7 @@ void ceph_mdsc_release_request(struct kref *kref) */ ceph_put_cap_refs(ceph_inode(req->r_old_dentry_dir), CEPH_CAP_PIN); - iput(req->r_old_dentry_dir); + ceph_iput_async(req->r_old_dentry_dir); } kfree(req->r_path1); kfree(req->r_path2); @@ -1240,7 +1240,7 @@ static void __unregister_request(struct ceph_mds_client *mdsc, } if (req->r_unsafe_dir) { - iput(req->r_unsafe_dir); + ceph_iput_async(req->r_unsafe_dir); req->r_unsafe_dir = NULL; } @@ -1413,7 +1413,7 @@ static int __choose_mds(struct ceph_mds_client *mdsc, cap = rb_entry(rb_first(&ci->i_caps), struct ceph_cap, ci_node); if (!cap) { spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); goto random; } mds = cap->session->s_mds; @@ -1422,7 +1422,7 @@ static int __choose_mds(struct ceph_mds_client *mdsc, cap == ci->i_auth_cap ? "auth " : "", cap); spin_unlock(&ci->i_ceph_lock); out: - iput(inode); + ceph_iput_async(inode); return mds; random: @@ -1841,7 +1841,7 @@ int ceph_iterate_session_caps(struct ceph_mds_session *session, spin_unlock(&session->s_cap_lock); if (last_inode) { - iput(last_inode); + ceph_iput_async(last_inode); last_inode = NULL; } if (old_cap) { @@ -1874,7 +1874,7 @@ int ceph_iterate_session_caps(struct ceph_mds_session *session, session->s_cap_iterator = NULL; spin_unlock(&session->s_cap_lock); - iput(last_inode); + ceph_iput_async(last_inode); if (old_cap) ceph_put_cap(session->s_mdsc, old_cap); @@ -1903,8 +1903,8 @@ static int remove_session_caps_cb(struct inode *inode, int mds, void *arg) wake_up_all(&ci->i_cap_wq); if (invalidate) ceph_queue_invalidate(inode); - while (iputs--) - iput(inode); + if (iputs > 0) + ceph_iput_n_async(inode, iputs); return 0; } @@ -1944,7 +1944,7 @@ static void remove_session_caps(struct ceph_mds_session *session) spin_unlock(&session->s_cap_lock); inode = ceph_find_inode(sb, vino); - iput(inode); + ceph_iput_async(inode); spin_lock(&session->s_cap_lock); } @@ -2512,7 +2512,7 @@ static void ceph_cap_unlink_work(struct work_struct *work) doutc(cl, "on %p %llx.%llx\n", inode, ceph_vinop(inode)); ceph_check_caps(ci, CHECK_CAPS_FLUSH); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->cap_delay_lock); } } @@ -3933,7 +3933,7 @@ static void handle_reply(struct ceph_mds_session *session, struct ceph_msg *msg) !req->r_reply_info.has_create_ino) { /* This should never happen on an async create */ WARN_ON_ONCE(req->r_deleg_ino); - iput(in); + ceph_iput_async(in); in = NULL; } @@ -5313,7 +5313,7 @@ static void handle_lease(struct ceph_mds_client *mdsc, out: mutex_unlock(&session->s_mutex); - iput(inode); + ceph_iput_async(inode); ceph_dec_mds_stopping_blocker(mdsc); return; diff --git a/fs/ceph/quota.c b/fs/ceph/quota.c index d90eda19bcc4..bba00f8926e6 100644 --- a/fs/ceph/quota.c +++ b/fs/ceph/quota.c @@ -76,7 +76,7 @@ void ceph_handle_quota(struct ceph_mds_client *mdsc, le64_to_cpu(h->max_files)); spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); out: ceph_dec_mds_stopping_blocker(mdsc); } @@ -190,7 +190,7 @@ void ceph_cleanup_quotarealms_inodes(struct ceph_mds_client *mdsc) node = rb_first(&mdsc->quotarealms_inodes); qri = rb_entry(node, struct ceph_quotarealm_inode, node); rb_erase(node, &mdsc->quotarealms_inodes); - iput(qri->inode); + ceph_iput_async(qri->inode); kfree(qri); } mutex_unlock(&mdsc->quotarealms_inodes_mutex); diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c index c65f2b202b2b..19f097e79b3c 100644 --- a/fs/ceph/snap.c +++ b/fs/ceph/snap.c @@ -735,7 +735,7 @@ static void queue_realm_cap_snaps(struct ceph_mds_client *mdsc, if (!inode) continue; spin_unlock(&realm->inodes_with_caps_lock); - iput(lastinode); + ceph_iput_async(lastinode); lastinode = inode; /* @@ -762,7 +762,7 @@ static void queue_realm_cap_snaps(struct ceph_mds_client *mdsc, spin_lock(&realm->inodes_with_caps_lock); } spin_unlock(&realm->inodes_with_caps_lock); - iput(lastinode); + ceph_iput_async(lastinode); if (capsnap) kmem_cache_free(ceph_cap_snap_cachep, capsnap); @@ -955,7 +955,7 @@ static void flush_snaps(struct ceph_mds_client *mdsc) ihold(inode); spin_unlock(&mdsc->snap_flush_lock); ceph_flush_snaps(ci, &session); - iput(inode); + ceph_iput_async(inode); spin_lock(&mdsc->snap_flush_lock); } spin_unlock(&mdsc->snap_flush_lock); @@ -1116,12 +1116,12 @@ void ceph_handle_snap(struct ceph_mds_client *mdsc, ceph_get_snap_realm(mdsc, realm); ceph_change_snap_realm(inode, realm); spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); continue; skip_inode: spin_unlock(&ci->i_ceph_lock); - iput(inode); + ceph_iput_async(inode); } /* we may have taken some of the old realm's children. */ diff --git a/fs/ceph/super.h b/fs/ceph/super.h index cf176aab0f82..15c09b6c94aa 100644 --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -1085,6 +1085,13 @@ static inline void ceph_queue_flush_snaps(struct inode *inode) ceph_queue_inode_work(inode, CEPH_I_WORK_FLUSH_SNAPS); } +void ceph_iput_n_async(struct inode *inode, int n); + +static inline void ceph_iput_async(struct inode *inode) +{ + ceph_iput_n_async(inode, 1); +} + extern int ceph_try_to_choose_auth_mds(struct inode *inode, int mask); extern int __ceph_do_getattr(struct inode *inode, struct page *locked_page, int mask, bool force); -- 2.47.3

2 months

3
12
0 0

[PATCH 1/1] perf/x86/intel: Fix crash in icl_update_topdown_event()

by Angel Adetula

From: Kan Liang <kan.liang(a)linux.intel.com> [ Upstream commit b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed ] The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision 9660/0VJ762 RIP: 0010:native_read_pmc+0x7/0x40 Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... RSP: 000:fffb03100273de8 EFLAGS: 00010046 .... Call Trace: <TASK> icl_update_topdown_event+0x165/0x190 ? ktime_get+0x38/0xd0 intel_pmu_read_event+0xf9/0x210 __perf_event_read+0xf9/0x210 CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs. It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked. Fix it. Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/ Reported-by: Vince Weaver <vincent.weaver(a)maine.edu> Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Tested-by: Vince Weaver <vincent.weaver(a)maine.edu> Cc: stable(a)vger.kernel.org # v6.15+ Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com [ omitted PEBS check ] Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Angel Adetula <angeladetula(a)google.com> --- arch/x86/events/intel/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index 5e43d390f7a3..36d8404f406d 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -2793,7 +2793,7 @@ static void intel_pmu_read_event(struct perf_event *event) if (pmu_enabled) intel_pmu_disable_all(); - if (is_topdown_event(event)) + if (is_topdown_count(event)) static_call(intel_pmu_update_topdown_event)(event); else intel_pmu_drain_pebs_buffer(); -- 2.51.0.470.ga7dc726c21-goog

2 months

1
0
0 0

Linux 6.16.8

by Greg Kroah-Hartman

I'm announcing the release of the 6.16.8 kernel. All users of the 6.16 kernel series must upgrade. The updated 6.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.16.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/brcm,bcm7271-uart.yaml | 2 Documentation/netlink/specs/mptcp_pm.yaml | 2 Documentation/networking/can.rst | 2 Documentation/networking/mptcp.rst | 8 Makefile | 2 arch/arm64/kernel/machine_kexec_file.c | 2 arch/s390/kernel/kexec_elf.c | 2 arch/s390/kernel/kexec_image.c | 2 arch/s390/kernel/machine_kexec_file.c | 6 arch/s390/kernel/perf_cpum_cf.c | 4 arch/s390/kernel/perf_pai_crypto.c | 4 arch/s390/kernel/perf_pai_ext.c | 2 arch/x86/kernel/cpu/topology_amd.c | 25 block/fops.c | 13 drivers/cpufreq/amd-pstate.c | 19 drivers/cpufreq/intel_pstate.c | 4 drivers/dma/dw/rzn1-dmamux.c | 15 drivers/dma/idxd/init.c | 39 - drivers/dma/qcom/bam_dma.c | 8 drivers/dma/ti/edma.c | 4 drivers/edac/altera_edac.c | 1 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 11 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 drivers/gpu/drm/amd/amdgpu/isp_v4_1_1.c | 2 drivers/gpu/drm/amd/amdgpu/psp_v10_0.c | 4 drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 31 - drivers/gpu/drm/amd/amdgpu/psp_v11_0_8.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v12_0.c | 18 drivers/gpu/drm/amd/amdgpu/psp_v13_0.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v13_0_4.c | 25 drivers/gpu/drm/amd/amdgpu/psp_v14_0.c | 25 drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 12 drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 64 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 106 ++-- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 1 drivers/gpu/drm/amd/display/dc/dc.h | 1 drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 74 +- drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 2 drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 115 ---- drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c | 3 drivers/gpu/drm/amd/display/dc/inc/hw/pg_cntl.h | 1 drivers/gpu/drm/amd/display/dc/pg/dcn35/dcn35_pg_cntl.c | 78 +- drivers/gpu/drm/display/drm_dp_helper.c | 42 + drivers/gpu/drm/drm_edid.c | 232 ++++---- drivers/gpu/drm/i915/display/intel_display_power.c | 6 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 drivers/gpu/drm/panthor/panthor_drv.c | 2 drivers/gpu/drm/xe/tests/xe_bo.c | 2 drivers/gpu/drm/xe/tests/xe_dma_buf.c | 10 drivers/gpu/drm/xe/xe_bo.c | 16 drivers/gpu/drm/xe/xe_bo.h | 2 drivers/gpu/drm/xe/xe_device_types.h | 6 drivers/gpu/drm/xe/xe_dma_buf.c | 2 drivers/gpu/drm/xe/xe_exec.c | 9 drivers/gpu/drm/xe/xe_pm.c | 42 + drivers/gpu/drm/xe/xe_survivability_mode.c | 3 drivers/gpu/drm/xe/xe_vm.c | 42 + drivers/gpu/drm/xe/xe_vm.h | 2 drivers/gpu/drm/xe/xe_vm_types.h | 5 drivers/i2c/busses/i2c-i801.c | 2 drivers/i2c/busses/i2c-rtl9300.c | 22 drivers/input/joystick/xpad.c | 2 drivers/input/misc/iqs7222.c | 3 drivers/input/serio/i8042-acpipnpio.h | 14 drivers/iommu/intel/cache.c | 5 drivers/iommu/intel/iommu.c | 263 ++++++---- drivers/iommu/intel/iommu.h | 12 drivers/iommu/intel/nested.c | 4 drivers/iommu/intel/svm.c | 1 drivers/irqchip/irq-mvebu-gicp.c | 2 drivers/md/md.c | 6 drivers/mtd/nand/raw/atmel/nand-controller.c | 16 drivers/mtd/nand/raw/nuvoton-ma35d1-nand-controller.c | 4 drivers/mtd/nand/raw/stm32_fmc2_nand.c | 46 - drivers/mtd/nand/spi/core.c | 18 drivers/mtd/nand/spi/winbond.c | 80 ++- drivers/net/can/xilinx_can.c | 16 drivers/net/dsa/b53/b53_common.c | 17 drivers/net/ethernet/freescale/fec_main.c | 3 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 drivers/net/ethernet/intel/igb/igb_ethtool.c | 5 drivers/net/ethernet/intel/igb/igb_main.c | 3 drivers/net/ethernet/ti/icssg/icssg_prueth.c | 20 drivers/net/ethernet/wangxun/libwx/wx_hw.c | 4 drivers/net/macsec.c | 1 drivers/net/phy/phy.c | 12 drivers/net/phy/phylink.c | 28 - drivers/net/wireless/ath/ath12k/core.h | 1 drivers/net/wireless/ath/ath12k/dp_mon.c | 22 drivers/net/wireless/ath/ath12k/dp_rx.c | 11 drivers/net/wireless/ath/ath12k/hw.c | 55 ++ drivers/net/wireless/ath/ath12k/hw.h | 2 drivers/net/wireless/ath/ath12k/mac.c | 127 ++-- drivers/net/wireless/ath/ath12k/peer.c | 2 drivers/net/wireless/ath/ath12k/peer.h | 28 + drivers/net/wireless/ath/ath12k/wmi.c | 58 ++ drivers/net/wireless/ath/ath12k/wmi.h | 16 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 26 drivers/pci/controller/pci-mvebu.c | 21 drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 4 drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 25 drivers/phy/tegra/xusb-tegra210.c | 6 drivers/phy/ti/phy-omap-usb2.c | 13 drivers/phy/ti/phy-ti-pipe3.c | 13 drivers/regulator/sy7636a-regulator.c | 7 drivers/tty/hvc/hvc_console.c | 6 drivers/tty/serial/sc16is7xx.c | 14 drivers/usb/gadget/function/f_midi2.c | 11 drivers/usb/gadget/udc/dummy_hcd.c | 8 drivers/usb/host/xhci-dbgcap.c | 94 ++- drivers/usb/host/xhci-mem.c | 2 drivers/usb/serial/option.c | 17 drivers/usb/typec/tcpm/tcpm.c | 12 fs/btrfs/extent_io.c | 73 ++ fs/btrfs/inode.c | 12 fs/btrfs/qgroup.c | 6 fs/ceph/addr.c | 9 fs/ceph/debugfs.c | 14 fs/ceph/dir.c | 17 fs/ceph/file.c | 24 fs/ceph/inode.c | 88 ++- fs/ceph/mds_client.c | 172 +++--- fs/ceph/mds_client.h | 18 fs/coredump.c | 4 fs/erofs/data.c | 8 fs/erofs/fileio.c | 2 fs/erofs/fscache.c | 2 fs/erofs/inode.c | 8 fs/erofs/internal.h | 2 fs/erofs/super.c | 16 fs/erofs/zdata.c | 17 fs/erofs/zmap.c | 98 +-- fs/exec.c | 2 fs/fhandle.c | 8 fs/fuse/dev.c | 2 fs/fuse/file.c | 5 fs/fuse/passthrough.c | 5 fs/kernfs/file.c | 58 +- fs/nfs/client.c | 2 fs/nfs/file.c | 7 fs/nfs/flexfilelayout/flexfilelayout.c | 21 fs/nfs/inode.c | 4 fs/nfs/internal.h | 10 fs/nfs/io.c | 13 fs/nfs/localio.c | 12 fs/nfs/nfs42proc.c | 2 fs/nfs/nfs4file.c | 2 fs/nfs/nfs4proc.c | 7 fs/nfs/write.c | 1 fs/ocfs2/extent_map.c | 10 fs/proc/generic.c | 3 fs/resctrl/ctrlmondata.c | 2 fs/resctrl/internal.h | 4 fs/resctrl/monitor.c | 6 fs/smb/client/cifsglob.h | 13 fs/smb/client/file.c | 18 fs/smb/client/inode.c | 86 ++- fs/smb/client/smb2glob.h | 3 fs/smb/client/smb2inode.c | 204 ++++++- fs/smb/client/smb2ops.c | 32 + fs/smb/client/smb2proto.h | 3 fs/smb/client/trace.h | 9 include/drm/display/drm_dp_helper.h | 6 include/drm/drm_connector.h | 4 include/drm/drm_edid.h | 8 include/linux/compiler-clang.h | 29 - include/linux/energy_model.h | 10 include/linux/fs.h | 3 include/linux/kasan.h | 6 include/linux/mtd/spinand.h | 8 include/net/netfilter/nf_tables.h | 11 include/net/netfilter/nf_tables_core.h | 49 - include/net/netns/nftables.h | 1 include/uapi/linux/raid/md_p.h | 2 io_uring/rw.c | 3 kernel/bpf/Makefile | 1 kernel/bpf/core.c | 16 kernel/bpf/cpumap.c | 4 kernel/bpf/crypto.c | 2 kernel/bpf/helpers.c | 7 kernel/bpf/rqspinlock.c | 2 kernel/dma/debug.c | 48 + kernel/dma/debug.h | 20 kernel/dma/mapping.c | 4 kernel/events/core.c | 1 kernel/power/energy_model.c | 29 - kernel/power/hibernate.c | 1 kernel/time/hrtimer.c | 11 kernel/trace/fgraph.c | 3 kernel/trace/trace.c | 10 kernel/trace/trace_osnoise.c | 3 mm/damon/core.c | 4 mm/damon/lru_sort.c | 5 mm/damon/reclaim.c | 5 mm/damon/sysfs.c | 14 mm/hugetlb.c | 9 mm/kasan/shadow.c | 31 - mm/khugepaged.c | 4 mm/memory-failure.c | 20 mm/vmalloc.c | 8 net/bluetooth/hci_conn.c | 14 net/bluetooth/hci_event.c | 7 net/bluetooth/iso.c | 2 net/bridge/br.c | 7 net/can/j1939/bus.c | 5 net/can/j1939/j1939-priv.h | 1 net/can/j1939/main.c | 3 net/can/j1939/socket.c | 52 + net/ceph/messenger.c | 7 net/core/dev_ioctl.c | 22 net/hsr/hsr_device.c | 28 - net/hsr/hsr_main.c | 4 net/hsr/hsr_main.h | 3 net/ipv4/ip_tunnel_core.c | 6 net/ipv4/tcp_bpf.c | 5 net/mptcp/sockopt.c | 11 net/netfilter/nf_tables_api.c | 123 +++- net/netfilter/nft_dynset.c | 5 net/netfilter/nft_lookup.c | 67 +- net/netfilter/nft_objref.c | 5 net/netfilter/nft_set_bitmap.c | 14 net/netfilter/nft_set_hash.c | 54 -- net/netfilter/nft_set_pipapo.c | 214 ++------ net/netfilter/nft_set_pipapo_avx2.c | 27 - net/netfilter/nft_set_rbtree.c | 46 - net/netlink/genetlink.c | 3 net/sunrpc/sched.c | 2 net/sunrpc/xprtsock.c | 6 net/xdp/xsk.c | 113 +++- net/xdp/xsk_queue.h | 12 samples/ftrace/ftrace-direct-modify.c | 2 tools/testing/selftests/net/can/config | 3 234 files changed, 3151 insertions(+), 1712 deletions(-) Alan Stern (1): USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels Alex Deucher (3): Revert "drm/amdgpu: Add more checks to PSP mailbox" drm/amdgpu: fix a memory leak in fence cleanup when unloading drm/amd/display: use udelay rather than fsleep Alex Markuze (2): ceph: fix race condition validating r_parent before applying state ceph: fix race condition where r_parent becomes stale before sending message Alex Tran (1): docs: networking: can: change bcm_msg_head frames member to support flexible array Alexander Sverdlin (1): mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing Alok Tiwari (1): genetlink: fix genl_bind() invoking bind() after -EPERM Amir Goldstein (2): fhandle: use more consistent rules for decoding file handle from userns fuse: do not allow mapping a non-regular backing file Anders Roxell (1): dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Andreas Kemnade (1): regulator: sy7636a: fix lifecycle of power good gpio Anssi Hannula (1): can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB Antheas Kapenekakis (1): Input: xpad - add support for Flydigi Apex 5 Antoine Tenart (1): tunnels: reset the GSO metadata before reusing the skb Baochen Qiang (1): dma-debug: don't enforce dma mapping check on noncoherent allocations Boris Burkov (2): btrfs: fix squota compressed stats leak btrfs: use readahead_expand() on compressed extents Breno Leitao (2): arm64: kexec: initialize kexec_buf struct in load_other_segments() s390: kexec: initialize kexec_buf struct Carolina Jubran (1): net: dev_ioctl: take ops lock in hwtstamp lower paths Chen Ridong (1): kernfs: Fix UAF in polling when open file is released Chia-I Wu (1): drm/panthor: validate group queue count Chiasheng Lee (1): i2c: i801: Hide Intel Birch Stream SoC TCO WDT Christian Brauner (1): coredump: don't pointlessly check and spew warnings Christoffer Sandberg (1): Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table Christoph Hellwig (2): fs: add a FMODE_ flag to indicate IOCB_HAS_METADATA availability block: don't silently ignore metadata for sync read/write Christophe JAILLET (1): mtd: rawnand: nuvoton: Fix an error handling path in ma35_nand_chips_init() Christophe Kerello (2): mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer mtd: rawnand: stm32_fmc2: fix ECC overwrite Dan Carpenter (2): irqchip/mvebu-gicp: Fix an IS_ERR() vs NULL check in probe() dmaengine: idxd: Fix double free in idxd_setup_wqs() Daniel Borkmann (1): bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt David Rosca (2): drm/amdgpu/vcn: Allow limiting ctx to instance 0 for AV1 at any time drm/amdgpu/vcn4: Fix IB parsing with multiple engine info packages Davide Caratti (1): selftests: can: enable CONFIG_CAN_VCAN as a module Edward Adam Davis (1): fuse: Block access to folio overlimit Fabian Vogt (1): tty: hvc_console: Call hvc_kick in hvc_write unconditionally Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FN990A w/audio compositions USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions Fangzhi Zuo (1): drm/amd/display: Disable DPCD Probe Quirk Florian Westphal (11): netfilter: nft_set_bitmap: fix lockdep splat due to missing annotation netfilter: nft_set_pipapo: remove unused arguments netfilter: nft_set: remove one argument from lookup and update functions netfilter: nft_set_pipapo: merge pipapo_get/lookup netfilter: nft_set_pipapo: don't return bogus extension pointer netfilter: nft_set_pipapo: don't check genbit from packetpath lookups netfilter: nft_set_rbtree: continue traversal if element is inactive netfilter: nf_tables: place base_seq in struct net netfilter: nf_tables: make nft_set_do_lookup available unconditionally netfilter: nf_tables: restart set lookup on base_seq change netfilter: nft_set_pipapo: fix null deref for empty set Gao Xiang (4): erofs: get rid of {get,put}_page() for ztailpacking data erofs: remove need_kmap in erofs_read_metabuf() erofs: unify meta buffers in z_erofs_fill_inode() erofs: fix invalid algorithm for encoded extents Gautham R. Shenoy (1): cpufreq/amd-pstate: Fix setting of CPPC.min_perf in active mode for performance governor Geoffrey McRae (1): drm/amd/display: remove oem i2c adapter on finish Greg Kroah-Hartman (1): Linux 6.16.8 Guenter Roeck (1): trace/fgraph: Fix error handling Hangbin Liu (3): hsr: use rtnl lock when iterating over ports hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr hsr: hold rcu and dev lock for hsr_get_port_ndev Hugo Villeneuve (1): serial: sc16is7xx: fix bug in flow control levels init Ilya Dryomov (1): libceph: fix invalid accesses to ceph_connection_v1_info Imre Deak (3): drm/edid: Define the quirks in an enum list drm/edid: Add support for quirks visible to DRM core and drivers drm/dp: Add an EDID quirk for the DPCD register access probe Jani Nikula (1): drm/i915/power: fix size for for_each_set_bit() in abox iteration Jason Gunthorpe (3): iommu/vt-d: Split intel_iommu_domain_alloc_paging_flags() iommu/vt-d: Create unique domain ops for each stage iommu/vt-d: Split paging_domain_compatible() Jeff LaBundy (1): Input: iqs7222 - avoid enabling unused interrupts Jeongjun Park (1): mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() Jesper Dangaard Brouer (1): bpf, cpumap: Disable page_pool direct xdp_return need larger scope Jiawen Wu (1): net: libwx: fix to enable RSS Johan Hovold (4): drm/mediatek: fix potential OF node use-after-free phy: tegra: xusb: fix device and OF node leak at probe phy: ti: omap-usb2: fix device leak at unbind phy: ti-pipe3: fix device leak at unbind Johannes Berg (1): wifi: iwlwifi: fix 130/1030 configs Jonas Gorski (1): net: dsa: b53: fix ageing time for BCM53101 Jonas Jelonek (3): i2c: rtl9300: fix channel number bound check i2c: rtl9300: ensure data length is within supported range i2c: rtl9300: remove broken SMBus Quick operation support Jonathan Curley (1): NFSv4/flexfiles: Fix layout merge mirror check. Justin Worrell (1): SUNRPC: call xs_sock_process_cmsg for all cmsg K Prateek Nayak (1): x86/cpu/topology: Always try cpu_parse_topology_ext() on AMD/Hygon KaFai Wan (1): bpf: Allow fall back to interpreter for programs with stack size <= 512 Kan Liang (1): perf: Fix the POLL_HUP delivery breakage Klaus Kudielka (1): PCI: mvebu: Fix use of for_each_of_range() iterator Kohei Enju (1): igb: fix link test skipping when interface is admin down Krister Johansen (1): mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN Krzysztof Kozlowski (1): dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks Kumar Kartikeya Dwivedi (1): rqspinlock: Choose trylock fallback for NMI waiters Kuniyuki Iwashima (1): tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. Kyle Meyer (1): mm/memory-failure: fix redundant updates for already poisoned pages Lu Baolu (1): iommu/vt-d: Make iotlb_sync_map a static property of dmar_domain Luiz Augusto von Dentz (3): Bluetooth: hci_conn: Fix not cleaning up Broadcaster/Broadcast Source Bluetooth: hci_conn: Fix running bis_cleanup for hci_conn->type PA_LINK Bluetooth: ISO: Fix getname not returning broadcast fields Luo Gengkun (1): tracing: Fix tracing_marker may trigger page fault during preempt_disable Maciej Fijalkowski (1): xsk: Fix immature cq descriptor production Mario Limonciello (1): drm/amd/display: Destroy cached state in complete() callback Mario Limonciello (AMD) (2): cpufreq/amd-pstate: Fix a regression leading to EPP 0 after resume drm/amd/display: Drop dm_prepare_suspend() and dm_complete() Mark Tinguely (1): ocfs2: fix recursive semaphore deadlock in fiemap call Mathias Nyman (3): xhci: dbc: decouple endpoint allocation from initialization xhci: dbc: Fix full DbC transfer ring after several reconnects xhci: fix memory leak regression when freeing xhci vdev devices depth first Matthieu Baerts (NGI0) (2): doc: mptcp: net.mptcp.pm_type is deprecated netlink: specs: mptcp: fix if-idx attribute type Max Kellermann (2): ceph: always call ceph_shift_unused_folios_left() ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error Miaohe Lin (1): mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory Miaoqian Lin (1): dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate Miaoqing Pan (2): wifi: ath12k: Fix missing station power save configuration wifi: ath12k: fix WMI TLV header misalignment Michal Schmidt (1): i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path Michal Wajdeczko (1): drm/xe/configfs: Don't touch survivability_mode on fini Miklos Szeredi (2): fuse: check if copy_file_range() returns larger than requested size fuse: prevent overflow in copy_file_range return value Miquel Raynal (2): mtd: spinand: Add a ->configure_chip() hook mtd: spinand: winbond: Enable high-speed modes on w25n0xjw Nathan Chancellor (1): compiler-clang.h: define __SANITIZE_*__ macros only when undefined Oleksij Rempel (1): net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups Omar Sandoval (1): btrfs: fix subvolume deletion lockup caused by inodes xarray race Ovidiu Bunea (1): drm/amd/display: Correct sequences and delays for DCN35 PG & RCG Paolo Abeni (1): Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" Paulo Alcantara (2): smb: client: fix compound alignment with encryption smb: client: fix data loss due to broken rename(2) Peilin Ye (1): bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init() Pengyu Luo (1): phy: qualcomm: phy-qcom-eusb2-repeater: fix override properties Petr Machata (1): net: bridge: Bounce invalid boolopts Phil Sutter (1): netfilter: nf_tables: Reintroduce shortened deletion notifications Pratap Nirujogi (1): drm/amd/amdgpu: Declare isp firmware binary file Pu Lehui (1): tracing: Silence warning when chunk allocation fails in trace_pid_write Qu Wenruo (1): btrfs: fix corruption reading compressed range when block size is smaller than page size Quanmin Yan (2): mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() RD Babiera (1): usb: typec: tcpm: properly deliver cable vdms to altmode drivers Rafael J. Wysocki (2): PM: EM: Add function for registering a PD without capacity update PM: hibernate: Restrict GFP mask in hibernation_snapshot() Reinette Chatre (1): fs/resctrl: Eliminate false positive lockdep warning when reading SNC counters Salah Triki (1): EDAC/altera: Delete an inappropriate dma_free_coherent() call Sang-Heon Jeon (1): mm/damon/core: set quota->charged_from to jiffies at first charge window Santhosh Kumar K (1): mtd: spinand: winbond: Fix oob_layout for W25N01JW Sarika Sharma (1): wifi: ath12k: add link support for multi-link in arsta Scott Mayhew (1): nfs/localio: restore creds before releasing pageio data Sriram R (1): wifi: ath12k: Add support to enqueue management frame at MLD level Stanislav Fomichev (1): macsec: sync features on RTM_NEWLINK Stanislav Fort (1): mm/damon/sysfs: fix use-after-free in state_show() Stefan Wahren (1): net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() Stephan Gerhold (2): dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees phy: qcom: qmp-pcie: Fix PHY initialization when powered down by firmware Takashi Iwai (2): usb: gadget: midi2: Fix missing UMP group attributes initialization usb: gadget: midi2: Fix MIDI2 IN EP max packet size Tetsuo Handa (3): can: j1939: implement NETDEV_UNREGISTER notification handler can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails Thomas Hellström (3): drm/xe: Attempt to bring bos back to VRAM after eviction drm/xe: Allow the pm notifier to continue on failure drm/xe: Block exec and rebind worker while evicting for suspend / hibernate Thomas Richter (2): s390/pai: Deny all events not handled by this PMU s390/cpum_cf: Deny all sampling events by counter PMU Tianyu Xu (1): igb: Fix NULL pointer dereference in ethtool loopback test Tigran Mkrtchyan (1): flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read Trond Myklebust (10): NFSv4: Don't clear capabilities that won't be reset NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set NFSv4: Clear NFS_CAP_OPEN_XOR and NFS_CAP_DELEGTIME if not supported NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server NFS: Serialise O_DIRECT i/o and truncate() NFSv4.2: Serialise O_DIRECT i/o and fallocate() NFSv4.2: Serialise O_DIRECT i/o and clone range NFSv4.2: Serialise O_DIRECT i/o and copy range NFS: nfs_invalidate_folio() must observe the offset and size arguments Revert "SUNRPC: Don't allow waiting for exiting tasks" Uladzislau Rezki (Sony) (1): mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() Vladimir Oltean (2): net: phylink: add lock for serializing concurrent pl->phydev writes with resolver net: phy: transfer phy_config_inband() locking responsibility to phylink Vladimir Riabchun (1): ftrace/samples: Fix function size computation Wang Liang (1): tracing/osnoise: Fix null-ptr-deref in bitmap_parselist() Wei Yang (1): mm/khugepaged: fix the address passed to notifier on testing young Xiao Ni (1): md: keep recovery_cp in mdp_superblock_s Xiongfeng Wang (1): hrtimers: Unconditionally update target CPU base after offline timer migration Yi Sun (2): dmaengine: idxd: Remove improper idxd_free dmaengine: idxd: Fix refcount underflow on module unload Yuezhang Mo (1): erofs: fix runtime warning on truncate_folio_batch_exceptionals() wangzijie (1): proc: fix type confusion in pde_set_flags()

2 months

1
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror