- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] i2c: stm32f7: unmap DMA mapped buffer" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 6aae87fe7f180cd93a74466cdb6cf2aa9bb28798 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072104-bacteria-resend-dcff@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6aae87fe7f180cd93a74466cdb6cf2aa9bb28798 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Le=20Goffic?= <clement.legoffic(a)foss.st.com> Date: Fri, 4 Jul 2025 10:39:15 +0200 Subject: [PATCH] i2c: stm32f7: unmap DMA mapped buffer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Before each I2C transfer using DMA, the I2C buffer is DMA'pped to make sure the memory buffer is DMA'able. This is handle in the function `stm32_i2c_prep_dma_xfer()`. If the transfer fails for any reason the I2C buffer must be unmap. Use the dma_callback to factorize the code and fix this issue. Note that the `stm32f7_i2c_dma_callback()` is now called in case of DMA transfer success and error and that the `complete()` on the dma_complete completion structure is done inconditionnally in case of transfer success or error as well as the `dmaengine_terminate_async()`. This is allowed as a `complete()` in case transfer error has no effect as well as a `dmaengine_terminate_async()` on a transfer success. Also fix the unneeded cast and remove not more needed variables. Fixes: 7ecc8cfde553 ("i2c: i2c-stm32f7: Add DMA support") Signed-off-by: Clément Le Goffic <clement.legoffic(a)foss.st.com> Cc: <stable(a)vger.kernel.org> # v4.18+ Acked-by: Alain Volmat <alain.volmat(a)foss.st.com> Signed-off-by: Andi Shyti <andi.shyti(a)kernel.org> Link: https://lore.kernel.org/r/20250704-i2c-upstream-v4-2-84a095a2c728@foss.st.c… diff --git a/drivers/i2c/busses/i2c-stm32f7.c b/drivers/i2c/busses/i2c-stm32f7.c index 817d081460c2..73a7b8894c0d 100644 --- a/drivers/i2c/busses/i2c-stm32f7.c +++ b/drivers/i2c/busses/i2c-stm32f7.c @@ -739,10 +739,11 @@ static void stm32f7_i2c_disable_dma_req(struct stm32f7_i2c_dev *i2c_dev) static void stm32f7_i2c_dma_callback(void *arg) { - struct stm32f7_i2c_dev *i2c_dev = (struct stm32f7_i2c_dev *)arg; + struct stm32f7_i2c_dev *i2c_dev = arg; struct stm32_i2c_dma *dma = i2c_dev->dma; stm32f7_i2c_disable_dma_req(i2c_dev); + dmaengine_terminate_async(dma->chan_using); dma_unmap_single(i2c_dev->dev, dma->dma_buf, dma->dma_len, dma->dma_data_dir); complete(&dma->dma_complete); @@ -1510,7 +1511,6 @@ static irqreturn_t stm32f7_i2c_handle_isr_errs(struct stm32f7_i2c_dev *i2c_dev, u16 addr = f7_msg->addr; void __iomem *base = i2c_dev->base; struct device *dev = i2c_dev->dev; - struct stm32_i2c_dma *dma = i2c_dev->dma; /* Bus error */ if (status & STM32F7_I2C_ISR_BERR) { @@ -1551,10 +1551,8 @@ static irqreturn_t stm32f7_i2c_handle_isr_errs(struct stm32f7_i2c_dev *i2c_dev, } /* Disable dma */ - if (i2c_dev->use_dma) { - stm32f7_i2c_disable_dma_req(i2c_dev); - dmaengine_terminate_async(dma->chan_using); - } + if (i2c_dev->use_dma) + stm32f7_i2c_dma_callback(i2c_dev); i2c_dev->master_mode = false; complete(&i2c_dev->complete); @@ -1600,7 +1598,6 @@ static irqreturn_t stm32f7_i2c_isr_event_thread(int irq, void *data) { struct stm32f7_i2c_dev *i2c_dev = data; struct stm32f7_i2c_msg *f7_msg = &i2c_dev->f7_msg; - struct stm32_i2c_dma *dma = i2c_dev->dma; void __iomem *base = i2c_dev->base; u32 status, mask; int ret; @@ -1619,10 +1616,8 @@ static irqreturn_t stm32f7_i2c_isr_event_thread(int irq, void *data) dev_dbg(i2c_dev->dev, "<%s>: Receive NACK (addr %x)\n", __func__, f7_msg->addr); writel_relaxed(STM32F7_I2C_ICR_NACKCF, base + STM32F7_I2C_ICR); - if (i2c_dev->use_dma) { - stm32f7_i2c_disable_dma_req(i2c_dev); - dmaengine_terminate_async(dma->chan_using); - } + if (i2c_dev->use_dma) + stm32f7_i2c_dma_callback(i2c_dev); f7_msg->result = -ENXIO; } @@ -1640,8 +1635,7 @@ static irqreturn_t stm32f7_i2c_isr_event_thread(int irq, void *data) ret = wait_for_completion_timeout(&i2c_dev->dma->dma_complete, HZ); if (!ret) { dev_dbg(i2c_dev->dev, "<%s>: Timed out\n", __func__); - stm32f7_i2c_disable_dma_req(i2c_dev); - dmaengine_terminate_async(dma->chan_using); + stm32f7_i2c_dma_callback(i2c_dev); f7_msg->result = -ETIMEDOUT; } }

3 months, 3 weeks

3
13
0 0

[PATCH 5.4.y 0/8] Backport CVE-2022-4269 fix to stable kernel v5.4.y

by skulkarni＠mvista.com

From: Shubham Kulkarni <skulkarni(a)mvista.com> Hi Greg/All, This patch series backports the fix for CVE-2022-4269 along with its 7 dependency commits to 5.4 stable kernel. These patches are already part of the next stable kernel v5.10.y and I have referred to those commits to generate this series for v5.4. [CVE-2022-4269 - kernel: net: CPU soft lockup in TC mirred egress-to-ingress action] Patch 1: Dependency Patch #1 - mainline commit c8ecebd04cbb (v5.5-rc1) Patch 2: Dependency Patch #2 - mainline commit 5e1ad95b630e (v5.5-rc1) Patch 3: Dependency Patch #3 - mainline commit 26b537a88ca5 (v5.5-rc1) Patch 4: Dependency Patch #4 - mainline commit ef816f3c49c1 (v5.5-rc1) Patch 5: Dependency Patch #5 - mainline commit 075c8aa79d54 (v5.8-rc1) Patch 6: Dependency Patch #6 - v5.10.y commit bba7ebe10baf (v5.10.181) Patch 7: Dependency Patch #7 - v5.10.y commit f5bf8e3ca13e (v5.10.181) Patch 8: CVE-2022-4269 fix - v5.10.y commit 532451037863 (v5.10.181) --- Davide Caratti (2): net/sched: act_mirred: better wording on protection against excessive stack growth act_mirred: use the backlog for nested calls to mirred ingress Jiri Pirko (1): selftests: forwarding: tc_actions.sh: add matchall mirror test Vlad Buslov (4): net: sched: extract common action counters update code into function net: sched: extract bstats update code into function net: sched: extract qstats update code into functions net: sched: don't expose action qstats to skb_tc_reinsert() wenxu (1): net/sched: act_mirred: refactor the handle of xmit include/net/act_api.h | 25 +++++++ include/net/sch_generic.h | 13 ---- net/sched/act_api.c | 14 ++++ net/sched/act_csum.c | 4 +- net/sched/act_ct.c | 10 +-- net/sched/act_gact.c | 14 +--- net/sched/act_mirred.c | 55 ++++++++------ net/sched/act_police.c | 5 +- net/sched/act_tunnel_key.c | 2 +- net/sched/act_vlan.c | 9 +-- .../selftests/net/forwarding/tc_actions.sh | 72 ++++++++++++++++--- 11 files changed, 150 insertions(+), 73 deletions(-) -- 2.25.1

3 months, 3 weeks

4
19
0 0

[PATCH 6.6] arm64: kaslr: fix nokaslr cmdline parsing

by Chen Ridong

From: Chen Ridong <chenridong(a)huawei.com> Currently, when the command line contains "nokaslrxxx", it was incorrectly treated as a request to disable KASLR virtual memory. However, the behavior is different from physical address handling. This issue exists before the commit af73b9a2dd39 ("arm64: kaslr: Use feature override instead of parsing the cmdline again"). This patch fixes the parsing logic for the 'nokaslr' command line argument. Only the exact strings, 'nokaslr', will disable KASLR. Other inputs such as 'xxnokaslr', 'xxnokaslrxx', or 'xxnokaslr=xx' will not disable KASLR. Fixes: f80fb3a3d508 ("arm64: add support for kernel ASLR") Signed-off-by: Chen Ridong <chenridong(a)huawei.com> --- arch/arm64/kernel/pi/kaslr_early.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/arm64/kernel/pi/kaslr_early.c b/arch/arm64/kernel/pi/kaslr_early.c index 17bff6e399e4..731d0a3f1a89 100644 --- a/arch/arm64/kernel/pi/kaslr_early.c +++ b/arch/arm64/kernel/pi/kaslr_early.c @@ -35,9 +35,14 @@ static char *__strstr(const char *s1, const char *s2) static bool cmdline_contains_nokaslr(const u8 *cmdline) { const u8 *str; + size_t len = strlen("nokaslr"); + const char *after = cmdline + len; str = __strstr(cmdline, "nokaslr"); - return str == cmdline || (str > cmdline && *(str - 1) == ' '); + if ((str == cmdline || (str > cmdline && *(str - 1) == ' ')) && + (*after == ' ' || *after == '\0')) + return true; + return false; } static bool is_kaslr_disabled_cmdline(void *fdt) -- 2.34.1

3 months, 3 weeks

3
2
0 0

[PATCH v3] mm: slub: avoid deref of free pointer in sanity checks if object is invalid

by Li Qiong

For debugging, object_err() prints free pointer of the object. However, if check_valid_pointer() returns false for a object, dereferncing `object + s->offset` can lead to a crash. Therefore, print the object's address in such cases. Fixes: bb192ed9aa71 ("mm/slub: Convert most struct page to struct slab by spatch") Cc: <stable(a)vger.kernel.org> Signed-off-by: Li Qiong <liqiong(a)nfschina.com> --- v2: - rephrase the commit message, add comment for object_err(). v3: - check object pointer in object_err(). --- mm/slub.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/mm/slub.c b/mm/slub.c index 31e11ef256f9..d3abae5a2193 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -1104,7 +1104,11 @@ static void object_err(struct kmem_cache *s, struct slab *slab, return; slab_bug(s, reason); - print_trailer(s, slab, object); + if (!check_valid_pointer(s, slab, object)) { + print_slab_info(slab); + pr_err("invalid object 0x%p\n", object); + } else + print_trailer(s, slab, object); add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); WARN_ON(1); @@ -1587,7 +1591,7 @@ static inline int alloc_consistency_checks(struct kmem_cache *s, return 0; if (!check_valid_pointer(s, slab, object)) { - object_err(s, slab, object, "Freelist Pointer check fails"); + slab_err(s, slab, "Freelist Pointer(0x%p) check fails", object); return 0; } -- 2.30.2

3 months, 3 weeks

3
4
0 0

"stack state/frame" and "jump dest instruction" errors (was Re: Linux 6.16)

by Alan J. Wylie

#regzbot introduced: 6.15.8..6.16 Linus Torvalds <torvalds(a)linux-foundation.org> writes: > It's Sunday afternoon, and the release cycle has come to an end. Last > week was nice and calm, and there were no big show-stopper surprises > to keep us from the regular schedule, so I've tagged and pushed out > 6.16 as planned. Even after a "make mrproper" and "git clean -fxd" I'm seeing lots of warnings and errors. can't find jump dest instruction stack state mismatch return with modified stack frame objtool: can't decode instruction can't find starting instruction gcc (Gentoo Hardened 14.3.0 p8) 14.3.0 I selected "Y" to the new config option "X86_NATIVE_CPU" CPU is AMD FX-8350 .config attached The build is fine on a cross-compile of a minimal kernel for an Intel Atom server. Possibly related to https://lore.kernel.org/lkml/5263a182e608408bf42dc1ed12bc43dee9598ac9.17509… LD [M] arch/x86/events/amd/amd-uncore.o arch/x86/events/amd/amd-uncore.o: warning: objtool: amd_uncore_df_ctx_scan+0x54: can't find jump dest instruction at .text+0x1b6 make[5]: *** [scripts/Makefile.build:502: arch/x86/events/amd/amd-uncore.o] Error 255 make[5]: *** Deleting file 'arch/x86/events/amd/amd-uncore.o' make[4]: *** [scripts/Makefile.build:555: arch/x86/events/amd] Error 2 make[3]: *** [scripts/Makefile.build:555: arch/x86/events] Error 2 make[3]: *** Waiting for unfinished jobs.... CC fs/pidfs.o crypto/cmac.o: warning: objtool: crypto_cmac_digest_setkey+0xc2: stack state mismatch: cfa1=4+32 cfa2=4+24 CC [M] sound/core/device.o crypto/md4.o: warning: objtool: md4_final+0xd1: return with modified stack frame LD [M] block/bfq.o block/bfq.o: warning: objtool: bfq_timeout_sync_store+0x42: can't find jump dest instruction at .text+0x10f9 make[3]: *** [scripts/Makefile.build:502: block/bfq.o] Error 255 make[3]: *** Deleting file 'block/bfq.o' make[2]: *** [scripts/Makefile.build:555: block] Error 2 make[2]: *** Waiting for unfinished jobs.... CC arch/x86/kernel/acpi/madt_wakeup.o crypto/wp512.o: warning: objtool: wp512_init+0x58: return with modified stack frame crypto/wp512.o: warning: objtool: wp512_process_buffer+0x149: stack state mismatch: cfa1=4+288 cfa2=4-352 CC [M] sound/core/vmaster.o crypto/blake2b_generic.o: warning: objtool: crypto_blake2b_setkey+0x68: return with modified stack frame crypto/blake2b_generic.o: warning: objtool: crypto_blake2b_finup.constprop.0.isra.0+0x132: return with modified stack frame CC drivers/pci/pcie/err.o crypto/ccm.o: warning: objtool: crypto_ccm_init_crypt+0x1b6: stack state mismatch: cfa1=4+56 cfa2=4+48 crypto/ccm.o: warning: objtool: crypto_ccm_auth+0x45e: return with modified stack frame CC drivers/pci/pcie/pme.o crypto/cryptd.o: warning: objtool: cryptd_enqueue_request+0x89: can't find jump dest instruction at .text+0x94c make[3]: *** [scripts/Makefile.build:287: crypto/cryptd.o] Error 255 make[3]: *** Deleting file 'crypto/cryptd.o' make[2]: *** [scripts/Makefile.build:555: crypto] Error 2 LD [M] sound/core/snd.o sound/core/snd.o: warning: objtool: snd_ctl_open+0x10c: can't find jump dest instruction at .text+0x47c6 make[4]: *** [scripts/Makefile.build:502: sound/core/snd.o] Error 255 make[4]: *** Deleting file 'sound/core/snd.o' make[4]: *** Waiting for unfinished jobs.... LD [M] sound/core/oss/snd-mixer-oss.o sound/core/oss/snd-mixer-oss.o: warning: objtool: mixer_slot_clear+0x4c: return with modified stack frame CC lib/crypto/mpi/mpi-mod.o sound/core/oss/snd-pcm-oss.o: warning: objtool: mulaw_decode+0xf9: can't find jump dest instruction at .text+0x722b make[5]: *** [scripts/Makefile.build:502: sound/core/oss/snd-pcm-oss.o] Error 255 make[5]: *** Deleting file 'sound/core/oss/snd-pcm-oss.o' make[4]: *** [scripts/Makefile.build:555: sound/core/oss] Error 2 CC arch/x86/kernel/smpboot.o drivers/char/ipmi/ipmi_msghandler.o: warning: objtool: ipmi_set_gets_events+0x155: can't find jump dest instruction at .text+0x21c8 make[4]: *** [scripts/Makefile.build:287: drivers/char/ipmi/ipmi_msghandler.o] Error 255 make[4]: *** Deleting file 'drivers/char/ipmi/ipmi_msghandler.o' make[3]: *** [scripts/Makefile.build:555: drivers/char/ipmi] Error 2 make[3]: *** Waiting for unfinished jobs.... CC kernel/entry/kvm.o lib/crypto/gf128mul.o: warning: objtool: gf128mul_init_64k_bbe+0x94: stack state mismatch: cfa1=5+16 cfa2=4+8 CC [M] sound/core/seq/oss/seq_oss_event.o make[2]: *** [scripts/Makefile.build:555: drivers] Error 2 LD [M] sound/core/seq/snd-seq.o sound/core/seq/snd-seq.o: warning: objtool: snd_seq_open+0xd7: can't find jump dest instruction at .text+0x2224 make[5]: *** [scripts/Makefile.build:502: sound/core/seq/snd-seq.o] Error 255 make[5]: *** Deleting file 'sound/core/seq/snd-seq.o' make[5]: *** Waiting for unfinished jobs.... LD [M] lib/crypto/libdes.o lib/crypto/libdes.o: warning: objtool: des3_ede_encrypt+0x86: can't find jump dest instruction at .text+0xcb8 make[4]: *** [scripts/Makefile.build:502: lib/crypto/libdes.o] Error 255 make[4]: *** Deleting file 'lib/crypto/libdes.o' make[3]: *** [scripts/Makefile.build:555: lib/crypto] Error 2 make[2]: *** [scripts/Makefile.build:555: lib] Error 2 LD [M] sound/core/seq/oss/snd-seq-oss.o sound/core/seq/oss/snd-seq-oss.o: warning: objtool: alloc_seq_queue+0xc7: return with modified stack frame sound/core/seq/oss/snd-seq-oss.o: warning: objtool: delete_seq_queue.isra.0+0xb5: return with modified stack frame sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_synth_info_user+0xb7: return with modified stack frame sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_midi_info_user+0xa5: return with modified stack frame sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_process_event+0x73c: stack state mismatch: cfa1=4+72 cfa2=4+64 sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_write+0x77: stack state mismatch: cfa1=4+120 cfa2=4+112 sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_synth_setup+0x14c: return with modified stack frame sound/core/seq/oss/snd-seq-oss.o: warning: objtool: snd_seq_oss_synth_make_info+0x17d: stack state mismatch: cfa1=4+160 cfa2=4+152 make[4]: *** [scripts/Makefile.build:555: sound/core/seq] Error 2 make[3]: *** [scripts/Makefile.build:555: sound/core] Error 2 make[3]: *** Waiting for unfinished jobs.... LD [M] sound/pci/hda/snd-hda-codec.o sound/pci/hda/snd-hda-codec.o: error: objtool: can't decode instruction at .text:0xbf1c make[5]: *** [scripts/Makefile.build:502: sound/pci/hda/snd-hda-codec.o] Error 255 make[5]: *** Deleting file 'sound/pci/hda/snd-hda-codec.o' make[4]: *** [scripts/Makefile.build:555: sound/pci/hda] Error 2 make[3]: *** [scripts/Makefile.build:555: sound/pci] Error 2 make[2]: *** [scripts/Makefile.build:555: sound] Error 2 CC fs/ext4/mballoc.o fs/binfmt_misc.o: warning: objtool: load_misc_binary+0xf4: can't find jump dest instruction at .text+0xf07 make[3]: *** [scripts/Makefile.build:287: fs/binfmt_misc.o] Error 255 make[3]: *** Deleting file 'fs/binfmt_misc.o' make[3]: *** Waiting for unfinished jobs.... LD [M] fs/cramfs/cramfs.o fs/cramfs/cramfs.o: warning: objtool: cramfs_blkdev_fill_super+0x2b2: return with modified stack frame AR arch/x86/kernel/built-in.a make[2]: *** [scripts/Makefile.build:555: arch/x86] Error 2 LD [M] fs/configfs/configfs.o fs/configfs/configfs.o: error: objtool: configfs_create_link(): can't find starting instruction make[4]: *** [scripts/Makefile.build:502: fs/configfs/configfs.o] Error 255 make[4]: *** Deleting file 'fs/configfs/configfs.o' make[3]: *** [scripts/Makefile.build:555: fs/configfs] Error 2 AR fs/ext4/built-in.a make[2]: *** [scripts/Makefile.build:555: fs] Error 2 AR kernel/built-in.a make[1]: *** [/work/src.git/linux/Makefile:2003: .] Error 2 make: *** [Makefile:248: __sub-make] Error 2 -- Alan J. Wylie https://www.wylie.me.uk/ mailto:<alan(a)wylie.me.uk> Dance like no-one's watching. / Encrypt like everyone is. Security is inversely proportional to convenience

3 months, 3 weeks

4
4
0 0

[PATCH 6.12.y] mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma

by Jakub Acs

From: Liu Shixin <liushixin2(a)huawei.com> commit f1897f2f08b28ae59476d8b73374b08f856973af upstream. syzkaller reported such a BUG_ON(): ------------[ cut here ]------------ kernel BUG at mm/khugepaged.c:1835! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP ... CPU: 6 UID: 0 PID: 8009 Comm: syz.15.106 Kdump: loaded Tainted: G W 6.13.0-rc6 #22 Tainted: [W]=WARN Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : collapse_file+0xa44/0x1400 lr : collapse_file+0x88/0x1400 sp : ffff80008afe3a60 ... Call trace: collapse_file+0xa44/0x1400 (P) hpage_collapse_scan_file+0x278/0x400 madvise_collapse+0x1bc/0x678 madvise_vma_behavior+0x32c/0x448 madvise_walk_vmas.constprop.0+0xbc/0x140 do_madvise.part.0+0xdc/0x2c8 __arm64_sys_madvise+0x68/0x88 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 This indicates that the pgoff is unaligned. After analysis, I confirm the vma is mapped to /dev/zero. Such a vma certainly has vm_file, but it is set to anonymous by mmap_zero(). So even if it's mmapped by 2m-unaligned, it can pass the check in thp_vma_allowable_order() as it is an anonymous-mmap, but then be collapsed as a file-mmap. It seems the problem has existed for a long time, but actually, since we have khugepaged_max_ptes_none check before, we will skip collapse it as it is /dev/zero and so has no present page. But commit d8ea7cc8547c limit the check for only khugepaged, so the BUG_ON() can be triggered by madvise_collapse(). Add vma_is_anonymous() check to make such vma be processed by hpage_collapse_scan_pmd(). Link: https://lkml.kernel.org/r/20250111034511.2223353-1-liushixin2@huawei.com Fixes: d8ea7cc8547c ("mm/khugepaged: add flag to predicate khugepaged-only behavior") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Reviewed-by: Yang Shi <yang(a)os.amperecomputing.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Mattew Wilcox <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [acsjakub: backport, clean apply] Cc: Jakub Acs <acsjakub(a)amazon.de> Cc: linux-mm(a)kvack.org --- Ran into the crash with syzkaller, backporting this patch works - the reproducer no longer crashes. Please let me know if there was a reason not to backport. mm/khugepaged.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index b538c3d48386..abd5764e4864 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -2404,7 +2404,7 @@ static unsigned int khugepaged_scan_mm_slot(unsigned int pages, int *result, VM_BUG_ON(khugepaged_scan.address < hstart || khugepaged_scan.address + HPAGE_PMD_SIZE > hend); - if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) { + if (IS_ENABLED(CONFIG_SHMEM) && !vma_is_anonymous(vma)) { struct file *file = get_file(vma->vm_file); pgoff_t pgoff = linear_page_index(vma, khugepaged_scan.address); @@ -2750,7 +2750,7 @@ int madvise_collapse(struct vm_area_struct *vma, struct vm_area_struct **prev, mmap_assert_locked(mm); memset(cc->node_load, 0, sizeof(cc->node_load)); nodes_clear(cc->alloc_nmask); - if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) { + if (IS_ENABLED(CONFIG_SHMEM) && !vma_is_anonymous(vma)) { struct file *file = get_file(vma->vm_file); pgoff_t pgoff = linear_page_index(vma, addr); -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

3 months, 3 weeks

3
3
0 0

[PATCH v2 6.1.y] mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma

by Jakub Acs

From: Liu Shixin <liushixin2(a)huawei.com> commit f1897f2f08b28ae59476d8b73374b08f856973af upstream. syzkaller reported such a BUG_ON(): ------------[ cut here ]------------ kernel BUG at mm/khugepaged.c:1835! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP ... CPU: 6 UID: 0 PID: 8009 Comm: syz.15.106 Kdump: loaded Tainted: G W 6.13.0-rc6 #22 Tainted: [W]=WARN Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : collapse_file+0xa44/0x1400 lr : collapse_file+0x88/0x1400 sp : ffff80008afe3a60 ... Call trace: collapse_file+0xa44/0x1400 (P) hpage_collapse_scan_file+0x278/0x400 madvise_collapse+0x1bc/0x678 madvise_vma_behavior+0x32c/0x448 madvise_walk_vmas.constprop.0+0xbc/0x140 do_madvise.part.0+0xdc/0x2c8 __arm64_sys_madvise+0x68/0x88 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x34/0x128 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x190/0x198 This indicates that the pgoff is unaligned. After analysis, I confirm the vma is mapped to /dev/zero. Such a vma certainly has vm_file, but it is set to anonymous by mmap_zero(). So even if it's mmapped by 2m-unaligned, it can pass the check in thp_vma_allowable_order() as it is an anonymous-mmap, but then be collapsed as a file-mmap. It seems the problem has existed for a long time, but actually, since we have khugepaged_max_ptes_none check before, we will skip collapse it as it is /dev/zero and so has no present page. But commit d8ea7cc8547c limit the check for only khugepaged, so the BUG_ON() can be triggered by madvise_collapse(). Add vma_is_anonymous() check to make such vma be processed by hpage_collapse_scan_pmd(). Link: https://lkml.kernel.org/r/20250111034511.2223353-1-liushixin2@huawei.com Fixes: d8ea7cc8547c ("mm/khugepaged: add flag to predicate khugepaged-only behavior") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Reviewed-by: Yang Shi <yang(a)os.amperecomputing.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Mattew Wilcox <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: Qi Zheng <zhengqi.arch(a)bytedance.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [acsjakub: backport, clean apply] Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: linux-mm(a)kvack.org --- v1 -> v2: fix missing sign-off Ran into the crash with syzkaller, backporting this patch works - the reproducer no longer crashes. Please let me know if there was a reason not to backport. mm/khugepaged.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index b538c3d48386..abd5764e4864 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -2404,7 +2404,7 @@ static unsigned int khugepaged_scan_mm_slot(unsigned int pages, int *result, VM_BUG_ON(khugepaged_scan.address < hstart || khugepaged_scan.address + HPAGE_PMD_SIZE > hend); - if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) { + if (IS_ENABLED(CONFIG_SHMEM) && !vma_is_anonymous(vma)) { struct file *file = get_file(vma->vm_file); pgoff_t pgoff = linear_page_index(vma, khugepaged_scan.address); @@ -2750,7 +2750,7 @@ int madvise_collapse(struct vm_area_struct *vma, struct vm_area_struct **prev, mmap_assert_locked(mm); memset(cc->node_load, 0, sizeof(cc->node_load)); nodes_clear(cc->alloc_nmask); - if (IS_ENABLED(CONFIG_SHMEM) && vma->vm_file) { + if (IS_ENABLED(CONFIG_SHMEM) && !vma_is_anonymous(vma)) { struct file *file = get_file(vma->vm_file); pgoff_t pgoff = linear_page_index(vma, addr); -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

3 months, 3 weeks

1
0
0 0

[PATCH 1/2] ALSA: hda/realtek - Fix mute LED for HP Victus 16-s0xxx

by edip＠medip.dev

From: Edip Hazuri <edip(a)medip.dev> The mute led on this laptop is using ALC245 but requires a quirk to work This patch enables the existing quirk for the device. Tested on Victus 16-S0063NT Laptop. The LED behaviour works as intended. Cc: <stable(a)vger.kernel.org> Signed-off-by: Edip Hazuri <edip(a)medip.dev> --- sound/hda/codecs/realtek/alc269.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c index 05019fa732..77322ff8a6 100644 --- a/sound/hda/codecs/realtek/alc269.c +++ b/sound/hda/codecs/realtek/alc269.c @@ -6528,6 +6528,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8bbe, "HP Victus 16-r0xxx (MB 8BBE)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8bc8, "HP Victus 15-fa1xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8bcd, "HP Omen 16-xd0xxx", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8bd4, "HP Victus 16-s0xxx (MB 8BD4)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), SND_PCI_QUIRK(0x103c, 0x8bdd, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8bde, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8bdf, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2), -- 2.50.1

3 months, 3 weeks

2
2
0 0

[PATCH 5.4.y 0/3] Backport series: "permit write-sealed memfd read-only shared mappings"

by Isaac J. Manjarres

Hello, Until kernel version 6.7, a write-sealed memfd could not be mapped as shared and read-only. This was clearly a bug, and was not inline with the description of F_SEAL_WRITE in the man page for fcntl()[1]. Lorenzo's series [2] fixed that issue and was merged in kernel version 6.7, but was not backported to older kernels. So, this issue is still present on kernels 5.4, 5.10, 5.15, 6.1, and 6.6. This series backports Lorenzo's series to the 5.4 kernel. [1] https://man7.org/linux/man-pages/man2/fcntl.2.html [2] https://lore.kernel.org/all/913628168ce6cce77df7d13a63970bae06a526e0.169711… Lorenzo Stoakes (3): mm: drop the assumption that VM_SHARED always implies writable mm: update memfd seal write check to include F_SEAL_WRITE mm: perform the mapping_map_writable() check after call_mmap() fs/hugetlbfs/inode.c | 2 +- include/linux/fs.h | 4 ++-- include/linux/mm.h | 26 +++++++++++++++++++------- kernel/fork.c | 2 +- mm/filemap.c | 2 +- mm/madvise.c | 2 +- mm/mmap.c | 26 ++++++++++++++++---------- mm/shmem.c | 2 +- 8 files changed, 42 insertions(+), 24 deletions(-) -- 2.50.1.552.g942d659e1b-goog

3 months, 4 weeks

4
8
0 0

[PATCH 6.1] HID: mcp2221: Set driver data before I2C adapter add

by Sumanth Gavini

The process of adding an I2C adapter can invoke I2C accesses on that new adapter (see i2c_detect()). Ensure we have set the adapter's driver data to avoid null pointer dereferences in the xfer functions during the adapter add. This has been noted in the past and the same fix proposed but not completed. See: https://lore.kernel.org/lkml/ef597e73-ed71-168e-52af-0d19b03734ac@vigem.de/ Signed-off-by: Hamish Martin <hamish.martin(a)alliedtelesis.co.nz> Signed-off-by: Jiri Kosina <jkosina(a)suse.cz> Signed-off-by: Sumanth Gavini <sumanth.gavini(a)yahoo.com> --- drivers/hid/hid-mcp2221.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c index de52e9f7bb8c..9973545c1c4b 100644 --- a/drivers/hid/hid-mcp2221.c +++ b/drivers/hid/hid-mcp2221.c @@ -873,12 +873,12 @@ static int mcp2221_probe(struct hid_device *hdev, "MCP2221 usb-i2c bridge on hidraw%d", ((struct hidraw *)hdev->hidraw)->minor); + i2c_set_adapdata(&mcp->adapter, mcp); ret = i2c_add_adapter(&mcp->adapter); if (ret) { hid_err(hdev, "can't add usb-i2c adapter: %d\n", ret); goto err_i2c; } - i2c_set_adapdata(&mcp->adapter, mcp); /* Setup GPIO chip */ mcp->gc = devm_kzalloc(&hdev->dev, sizeof(*mcp->gc), GFP_KERNEL); -- 2.43.0

3 months, 4 weeks

3
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror