Linux-stable-mirror

linux-stable-mirror@lists.linaro.org

3 participants
123729 discussions

Re: [PATCH] net: usb: sr9700: fix incorrect command used to write single register

by kernel test robot

Hi, Thanks for your patch. FYI: kernel test robot notices the stable kernel rule is not satisfied. The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html#opt… Rule: add the tag "Cc: stable(a)vger.kernel.org" in the sign-off area to have the patch automatically included in the stable tree. Subject: [PATCH] net: usb: sr9700: fix incorrect command used to write single register Link: https://lore.kernel.org/stable/20251221072732.41426-1-enelsonmoore%40gmail.… -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 week, 3 days

[PATCH] mfd: qcom-pm8xxx: fix OF populate on driver rebind

by Johan Hovold

Since commit c6e126de43e7 ("of: Keep track of populated platform devices") child devices will not be created by of_platform_populate() if the devices had previously been deregistered individually so that the OF_POPULATED flag is still set in the corresponding OF nodes. Switch to using of_platform_depopulate() instead of open coding so that the child devices are created if the driver is rebound. Fixes: c6e126de43e7 ("of: Keep track of populated platform devices") Cc: stable(a)vger.kernel.org # 3.16 Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/mfd/qcom-pm8xxx.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/drivers/mfd/qcom-pm8xxx.c b/drivers/mfd/qcom-pm8xxx.c index 1149f7102a36..0cf374c015ce 100644 --- a/drivers/mfd/qcom-pm8xxx.c +++ b/drivers/mfd/qcom-pm8xxx.c @@ -577,17 +577,11 @@ static int pm8xxx_probe(struct platform_device *pdev) return rc; } -static int pm8xxx_remove_child(struct device *dev, void *unused) -{ - platform_device_unregister(to_platform_device(dev)); - return 0; -} - static void pm8xxx_remove(struct platform_device *pdev) { struct pm_irq_chip *chip = platform_get_drvdata(pdev); - device_for_each_child(&pdev->dev, NULL, pm8xxx_remove_child); + of_platform_depopulate(&pdev->dev); irq_domain_remove(chip->irqdomain); } -- 2.51.2

1 week, 3 days

+ fix-amdgpu-failure-with-periodic-signal.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: AMDGPU: fix failure with periodic signal has been added to the -mm mm-hotfixes-unstable branch. Its filename is fix-amdgpu-failure-with-periodic-signal.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via various branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there most days ------------------------------------------------------ From: Mikulas Patocka <mpatocka(a)redhat.com> Subject: AMDGPU: fix failure with periodic signal Date: Fri, 7 Nov 2025 18:48:01 +0100 (CET) If a process sets up a timer that periodically sends a signal in short intervals and if it uses OpenCL on AMDGPU at the same time, we get random errors. Sometimes, probing the OpenCL device fails (strace shows that open("/dev/kfd") failed with -EINTR). Sometimes we get the message "amdgpu: init_user_pages: Failed to register MMU notifier: -4" in the syslog. The bug can be reproduced with this program: http://www.jikos.cz/~mikulas/testcases/opencl/opencl-bug-small.c The root cause for these failures is in the function mm_take_all_locks. This function fails with -EINTR if there is pending signal. The -EINTR is propagated up the call stack to userspace and userspace fails if it gets this error. There is the following call chain: kfd_open -> kfd_create_process -> create_process -> mmu_notifier_get -> mmu_notifier_get_locked -> __mmu_notifier_register -> mm_take_all_locks -> "return -EINTR" If the failure happens in init_user_pages, there is the following call chain: init_user_pages -> amdgpu_hmm_register -> mmu_interval_notifier_insert -> mmu_notifier_register -> __mmu_notifier_register -> mm_take_all_locks -> "return -EINTR" In order to fix these failures, this commit changes signal_pending(current) to fatal_signal_pending(current) in mm_take_all_locks, so that it is interrupted only if the signal is actually killing the process. Also, this commit skips pr_err in init_user_pages if the process is being killed - in this situation, there was no error and so we don't want to report it in the syslog. I'm submitting this patch for the stable kernels, because this bug may cause random failures in any OpenCL code. Link: https://lkml.kernel.org/r/6f16b618-26fc-3031-abe8-65c2090262e7@redhat.com Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Cc: Alexander Deucher <alexander.deucher(a)amd.com> Cc: Christan K��nig <christian.koenig(a)amd.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: "Liam R. Howlett" <Liam.Howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Jann Horn <jannh(a)google.com> Cc: Pedro Falcato <pfalcato(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 9 +++++++-- mm/vma.c | 8 ++++---- 2 files changed, 11 insertions(+), 6 deletions(-) --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c~fix-amdgpu-failure-with-periodic-signal +++ a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c @@ -1070,8 +1070,13 @@ static int init_user_pages(struct kgd_me ret = amdgpu_hmm_register(bo, user_addr); if (ret) { - pr_err("%s: Failed to register MMU notifier: %d\n", - __func__, ret); + /* + * If we got EINTR because the process was killed, don't report + * it, because no error happened. + */ + if (!(fatal_signal_pending(current) && ret == -EINTR)) + pr_err("%s: Failed to register MMU notifier: %d\n", + __func__, ret); goto out; } --- a/mm/vma.c~fix-amdgpu-failure-with-periodic-signal +++ a/mm/vma.c @@ -2166,14 +2166,14 @@ int mm_take_all_locks(struct mm_struct * * is reached. */ for_each_vma(vmi, vma) { - if (signal_pending(current)) + if (fatal_signal_pending(current)) goto out_unlock; vma_start_write(vma); } vma_iter_init(&vmi, mm, 0); for_each_vma(vmi, vma) { - if (signal_pending(current)) + if (fatal_signal_pending(current)) goto out_unlock; if (vma->vm_file && vma->vm_file->f_mapping && is_vm_hugetlb_page(vma)) @@ -2182,7 +2182,7 @@ int mm_take_all_locks(struct mm_struct * vma_iter_init(&vmi, mm, 0); for_each_vma(vmi, vma) { - if (signal_pending(current)) + if (fatal_signal_pending(current)) goto out_unlock; if (vma->vm_file && vma->vm_file->f_mapping && !is_vm_hugetlb_page(vma)) @@ -2191,7 +2191,7 @@ int mm_take_all_locks(struct mm_struct * vma_iter_init(&vmi, mm, 0); for_each_vma(vmi, vma) { - if (signal_pending(current)) + if (fatal_signal_pending(current)) goto out_unlock; if (vma->anon_vma) list_for_each_entry(avc, &vma->anon_vma_chain, same_vma) _ Patches currently in -mm which might be from mpatocka(a)redhat.com are fix-amdgpu-failure-with-periodic-signal.patch

1 week, 4 days

+ mm-page_owner-fix-memory-leak-in-page_owner_stack_fops-release.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/page_owner: fix memory leak in page_owner_stack_fops->release() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-page_owner-fix-memory-leak-in-page_owner_stack_fops-release.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via various branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there most days ------------------------------------------------------ From: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Subject: mm/page_owner: fix memory leak in page_owner_stack_fops->release() Date: Fri, 19 Dec 2025 07:42:32 +0000 The page_owner_stack_fops->open() callback invokes seq_open_private(), therefore its corresponding ->release() callback must call seq_release_private(). Otherwise it will cause a memory leak of struct stack_print_ctx. Link: https://lkml.kernel.org/r/20251219074232.136482-1-ranxiaokai627@163.com Fixes: 765973a098037 ("mm,page_owner: display all stacks and their count") Signed-off-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Acked-by: Michal Hocko <mhocko(a)suse.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Brendan Jackman <jackmanb(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Marco Elver <elver(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_owner.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/page_owner.c~mm-page_owner-fix-memory-leak-in-page_owner_stack_fops-release +++ a/mm/page_owner.c @@ -952,7 +952,7 @@ static const struct file_operations page .open = page_owner_stack_open, .read = seq_read, .llseek = seq_lseek, - .release = seq_release, + .release = seq_release_private, }; static int page_owner_threshold_get(void *data, u64 *val) _ Patches currently in -mm which might be from ran.xiaokai(a)zte.com.cn are mm-page_owner-fix-memory-leak-in-page_owner_stack_fops-release.patch

1 week, 4 days

+ mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/memory-failure: fix missing ->mf_stats count in hugetlb poison has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via various branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there most days ------------------------------------------------------ From: Jane Chu <jane.chu(a)oracle.com> Subject: mm/memory-failure: fix missing ->mf_stats count in hugetlb poison Date: Fri, 19 Dec 2025 12:15:58 -0700 When a newly poisoned subpage ends up in an already poisoned hugetlb folio, 'num_poisoned_pages' is incremented, but the per node ->mf_stats is not. Fix the inconsistency by designating action_result() to update them both. While at it, define __get_huge_page_for_hwpoison() return values in terms of symbol names for better readibility. Also rename folio_set_hugetlb_hwpoison() to hugetlb_update_hwpoison() since the function does more than the conventional bit setting and the fact three possible return values are expected. Link: https://lkml.kernel.org/r/20251219191559.2962716-1-jane.chu@oracle.com Fixes: 18f41fa616ee4 ("mm: memory-failure: bump memory failure stats to pglist_data") Signed-off-by: Jane Chu <jane.chu(a)oracle.com> Cc: "David Hildenbrand (Red Hat)" <david(a)kernel.org> Cc: David Rientjes <rientjes(a)google.com> Cc: Jiaqi Yan <jiaqiyan(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: William Roche <william.roche(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory-failure.c | 56 ++++++++++++++++++++++++------------------ 1 file changed, 33 insertions(+), 23 deletions(-) --- a/mm/memory-failure.c~mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison +++ a/mm/memory-failure.c @@ -1883,12 +1883,18 @@ static unsigned long __folio_free_raw_hw return count; } -static int folio_set_hugetlb_hwpoison(struct folio *folio, struct page *page) +#define MF_HUGETLB_ALREADY_POISONED 3 /* already poisoned */ +#define MF_HUGETLB_ACC_EXISTING_POISON 4 /* accessed existing poisoned page */ +/* + * Set hugetlb folio as hwpoisoned, update folio private raw hwpoison list + * to keep track of the poisoned pages. + */ +static int hugetlb_update_hwpoison(struct folio *folio, struct page *page) { struct llist_head *head; struct raw_hwp_page *raw_hwp; struct raw_hwp_page *p; - int ret = folio_test_set_hwpoison(folio) ? -EHWPOISON : 0; + int ret = folio_test_set_hwpoison(folio) ? MF_HUGETLB_ALREADY_POISONED : 0; /* * Once the hwpoison hugepage has lost reliable raw error info, @@ -1896,20 +1902,18 @@ static int folio_set_hugetlb_hwpoison(st * so skip to add additional raw error info. */ if (folio_test_hugetlb_raw_hwp_unreliable(folio)) - return -EHWPOISON; + return MF_HUGETLB_ALREADY_POISONED; + head = raw_hwp_list_head(folio); llist_for_each_entry(p, head->first, node) { if (p->page == page) - return -EHWPOISON; + return MF_HUGETLB_ACC_EXISTING_POISON; } raw_hwp = kmalloc(sizeof(struct raw_hwp_page), GFP_ATOMIC); if (raw_hwp) { raw_hwp->page = page; llist_add(&raw_hwp->node, head); - /* the first error event will be counted in action_result(). */ - if (ret) - num_poisoned_pages_inc(page_to_pfn(page)); } else { /* * Failed to save raw error info. We no longer trace all @@ -1955,32 +1959,30 @@ void folio_clear_hugetlb_hwpoison(struct folio_free_raw_hwp(folio, true); } +#define MF_HUGETLB_FREED 0 /* freed hugepage */ +#define MF_HUGETLB_IN_USED 1 /* in-use hugepage */ +#define MF_NOT_HUGETLB 2 /* not a hugepage */ + /* * Called from hugetlb code with hugetlb_lock held. - * - * Return values: - * 0 - free hugepage - * 1 - in-use hugepage - * 2 - not a hugepage - * -EBUSY - the hugepage is busy (try to retry) - * -EHWPOISON - the hugepage is already hwpoisoned */ int __get_huge_page_for_hwpoison(unsigned long pfn, int flags, bool *migratable_cleared) { struct page *page = pfn_to_page(pfn); struct folio *folio = page_folio(page); - int ret = 2; /* fallback to normal page handling */ + int ret = MF_NOT_HUGETLB; bool count_increased = false; + int rc; if (!folio_test_hugetlb(folio)) goto out; if (flags & MF_COUNT_INCREASED) { - ret = 1; + ret = MF_HUGETLB_IN_USED; count_increased = true; } else if (folio_test_hugetlb_freed(folio)) { - ret = 0; + ret = MF_HUGETLB_FREED; } else if (folio_test_hugetlb_migratable(folio)) { ret = folio_try_get(folio); if (ret) @@ -1991,8 +1993,9 @@ int __get_huge_page_for_hwpoison(unsigne goto out; } - if (folio_set_hugetlb_hwpoison(folio, page)) { - ret = -EHWPOISON; + rc = hugetlb_update_hwpoison(folio, page); + if (rc >= MF_HUGETLB_ALREADY_POISONED) { + ret = rc; goto out; } @@ -2029,22 +2032,29 @@ static int try_memory_failure_hugetlb(un *hugetlb = 1; retry: res = get_huge_page_for_hwpoison(pfn, flags, &migratable_cleared); - if (res == 2) { /* fallback to normal page handling */ + switch (res) { + case MF_NOT_HUGETLB: /* fallback to normal page handling */ *hugetlb = 0; return 0; - } else if (res == -EHWPOISON) { + case MF_HUGETLB_ALREADY_POISONED: + case MF_HUGETLB_ACC_EXISTING_POISON: if (flags & MF_ACTION_REQUIRED) { folio = page_folio(p); res = kill_accessing_process(current, folio_pfn(folio), flags); } - action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED); + if (res == MF_HUGETLB_ALREADY_POISONED) + action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED); + else + action_result(pfn, MF_MSG_HUGE, MF_FAILED); return res; - } else if (res == -EBUSY) { + case -EBUSY: if (!(flags & MF_NO_RETRY)) { flags |= MF_NO_RETRY; goto retry; } return action_result(pfn, MF_MSG_GET_HWPOISON, MF_IGNORED); + default: + break; } folio = page_folio(p); _ Patches currently in -mm which might be from jane.chu(a)oracle.com are mm-memory-failure-fix-missing-mf_stats-count-in-hugetlb-poison.patch

1 week, 4 days

[PATCH] PNP: add put_device() in pnpbios_init()

by Haoxiang Li

If pnp_register_protocol() fails, call put_device() to drop the device reference. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/pnp/pnpbios/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/pnp/pnpbios/core.c b/drivers/pnp/pnpbios/core.c index f7e86ae9f72f..997e0153d6e3 100644 --- a/drivers/pnp/pnpbios/core.c +++ b/drivers/pnp/pnpbios/core.c @@ -538,6 +538,7 @@ static int __init pnpbios_init(void) /* register with the pnp layer */ ret = pnp_register_protocol(&pnpbios_protocol); if (ret) { + put_device(&pnpbios_protocol.dev) printk(KERN_ERR "PnPBIOS: Unable to register driver. Aborting.\n"); return ret; -- 2.25.1

1 week, 4 days

[PATCH 0/2] block/blk-mq: fix RT kernel performance regressions

by Ionut Nechita (WindRiver)

From: Ionut Nechita <ionut.nechita(a)windriver.com> This series addresses two critical performance regressions in the block layer multiqueue (blk-mq) subsystem when running on PREEMPT_RT kernels. On RT kernels, regular spinlocks are converted to sleeping rt_mutex locks, which can cause severe performance degradation in the I/O hot path. This series converts two problematic locking patterns to prevent IRQ threads from sleeping during I/O operations. Testing on MegaRAID 12GSAS controller with 8 MSI-X vectors shows: - v6.6.52-rt (before regression): 640 MB/s sequential read - v6.6.64-rt (regression introduced): 153 MB/s (-76% regression) - v6.6.68-rt with queue_lock fix only: 640 MB/s (performance restored) - v6.6.69-rt with both fixes: expected similar or better performance The first patch replaces queue_lock with memory barriers in the I/O completion hot path, eliminating the contention that caused IRQ threads to sleep. The second patch converts the global blk_mq_cpuhp_lock from mutex to raw_spinlock to prevent sleeping during CPU hotplug operations. Both conversions are safe because the protected code paths only perform fast, non-blocking operations (memory barriers, list/hlist manipulation, flag checks). Ionut Nechita (2): block/blk-mq: fix RT kernel regression with queue_lock in hot path block/blk-mq: convert blk_mq_cpuhp_lock to raw_spinlock for RT block/blk-mq.c | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) -- 2.52.0

1 week, 4 days

[PATCH v2] net: dsa: Fix error handling in dsa_port_parse_of

by Ma Ke

When of_find_net_device_by_node() successfully acquires a reference to a network device but the subsequent call to dsa_port_parse_cpu() fails, dsa_port_parse_of() returns without releasing the reference count on the network device. of_find_net_device_by_node() increments the reference count of the returned structure, which should be balanced with a corresponding put_device() when the reference is no longer needed. Found by code review. Cc: stable(a)vger.kernel.org Fixes: deff710703d8 ("net: dsa: Allow default tag protocol to be overridden from DT") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - simplified the patch as suggestions; - modified the Fixes tag as suggestions. --- net/dsa/dsa.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c index a20efabe778f..31b409a47491 100644 --- a/net/dsa/dsa.c +++ b/net/dsa/dsa.c @@ -1247,6 +1247,7 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn) struct device_node *ethernet = of_parse_phandle(dn, "ethernet", 0); const char *name = of_get_property(dn, "label", NULL); bool link = of_property_read_bool(dn, "link"); + int err = 0; dp->dn = dn; @@ -1260,7 +1261,11 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn) return -EPROBE_DEFER; user_protocol = of_get_property(dn, "dsa-tag-protocol", NULL); - return dsa_port_parse_cpu(dp, conduit, user_protocol); + err = dsa_port_parse_cpu(dp, conduit, user_protocol); + if (err) + put_device(conduit); + + return err; } if (link) -- 2.17.1

1 week, 4 days

[PATCH] scsi: be2iscsi: fix a memory leak in beiscsi_boot_get_sinfo()

by Haoxiang Li

If nonemb_cmd->va fails to be allocated, call free_mcc_wrb() to restore the impact caused by alloc_mcc_wrb(). Fixes: 50a4b824be9e ("scsi: be2iscsi: Fix to make boot discovery non-blocking") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/scsi/be2iscsi/be_mgmt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c index 4e899ec1477d..b1cba986f0fb 100644 --- a/drivers/scsi/be2iscsi/be_mgmt.c +++ b/drivers/scsi/be2iscsi/be_mgmt.c @@ -1025,6 +1025,7 @@ unsigned int beiscsi_boot_get_sinfo(struct beiscsi_hba *phba) &nonemb_cmd->dma, GFP_KERNEL); if (!nonemb_cmd->va) { + free_mcc_wrb(ctrl, tag); mutex_unlock(&ctrl->mbox_lock); return 0; } -- 2.25.1

1 week, 4 days

[PATCH] iommu/io-pgtable-arm: fix size_t signedness bug in unmap path

by Chaitanya Kulkarni

__arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning "nothing unmapped") is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions. Fixes: 3318f7b5cefb ("iommu/io-pgtable-arm: Add quirk to quiet WARN_ON()") Cc: stable(a)vger.kernel.org Signed-off-by: Chaitanya Kulkarni <ckulkarnilinux(a)gmail.com> --- drivers/iommu/io-pgtable-arm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c index e6626004b323..05d63fe92e43 100644 --- a/drivers/iommu/io-pgtable-arm.c +++ b/drivers/iommu/io-pgtable-arm.c @@ -637,7 +637,7 @@ static size_t __arm_lpae_unmap(struct arm_lpae_io_pgtable *data, pte = READ_ONCE(*ptep); if (!pte) { WARN_ON(!(data->iop.cfg.quirks & IO_PGTABLE_QUIRK_NO_WARN)); - return -ENOENT; + return 0; } /* If the size matches this level, we're in the right place */ -- 2.40.0

1 week, 4 days

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror