* [PATCH 5.15 000/644] 5.15.190-rc1 review
@ 2025-08-26 11:01 Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 001/644] phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode Greg Kroah-Hartman
` (649 more replies)
0 siblings, 650 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, achill
This is the start of the stable review cycle for the 5.15.190 release.
There are 644 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 28 Aug 2025 11:08:21 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.190-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.15.190-rc1
Mikhail Lobanov <m.lobanov@rosa.ru>
wifi: mac80211: check basic rates validity in sta_link_apply_parameters
Florian Westphal <fw@strlen.de>
netfilter: nf_reject: don't leak dst refcount for loopback packets
Peter Oberparleiter <oberpar@linux.ibm.com>
s390/hypfs: Enable limited access during lockdown
Peter Oberparleiter <oberpar@linux.ibm.com>
s390/hypfs: Avoid unnecessary ioctl registration in debugfs
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation
Hangbin Liu <liuhangbin@gmail.com>
bonding: update LACP activity flag after setting lacp_active
William Liu <will@willsroot.io>
net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate
William Liu <will@willsroot.io>
net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
ValdikSS <iam@valdikss.org.ru>
igc: fix disabling L1.2 PCI-E link substate on I226 on init
Jason Xing <kernelxing@tencent.com>
ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc
Yuichiro Tsuji <yuichtsu@amazon.com>
net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization
Horatiu Vultur <horatiu.vultur@microchip.com>
phy: mscc: Fix timestamping for vsc8584
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
net: phy: Use netif_rx().
Qingfang Deng <dqfext@gmail.com>
ppp: fix race conditions in ppp_fill_forward_path
Minhong He <heminhong@kylinos.cn>
ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add
Chenyuan Yang <chenyuan0y@gmail.com>
drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()
Dan Carpenter <dan.carpenter@linaro.org>
ALSA: usb-audio: Fix size validation in convert_chmap_v3()
Baihan Li <libaihan@huawei.com>
drm/hisilicon/hibmc: fix the hibmc loaded failed bug
Ido Schimmel <idosch@nvidia.com>
mlxsw: spectrum: Forward packets with an IPv4 link-local source IP
Kees Cook <kees@kernel.org>
iommu/amd: Avoid stack buffer overflow from kernel cmdline
Dan Carpenter <dan.carpenter@linaro.org>
scsi: qla4xxx: Prevent a potential error pointer dereference
Wang Liang <wangliang74@huawei.com>
net: bridge: fix soft lockup in br_multicast_query_expired()
Anantha Prabhu <anantha.prabhu@broadcom.com>
RDMA/bnxt_re: Fix to initialize the PBL array
Waiman Long <longman@redhat.com>
cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key
Feng Tang <feng.tang@intel.com>
mm/page_alloc: detect allocation forbidden by cpuset and bail out early
Tianxiang Peng <txpeng@tencent.com>
x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper
Jinjiang Tu <tujinjiang@huawei.com>
mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn
Jonathan Cameron <Jonathan.Cameron@huawei.com>
iio: light: as73211: Ensure buffer holes are zeroed
Pu Lehui <pulehui@huawei.com>
tracing: Limit access to parser->buffer when trace_get_user failed
Steven Rostedt <rostedt@goodmis.org>
tracing: Remove unneeded goto out logic
Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
iio: imu: inv_icm42600: change invalid data error to -EBUSY
Weitao Wang <WeitaoWang-oc@zhaoxin.com>
usb: xhci: Fix slot_id resource race conflict
Jan Beulich <jbeulich@suse.com>
compiler: remove __ADDRESSABLE_ASM{_STR,}() again
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: pm: check flush doesn't reset limits
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: mediatek: Fix duty and period setting
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: mediatek: Handle hardware enable and clock enable separately
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
pwm: mediatek: Implement .apply() callback
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers
André Draszik <andre.draszik@linaro.org>
scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
David Lechner <dlechner@baylibre.com>
iio: adc: ad_sigma_delta: change to buffer predisable
Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
soc: qcom: mdt_loader: Ensure we don't read past the ELF header
Johan Hovold <johan+linaro@kernel.org>
wifi: ath11k: fix dest ring-buffer corruption when ring is full
Kefeng Wang <wangkefeng.wang@huawei.com>
asm-generic: Add memory barrier dma_mb()
Marco Elver <elver@google.com>
locking/barriers, kcsan: Support generic instrumentation
Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
media: venus: protect against spurious interrupts during probe
Dikshita Agarwal <quic_dikshita@quicinc.com>
media: venus: Add support for SSR trigger using fault injection
Sasha Levin <sashal@kernel.org>
media: qcom: camss: cleanup media device allocated resource on error path
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
media: camss: Convert to platform remove callback returning void
Chao Yu <chao@kernel.org>
f2fs: fix to avoid out-of-boundary access in dnode page
Imre Deak <imre.deak@intel.com>
drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
Geliang Tang <tanggeliang@kylinos.cn>
mptcp: disable add_addr retransmission when timeout is 0
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Don't overclock DCE 6 by 15%
Selvarasu Ganesan <selvarasu.g@samsung.com>
usb: dwc3: Remove WARN_ON for device endpoint command timeouts
Kuen-Han Tsai <khtsai@google.com>
usb: dwc3: Ignore late xferNotReady event to prevent halt timeout
Zenm Chen <zenmchen@gmail.com>
USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles
Thorsten Blum <thorsten.blum@linux.dev>
usb: storage: realtek_cr: Use correct byte order for bcs->Residue
Mael GUERIN <mael.guerin@murena.io>
USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera
Marek Vasut <marek.vasut+renesas@mailbox.org>
usb: renesas-xhci: Fix External ROM access timeouts
Xu Yang <xu.yang_2@nxp.com>
usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test
Ian Abbott <abbotti@mev.co.uk>
comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
Edward Adam Davis <eadavis@qq.com>
comedi: pcl726: Prevent invalid irq number
Ian Abbott <abbotti@mev.co.uk>
comedi: Make insn_rw_emulate_bits() do insn->n samples
Miao Li <limiao@kylinos.cn>
usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive
Miaoqian Lin <linmq006@gmail.com>
most: core: Drop device reference after usage in get_channel()
David Lechner <dlechner@baylibre.com>
iio: proximity: isl29501: fix buffered read on big-endian systems
Salah Triki <salah.triki@gmail.com>
iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe()
Steven Rostedt <rostedt@goodmis.org>
ftrace: Also allocate and copy hash for reading of filter files
Xu Yilun <yilun.xu@linux.intel.com>
fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable()
Al Viro <viro@zeniv.linux.org.uk>
use uniform permission checks for all mount propagation changes
Ye Bin <yebin10@huawei.com>
fs/buffer: fix use-after-free when call bh_read() helper
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Fix DP audio DTO1 clock source on DCE 6.
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3
Mario Limonciello <mario.limonciello@amd.com>
drm/amd/display: Avoid a NULL pointer dereference
Evgeniy Harchenko <evgeniyharchenko.dev@gmail.com>
ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6
Herton R. Krzesinski <herton@redhat.com>
mm/debug_vm_pgtable: clear page table entries at destroy_args()
Phillip Lougher <phillip@squashfs.org.uk>
squashfs: fix memory leak in squashfs_fill_super
Victor Shih <victor.shih@genesyslogic.com.tw>
mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency
Jiayi Li <lijiayi@kylinos.cn>
memstick: Fix deadlock by moving removing flag earlier
Will Deacon <will@kernel.org>
KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix
Adrian Hunter <adrian.hunter@intel.com>
scsi: ufs: ufs-pci: Fix default runtime and system PM levels
Archana Patni <archana.patni@intel.com>
scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers
Paolo Abeni <pabeni@redhat.com>
mptcp: do not queue data on closed subflows
Geliang Tang <geliang.tang@suse.com>
mptcp: drop unused sk in mptcp_push_release
Mat Martineau <mathew.j.martineau@linux.intel.com>
selftests: mptcp: Initialize variables to quiet gcc 12 warnings
Paolo Abeni <pabeni@redhat.com>
mptcp: introduce MAPPING_BAD_CSUM
Paolo Abeni <pabeni@redhat.com>
mptcp: fix error mibs accounting
Matthieu Baerts <matthieu.baerts@tessares.net>
selftests: mptcp: add missing join check
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: connect: also cover checksum
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: connect: also cover alt modes
Florian Westphal <fw@strlen.de>
selftests: mptcp: make sendfile selftest work
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
kbuild: userprogs: use correct linker when mixing clang and GNU ld
Li Zhong <floridsleeves@gmail.com>
ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value
Nirmal Patel <nirmal.patel@linux.intel.com>
PCI: vmd: Assign VMD IRQ domain before enumeration
Cong Wang <xiyou.wangcong@gmail.com>
sch_htb: make htb_deactivate() idempotent
Cong Wang <xiyou.wangcong@gmail.com>
codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
Cong Wang <xiyou.wangcong@gmail.com>
sch_drr: make drr_qlen_notify() idempotent
Qu Wenruo <wqu@suse.com>
btrfs: populate otime when logging an inode item
Chao Gao <chao.gao@intel.com>
KVM: VMX: Flush shadow VMCS on emergency reboot
Davide Caratti <dcaratti@redhat.com>
net/sched: ets: use old 'nbands' while purging unused classes
Eric Dumazet <edumazet@google.com>
net_sched: sch_ets: implement lockless ets_dump()
Davide Caratti <dcaratti@redhat.com>
net/sched: sch_ets: properly init all active DRR list handles
Tzung-Bi Shih <tzungbi@kernel.org>
platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()
Tzung-Bi Shih <tzungbi@kernel.org>
platform/chrome: cros_ec: remove unneeded label and if-condition
Chen-Yu Tsai <wenst@chromium.org>
platform/chrome: cros_ec: Use per-device lockdep key
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
platform/chrome: cros_ec: Make cros_ec_unregister() return void
Johan Hovold <johan@kernel.org>
usb: dwc3: imx8mp: fix device leak at unbind
Youssef Samir <quic_yabdulra@quicinc.com>
bus: mhi: host: Detect events pointing to unexpected TREs
Damien Le Moal <dlemoal@kernel.org>
ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
Johan Hovold <johan@kernel.org>
usb: musb: omap2430: fix device leak at unbind
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
usb: musb: omap2430: Convert to platform remove callback returning void
Anshuman Khandual <anshuman.khandual@arm.com>
mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix the setting of capabilities when automounting a new filesystem
Anna Schumaker <Anna.Schumaker@Netapp.com>
NFS: Create an nfs4_server_set_init_caps() function
Johan Hovold <johan@kernel.org>
net: enetc: fix device and OF node leak at probe
Damien Le Moal <dlemoal@kernel.org>
block: Make REQ_OP_ZONE_FINISH a write operation
Lukas Wunner <lukas@wunner.de>
PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports
Sebastian Reichel <sebastian.reichel@collabora.com>
usb: typec: fusb302: cache PD RX state
Haiyang Zhang <haiyangz@microsoft.com>
hv_netvsc: Fix panic during namespace deletion with VF
Thorsten Blum <thorsten.blum@linux.dev>
smb: server: Fix extension string in ksmbd_extract_shortname()
Geoffrey D. Bennett <g@b4.vu>
ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()
Dave Hansen <dave.hansen@linux.intel.com>
x86/fpu: Delay instruction pointer fixup until after warning
Wang Zhaolong <wangzhaolong@huaweicloud.com>
smb: client: fix use-after-free in crypt_message when using async crypto
Mathias Nyman <mathias.nyman@linux.intel.com>
usb: hub: Don't try to recover devices lost during warm reset.
Mathias Nyman <mathias.nyman@linux.intel.com>
usb: hub: avoid warm port reset during USB3 disconnect
Yazen Ghannam <yazen.ghannam@amd.com>
x86/mce/amd: Add default names for MCA banks and blocks
Zhang Lixu <lixu.zhang@intel.com>
iio: hid-sensor-prox: Fix incorrect OFFSET calculation
Zhang Lixu <lixu.zhang@intel.com>
iio: hid-sensor-prox: Restore lost scale assignments
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on ino and xnid
Nathan Chancellor <nathan@kernel.org>
ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS
Ada Couprie Diaz <ada.coupriediaz@arm.com>
arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
Lin.Cao <lincao12@amd.com>
drm/sched: Remove optimization that causes hang when killing dependent jobs
Haoxiang Li <haoxiang_li2024@163.com>
ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
selftests/memfd: add test for mapping write-sealed memfd read-only
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
mm: reinstate ability to map write-sealed memfd mappings read-only
Lorenzo Stoakes <lstoakes@gmail.com>
mm: update memfd seal write check to include F_SEAL_WRITE
Lorenzo Stoakes <lstoakes@gmail.com>
mm: drop the assumption that VM_SHARED always implies writable
Cong Wang <xiyou.wangcong@gmail.com>
sch_qfq: make qfq_qlen_notify() idempotent
Cong Wang <xiyou.wangcong@gmail.com>
sch_hfsc: make hfsc_qlen_notify() idempotent
Cong Wang <xiyou.wangcong@gmail.com>
sch_htb: make htb_qlen_notify() idempotent
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: kernel: flush: do not reset ADD_ADDR limit
Christoph Paasch <cpaasch@openai.com>
mptcp: drop skb if MPTCP skb extension allocation fails
Eric Biggers <ebiggers@kernel.org>
ipv6: sr: Fix MAC comparison to be constant-time
Jakub Acs <acsjakub@amazon.de>
net, hsr: reject HSR frame if skb can't hold tag
Timur Kristóf <timur.kristof@gmail.com>
drm/amd/display: Don't overwrite dce60_clk_mgr
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Restore cached power limit during resume
Ricardo Ribalda <ribalda@chromium.org>
media: venus: venc: Clamp param smaller than 1fps and bigger than 240
Ricardo Ribalda <ribalda@chromium.org>
media: venus: vdec: Clamp param smaller than 1fps and bigger than 240.
Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
media: venus: hfi: explicitly release IRQ during teardown
Vedang Nagar <quic_vnagar@quicinc.com>
media: venus: Add a check for packet size after reading from shared memory
Zhang Shurong <zhang_shurong@foxmail.com>
media: ov2659: Fix memory leaks in ov2659_probe()
Gui-Dong Han <hanguidong02@gmail.com>
media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
Ludwig Disterhof <ludwig@disterhof.eu>
media: usbtv: Lock resolution while streaming
Sakari Ailus <sakari.ailus@linux.intel.com>
media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()
Haoxiang Li <haoxiang_li2024@163.com>
media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()
Bingbu Cao <bingbu.cao@intel.com>
media: hi556: correct the test pattern configuration
Dan Carpenter <dan.carpenter@linaro.org>
media: gspca: Add bounds checking to firmware parser
Jon Hunter <jonathanh@nvidia.com>
soc/tegra: pmc: Ensure power-domains are in a known state
Baokun Li <libaokun1@huawei.com>
jbd2: prevent softlockup in jbd2_log_do_checkpoint()
Damien Le Moal <dlemoal@kernel.org>
PCI: endpoint: Fix configfs group removal on driver teardown
Damien Le Moal <dlemoal@kernel.org>
PCI: endpoint: Fix configfs group list head handling
Thomas Fourier <fourier.thomas@gmail.com>
mtd: rawnand: fsmc: Add missing check after DMA map
Gabor Juhos <j4g8y7@gmail.com>
mtd: spinand: propagate spinand_wait() errors from spinand_write_page()
Tim Harvey <tharvey@gateworks.com>
hwmon: (gsc-hwmon) fix fan pwm setpoint show functions
Laurentiu Mihalcea <laurentiu.mihalcea@nxp.com>
pwm: imx-tpm: Reset counter if CMOD is 0
Johan Hovold <johan+linaro@kernel.org>
wifi: ath11k: fix source ring-buffer corruption
Nathan Chancellor <nathan@kernel.org>
wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table()
Marek Szyprowski <m.szyprowski@samsung.com>
zynq_fpga: use sgtable-based scatterlist wrappers
Damien Le Moal <dlemoal@kernel.org>
ata: libata-scsi: Fix ata_to_sense_error() status handling
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: mpi3mr: Fix race between config read submit and interrupt completion
Zhang Yi <yi.zhang@huawei.com>
ext4: fix hole length calculation overflow in non-extent inodes
Liao Yuanhong <liaoyuanhong@vivo.com>
ext4: use kmalloc_array() for array space allocation
Theodore Ts'o <tytso@mit.edu>
ext4: don't try to clear the orphan_present feature block device is r/o
Ojaswin Mujoo <ojaswin@linux.ibm.com>
ext4: fix reserved gdt blocks handling in fsmap
Ojaswin Mujoo <ojaswin@linux.ibm.com>
ext4: fix fsmap end of range reporting with bigalloc
Andreas Dilger <adilger@dilger.ca>
ext4: check fast symlink for ea_inode correctly
Helge Deller <deller@gmx.de>
Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()"
Eric Biggers <ebiggers@kernel.org>
lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap
Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
vt: defkeymap: Map keycodes above 127 to K_HOLE
Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
vt: keyboard: Don't process Unicode characters in K_OFF mode
Alexander Wilhelm <alexander.wilhelm@westermo.com>
bus: mhi: host: Fix endianness of BHI vector table
Johan Hovold <johan@kernel.org>
usb: dwc3: meson-g12a: fix device leaks at unbind
Johan Hovold <johan@kernel.org>
usb: gadget: udc: renesas_usb3: fix device leak at unbind
Nathan Chancellor <nathan@kernel.org>
usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()
Finn Thain <fthain@linux-m68k.org>
m68k: Fix lost column on framebuffer debug console
Dan Carpenter <dan.carpenter@linaro.org>
cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table()
Yunhui Cui <cuiyunhui@bytedance.com>
serial: 8250: fix panic due to PSLVERR
Aditya Garg <gargaditya08@live.com>
HID: magicmouse: avoid setting up battery timer when not needed
Ricardo Ribalda <ribalda@chromium.org>
media: uvcvideo: Do not mark valid metadata as invalid
Youngjun Lee <yjjuny.lee@samsung.com>
media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
Breno Leitao <leitao@debian.org>
mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
Waiman Long <longman@redhat.com>
mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
Randy Dunlap <rdunlap@infradead.org>
parisc: Makefile: fix a typo in palo.conf
Sravan Kumar Gundu <sravankumarlpu@gmail.com>
fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
Qu Wenruo <wqu@suse.com>
btrfs: do not allow relocation of partially dropped subvolumes
Filipe Manana <fdmanana@suse.com>
btrfs: fix log tree replay failure due to file with 0 links and extents
Oliver Neukum <oneukum@suse.com>
cdc-acm: fix race between initial clearing halt and open
Eric Biggers <ebiggers@kernel.org>
thunderbolt: Fix copy+paste error in match_service_id()
Ian Abbott <abbotti@mev.co.uk>
comedi: fix race between polling and detaching
Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
usb: typec: ucsi: Update power_supply on power role change
Ricky Wu <ricky_wu@realtek.com>
misc: rtsx: usb: Ensure mmc child device is active when card is present
Xinyu Liu <katieeliu@tencent.com>
usb: core: config: Prevent OOB read in SS endpoint companion parsing
Baokun Li <libaokun1@huawei.com>
ext4: fix largest free orders lists corruption on mb_optimize_scan switch
Jack Xiao <Jack.Xiao@amd.com>
drm/amdgpu: fix incorrect vm flags to map bo
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_sai: replace regmap_write with regmap_update_bits
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: soc-dai.h: merge DAI call back functions into ops
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe()
Jiasheng Jiang <jiashengjiangcool@gmail.com>
scsi: lpfc: Remove redundant assignment to avoid memory leak
Meagan Lloyd <meaganlloyd@linux.microsoft.com>
rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe
Sergey Bashirov <sergeybashirov@gmail.com>
pNFS: Fix uninited ptr deref in block/scsi layout
Sergey Bashirov <sergeybashirov@gmail.com>
pNFS: Handle RPC size limit for layoutcommits
Sergey Bashirov <sergeybashirov@gmail.com>
pNFS: Fix disk addr range check in block/scsi layout
Sergey Bashirov <sergeybashirov@gmail.com>
pNFS: Fix stripe mapping in block/scsi layout
John Garry <john.g.garry@oracle.com>
block: avoid possible overflow for chunk_sectors check in blk_stack_limits()
Buday Csaba <buday.csaba@prolan.hu>
net: phy: smsc: add proper reset flags for LAN8710A
Corey Minyard <corey@minyard.net>
ipmi: Fix strcpy source and destination the same
Yann E. MORIN <yann.morin.1998@free.fr>
kconfig: lxdialog: fix 'space' to (de)select options
Masahiro Yamada <masahiroy@kernel.org>
kconfig: gconf: fix potential memory leak in renderer_edited()
Masahiro Yamada <masahiroy@kernel.org>
kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed()
Breno Leitao <leitao@debian.org>
ipmi: Use dev_warn_ratelimited() for incorrect message warnings
John Garry <john.g.garry@oracle.com>
scsi: aacraid: Stop using PCI_IRQ_AFFINITY
Maurizio Lombardi <mlombard@redhat.com>
scsi: target: core: Generate correct identifiers for PR OUT transport IDs
Ranjan Kumar <ranjan.kumar@broadcom.com>
scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans
Shankari Anand <shankari.ak0208@gmail.com>
kconfig: nconf: Ensure null termination where strncpy is used
Suchit Karunakaran <suchitkarunakaran@gmail.com>
kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c
fangzhong.zhou <myth5@myth5.com>
i2c: Force DLL0945 touchpad i2c freq to 100khz
Mikulas Patocka <mpatocka@redhat.com>
dm-mpath: don't print the "loaded" message if registering fails
Wolfram Sang <wsa+renesas@sang-engineering.com>
i3c: don't fail if GETHDRCAP is unsupported
Meagan Lloyd <meaganlloyd@linux.microsoft.com>
rtc: ds1307: handle oscillator stop flag (OSF) for ds1341
Wolfram Sang <wsa+renesas@sang-engineering.com>
i3c: add missing include to internal header
Purva Yeshi <purvayeshi550@gmail.com>
md: dm-zoned-target: Initialize return variable r to avoid uninitialized use
Bharat Bhushan <bbhushan2@marvell.com>
crypto: octeontx2 - add timeout for load_fvc completion poll
chenchangcheng <chenchangcheng@kylinos.cn>
media: uvcvideo: Fix bandwidth issue for Alcor camera
Alex Guo <alexguo1023@gmail.com>
media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
Alex Guo <alexguo1023@gmail.com>
media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
Wolfram Sang <wsa+renesas@sang-engineering.com>
media: usb: hdpvr: disable zero-length read messages
Dave Stevenson <dave.stevenson@raspberrypi.com>
media: tc358743: Increase FIFO trigger level to 374
Dave Stevenson <dave.stevenson@raspberrypi.com>
media: tc358743: Return an appropriate colorspace from tc358743_set_fmt
Dave Stevenson <dave.stevenson@raspberrypi.com>
media: tc358743: Check I2C succeeded during probe
Cheick Traore <cheick.traore@foss.st.com>
pinctrl: stm32: Manage irq affinity settings
Damien Le Moal <dlemoal@kernel.org>
scsi: mpt3sas: Correctly handle ATA device errors
Justin Tee <justin.tee@broadcom.com>
scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
Arnd Bergmann <arnd@arndb.de>
RDMA/core: reduce stack using in nldev_stat_get_doit()
Yury Norov [NVIDIA] <yury.norov@gmail.com>
RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
Johan Adolfsson <johan.adolfsson@axis.com>
leds: leds-lp50xx: Handle reg to get correct multi_index
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
MIPS: Don't crash in stack_top() for tasks without ABI or vDSO
Arnaud Lecomte <contact@arnaud-lcm.com>
jfs: upper bound check of tree index in dbAllocAG
Edward Adam Davis <eadavis@qq.com>
jfs: Regular file corruption check
Lizhi Xu <lizhi.xu@windriver.com>
jfs: truncate good inode pages when hard link is 0
jackysliu <1972843537@qq.com>
scsi: bfa: Double-free fix
Ziyan Fu <fuzy5@lenovo.com>
watchdog: iTCO_wdt: Report error if timeout configuration fails
Shiji Yang <yangshiji66@outlook.com>
MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free}
Sebastian Reichel <sebastian.reichel@collabora.com>
watchdog: dw_wdt: Fix default timeout
Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
fs/orangefs: use snprintf() instead of sprintf()
Showrya M N <showrya@chelsio.com>
scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
Theodore Ts'o <tytso@mit.edu>
ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
Zhiqi Song <songzhiqi1@huawei.com>
crypto: hisilicon/hpre - fix dma unmap sequence
Pali Rohár <pali@kernel.org>
cifs: Fix calling CIFSFindFirst() for root path without msearch
Aaron Plattner <aplattner@nvidia.com>
watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition
Jason Wang <jasowang@redhat.com>
vhost: fail early when __vhost_add_used() fails
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325
Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
drm/ttm: Respect the shrinker core free target
Jakub Kicinski <kuba@kernel.org>
uapi: in6: restore visibility of most IPv6 socket options
Emily Deng <Emily.Deng@amd.com>
drm/ttm: Should to return the evict error
Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
net: ncsi: Fix buffer overflow in fetching version id
Thomas Fourier <fourier.thomas@gmail.com>
wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc()
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: b53: prevent SWITCH_CTRL access on BCM5325
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: b53: prevent DIS_LEARNING access on BCM5325
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325
Álvaro Fernández Rojas <noltari@gmail.com>
net: dsa: b53: fix b53_imp_vlan_setup for BCM5325
Alok Tiwari <alok.a.tiwari@oracle.com>
gve: Return error for unknown admin queue command
Gal Pressman <gal@nvidia.com>
net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs
Mario Limonciello <mario.limonciello@amd.com>
drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual
Heiner Kallweit <hkallweit1@gmail.com>
dpaa_eth: don't use fixed_phy_change_carrier
Stanislaw Gruszka <stf_xl@wp.pl>
wifi: iwlegacy: Check rate_idx range after addition
Mina Almasry <almasrymina@google.com>
netmem: fix skb_frag_address_safe with unreadable skbs
Thomas Fourier <fourier.thomas@gmail.com>
wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`.
Wen Chen <Wen.Chen3@amd.com>
drm/amd/display: Fix 'failed to blank crtc!'
Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect
Rand Deeb <rand.sec96@gmail.com>
wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
Ilya Bakoulin <Ilya.Bakoulin@amd.com>
drm/amd/display: Separate set_gsl from set_gsl_source_select
Jonas Rebmann <jre@pengutronix.de>
net: fec: allow disable coalescing
Eric Work <work.eric@gmail.com>
net: atlantic: add set_power to fw_ops for atl2 to fix wol
zhangjianrong <zhangjianrong5@huawei.com>
net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths()
Rob Clark <robdclark@chromium.org>
drm/msm: use trylock for debugfs
Kuniyuki Iwashima <kuniyu@google.com>
ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc().
Thomas Fourier <fourier.thomas@gmail.com>
(powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: don't complete management TX on SAE commit
Sven Schnelle <svens@linux.ibm.com>
s390/stp: Remove udelay from stp_sync_clock()
Avraham Stern <avraham.stern@intel.com>
wifi: iwlwifi: mvm: fix scan request validation
Juri Lelli <juri.lelli@redhat.com>
sched/deadline: Fix accounting after global limits change
Alok Tiwari <alok.a.tiwari@oracle.com>
net: thunderx: Fix format-truncation warning in bgx_acpi_match_id()
Oscar Maes <oscmaes92@gmail.com>
net: ipv4: fix incorrect MTU in broadcast routes
Ilan Peer <ilan.peer@intel.com>
wifi: cfg80211: Fix interface type validation
Matt Johnston <matt@codeconstruct.com.au>
net: mctp: Prevent duplicate binds
Paul E. McKenney <paulmck@kernel.org>
rcu: Protect ->defer_qs_iw_pending from data race
Breno Leitao <leitao@debian.org>
arm64: Mark kernel as tainted on SAE and SError panic
Leon Romanovsky <leon@kernel.org>
net/mlx5e: Properly access RCU protected qdisc_sleeping variable
Thomas Fourier <fourier.thomas@gmail.com>
net: ag71xx: Add missing check after DMA map
Thomas Fourier <fourier.thomas@gmail.com>
et131x: Add missing check after DMA map
Alok Tiwari <alok.a.tiwari@oracle.com>
be2net: Use correct byte order and format string for TCP seq and ack_seq
Sven Schnelle <svens@linux.ibm.com>
s390/time: Use monotonic clock in get_cycles()
Johannes Berg <johannes.berg@intel.com>
wifi: cfg80211: reject HTC bit for management frames
Steven Rostedt <rostedt@goodmis.org>
ktest.pl: Prevent recursion of default variable options
Anthoine Bourgeois <anthoine.bourgeois@vates.tech>
xen/netfront: Fix TX response spurious interrupts
Xinxin Wan <xinxin.wan@intel.com>
ASoC: codecs: rt5640: Retry DEVICE_ID verification
Jonathan Santos <Jonathan.Santos@analog.com>
iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement
Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros
Christophe Leroy <christophe.leroy@csgroup.eu>
ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop
Lucy Thrun <lucy.thrun@digital-rabbithole.de>
ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
Tomasz Michalec <tmichalec@google.com>
platform/chrome: cros_ec_typec: Defer probe on missing EC parent
Kees Cook <kees@kernel.org>
platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches
Gautham R. Shenoy <gautham.shenoy@amd.com>
pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop()
Oliver Neukum <oneukum@suse.com>
usb: core: usb_submit_urb: downgrade type check
Tomasz Michalec <tmichalec@google.com>
usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()
Alok Tiwari <alok.a.tiwari@oracle.com>
ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4
Mark Brown <broonie@kernel.org>
ASoC: hdac_hdmi: Rate limit logging on connection and disconnection
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
x86/bugs: Avoid warning when overriding return thunk
Ulf Hansson <ulf.hansson@linaro.org>
mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode()
Peter Robinson <pbrobinson@gmail.com>
reset: brcmstb: Enable reset drivers for ARCH_BCM2835
Eliav Farber <farbere@amazon.com>
pps: clients: gpio: fix interrupt handling order in remove path
Breno Leitao <leitao@debian.org>
ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path
Sarthak Garg <quic_sartgarg@quicinc.com>
mmc: sdhci-msm: Ensure SD card power isn't ON when card removed
Sebastian Ott <sebott@redhat.com>
ACPI: processor: fix acpi_object initialization
tuhaowen <tuhaowen@uniontech.com>
PM: sleep: console: Fix the black screen issue
Hsin-Te Yuan <yuanhsinte@chromium.org>
thermal: sysfs: Return ENODATA instead of EAGAIN for reads
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()
Zhu Qiyu <qiyuzhu2@amd.com>
ACPI: PRM: Reduce unnecessary printing to avoid user confusion
Masami Hiramatsu (Google) <mhiramat@kernel.org>
selftests: tracing: Use mutex_unlock for testing glob filter
Aaron Kling <webgeek1234@gmail.com>
ARM: tegra: Use I/O memcpy to write to IRAM
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
gpio: tps65912: check the return value of regmap_update_bits()
Thomas Weißschuh <linux@weissschuh.net>
tools/nolibc: define time_t in terms of __kernel_old_time_t
David Collins <david.collins@oss.qualcomm.com>
thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed
Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
EDAC/synopsys: Clear the ECC counters on init
Lifeng Zheng <zhenglifeng1@huawei.com>
PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store()
Alexander Kochetkov <al.kochet@gmail.com>
ARM: rockchip: fix kernel hang during smp initialization
Lifeng Zheng <zhenglifeng1@huawei.com>
cpufreq: Exit governor when failed to start old governor
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
gpio: wcd934x: check the return value of regmap_update_bits()
Mario Limonciello <mario.limonciello@amd.com>
usb: xhci: Avoid showing errors during surprise removal
Jay Chen <shawn2000100@gmail.com>
usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command
Mario Limonciello <mario.limonciello@amd.com>
usb: xhci: Avoid showing warnings for dying controller
Benson Leung <bleung@chromium.org>
usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default
Cynthia Huang <cynthia@andestech.com>
selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t
Prashant Malani <pmalani@google.com>
cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag
Su Hui <suhui@nfschina.com>
usb: xhci: print xhci->xhc_state when queue_command failed
Al Viro <viro@zeniv.linux.org.uk>
securityfs: don't pin dentries twice, once is enough...
Wei Gao <wegao@suse.com>
ext2: Handle fiemap on empty files to prevent EINVAL
Rong Zhang <ulin0208@gmail.com>
fs/ntfs3: correctly create symlink for relative path
Lizhi Xu <lizhi.xu@windriver.com>
fs/ntfs3: Add sanity check for file name
Damien Le Moal <dlemoal@kernel.org>
ata: libata-sata: Disallow changing LPM state if not supported
Al Viro <viro@zeniv.linux.org.uk>
better lockdep annotations for simple_recursive_removal()
Viacheslav Dubeyko <slava@dubeyko.com>
hfs: fix not erasing deleted b-tree node issue
Sarah Newman <srn@prgmr.com>
drbd: add missing kref_get in handle_write_conflicts
Jan Kara <jack@suse.cz>
udf: Verify partition map count
NeilBrown <neil@brown.name>
smb/server: avoid deadlock when linking with ReplaceIfExists
Kees Cook <kees@kernel.org>
arm64: Handle KCOV __init vs inline mismatches
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
Viacheslav Dubeyko <slava@dubeyko.com>
hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
Viacheslav Dubeyko <slava@dubeyko.com>
hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
Viacheslav Dubeyko <slava@dubeyko.com>
hfs: fix slab-out-of-bounds in hfs_bnode_read()
Jeongjun Park <aha310510@gmail.com>
ptp: prevent possible ABBA deadlock in ptp_clock_freerun()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpuidle: governors: menu: Avoid using invalid recent intervals data
Len Brown <len.brown@intel.com>
intel_idle: Allow loading ACPI tables for any family
Xin Long <lucien.xin@gmail.com>
sctp: linearize cloned gso packets in sctp_rcv
Florian Westphal <fw@strlen.de>
netfilter: ctnetlink: fix refcount leak on table dump
Sabrina Dubroca <sd@queasysnail.net>
udp: also consider secpath when evaluating ipsec use for checksumming
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: processor: perflib: Move problematic pr->performance check
Jiayi Li <lijiayi@kylinos.cn>
ACPI: processor: perflib: Fix initial _PPC limit application
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Documentation: ACPI: Fix parent device references
Jann Horn <jannh@google.com>
eventpoll: Fix semi-unbounded recursion
Sasha Levin <sashal@kernel.org>
fs: Prevent file descriptor table allocations exceeding INT_MAX
Ma Ke <make24@iscas.ac.cn>
sunvdc: Balance device refcount in vdc_port_mpgroup_check
Dai Ngo <dai.ngo@oracle.com>
NFSD: detect mismatch of file handle and delegation stateid in OPEN op
Jeff Layton <jlayton@kernel.org>
nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
Xu Yang <xu.yang_2@nxp.com>
net: usb: asix_devices: add phy_mask for ax88772 mdio bus
Johan Hovold <johan@kernel.org>
net: dpaa: fix device leak when querying time stamp info
Johan Hovold <johan@kernel.org>
net: gianfar: fix device leak when querying time stamp info
Fedor Pchelkin <pchelkin@ispras.ru>
netlink: avoid infinite retry looping in netlink_unicast()
Harald Mommer <harald.mommer@oss.qualcomm.com>
gpio: virtio: Fix config space reading.
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Validate UAC3 cluster segment descriptors
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Validate UAC3 power domain descriptors, too
Pavel Begunkov <asml.silence@gmail.com>
io_uring: don't use int for ABI
Tao Xue <xuetao09@huawei.com>
usb: gadget : fix use-after-free in composite_dev_cleanup()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery
Jiaxun Yang <jiaxun.yang@flygoat.com>
MIPS: mm: tlb-r4k: Uniquify TLB entries on init
Thorsten Blum <thorsten.blum@linux.dev>
ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe()
Ammar Faizi <ammarfaizi2@gnuweeb.org>
net: usbnet: Fix the wrong netif_carrier_on() call
John Ernberg <john.ernberg@actia.se>
net: usbnet: Avoid potential RCU stall on LINK_CHANGE event
Slark Xiao <slark_xiao@163.com>
USB: serial: option: add Foxconn T99W709
Budimir Markovic <markovicbudimir@gmail.com>
vsock: Do not allow binding to VMADDR_PORT_ANY
Quang Le <quanglex97@gmail.com>
net/packet: fix a race in packet_set_ring() and packet_notifier()
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
selftests/perf_events: Add a mmap() correctness test
Thomas Gleixner <tglx@linutronix.de>
perf/core: Prevent VMA split of buffer mappings
Thomas Gleixner <tglx@linutronix.de>
perf/core: Exit early on perf_mmap() fail
Thomas Gleixner <tglx@linutronix.de>
perf/core: Don't leak AUX buffer refcount on allocation failure
Eric Dumazet <edumazet@google.com>
pptp: fix pptp_xmit() error path
Stefan Metzmacher <metze@samba.org>
smb: client: let recv_done() cleanup before notifying the callers.
Stefan Metzmacher <metze@samba.org>
smb: server: let recv_done() avoid touching data_transfer after cleanup/move
Stefan Metzmacher <metze@samba.org>
smb: server: let recv_done() consistently call put_recvmsg/smb_direct_disconnect_rdma_connection
Stefan Metzmacher <metze@samba.org>
smb: server: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already
Stefan Metzmacher <metze@samba.org>
smb: server: remove separate empty_recvmsg_queue
Takashi Iwai <tiwai@suse.de>
ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out()
Michal Schmidt <mschmidt@redhat.com>
benet: fix BUG when creating VFs
Wang Liang <wangliang74@huawei.com>
net: drop UFO packets in udp_rcv_segment()
Eric Dumazet <edumazet@google.com>
ipv6: reject malicious packets in ipv6_gso_segment()
Christoph Paasch <cpaasch@openai.com>
net/mlx5: Correctly set gso_segs when LRO is used
Eric Dumazet <edumazet@google.com>
pptp: ensure minimal skb length in pptp_xmit()
Horatiu Vultur <horatiu.vultur@microchip.com>
phy: mscc: Fix parsing of unicast frames
Jakub Kicinski <kuba@kernel.org>
netpoll: prevent hanging NAPI when netcons gets enabled
Benjamin Coddington <bcodding@redhat.com>
NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY
Matthew Wilcox (Oracle) <willy@infradead.org>
XArray: Add calls to might_alloc()
Olga Kornievskaia <okorniev@redhat.com>
NFSv4.2: another fix for listxattr
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
pNFS/flexfiles: don't attempt pnfs on fatal DS errors
Timothy Pearson <tpearson@raptorengineering.com>
PCI: pnv_php: Fix surprise plug detection and recovery
Timothy Pearson <tpearson@raptorengineering.com>
powerpc/eeh: Make EEH driver device hotplug safe
Maciej W. Rozycki <macro@orcam.me.uk>
powerpc/eeh: Rely on dev->link_active_reporting
Timothy Pearson <tpearson@raptorengineering.com>
powerpc/eeh: Export eeh_unfreeze_pe()
Timothy Pearson <tpearson@raptorengineering.com>
PCI: pnv_php: Work around switches with broken presence detection
Timothy Pearson <tpearson@raptorengineering.com>
PCI: pnv_php: Clean up allocated IRQs on unplug
Masahiro Yamada <masahiroy@kernel.org>
kconfig: qconf: fix ConfigList::updateListAllforAll()
Seunghui Lee <sh043.lee@samsung.com>
scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume
Tomas Henzl <thenzl@redhat.com>
scsi: mpt3sas: Fix a fw_event memory leak
Chao Yu <chao@kernel.org>
f2fs: fix to avoid out-of-boundary access in devs.path
Chao Yu <chao@kernel.org>
f2fs: fix to avoid panic in f2fs_evict_inode
Chao Yu <chao@kernel.org>
f2fs: fix to avoid UAF in f2fs_sync_inode_meta()
Chao Yu <chao@kernel.org>
f2fs: doc: fix wrong quota mount option description
Abinash Singh <abinashlalotra@gmail.com>
f2fs: fix KMSAN uninit-value in extent_info usage
Brian Masney <bmasney@redhat.com>
rtc: rv3028: fix incorrect maximum clock rate handling
Brian Masney <bmasney@redhat.com>
rtc: pcf8563: fix incorrect maximum clock rate handling
Brian Masney <bmasney@redhat.com>
rtc: pcf85063: fix incorrect maximum clock rate handling
Brian Masney <bmasney@redhat.com>
rtc: hym8563: fix incorrect maximum clock rate handling
Brian Masney <bmasney@redhat.com>
rtc: ds1307: fix incorrect maximum clock rate handling
Uros Bizjak <ubizjak@gmail.com>
ucount: fix atomic_long_inc_below() argument type
Petr Pavlu <petr.pavlu@suse.com>
module: Restore the moduleparam prefix length check
Ryan Lee <ryan.lee@canonical.com>
apparmor: ensure WB_HISTORY_SIZE value is a power of 2
Paul Chaignon <paul.chaignon@gmail.com>
bpf: Check flow_dissector ctx accesses are aligned
Mike Christie <michael.christie@oracle.com>
vhost-scsi: Fix log flooding with target does not exist errors
Balamanikandan Gunasundar <balamanikandan.gunasundar@microchip.com>
mtd: rawnand: atmel: set pmecc data setup time
Thomas Fourier <fourier.thomas@gmail.com>
mtd: rawnand: rockchip: Add missing check after DMA map
Thomas Fourier <fourier.thomas@gmail.com>
mtd: rawnand: atmel: Fix dma_mapping_error() address
Zheng Yu <zheng.yu@northwestern.edu>
jfs: fix metapage reference count leak in dbAllocCtl
Chenyuan Yang <chenyuan0y@gmail.com>
fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref
Giovanni Cabiddu <giovanni.cabiddu@intel.com>
crypto: qat - fix seq_file position update in adf_ring_next()
Ben Hutchings <benh@debian.org>
sh: Do not use hyphen in exported variable name
Thomas Fourier <fourier.thomas@gmail.com>
dmaengine: nbpfaxi: Add missing check after DMA map
Thomas Fourier <fourier.thomas@gmail.com>
dmaengine: mv_xor: Fix missing check after DMA map and missing unmap
Dan Carpenter <dan.carpenter@linaro.org>
fs/orangefs: Allow 2 more characters in do_c_string()
Manivannan Sadhasivam <mani@kernel.org>
PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute
Bard Liao <yung-chuan.liao@linux.intel.com>
soundwire: stream: restore params when prepare ports fail
Thomas Fourier <fourier.thomas@gmail.com>
crypto: img-hash - Fix dma_unmap_sg() nents value
Thomas Fourier <fourier.thomas@gmail.com>
crypto: keembay - Fix dma_unmap_sg() nents value
Ovidiu Panait <ovidiu.panait.oss@gmail.com>
hwrng: mtk - handle devm_pm_runtime_enable errors
Dan Carpenter <dan.carpenter@linaro.org>
watchdog: ziirave_wdt: check record length in ziirave_firm_verify()
Thomas Fourier <fourier.thomas@gmail.com>
scsi: isci: Fix dma_unmap_sg() nents value
Thomas Fourier <fourier.thomas@gmail.com>
scsi: mvsas: Fix dma_unmap_sg() nents value
Thomas Fourier <fourier.thomas@gmail.com>
scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value
Paul Kocialkowski <paulk@sys-base.io>
clk: sunxi-ng: v3s: Fix de clock definition
Leo Yan <leo.yan@arm.com>
perf tests bp_account: Fix leaked file descriptor
Arnd Bergmann <arnd@arndb.de>
kernel: trace: preemptirq_delay_test: use offstack cpu mask
Junxian Huang <huangjunxian6@hisilicon.com>
RDMA/hns: Fix -Wframe-larger-than issue
Mengbiao Xiong <xisme1998@gmail.com>
crypto: ccp - Fix crash when rebind ccp device for ccp.ko
Thomas Fourier <fourier.thomas@gmail.com>
crypto: inside-secure - Fix `dma_unmap_sg()` nents value
Namhyung Kim <namhyung@kernel.org>
perf sched: Fix memory leaks for evsel->priv in timehist
Nuno Sá <nuno.sa@analog.com>
clk: clk-axi-clkgen: fix fpfd_max frequency for zynq
Yuan Chen <chenyuan@kylinos.cn>
pinctrl: sunxi: Fix memory leak on krealloc failure
Jerome Brunet <jbrunet@baylibre.com>
PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails
Charles Han <hanchunchao@inspur.com>
power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set
Charles Han <hanchunchao@inspur.com>
power: supply: cpcap-charger: Fix null check for power_supply_get_by_name
Rohit Visavalia <rohit.visavalia@amd.com>
clk: xilinx: vcu: unregister pll_post only if registered correctly
James Cowgill <james.cowgill@blaize.com>
media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check
Henry Martin <bsdhenrymartin@gmail.com>
clk: davinci: Add NULL check in davinci_lpsc_clk_register()
Ivan Stepchenko <sid@itb.spb.ru>
mtd: fix possible integer overflow in erase_xfer()
Herbert Xu <herbert@gondor.apana.org.au>
crypto: marvell/cesa - Fix engine load inaccuracy
Hans Zhang <18255117159@163.com>
PCI: rockchip-host: Fix "Unexpected Completion" log message
Stanislav Fomichev <sdf@fomichev.me>
vrf: Drop existing dst reference in vrf_ip6_input_dst
Xiumei Mu <xmu@redhat.com>
selftests: rtnetlink.sh: remove esp4_offload after test
Florian Westphal <fw@strlen.de>
netfilter: xt_nfacct: don't assume acct name is null-terminated
Jimmy Assarsson <extja@kvaser.com>
can: kvaser_usb: Assign netdev.dev_port based on device channel index
Jimmy Assarsson <extja@kvaser.com>
can: kvaser_pciefd: Store device channel index
Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE
Remi Pommarel <repk@triplefau.lt>
Reapply "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()"
Remi Pommarel <repk@triplefau.lt>
wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key()
Alexander Wetzel <Alexander@wetzel-home.de>
wifi: mac80211: Don't call fq_flow_idx() for management frames
Thomas Fourier <fourier.thomas@gmail.com>
mwl8k: Add missing check after DMA map
Martin Kaistra <martin.kaistra@linutronix.de>
wifi: rtl8xxxu: Fix RX skb size for aggregation disabled
Juergen Gross <jgross@suse.com>
xen/gntdev: remove struct gntdev_copy_batch from stack
Eric Dumazet <edumazet@google.com>
net_sched: act_ctinfo: use atomic64_t for three counters
William Liu <will@willsroot.io>
net/sched: Restrict conditions for adding duplicating netems to qdisc tree
Tiwei Bie <tiwei.btw@antgroup.com>
um: rtc: Avoid shadowing err in uml_rtc_start()
Johan Korsnes <johan.korsnes@gmail.com>
arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX
Fedor Pchelkin <pchelkin@ispras.ru>
netfilter: nf_tables: adjust lockdep assertions handling
Fedor Pchelkin <pchelkin@ispras.ru>
drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value
Finn Thain <fthain@linux-m68k.org>
m68k: Don't unregister boot console needlessly
Stav Aviram <saviram@nvidia.com>
net/mlx5: Check device memory pointer before usage
xin.guo <guoxin0309@gmail.com>
tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range
Sergey Senozhatsky <senozhatsky@chromium.org>
wifi: ath11k: clear initialized flag for deinit-ed srng lists
Jiasheng Jiang <jiasheng@iscas.ac.cn>
iwlwifi: Add missing check for alloc_ordered_workqueue
Xiu Jianfeng <xiujianfeng@huawei.com>
wifi: iwlwifi: Fix memory leak in iwl_mvm_init()
Daniil Dulov <d.dulov@aladdin.ru>
wifi: rtl818x: Kill URBs before clearing tx status queue
Arnd Bergmann <arnd@arndb.de>
caif: reduce stack size, again
Yuan Chen <chenyuan@kylinos.cn>
bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf, sockmap: Fix psock incorrectly pointing to sk
Andy Yan <andy.yan@rock-chips.com>
drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed
Steven Rostedt <rostedt@goodmis.org>
selftests/tracing: Fix false failure of subsystem event test
Alok Tiwari <alok.a.tiwari@oracle.com>
staging: nvec: Fix incorrect null termination of battery manufacturer
Brahmajit Das <listout@listout.xyz>
samples: mei: Fix building on musl libc
Lifeng Zheng <zhenglifeng1@huawei.com>
cpufreq: Init policy->rwsem before it may be possibly used
Lifeng Zheng <zhenglifeng1@huawei.com>
cpufreq: Initialize cpufreq-based frequency-invariance later
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode
Lifeng Zheng <zhenglifeng1@huawei.com>
PM / devfreq: Check governor before using governor->name
Adam Ford <aford173@gmail.com>
arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed
Adam Ford <aford173@gmail.com>
arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed
Annette Kobou <annette.kobou@kontron.de>
ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface
Albin Törnqvist <albin.tornqvist@codiax.se>
arm: dts: ti: omap: Fixup pinheader typo
Lucas De Marchi <lucas.demarchi@intel.com>
usb: early: xhci-dbc: Fix early_ioremap leak
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "vmci: Prevent the dispatching of uninitialized payloads"
Denis OSTERLAND-HEIM <denis.osterland@diehl.com>
pps: fix poll support
Lizhi Xu <lizhi.xu@windriver.com>
vmci: Prevent the dispatching of uninitialized payloads
Abdun Nihaal <abdun.nihaal@gmail.com>
staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()
Charalampos Mitrodimas <charmitro@posteo.net>
usb: misc: apple-mfi-fastcharge: Make power supply names unique
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ARM: dts: vfxxx: Correctly use two tuples for timer address
Dmitry Vyukov <dvyukov@google.com>
selftests: Fix errno checking in syscall_user_dispatch test
Arnd Bergmann <arnd@arndb.de>
ASoC: ops: dynamically allocate struct snd_ctl_elem_value
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask()
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Revert "fs/ntfs3: Replace inode_trylock with inode_lock"
Yangtao Li <frank.li@vivo.com>
hfsplus: remove mutex_lock check in hfsplus_free_extents
RubenKelevra <rubenkelevra@gmail.com>
fs_context: fix parameter name in infofc() macro
Arnd Bergmann <arnd@arndb.de>
ASoC: Intel: fix SND_SOC_SOF dependencies
Arnd Bergmann <arnd@arndb.de>
ethernet: intel: fix building with large NR_CPUS
Xu Yang <xu.yang_2@nxp.com>
usb: phy: mxs: disconnect line when USB charger is attached
Xu Yang <xu.yang_2@nxp.com>
usb: chipidea: add USB PHY event
Daniel Dadap <ddadap@nvidia.com>
ALSA: hda: Add missing NVIDIA HDA codec IDs
Ian Abbott <abbotti@mev.co.uk>
comedi: comedi_test: Fix possible deletion of uninitialized timers
Dmitry Antipov <dmantipov@yandex.ru>
jfs: reject on-disk inodes of an unsupported type
Michael Zhivich <mzhivich@akamai.com>
x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode()
RD Babiera <rdbabiera@google.com>
usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach
Michael Grzeschik <m.grzeschik@pengutronix.de>
usb: typec: tcpm: allow switching to mode accessory to mux properly
Michael Grzeschik <m.grzeschik@pengutronix.de>
usb: typec: tcpm: allow to use sink in accessory mode
Harry Yoo <harry.yoo@oracle.com>
mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: reject invalid file types when reading inodes
Praveen Kaligineedi <pkaligineedi@google.com>
gve: Fix stuck TX queue for DQ queue format
Jacek Kowalski <jacek@jacekk.info>
e1000e: ignore uninitialized checksum word on tgp
Jacek Kowalski <jacek@jacekk.info>
e1000e: disregard NVM checksum on tgp when valid checksum bit is not set
Ma Ke <make24@iscas.ac.cn>
dpaa2-switch: Fix device reference count leak in MAC endpoint handling
Ma Ke <make24@iscas.ac.cn>
dpaa2-eth: Fix device reference count leak in MAC endpoint handling
Dawid Rezler <dawidrezler.patches@gmail.com>
ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx
Ma Ke <make24@iscas.ac.cn>
bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint()
Viresh Kumar <viresh.kumar@linaro.org>
i2c: virtio: Avoid hang by using interruptible completion wait
Yang Xiwen <forbidden405@outlook.com>
i2c: qup: jump out of the loop in case of timeout
Rong Zhang <i@rong.moe>
platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots
Jian Shen <shenjian15@huawei.com>
net: hns3: fixed vf get max channels bug
Yonglong Liu <liuyonglong@huawei.com>
net: hns3: disable interrupt when ptp init failed
Jian Shen <shenjian15@huawei.com>
net: hns3: fix concurrent setting vlan filter issue
Xiang Mei <xmei5@asu.edu>
net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class
Kito Xu (veritas501) <hxzene@gmail.com>
net: appletalk: Fix use-after-free in AARP proxy probe
Dennis Chen <dechen@redhat.com>
i40e: report VF tx_dropped with tx_errors instead of tx_discards
Yajun Deng <yajun.deng@linux.dev>
i40e: Add rx_missed_errors for buffer exhaustion
Abdun Nihaal <abdun.nihaal@gmail.com>
regmap: fix potential memory leak of regmap_bus
Xilin Wu <sophon@radxa.com>
interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node
Maor Gottlieb <maorg@nvidia.com>
RDMA/core: Rate limit GID cache warning messages
Alessandro Carminati <acarmina@redhat.com>
regulator: core: fix NULL dereference on unbind due to stale coupling data
Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT
Peter Zijlstra <peterz@infradead.org>
x86: Pin task-stack in __get_wchan()
Peter Zijlstra <peterz@infradead.org>
x86: Fix __get_wchan() for !STACKTRACE
Kees Cook <keescook@chromium.org>
sched: Add wrapper for get_wchan() to keep task blocked
Qi Zheng <zhengqi.arch@bytedance.com>
x86: Fix get_wchan() to support the ORC unwinder
Jiayuan Chen <jiayuan.chen@linux.dev>
bpf, sockmap: Fix panic when calling skb_linearize
Kurt Borja <kuurtb@gmail.com>
platform/x86: think-lmi: Fix kobject cleanup
Zhang Rui <rui.zhang@intel.com>
powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed
Alexander Gordeev <agordeev@linux.ibm.com>
mm/vmalloc: leave lazy MMU mode on PTE mapping error
Arun Raghavan <arun@asymptotic.io>
ASoC: fsl_sai: Force a software reset when starting in consumer mode
Krishna Kurapati <krishna.kurapati@oss.qualcomm.com>
usb: dwc3: qcom: Don't leave BCR asserted
Drew Hamilton <drew.hamilton@zetier.com>
usb: musb: fix gadget state on disconnect
Paul Cercueil <paul@crapouillou.net>
usb: musb: Add and use inline functions musb_{get,set}_state
Mathias Nyman <mathias.nyman@linux.intel.com>
usb: hub: Fix flushing of delayed work used for post resume purposes
Mathias Nyman <mathias.nyman@linux.intel.com>
usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm
Mathias Nyman <mathias.nyman@linux.intel.com>
usb: hub: fix detection of high tier USB3 devices behind suspended hubs
Al Viro <viro@zeniv.linux.org.uk>
clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
sched: Change nr_uninterruptible type to unsigned long
William Liu <will@willsroot.io>
net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
Joseph Huang <Joseph.Huang@garmin.com>
net: bridge: Do not offload IGMP/MLD messages
Dong Chenchen <dongchenchen2@huawei.com>
net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU
Yue Haibing <yuehaibing@huawei.com>
ipv6: mcast: Delay put pmc->idev in mld_del_delrec()
Christoph Paasch <cpaasch@openai.com>
net/mlx5: Correctly set gso_size when LRO is used
Ben Ben-Ishay <benishay@nvidia.com>
net/mlx5e: Add support to klm_umr_wqe
Tariq Toukan <tariqt@nvidia.com>
lib: bitmap: Introduce node-aware alloc API
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: SMP: If an unallowed command is received consider it a failure
Kuniyuki Iwashima <kuniyu@google.com>
Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
Oliver Neukum <oneukum@suse.com>
usb: net: sierra: check for no status endpoint
Marius Zachmann <mail@mariuszachmann.de>
hwmon: (corsair-cpro) Validate the size of the received input buffer
Paolo Abeni <pabeni@redhat.com>
selftests: net: increase inter-packet timeout in udpgro.sh
Hangbin Liu <liuhangbin@gmail.com>
selftests: udpgro: report error when receive failed
Yu Kuai <yukuai3@huawei.com>
nvme: fix misaccounting of nvme-mpath inflight I/O
Wang Zhaolong <wangzhaolong@huaweicloud.com>
smb: client: fix use-after-free in cifs_oplock_break
Sam Shih <sam.shih@mediatek.com>
pinctrl: mediatek: moore: check if pin_desc is valid before use
Kuniyuki Iwashima <kuniyu@google.com>
rpl: Fix use-after-free in rpl_do_srh_inline().
Xiang Mei <xmei5@asu.edu>
net/sched: sch_qfq: Fix race condition on qfq_aggregate
Alok Tiwari <alok.a.tiwari@oracle.com>
net: emaclite: Fix missing pointer increment in aligned_read()
Paul Chaignon <paul.chaignon@gmail.com>
bpf: Reject %p% format string in bprintf-like helpers
Ian Abbott <abbotti@mev.co.uk>
comedi: Fix initialization of data for instructions that write to subdevice
Ian Abbott <abbotti@mev.co.uk>
comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
Ian Abbott <abbotti@mev.co.uk>
comedi: Fix some signed shift left operations
Ian Abbott <abbotti@mev.co.uk>
comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
Ian Abbott <abbotti@mev.co.uk>
comedi: das6402: Fix bit shift out of bounds
Ian Abbott <abbotti@mev.co.uk>
comedi: das16m1: Fix bit shift out of bounds
Ian Abbott <abbotti@mev.co.uk>
comedi: aio_iiro_16: Fix bit shift out of bounds
Ian Abbott <abbotti@mev.co.uk>
comedi: pcl812: Fix bit shift out of bounds
Chen Ni <nichen@iscas.ac.cn>
iio: adc: stm32-adc: Fix race in installing chained IRQ handler
Fabio Estevam <festevam@denx.de>
iio: adc: max1363: Reorder mode_list[] entries
Fabio Estevam <festevam@denx.de>
iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]
Andrew Jeffery <andrew@codeconstruct.com.au>
soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled
Andrew Jeffery <andrew@codeconstruct.com.au>
soc: aspeed: lpc-snoop: Cleanup resources in stack-order
Maulik Shah <maulik.shah@oss.qualcomm.com>
pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov
Judith Mendez <jm@ti.com>
mmc: sdhci_am654: Workaround for Errata i2312
Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models
Thomas Fourier <fourier.thomas@gmail.com>
mmc: bcm2835: Fix dma_unmap_sg() nents value
Nathan Chancellor <nathan@kernel.org>
memstick: core: Zero initialize id_reg in h_memstick_read_dev_id()
Jan Kara <jack@suse.cz>
isofs: Verify inode mode when loading from disk
Dan Carpenter <dan.carpenter@linaro.org>
dmaengine: nbpfaxi: Fix memory corruption in probe()
Yun Lu <luyun@kylinos.cn>
af_packet: fix soft lockup issue caused by tpacket_snd()
Yun Lu <luyun@kylinos.cn>
af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd()
Nathan Chancellor <nathan@kernel.org>
phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept()
Steven Rostedt <rostedt@goodmis.org>
tracing: Add down_write(trace_event_sem) when adding trace event
Benjamin Tissoires <bentiss@kernel.org>
HID: core: do not bypass hid_hw_raw_request
Benjamin Tissoires <bentiss@kernel.org>
HID: core: ensure __hid_request reserves the report ID as the first byte
Benjamin Tissoires <bentiss@kernel.org>
HID: core: ensure the allocated report buffer can contain the reserved report ID
Thomas Fourier <fourier.thomas@gmail.com>
pch_uart: Fix dma_sync_sg_for_device() nents value
Nilton Perim Neto <niltonperimneto@gmail.com>
Input: xpad - set correct controller type for Acer NGR200
Alok Tiwari <alok.a.tiwari@oracle.com>
thunderbolt: Fix bit masking in tb_dp_port_set_hops()
Clément Le Goffic <clement.legoffic@foss.st.com>
i2c: stm32: fix the device used for the DMA map
Xinyu Liu <1171169449@qq.com>
usb: gadget: configfs: Fix OOB read on empty string write
Ryan Mann (NDI) <rmann@ndigital.com>
USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI
Slark Xiao <slark_xiao@163.com>
USB: serial: option: add Foxconn T99W640
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition
Wayne Chang <waynec@nvidia.com>
phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode
-------------
Diffstat:
Documentation/filesystems/f2fs.rst | 6 +-
Documentation/firmware-guide/acpi/i2c-muxes.rst | 8 +-
Documentation/memory-barriers.txt | 11 +-
Documentation/networking/mptcp-sysctl.rst | 2 +
Makefile | 6 +-
arch/alpha/include/asm/processor.h | 2 +-
arch/alpha/kernel/process.c | 5 +-
arch/arc/include/asm/processor.h | 2 +-
arch/arc/kernel/stacktrace.c | 4 +-
arch/arm/Makefile | 2 +-
arch/arm/boot/dts/am335x-boneblack.dts | 2 +-
arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi | 1 -
arch/arm/boot/dts/vfxxx.dtsi | 2 +-
arch/arm/include/asm/processor.h | 2 +-
arch/arm/kernel/process.c | 4 +-
arch/arm/mach-rockchip/platsmp.c | 15 +-
arch/arm/mach-tegra/reset.c | 2 +-
.../boot/dts/freescale/imx8mm-beacon-som.dtsi | 2 +
.../boot/dts/freescale/imx8mn-beacon-som.dtsi | 2 +
arch/arm64/include/asm/acpi.h | 2 +-
arch/arm64/include/asm/processor.h | 2 +-
arch/arm64/kernel/entry.S | 6 +
arch/arm64/kernel/fpsimd.c | 4 +-
arch/arm64/kernel/process.c | 4 +-
arch/arm64/kernel/traps.c | 1 +
arch/arm64/mm/fault.c | 1 +
arch/arm64/mm/ptdump_debugfs.c | 3 -
arch/csky/include/asm/processor.h | 2 +-
arch/csky/kernel/stacktrace.c | 5 +-
arch/h8300/include/asm/processor.h | 2 +-
arch/h8300/kernel/process.c | 5 +-
arch/hexagon/include/asm/processor.h | 2 +-
arch/hexagon/kernel/process.c | 4 +-
arch/ia64/include/asm/processor.h | 2 +-
arch/ia64/kernel/process.c | 5 +-
arch/m68k/Kconfig.debug | 2 +-
arch/m68k/include/asm/processor.h | 2 +-
arch/m68k/kernel/early_printk.c | 42 +--
arch/m68k/kernel/head.S | 39 ++-
arch/m68k/kernel/process.c | 4 +-
arch/microblaze/include/asm/processor.h | 2 +-
arch/microblaze/kernel/process.c | 2 +-
arch/mips/crypto/chacha-core.S | 20 +-
arch/mips/include/asm/processor.h | 2 +-
arch/mips/include/asm/vpe.h | 8 +
arch/mips/kernel/process.c | 24 +-
arch/mips/mm/tlb-r4k.c | 56 +++-
arch/nds32/include/asm/processor.h | 2 +-
arch/nds32/kernel/process.c | 7 +-
arch/nios2/include/asm/processor.h | 2 +-
arch/nios2/kernel/process.c | 5 +-
arch/openrisc/include/asm/processor.h | 2 +-
arch/openrisc/kernel/process.c | 2 +-
arch/parisc/Makefile | 2 +-
arch/parisc/include/asm/processor.h | 2 +-
arch/parisc/kernel/process.c | 5 +-
arch/powerpc/configs/ppc6xx_defconfig | 1 -
arch/powerpc/include/asm/processor.h | 2 +-
arch/powerpc/kernel/eeh.c | 1 +
arch/powerpc/kernel/eeh_driver.c | 48 ++--
arch/powerpc/kernel/eeh_pe.c | 11 +-
arch/powerpc/kernel/pci-hotplug.c | 3 +
arch/powerpc/kernel/process.c | 9 +-
arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 +-
arch/riscv/include/asm/processor.h | 2 +-
arch/riscv/kernel/stacktrace.c | 12 +-
arch/s390/hypfs/hypfs_dbfs.c | 19 +-
arch/s390/include/asm/processor.h | 2 +-
arch/s390/include/asm/timex.h | 13 +-
arch/s390/kernel/process.c | 4 +-
arch/s390/kernel/time.c | 2 +-
arch/s390/mm/dump_pagetables.c | 2 -
arch/sh/Makefile | 10 +-
arch/sh/boot/compressed/Makefile | 4 +-
arch/sh/boot/romimage/Makefile | 4 +-
arch/sh/include/asm/processor_32.h | 2 +-
arch/sh/kernel/process_32.c | 5 +-
arch/sparc/include/asm/processor_32.h | 2 +-
arch/sparc/include/asm/processor_64.h | 2 +-
arch/sparc/kernel/process_32.c | 5 +-
arch/sparc/kernel/process_64.c | 5 +-
arch/um/drivers/rtc_user.c | 2 +-
arch/um/include/asm/processor-generic.h | 2 +-
arch/um/kernel/process.c | 5 +-
arch/x86/include/asm/processor.h | 2 +-
arch/x86/include/asm/xen/hypercall.h | 6 +-
arch/x86/kernel/cpu/amd.c | 2 +
arch/x86/kernel/cpu/bugs.c | 5 +-
arch/x86/kernel/cpu/hygon.c | 3 +
arch/x86/kernel/cpu/mce/amd.c | 13 +-
arch/x86/kernel/process.c | 62 ++---
arch/x86/kvm/vmx/vmx.c | 5 +-
arch/x86/mm/extable.c | 5 +-
arch/xtensa/include/asm/processor.h | 2 +-
arch/xtensa/kernel/process.c | 5 +-
block/blk-settings.c | 2 +-
drivers/acpi/acpi_processor.c | 2 +-
drivers/acpi/apei/ghes.c | 2 +
drivers/acpi/prmt.c | 26 +-
drivers/acpi/processor_idle.c | 4 +-
drivers/acpi/processor_perflib.c | 11 +
drivers/ata/Kconfig | 35 ++-
drivers/ata/libata-sata.c | 5 +
drivers/ata/libata-scsi.c | 20 +-
drivers/base/power/domain_governor.c | 18 +-
drivers/base/power/runtime.c | 5 +
drivers/base/regmap/regmap.c | 2 +
drivers/block/drbd/drbd_receiver.c | 6 +-
drivers/block/sunvdc.c | 4 +-
drivers/bus/fsl-mc/fsl-mc-bus.c | 19 +-
drivers/bus/mhi/host/boot.c | 8 +-
drivers/bus/mhi/host/internal.h | 4 +-
drivers/bus/mhi/host/main.c | 15 +-
drivers/char/hw_random/mtk-rng.c | 4 +-
drivers/char/ipmi/ipmi_msghandler.c | 8 +-
drivers/char/ipmi/ipmi_watchdog.c | 59 +++--
drivers/clk/clk-axi-clkgen.c | 2 +-
drivers/clk/davinci/psc.c | 5 +
drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 +-
drivers/clk/xilinx/xlnx_vcu.c | 4 +-
drivers/comedi/comedi_fops.c | 68 ++++-
drivers/comedi/comedi_internal.h | 1 +
drivers/comedi/drivers.c | 47 ++--
drivers/comedi/drivers/aio_iiro_16.c | 3 +-
drivers/comedi/drivers/comedi_test.c | 2 +-
drivers/comedi/drivers/das16m1.c | 3 +-
drivers/comedi/drivers/das6402.c | 3 +-
drivers/comedi/drivers/pcl726.c | 3 +-
drivers/comedi/drivers/pcl812.c | 3 +-
drivers/cpufreq/armada-8k-cpufreq.c | 2 +-
drivers/cpufreq/cppc_cpufreq.c | 2 +-
drivers/cpufreq/cpufreq.c | 29 +-
drivers/cpufreq/intel_pstate.c | 4 +-
drivers/cpuidle/governors/menu.c | 21 +-
drivers/crypto/ccp/ccp-debugfs.c | 3 +
drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 +-
drivers/crypto/img-hash.c | 2 +-
drivers/crypto/inside-secure/safexcel_hash.c | 8 +-
drivers/crypto/keembay/keembay-ocs-hcu-core.c | 8 +-
drivers/crypto/marvell/cesa/cipher.c | 4 +-
drivers/crypto/marvell/cesa/hash.c | 5 +-
.../crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 +-
.../crypto/qat/qat_common/adf_transport_debug.c | 4 +-
drivers/devfreq/devfreq.c | 10 +-
drivers/devfreq/governor_userspace.c | 6 +-
drivers/dma/mv_xor.c | 21 +-
drivers/dma/nbpfaxi.c | 24 +-
drivers/edac/synopsys_edac.c | 93 +++----
drivers/fpga/zynq-fpga.c | 10 +-
drivers/gpio/gpio-tps65912.c | 7 +-
drivers/gpio/gpio-virtio.c | 9 +-
drivers/gpio/gpio-wcd934x.c | 7 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +
.../gpu/drm/amd/display/dc/bios/command_table.c | 2 +-
drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 1 -
.../amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c | 2 -
.../amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 40 +--
.../amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 31 +--
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 11 +-
.../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 +
.../gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c | 2 +-
drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 +
drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 ++-
drivers/gpu/drm/drm_dp_helper.c | 2 +-
drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c | 4 +-
drivers/gpu/drm/msm/msm_gem.c | 3 +-
drivers/gpu/drm/rockchip/rockchip_drm_fb.c | 9 +-
drivers/gpu/drm/scheduler/sched_entity.c | 27 +-
drivers/gpu/drm/ttm/ttm_pool.c | 8 +-
drivers/gpu/drm/ttm/ttm_resource.c | 3 +
drivers/hid/hid-core.c | 21 +-
drivers/hid/hid-magicmouse.c | 51 ++--
drivers/hwmon/corsair-cpro.c | 5 +
drivers/hwmon/gsc-hwmon.c | 4 +-
drivers/i2c/busses/i2c-qup.c | 4 +-
drivers/i2c/busses/i2c-stm32.c | 8 +-
drivers/i2c/busses/i2c-stm32f7.c | 4 +-
drivers/i2c/busses/i2c-virtio.c | 15 +-
drivers/i2c/i2c-core-acpi.c | 1 +
drivers/i3c/internals.h | 1 +
drivers/i3c/master.c | 2 +-
drivers/idle/intel_idle.c | 2 +-
drivers/iio/adc/ad7768-1.c | 23 +-
drivers/iio/adc/ad_sigma_delta.c | 4 +-
drivers/iio/adc/max1363.c | 43 ++-
drivers/iio/adc/stm32-adc-core.c | 7 +-
drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 6 +-
drivers/iio/light/as73211.c | 2 +-
drivers/iio/light/hid-sensor-prox.c | 8 +-
drivers/iio/pressure/bmp280-core.c | 9 +-
drivers/iio/proximity/isl29501.c | 14 +-
drivers/infiniband/core/cache.c | 4 +-
drivers/infiniband/core/nldev.c | 22 +-
drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 +
drivers/infiniband/hw/hfi1/affinity.c | 44 +--
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 15 +-
drivers/infiniband/hw/mlx5/dm.c | 2 +-
drivers/input/joystick/xpad.c | 2 +-
drivers/input/keyboard/gpio_keys.c | 4 +-
drivers/interconnect/qcom/sc7280.c | 1 +
drivers/iommu/amd/init.c | 4 +-
drivers/leds/leds-lp50xx.c | 11 +-
drivers/md/dm-ps-historical-service-time.c | 4 +-
drivers/md/dm-ps-queue-length.c | 4 +-
drivers/md/dm-ps-round-robin.c | 4 +-
drivers/md/dm-ps-service-time.c | 4 +-
drivers/md/dm-zoned-target.c | 2 +-
drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 +-
drivers/media/dvb-frontends/dib7000p.c | 10 +
drivers/media/i2c/hi556.c | 26 +-
drivers/media/i2c/ov2659.c | 3 +-
drivers/media/i2c/tc358743.c | 86 +++---
drivers/media/platform/qcom/camss/camss.c | 10 +-
drivers/media/platform/qcom/venus/core.c | 21 +-
drivers/media/platform/qcom/venus/core.h | 2 +
drivers/media/platform/qcom/venus/dbgfs.c | 9 +
drivers/media/platform/qcom/venus/dbgfs.h | 13 +
drivers/media/platform/qcom/venus/hfi_venus.c | 5 +
drivers/media/platform/qcom/venus/vdec.c | 5 +-
drivers/media/platform/qcom/venus/venc.c | 5 +-
drivers/media/usb/gspca/vicam.c | 10 +-
drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 +
drivers/media/usb/usbtv/usbtv-video.c | 4 +
drivers/media/usb/uvc/uvc_driver.c | 3 +
drivers/media/usb/uvc/uvc_video.c | 21 +-
drivers/media/v4l2-core/v4l2-common.c | 8 +-
drivers/media/v4l2-core/v4l2-ctrls-core.c | 9 +-
drivers/memstick/core/memstick.c | 3 +-
drivers/memstick/host/rtsx_usb_ms.c | 1 +
drivers/misc/cardreader/rtsx_usb.c | 16 +-
drivers/mmc/host/bcm2835.c | 3 +-
drivers/mmc/host/rtsx_usb_sdmmc.c | 4 +-
drivers/mmc/host/sdhci-msm.c | 14 +
drivers/mmc/host/sdhci-pci-core.c | 3 +-
drivers/mmc/host/sdhci-pci-gli.c | 4 +-
drivers/mmc/host/sdhci_am654.c | 9 +-
drivers/most/core.c | 2 +-
drivers/mtd/ftl.c | 2 +-
drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +-
drivers/mtd/nand/raw/atmel/pmecc.c | 6 +
drivers/mtd/nand/raw/fsmc_nand.c | 2 +
drivers/mtd/nand/raw/rockchip-nand-controller.c | 15 ++
drivers/mtd/nand/spi/core.c | 5 +-
drivers/net/bonding/bond_3ad.c | 25 ++
drivers/net/bonding/bond_options.c | 1 +
drivers/net/can/kvaser_pciefd.c | 1 +
drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 +
drivers/net/dsa/b53/b53_common.c | 63 +++--
drivers/net/dsa/b53/b53_regs.h | 2 +
drivers/net/ethernet/agere/et131x.c | 36 +++
drivers/net/ethernet/aquantia/atlantic/aq_hw.h | 2 +
.../aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 +++
drivers/net/ethernet/atheros/ag71xx.c | 9 +
drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 +-
drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +-
drivers/net/ethernet/emulex/benet/be_main.c | 8 +-
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 -
drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +-
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 15 +-
.../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 15 +-
drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 +-
drivers/net/ethernet/freescale/fec_main.c | 34 ++-
drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +-
drivers/net/ethernet/google/gve/gve_adminq.c | 1 +
drivers/net/ethernet/google/gve/gve_main.c | 67 ++---
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 36 +--
.../net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 9 +-
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 6 +-
drivers/net/ethernet/intel/e1000e/defines.h | 3 +
drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 +
drivers/net/ethernet/intel/e1000e/nvm.c | 6 +
drivers/net/ethernet/intel/fm10k/fm10k.h | 3 +-
drivers/net/ethernet/intel/i40e/i40e.h | 2 +-
drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 18 +-
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 +-
drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 2 +
drivers/net/ethernet/intel/igc/igc_main.c | 14 +-
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 3 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 4 +-
drivers/net/ethernet/mellanox/mlx5/core/en.h | 24 +-
drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 13 +-
drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 +-
drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 -
drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 2 +
drivers/net/ethernet/mellanox/mlxsw/trap.h | 1 +
drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +-
drivers/net/hyperv/hyperv_net.h | 3 +
drivers/net/hyperv/netvsc_drv.c | 29 +-
drivers/net/phy/dp83640.c | 6 +-
drivers/net/phy/mscc/mscc.h | 12 +
drivers/net/phy/mscc/mscc_main.c | 12 +
drivers/net/phy/mscc/mscc_ptp.c | 50 +++-
drivers/net/phy/mscc/mscc_ptp.h | 1 +
drivers/net/phy/nxp-c45-tja11xx.c | 2 +-
drivers/net/phy/smsc.c | 1 +
drivers/net/ppp/ppp_generic.c | 17 +-
drivers/net/ppp/pptp.c | 18 +-
drivers/net/thunderbolt.c | 8 +-
drivers/net/usb/asix_devices.c | 1 +
drivers/net/usb/sierra_net.c | 4 +
drivers/net/usb/usbnet.c | 11 +-
drivers/net/vrf.c | 2 +
drivers/net/wireless/ath/ath11k/hal.c | 25 +-
.../broadcom/brcm80211/brcmfmac/cfg80211.c | 8 +-
.../broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 2 +-
drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 +-
drivers/net/wireless/intel/iwlwifi/dvm/main.c | 11 +-
drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +-
drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 +-
drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 +-
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +-
drivers/net/wireless/marvell/mwl8k.c | 4 +
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 +-
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +-
drivers/net/wireless/realtek/rtlwifi/pci.c | 23 +-
drivers/net/xen-netfront.c | 5 -
drivers/nvme/host/core.c | 4 +
drivers/pci/controller/pcie-rockchip-host.c | 2 +-
drivers/pci/controller/vmd.c | 3 +
drivers/pci/endpoint/functions/pci-epf-vntb.c | 4 +-
drivers/pci/endpoint/pci-ep-cfs.c | 1 +
drivers/pci/endpoint/pci-epf-core.c | 2 +-
drivers/pci/hotplug/pnv_php.c | 235 ++++++++++++++--
drivers/pci/pci-acpi.c | 4 +-
drivers/pci/pci.c | 8 +-
drivers/pci/probe.c | 2 +-
drivers/phy/tegra/xusb-tegra186.c | 61 +++--
drivers/pinctrl/mediatek/pinctrl-moore.c | 18 ++
drivers/pinctrl/stm32/pinctrl-stm32.c | 1 +
drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 +-
drivers/platform/chrome/cros_ec.c | 23 +-
drivers/platform/chrome/cros_ec.h | 2 +-
drivers/platform/chrome/cros_ec_i2c.c | 4 +-
drivers/platform/chrome/cros_ec_lpc.c | 4 +-
drivers/platform/chrome/cros_ec_spi.c | 4 +-
drivers/platform/chrome/cros_ec_typec.c | 4 +-
drivers/platform/x86/ideapad-laptop.c | 2 +-
drivers/platform/x86/think-lmi.c | 27 +-
drivers/platform/x86/thinkpad_acpi.c | 4 +-
drivers/power/supply/cpcap-charger.c | 5 +-
drivers/power/supply/max14577_charger.c | 4 +-
drivers/powercap/intel_rapl_common.c | 23 +-
drivers/pps/clients/pps-gpio.c | 5 +-
drivers/pps/pps.c | 11 +-
drivers/ptp/ptp_private.h | 5 +
drivers/ptp/ptp_vclock.c | 7 +
drivers/pwm/pwm-imx-tpm.c | 9 +
drivers/pwm/pwm-mediatek.c | 78 ++++--
drivers/regulator/core.c | 1 +
drivers/reset/Kconfig | 10 +-
drivers/rtc/rtc-ds1307.c | 17 +-
drivers/rtc/rtc-hym8563.c | 2 +-
drivers/rtc/rtc-pcf85063.c | 2 +-
drivers/rtc/rtc-pcf8563.c | 2 +-
drivers/rtc/rtc-rv3028.c | 2 +-
drivers/scsi/aacraid/comminit.c | 3 +-
drivers/scsi/bfa/bfad_im.c | 1 +
drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 +-
drivers/scsi/isci/request.c | 2 +-
drivers/scsi/libiscsi.c | 3 +-
drivers/scsi/lpfc/lpfc_debugfs.c | 1 -
drivers/scsi/lpfc/lpfc_scsi.c | 4 +
drivers/scsi/mpi3mr/mpi3mr.h | 6 +-
drivers/scsi/mpi3mr/mpi3mr_fw.c | 17 +-
drivers/scsi/mpi3mr/mpi3mr_os.c | 2 +
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 22 +-
drivers/scsi/mvsas/mv_sas.c | 4 +-
drivers/scsi/qla4xxx/ql4_os.c | 2 +
drivers/scsi/scsi_scan.c | 2 +-
drivers/scsi/scsi_transport_sas.c | 62 ++++-
drivers/scsi/ufs/ufs-exynos.c | 4 +-
drivers/scsi/ufs/ufshcd-pci.c | 42 ++-
drivers/scsi/ufs/ufshcd.c | 10 +-
drivers/soc/aspeed/aspeed-lpc-snoop.c | 13 +-
drivers/soc/qcom/mdt_loader.c | 41 +++
drivers/soc/tegra/pmc.c | 51 ++--
drivers/soundwire/stream.c | 2 +-
drivers/staging/fbtft/fbtft-core.c | 1 +
drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +-
drivers/staging/nvec/nvec_power.c | 2 +-
drivers/target/target_core_fabric_lib.c | 65 +++--
drivers/target/target_core_internal.h | 4 +-
drivers/target/target_core_pr.c | 18 +-
drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 ++-
drivers/thermal/thermal_sysfs.c | 9 +-
drivers/thunderbolt/domain.c | 2 +-
drivers/thunderbolt/switch.c | 2 +-
drivers/tty/serial/8250/8250_port.c | 3 +-
drivers/tty/serial/pch_uart.c | 2 +-
drivers/tty/vt/defkeymap.c_shipped | 112 ++++++++
drivers/tty/vt/keyboard.c | 2 +-
drivers/usb/atm/cxacru.c | 172 ++++++------
drivers/usb/chipidea/ci.h | 18 +-
drivers/usb/chipidea/udc.c | 10 +
drivers/usb/class/cdc-acm.c | 11 +-
drivers/usb/core/config.c | 10 +-
drivers/usb/core/hcd.c | 8 +-
drivers/usb/core/hub.c | 60 ++++-
drivers/usb/core/hub.h | 1 +
drivers/usb/core/quirks.c | 1 +
drivers/usb/core/urb.c | 2 +-
drivers/usb/dwc3/dwc3-imx8mp.c | 6 +-
drivers/usb/dwc3/dwc3-meson-g12a.c | 3 +
drivers/usb/dwc3/dwc3-qcom.c | 7 +-
drivers/usb/dwc3/ep0.c | 20 +-
drivers/usb/dwc3/gadget.c | 19 +-
drivers/usb/early/xhci-dbc.c | 4 +
drivers/usb/gadget/composite.c | 5 +
drivers/usb/gadget/configfs.c | 2 +
drivers/usb/gadget/udc/renesas_usb3.c | 1 +
drivers/usb/host/xhci-hub.c | 3 +-
drivers/usb/host/xhci-mem.c | 24 +-
drivers/usb/host/xhci-pci-renesas.c | 7 +-
drivers/usb/host/xhci-ring.c | 19 +-
drivers/usb/host/xhci.c | 24 +-
drivers/usb/host/xhci.h | 3 +-
drivers/usb/misc/apple-mfi-fastcharge.c | 24 +-
drivers/usb/musb/musb_core.c | 62 ++---
drivers/usb/musb/musb_core.h | 11 +
drivers/usb/musb/musb_debugfs.c | 6 +-
drivers/usb/musb/musb_gadget.c | 30 ++-
drivers/usb/musb/musb_host.c | 6 +-
drivers/usb/musb/musb_virthub.c | 18 +-
drivers/usb/musb/omap2430.c | 16 +-
drivers/usb/phy/phy-mxs-usb.c | 4 +-
drivers/usb/serial/ftdi_sio.c | 2 +
drivers/usb/serial/ftdi_sio_ids.h | 3 +
drivers/usb/serial/option.c | 7 +
drivers/usb/storage/realtek_cr.c | 2 +-
drivers/usb/storage/unusual_devs.h | 29 ++
drivers/usb/typec/mux/intel_pmc_mux.c | 2 +-
drivers/usb/typec/tcpm/fusb302.c | 8 +
drivers/usb/typec/tcpm/tcpm.c | 64 +++--
drivers/usb/typec/ucsi/psy.c | 2 +-
drivers/usb/typec/ucsi/ucsi.c | 1 +
drivers/usb/typec/ucsi/ucsi.h | 7 +-
drivers/vhost/scsi.c | 4 +-
drivers/vhost/vhost.c | 3 +
drivers/video/console/vgacon.c | 2 +-
drivers/video/fbdev/core/fbcon.c | 9 +-
drivers/video/fbdev/imxfb.c | 9 +-
drivers/watchdog/dw_wdt.c | 2 +
drivers/watchdog/iTCO_wdt.c | 6 +-
drivers/watchdog/sbsa_gwdt.c | 50 +++-
drivers/watchdog/ziirave_wdt.c | 3 +
drivers/xen/gntdev-common.h | 4 +
drivers/xen/gntdev.c | 71 +++--
fs/btrfs/relocation.c | 19 ++
fs/btrfs/tree-log.c | 53 ++--
fs/buffer.c | 2 +-
fs/cifs/cifssmb.c | 10 +
fs/cifs/file.c | 10 +-
fs/cifs/smb2ops.c | 7 +-
fs/cifs/smbdirect.c | 14 +-
fs/eventpoll.c | 60 ++++-
fs/ext2/inode.c | 12 +-
fs/ext4/fsmap.c | 23 +-
fs/ext4/indirect.c | 4 +-
fs/ext4/inline.c | 19 +-
fs/ext4/inode.c | 2 +-
fs/ext4/mballoc.c | 35 ++-
fs/ext4/orphan.c | 5 +-
fs/ext4/super.c | 2 +
fs/f2fs/extent_cache.c | 2 +-
fs/f2fs/f2fs.h | 2 +-
fs/f2fs/inode.c | 28 +-
fs/f2fs/node.c | 10 +
fs/file.c | 15 ++
fs/hfs/bnode.c | 93 +++++++
fs/hfsplus/bnode.c | 92 +++++++
fs/hfsplus/extents.c | 3 -
fs/hfsplus/unicode.c | 7 +
fs/hfsplus/xattr.c | 6 +-
fs/hugetlbfs/inode.c | 2 +-
fs/isofs/inode.c | 9 +-
fs/jbd2/checkpoint.c | 1 +
fs/jfs/file.c | 3 +
fs/jfs/inode.c | 2 +-
fs/jfs/jfs_dmap.c | 10 +-
fs/jfs/jfs_imap.c | 13 +-
fs/ksmbd/smb2pdu.c | 16 +-
fs/ksmbd/smb_common.c | 2 +-
fs/ksmbd/transport_rdma.c | 97 +++----
fs/libfs.c | 4 +-
fs/namespace.c | 39 ++-
fs/nfs/blocklayout/blocklayout.c | 4 +-
fs/nfs/blocklayout/dev.c | 5 +-
fs/nfs/blocklayout/extent_tree.c | 20 +-
fs/nfs/client.c | 44 ++-
fs/nfs/export.c | 11 +-
fs/nfs/flexfilelayout/flexfilelayout.c | 26 +-
fs/nfs/flexfilelayout/flexfilelayoutdev.c | 6 +-
fs/nfs/internal.h | 10 +-
fs/nfs/nfs4client.c | 15 +-
fs/nfs/nfs4proc.c | 12 +-
fs/nfs/pnfs.c | 11 +-
fs/nfsd/nfs4state.c | 34 ++-
fs/nilfs2/inode.c | 9 +-
fs/ntfs3/dir.c | 3 +
fs/ntfs3/file.c | 5 +-
fs/ntfs3/inode.c | 31 ++-
fs/orangefs/orangefs-debugfs.c | 8 +-
fs/squashfs/super.c | 14 +-
fs/udf/super.c | 13 +-
include/asm-generic/barrier.h | 33 +++
include/linux/bitmap.h | 2 +
include/linux/blk_types.h | 8 +-
include/linux/compiler.h | 8 -
include/linux/cpuset.h | 17 ++
include/linux/fs.h | 4 +-
include/linux/fs_context.h | 2 +-
include/linux/if_vlan.h | 6 +-
include/linux/memfd.h | 14 +
include/linux/mlx5/device.h | 1 +
include/linux/mm.h | 76 ++++--
include/linux/mmzone.h | 22 ++
include/linux/moduleparam.h | 5 +-
include/linux/pci.h | 10 +-
include/linux/platform_data/cros_ec_proto.h | 4 +
include/linux/pps_kernel.h | 1 +
include/linux/sched.h | 1 +
include/linux/skbuff.h | 31 ++-
include/linux/usb/usbnet.h | 1 +
include/linux/xarray.h | 15 ++
include/net/bond_3ad.h | 1 +
include/net/cfg80211.h | 2 +-
include/net/mac80211.h | 2 +
include/net/tc_act/tc_ctinfo.h | 6 +-
include/net/udp.h | 24 +-
include/sound/soc-dai.h | 13 +
include/uapi/linux/in6.h | 4 +-
include/uapi/linux/io_uring.h | 2 +-
kernel/bpf/helpers.c | 11 +-
kernel/cgroup/cpuset.c | 23 ++
kernel/events/core.c | 20 +-
kernel/fork.c | 2 +-
kernel/power/console.c | 7 +-
kernel/rcu/tree_plugin.h | 3 +
kernel/sched/core.c | 19 ++
kernel/sched/deadline.c | 4 +-
kernel/sched/loadavg.c | 2 +-
kernel/sched/rt.c | 6 +
kernel/sched/sched.h | 2 +-
kernel/trace/ftrace.c | 19 +-
kernel/trace/preemptirq_delay_test.c | 13 +-
kernel/trace/trace.c | 33 ++-
kernel/trace/trace.h | 8 +-
kernel/trace/trace_events.c | 5 +
kernel/ucount.c | 2 +-
lib/bitmap.c | 13 +
mm/debug_vm_pgtable.c | 9 +-
mm/filemap.c | 2 +-
mm/hmm.c | 2 +-
mm/kmemleak.c | 10 +-
mm/madvise.c | 2 +-
mm/memfd.c | 2 +-
mm/memory-failure.c | 8 +
mm/mmap.c | 10 +-
mm/page_alloc.c | 13 +
mm/ptdump.c | 2 +
mm/shmem.c | 2 +-
mm/vmalloc.c | 17 +-
mm/zsmalloc.c | 3 +
net/8021q/vlan.c | 42 ++-
net/8021q/vlan.h | 1 +
net/appletalk/aarp.c | 24 +-
net/bluetooth/l2cap_core.c | 26 +-
net/bluetooth/l2cap_sock.c | 3 +
net/bluetooth/smp.c | 21 +-
net/bluetooth/smp.h | 1 +
net/bridge/br_multicast.c | 16 ++
net/bridge/br_private.h | 2 +
net/bridge/br_switchdev.c | 3 +
net/caif/cfctrl.c | 294 ++++++++++-----------
net/core/filter.c | 3 +
net/core/netpoll.c | 7 +
net/core/skmsg.c | 57 ++--
net/hsr/hsr_slave.c | 8 +-
net/ipv4/netfilter/nf_reject_ipv4.c | 6 +-
net/ipv4/route.c | 1 -
net/ipv4/tcp_input.c | 3 +-
net/ipv4/udp_offload.c | 2 +-
net/ipv6/addrconf.c | 7 +-
net/ipv6/ip6_offload.c | 4 +-
net/ipv6/mcast.c | 13 +-
net/ipv6/netfilter/nf_reject_ipv6.c | 5 +-
net/ipv6/rpl_iptunnel.c | 8 +-
net/ipv6/seg6_hmac.c | 6 +-
net/mac80211/cfg.c | 13 +-
net/mac80211/mlme.c | 9 +-
net/mac80211/tx.c | 10 +-
net/mctp/af_mctp.c | 28 +-
net/mptcp/options.c | 7 +-
net/mptcp/pm_netlink.c | 14 +-
net/mptcp/protocol.c | 17 +-
net/mptcp/protocol.h | 11 +-
net/mptcp/subflow.c | 20 +-
net/ncsi/internal.h | 2 +-
net/ncsi/ncsi-rsp.c | 1 +
net/netfilter/nf_conntrack_netlink.c | 24 +-
net/netfilter/nf_tables_api.c | 4 +-
net/netfilter/xt_nfacct.c | 4 +-
net/netlink/af_netlink.c | 2 +-
net/packet/af_packet.c | 39 ++-
net/phonet/pep.c | 2 +-
net/sched/act_ctinfo.c | 19 +-
net/sched/sch_cake.c | 14 +-
net/sched/sch_codel.c | 5 +-
net/sched/sch_drr.c | 7 +-
net/sched/sch_ets.c | 46 ++--
net/sched/sch_fq_codel.c | 6 +-
net/sched/sch_hfsc.c | 8 +-
net/sched/sch_htb.c | 19 +-
net/sched/sch_netem.c | 40 +++
net/sched/sch_qfq.c | 40 ++-
net/sctp/input.c | 2 +-
net/tls/tls_sw.c | 13 +
net/vmw_vsock/af_vsock.c | 3 +-
net/wireless/mlme.c | 3 +-
samples/mei/mei-amt-version.c | 2 +-
scripts/kconfig/gconf.c | 8 +-
scripts/kconfig/lxdialog/inputbox.c | 6 +-
scripts/kconfig/lxdialog/menubox.c | 2 +-
scripts/kconfig/nconf.c | 2 +
scripts/kconfig/nconf.gui.c | 1 +
scripts/kconfig/qconf.cc | 2 +-
security/apparmor/include/match.h | 3 +-
security/apparmor/match.c | 1 +
security/inode.c | 2 -
sound/core/pcm_native.c | 19 +-
sound/pci/hda/patch_ca0132.c | 7 +-
sound/pci/hda/patch_hdmi.c | 19 ++
sound/pci/hda/patch_realtek.c | 3 +
sound/pci/intel8x0.c | 2 +-
sound/soc/codecs/hdac_hdmi.c | 10 +-
sound/soc/codecs/rt5640.c | 5 +
sound/soc/fsl/fsl_sai.c | 30 ++-
sound/soc/generic/audio-graph-card.c | 2 +-
sound/soc/intel/boards/Kconfig | 2 +-
sound/soc/soc-core.c | 28 ++
sound/soc/soc-dai.c | 59 +++--
sound/soc/soc-dapm.c | 4 +
sound/soc/soc-ops.c | 28 +-
sound/usb/mixer_quirks.c | 14 +-
sound/usb/mixer_scarlett_gen2.c | 8 +
sound/usb/stream.c | 25 +-
sound/usb/validate.c | 14 +-
sound/x86/intel_hdmi_audio.c | 2 +-
tools/bpf/bpftool/net.c | 15 +-
tools/include/linux/sched/mm.h | 2 +
tools/include/nolibc/std.h | 4 +-
tools/perf/builtin-sched.c | 12 +
tools/perf/tests/bp_account.c | 1 +
tools/perf/util/evsel.c | 11 +
tools/perf/util/evsel.h | 2 +
.../cpupower/utils/idle_monitor/mperf_monitor.c | 4 +-
tools/testing/ktest/ktest.pl | 5 +-
.../ftrace/test.d/event/subsystem-enable.tc | 28 +-
.../ftrace/test.d/ftrace/func-filter-glob.tc | 2 +-
tools/testing/selftests/futex/include/futextest.h | 11 +
tools/testing/selftests/memfd/memfd_test.c | 43 +++
tools/testing/selftests/net/mptcp/Makefile | 3 +-
tools/testing/selftests/net/mptcp/mptcp_connect.c | 28 +-
.../selftests/net/mptcp/mptcp_connect_checksum.sh | 5 +
.../selftests/net/mptcp/mptcp_connect_mmap.sh | 5 +
.../selftests/net/mptcp/mptcp_connect_sendfile.sh | 5 +
tools/testing/selftests/net/mptcp/mptcp_join.sh | 1 +
tools/testing/selftests/net/mptcp/pm_netlink.sh | 1 +
tools/testing/selftests/net/rtnetlink.sh | 6 +
tools/testing/selftests/net/udpgro.sh | 46 ++--
tools/testing/selftests/perf_events/.gitignore | 1 +
tools/testing/selftests/perf_events/Makefile | 2 +-
tools/testing/selftests/perf_events/mmap.c | 236 +++++++++++++++++
.../selftests/syscall_user_dispatch/sud_test.c | 50 ++--
677 files changed, 6081 insertions(+), 2515 deletions(-)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 001/644] phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 002/644] USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition Greg Kroah-Hartman
` (648 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wayne Chang, Jon Hunter, Vinod Koul
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wayne Chang <waynec@nvidia.com>
commit cefc1caee9dd06c69e2d807edc5949b329f52b22 upstream.
When transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code
assumed that the regulator should be disabled. However, if the regulator
is marked as always-on, regulator_is_enabled() continues to return true,
leading to an incorrect attempt to disable a regulator which is not
enabled.
This can result in warnings such as:
[ 250.155624] WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004
_regulator_disable+0xe4/0x1a0
[ 250.155652] unbalanced disables for VIN_SYS_5V0
To fix this, we move the regulator control logic into
tegra186_xusb_padctl_id_override() function since it's directly related
to the ID override state. The regulator is now only disabled when the role
transitions from USB_ROLE_HOST to USB_ROLE_NONE, by checking the VBUS_ID
register. This ensures that regulator enable/disable operations are
properly balanced and only occur when actually transitioning to/from host
mode.
Fixes: 49d46e3c7e59 ("phy: tegra: xusb: Add set_mode support for UTMI phy on Tegra186")
Cc: stable@vger.kernel.org
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://lore.kernel.org/r/20250502092606.2275682-1-waynec@nvidia.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/tegra/xusb-tegra186.c | 59 +++++++++++++++++++++++---------------
1 file changed, 37 insertions(+), 22 deletions(-)
--- a/drivers/phy/tegra/xusb-tegra186.c
+++ b/drivers/phy/tegra/xusb-tegra186.c
@@ -715,13 +715,15 @@ static int tegra186_xusb_padctl_vbus_ove
}
static int tegra186_xusb_padctl_id_override(struct tegra_xusb_padctl *padctl,
- bool status)
+ struct tegra_xusb_usb2_port *port, bool status)
{
- u32 value;
+ u32 value, id_override;
+ int err = 0;
dev_dbg(padctl->dev, "%s id override\n", status ? "set" : "clear");
value = padctl_readl(padctl, USB2_VBUS_ID);
+ id_override = value & ID_OVERRIDE(~0);
if (status) {
if (value & VBUS_OVERRIDE) {
@@ -732,14 +734,34 @@ static int tegra186_xusb_padctl_id_overr
value = padctl_readl(padctl, USB2_VBUS_ID);
}
- value &= ~ID_OVERRIDE(~0);
- value |= ID_OVERRIDE_GROUNDED;
+ if (id_override != ID_OVERRIDE_GROUNDED) {
+ value &= ~ID_OVERRIDE(~0);
+ value |= ID_OVERRIDE_GROUNDED;
+ padctl_writel(padctl, value, USB2_VBUS_ID);
+
+ err = regulator_enable(port->supply);
+ if (err) {
+ dev_err(padctl->dev, "Failed to enable regulator: %d\n", err);
+ return err;
+ }
+ }
} else {
- value &= ~ID_OVERRIDE(~0);
- value |= ID_OVERRIDE_FLOATING;
- }
+ if (id_override == ID_OVERRIDE_GROUNDED) {
+ /*
+ * The regulator is disabled only when the role transitions
+ * from USB_ROLE_HOST to USB_ROLE_NONE.
+ */
+ err = regulator_disable(port->supply);
+ if (err) {
+ dev_err(padctl->dev, "Failed to disable regulator: %d\n", err);
+ return err;
+ }
- padctl_writel(padctl, value, USB2_VBUS_ID);
+ value &= ~ID_OVERRIDE(~0);
+ value |= ID_OVERRIDE_FLOATING;
+ padctl_writel(padctl, value, USB2_VBUS_ID);
+ }
+ }
return 0;
}
@@ -759,27 +781,20 @@ static int tegra186_utmi_phy_set_mode(st
if (mode == PHY_MODE_USB_OTG) {
if (submode == USB_ROLE_HOST) {
- tegra186_xusb_padctl_id_override(padctl, true);
-
- err = regulator_enable(port->supply);
+ err = tegra186_xusb_padctl_id_override(padctl, port, true);
+ if (err)
+ goto out;
} else if (submode == USB_ROLE_DEVICE) {
tegra186_xusb_padctl_vbus_override(padctl, true);
} else if (submode == USB_ROLE_NONE) {
- /*
- * When port is peripheral only or role transitions to
- * USB_ROLE_NONE from USB_ROLE_DEVICE, regulator is not
- * enabled.
- */
- if (regulator_is_enabled(port->supply))
- regulator_disable(port->supply);
-
- tegra186_xusb_padctl_id_override(padctl, false);
+ err = tegra186_xusb_padctl_id_override(padctl, port, false);
+ if (err)
+ goto out;
tegra186_xusb_padctl_vbus_override(padctl, false);
}
}
-
+out:
mutex_unlock(&padctl->lock);
-
return err;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 002/644] USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 001/644] phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 003/644] USB: serial: option: add Foxconn T99W640 Greg Kroah-Hartman
` (647 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit 252f4ac08cd2f16ecd20e4c5e41ac2a17dd86942 upstream.
Add Telit Cinterion FE910C04 (ECM) composition:
0x10c7: ECM + tty (AT) + tty (AT) + tty (diag)
usb-devices output:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 7 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c7 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1415,6 +1415,9 @@ static const struct usb_device_id option
.driver_info = NCTRL(5) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x60) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x30), /* Telit FE910C04 (ECM) */
+ .driver_info = NCTRL(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x40) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x30), /* Telit FN990B (MBIM) */
.driver_info = NCTRL(6) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x40) },
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 003/644] USB: serial: option: add Foxconn T99W640
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 001/644] phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 002/644] USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 004/644] USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI Greg Kroah-Hartman
` (646 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Slark Xiao, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Slark Xiao <slark_xiao@163.com>
commit 08f49cdb71f3759368fded4dbc9dde35a404ec2b upstream.
T99W640 is designed based on Qualconn SDX72 chip. There are 3
serial ports to be enumerated: Diag, NMEA and AT.
Test evidence as below:
T: Bus=04 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs= 1
P: Vendor=0489 ProdID=e167 Rev=05.15
S: Manufacturer=QCOM
S: Product=SDXPINNL USB WWAN Adapter
S: SerialNumber=cc1f1d92
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=896mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=85(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=88(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
0&1: MBIM, 2:Modem, 3:GNSS(non-serial port), 4: NMEA, 5:Diag
Signed-off-by: Slark Xiao <slark_xiao@163.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2346,6 +2346,8 @@ static const struct usb_device_id option
.driver_info = RSVD(3) },
{ USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff), /* Foxconn T99W651 RNDIS */
.driver_info = RSVD(5) | RSVD(6) },
+ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe167, 0xff), /* Foxconn T99W640 MBIM */
+ .driver_info = RSVD(3) },
{ USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 (IOT version) */
.driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
{ USB_DEVICE(0x1782, 0x4d10) }, /* Fibocom L610 (AT mode) */
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 004/644] USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 003/644] USB: serial: option: add Foxconn T99W640 Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 005/644] usb: gadget: configfs: Fix OOB read on empty string write Greg Kroah-Hartman
` (645 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ryan Mann, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Mann (NDI) <rmann@ndigital.com>
commit c980666b6958d9a841597331b38115a29a32250e upstream.
NDI (Northern Digital Inc.) is introducing a new product called the
EMGUIDE GEMINI that will use an FTDI chip for USB serial communications.
Add the NDI EMGUIDE GEMINI product ID that uses the NDI Vendor ID
rather than the FTDI Vendor ID, unlike older products.
Signed-off-by: Ryan Mann <rmann@ndigital.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 2 ++
drivers/usb/serial/ftdi_sio_ids.h | 3 +++
2 files changed, 5 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -781,6 +781,8 @@ static const struct usb_device_id id_tab
.driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk },
{ USB_DEVICE(FTDI_VID, FTDI_NDI_AURORA_SCU_PID),
.driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk },
+ { USB_DEVICE(FTDI_NDI_VID, FTDI_NDI_EMGUIDE_GEMINI_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk },
{ USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) },
{ USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) },
{ USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -197,6 +197,9 @@
#define FTDI_NDI_FUTURE_3_PID 0xDA73 /* NDI future device #3 */
#define FTDI_NDI_AURORA_SCU_PID 0xDA74 /* NDI Aurora SCU */
+#define FTDI_NDI_VID 0x23F2
+#define FTDI_NDI_EMGUIDE_GEMINI_PID 0x0003 /* NDI Emguide Gemini */
+
/*
* ChamSys Limited (www.chamsys.co.uk) USB wing/interface product IDs
*/
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 005/644] usb: gadget: configfs: Fix OOB read on empty string write
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 004/644] USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 006/644] i2c: stm32: fix the device used for the DMA map Greg Kroah-Hartman
` (644 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xinyu Liu, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xinyu Liu <1171169449@qq.com>
commit 3014168731b7930300aab656085af784edc861f6 upstream.
When writing an empty string to either 'qw_sign' or 'landingPage'
sysfs attributes, the store functions attempt to access page[l - 1]
before validating that the length 'l' is greater than zero.
This patch fixes the vulnerability by adding a check at the beginning
of os_desc_qw_sign_store() and webusb_landingPage_store() to handle
the zero-length input case gracefully by returning immediately.
Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/tencent_B1C9481688D0E95E7362AB2E999DE8048207@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/configfs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -861,6 +861,8 @@ static ssize_t os_desc_qw_sign_store(str
struct gadget_info *gi = os_desc_item_to_gadget_info(item);
int res, l;
+ if (!len)
+ return len;
l = min((int)len, OS_STRING_QW_SIGN_LEN >> 1);
if (page[l - 1] == '\n')
--l;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 006/644] i2c: stm32: fix the device used for the DMA map
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 005/644] usb: gadget: configfs: Fix OOB read on empty string write Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 007/644] thunderbolt: Fix bit masking in tb_dp_port_set_hops() Greg Kroah-Hartman
` (643 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Clément Le Goffic, Alain Volmat,
Andi Shyti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Clément Le Goffic <clement.legoffic@foss.st.com>
commit c870cbbd71fccda71d575f0acd4a8d2b7cd88861 upstream.
If the DMA mapping failed, it produced an error log with the wrong
device name:
"stm32-dma3 40400000.dma-controller: rejecting DMA map of vmalloc memory"
Fix this issue by replacing the dev with the I2C dev.
Fixes: bb8822cbbc53 ("i2c: i2c-stm32: Add generic DMA API")
Signed-off-by: Clément Le Goffic <clement.legoffic@foss.st.com>
Cc: <stable@vger.kernel.org> # v4.18+
Acked-by: Alain Volmat <alain.volmat@foss.st.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20250704-i2c-upstream-v4-1-84a095a2c728@foss.st.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-stm32.c | 8 +++-----
drivers/i2c/busses/i2c-stm32f7.c | 4 ++--
2 files changed, 5 insertions(+), 7 deletions(-)
--- a/drivers/i2c/busses/i2c-stm32.c
+++ b/drivers/i2c/busses/i2c-stm32.c
@@ -102,7 +102,6 @@ int stm32_i2c_prep_dma_xfer(struct devic
void *dma_async_param)
{
struct dma_async_tx_descriptor *txdesc;
- struct device *chan_dev;
int ret;
if (rd_wr) {
@@ -116,11 +115,10 @@ int stm32_i2c_prep_dma_xfer(struct devic
}
dma->dma_len = len;
- chan_dev = dma->chan_using->device->dev;
- dma->dma_buf = dma_map_single(chan_dev, buf, dma->dma_len,
+ dma->dma_buf = dma_map_single(dev, buf, dma->dma_len,
dma->dma_data_dir);
- if (dma_mapping_error(chan_dev, dma->dma_buf)) {
+ if (dma_mapping_error(dev, dma->dma_buf)) {
dev_err(dev, "DMA mapping failed\n");
return -EINVAL;
}
@@ -150,7 +148,7 @@ int stm32_i2c_prep_dma_xfer(struct devic
return 0;
err:
- dma_unmap_single(chan_dev, dma->dma_buf, dma->dma_len,
+ dma_unmap_single(dev, dma->dma_buf, dma->dma_len,
dma->dma_data_dir);
return ret;
}
--- a/drivers/i2c/busses/i2c-stm32f7.c
+++ b/drivers/i2c/busses/i2c-stm32f7.c
@@ -721,10 +721,10 @@ static void stm32f7_i2c_dma_callback(voi
{
struct stm32f7_i2c_dev *i2c_dev = (struct stm32f7_i2c_dev *)arg;
struct stm32_i2c_dma *dma = i2c_dev->dma;
- struct device *dev = dma->chan_using->device->dev;
stm32f7_i2c_disable_dma_req(i2c_dev);
- dma_unmap_single(dev, dma->dma_buf, dma->dma_len, dma->dma_data_dir);
+ dma_unmap_single(i2c_dev->dev, dma->dma_buf, dma->dma_len,
+ dma->dma_data_dir);
complete(&dma->dma_complete);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 007/644] thunderbolt: Fix bit masking in tb_dp_port_set_hops()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 006/644] i2c: stm32: fix the device used for the DMA map Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 008/644] Input: xpad - set correct controller type for Acer NGR200 Greg Kroah-Hartman
` (642 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Mika Westerberg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
commit 2cdde91c14ec358087f43287513946d493aef940 upstream.
The tb_dp_port_set_hops() function was incorrectly clearing
ADP_DP_CS_1_AUX_RX_HOPID_MASK twice. According to the function's
purpose, it should clear both TX and RX AUX HopID fields. Replace the
first instance with ADP_DP_CS_1_AUX_TX_HOPID_MASK to ensure proper
configuration of both AUX directions.
Fixes: 98176380cbe5 ("thunderbolt: Convert DP adapter register names to follow the USB4 spec")
Cc: stable@vger.kernel.org
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/switch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/thunderbolt/switch.c
+++ b/drivers/thunderbolt/switch.c
@@ -1333,7 +1333,7 @@ int tb_dp_port_set_hops(struct tb_port *
return ret;
data[0] &= ~ADP_DP_CS_0_VIDEO_HOPID_MASK;
- data[1] &= ~ADP_DP_CS_1_AUX_RX_HOPID_MASK;
+ data[1] &= ~ADP_DP_CS_1_AUX_TX_HOPID_MASK;
data[1] &= ~ADP_DP_CS_1_AUX_RX_HOPID_MASK;
data[0] |= (video << ADP_DP_CS_0_VIDEO_HOPID_SHIFT) &
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 008/644] Input: xpad - set correct controller type for Acer NGR200
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 007/644] thunderbolt: Fix bit masking in tb_dp_port_set_hops() Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 009/644] pch_uart: Fix dma_sync_sg_for_device() nents value Greg Kroah-Hartman
` (641 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vicki Pfau, Nilton Perim Neto,
Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nilton Perim Neto <niltonperimneto@gmail.com>
commit bcce05041b21888f10b80ea903dcfe51a25c586e upstream.
The controller should have been set as XTYPE_XBOX360 and not XTYPE_XBOX.
Also the entry is in the wrong place. Fix it.
Reported-by: Vicki Pfau <vi@endrift.com>
Signed-off-by: Nilton Perim Neto <niltonperimneto@gmail.com>
Link: https://lore.kernel.org/r/20250708033126.26216-2-niltonperimneto@gmail.com
Fixes: 22c69d786ef8 ("Input: xpad - support Acer NGR 200 Controller")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/joystick/xpad.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -144,12 +144,12 @@ static const struct xpad_device {
{ 0x046d, 0xca88, "Logitech Compact Controller for Xbox", 0, XTYPE_XBOX },
{ 0x046d, 0xca8a, "Logitech Precision Vibration Feedback Wheel", 0, XTYPE_XBOX },
{ 0x046d, 0xcaa3, "Logitech DriveFx Racing Wheel", 0, XTYPE_XBOX360 },
+ { 0x0502, 0x1305, "Acer NGR200", 0, XTYPE_XBOX360 },
{ 0x056e, 0x2004, "Elecom JC-U3613M", 0, XTYPE_XBOX360 },
{ 0x05fd, 0x1007, "Mad Catz Controller (unverified)", 0, XTYPE_XBOX },
{ 0x05fd, 0x107a, "InterAct 'PowerPad Pro' X-Box pad (Germany)", 0, XTYPE_XBOX },
{ 0x05fe, 0x3030, "Chic Controller", 0, XTYPE_XBOX },
{ 0x05fe, 0x3031, "Chic Controller", 0, XTYPE_XBOX },
- { 0x0502, 0x1305, "Acer NGR200", 0, XTYPE_XBOX },
{ 0x062a, 0x0020, "Logic3 Xbox GamePad", 0, XTYPE_XBOX },
{ 0x062a, 0x0033, "Competition Pro Steering Wheel", 0, XTYPE_XBOX },
{ 0x06a3, 0x0200, "Saitek Racing Wheel", 0, XTYPE_XBOX },
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 009/644] pch_uart: Fix dma_sync_sg_for_device() nents value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 008/644] Input: xpad - set correct controller type for Acer NGR200 Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 010/644] HID: core: ensure the allocated report buffer can contain the reserved report ID Greg Kroah-Hartman
` (640 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Thomas Fourier,
Andy Shevchenko
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 6c0e9f05c9d7875995b0e92ace71be947f280bbd upstream.
The dma_sync_sg_for_device() functions should be called with the same
nents as the dma_map_sg(), not the value the map function returned
according to the documentation in Documentation/core-api/dma-api.rst:450:
With the sync_sg API, all the parameters must be the same
as those passed into the sg mapping API.
Fixes: da3564ee027e ("pch_uart: add multi-scatter processing")
Cc: stable <stable@kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20250701113452.18590-2-fourier.thomas@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/pch_uart.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -1014,7 +1014,7 @@ static unsigned int dma_handle_tx(struct
__func__);
return 0;
}
- dma_sync_sg_for_device(port->dev, priv->sg_tx_p, nent, DMA_TO_DEVICE);
+ dma_sync_sg_for_device(port->dev, priv->sg_tx_p, num, DMA_TO_DEVICE);
priv->desc_tx = desc;
desc->callback = pch_dma_tx_complete;
desc->callback_param = priv;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 010/644] HID: core: ensure the allocated report buffer can contain the reserved report ID
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 009/644] pch_uart: Fix dma_sync_sg_for_device() nents value Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 011/644] HID: core: ensure __hid_request reserves the report ID as the first byte Greg Kroah-Hartman
` (639 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern, Benjamin Tissoires
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Tissoires <bentiss@kernel.org>
commit 4f15ee98304b96e164ff2340e1dfd6181c3f42aa upstream.
When the report ID is not used, the low level transport drivers expect
the first byte to be 0. However, currently the allocated buffer not
account for that extra byte, meaning that instead of having 8 guaranteed
bytes for implement to be working, we only have 7.
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Cc: stable@vger.kernel.org
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20250710-report-size-null-v2-1-ccf922b7c4e5@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1662,9 +1662,12 @@ u8 *hid_alloc_report_buf(struct hid_repo
/*
* 7 extra bytes are necessary to achieve proper functionality
* of implement() working on 8 byte chunks
+ * 1 extra byte for the report ID if it is null (not used) so
+ * we can reserve that extra byte in the first position of the buffer
+ * when sending it to .raw_request()
*/
- u32 len = hid_report_len(report) + 7;
+ u32 len = hid_report_len(report) + 7 + (report->id == 0);
return kzalloc(len, flags);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 011/644] HID: core: ensure __hid_request reserves the report ID as the first byte
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 010/644] HID: core: ensure the allocated report buffer can contain the reserved report ID Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 012/644] HID: core: do not bypass hid_hw_raw_request Greg Kroah-Hartman
` (638 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alan Stern,
syzbot+8258d5439c49d4c35f43, Benjamin Tissoires
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Tissoires <bentiss@kernel.org>
commit 0d0777ccaa2d46609d05b66ba0096802a2746193 upstream.
The low level transport driver expects the first byte to be the report
ID, even when the report ID is not use (in which case they just shift
the buffer).
However, __hid_request() whas not offsetting the buffer it used by one
in this case, meaning that the raw_request() callback emitted by the
transport driver would be stripped of the first byte.
Note: this changes the API for uhid devices when a request is made
through hid_hw_request. However, several considerations makes me think
this is fine:
- every request to a HID device made through hid_hw_request() would see
that change, but every request made through hid_hw_raw_request()
already has the new behaviour. So that means that the users are
already facing situations where they might have or not the first byte
being the null report ID when it is 0. We are making things more
straightforward in the end.
- uhid is mainly used for BLE devices
- uhid is also used for testing, but I don't see that change a big issue
- for BLE devices, we can check which kernel module is calling
hid_hw_request()
- and in those modules, we can check which are using a Bluetooth device
- and then we can check if the command is used with a report ID or not.
- surprise: none of the kernel module are using a report ID 0
- and finally, bluez, in its function set_report()[0], does the same
shift if the report ID is 0 and the given buffer has a size > 0.
[0] https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/profiles/input/hog-lib.c#n879
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Reported-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43
Tested-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com
Fixes: 4fa5a7f76cc7 ("HID: core: implement generic .request()")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250710-report-size-null-v2-2-ccf922b7c4e5@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-core.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1730,7 +1730,7 @@ static struct hid_report *hid_get_report
int __hid_request(struct hid_device *hid, struct hid_report *report,
int reqtype)
{
- char *buf;
+ char *buf, *data_buf;
int ret;
u32 len;
@@ -1738,10 +1738,17 @@ int __hid_request(struct hid_device *hid
if (!buf)
return -ENOMEM;
+ data_buf = buf;
len = hid_report_len(report);
+ if (report->id == 0) {
+ /* reserve the first byte for the report ID */
+ data_buf++;
+ len++;
+ }
+
if (reqtype == HID_REQ_SET_REPORT)
- hid_output_report(report, buf);
+ hid_output_report(report, data_buf);
ret = hid->ll_driver->raw_request(hid, report->id, buf, len,
report->type, reqtype);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 012/644] HID: core: do not bypass hid_hw_raw_request
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 011/644] HID: core: ensure __hid_request reserves the report ID as the first byte Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 013/644] tracing: Add down_write(trace_event_sem) when adding trace event Greg Kroah-Hartman
` (637 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern, Benjamin Tissoires
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Tissoires <bentiss@kernel.org>
commit c2ca42f190b6714d6c481dfd3d9b62ea091c946b upstream.
hid_hw_raw_request() is actually useful to ensure the provided buffer
and length are valid. Directly calling in the low level transport driver
function bypassed those checks and allowed invalid paramto be used.
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250710-report-size-null-v2-3-ccf922b7c4e5@kernel.org
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1750,8 +1750,7 @@ int __hid_request(struct hid_device *hid
if (reqtype == HID_REQ_SET_REPORT)
hid_output_report(report, data_buf);
- ret = hid->ll_driver->raw_request(hid, report->id, buf, len,
- report->type, reqtype);
+ ret = hid_hw_raw_request(hid, report->id, buf, len, report->type, reqtype);
if (ret < 0) {
dbg_hid("unable to complete request: %d\n", ret);
goto out;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 013/644] tracing: Add down_write(trace_event_sem) when adding trace event
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 012/644] HID: core: do not bypass hid_hw_raw_request Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 014/644] phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() Greg Kroah-Hartman
` (636 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Desnoyers,
Masami Hiramatsu (Google), Fusheng Huang ,
Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df upstream.
When a module is loaded, it adds trace events defined by the module. It
may also need to modify the modules trace printk formats to replace enum
names with their values.
If two modules are loaded at the same time, the adding of the event to the
ftrace_events list can corrupt the walking of the list in the code that is
modifying the printk format strings and crash the kernel.
The addition of the event should take the trace_event_sem for write while
it adds the new event.
Also add a lockdep_assert_held() on that semaphore in
__trace_add_event_dirs() as it iterates the list.
Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home
Reported-by: Fusheng Huang(黄富生) <Fusheng.Huang@luxshare-ict.com>
Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/
Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -2685,7 +2685,10 @@ __register_event(struct trace_event_call
if (ret < 0)
return ret;
+ down_write(&trace_event_sem);
list_add(&call->list, &ftrace_events);
+ up_write(&trace_event_sem);
+
if (call->flags & TRACE_EVENT_FL_DYNAMIC)
atomic_set(&call->refcnt, 0);
else
@@ -3156,6 +3159,8 @@ __trace_add_event_dirs(struct trace_arra
struct trace_event_call *call;
int ret;
+ lockdep_assert_held(&trace_event_sem);
+
list_for_each_entry(call, &ftrace_events, list) {
ret = __trace_add_new_event(call, tr);
if (ret < 0)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 014/644] phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 013/644] tracing: Add down_write(trace_event_sem) when adding trace event Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 015/644] af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() Greg Kroah-Hartman
` (635 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 17ba793f381eb813596d6de1cc6820bcbda5ed8b upstream.
A new warning in clang [1] points out a place in pep_sock_accept() where
dst is uninitialized then passed as a const pointer to pep_find_pipe():
net/phonet/pep.c:829:37: error: variable 'dst' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer]
829 | newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle);
| ^~~:
Move the call to pn_skb_get_dst_sockaddr(), which initializes dst, to
before the call to pep_find_pipe(), so that dst is consistently used
initialized throughout the function.
Cc: stable@vger.kernel.org
Fixes: f7ae8d59f661 ("Phonet: allocate sock from accept syscall rather than soft IRQ")
Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
Closes: https://github.com/ClangBuiltLinux/linux/issues/2101
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Link: https://patch.msgid.link/20250715-net-phonet-fix-uninit-const-pointer-v1-1-8efd1bd188b3@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/phonet/pep.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -825,6 +825,7 @@ static struct sock *pep_sock_accept(stru
}
/* Check for duplicate pipe handle */
+ pn_skb_get_dst_sockaddr(skb, &dst);
newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle);
if (unlikely(newsk)) {
__sock_put(newsk);
@@ -849,7 +850,6 @@ static struct sock *pep_sock_accept(stru
newsk->sk_destruct = pipe_destruct;
newpn = pep_sk(newsk);
- pn_skb_get_dst_sockaddr(skb, &dst);
pn_skb_get_src_sockaddr(skb, &src);
newpn->pn_sk.sobject = pn_sockaddr_get_object(&dst);
newpn->pn_sk.dobject = pn_sockaddr_get_object(&src);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 015/644] af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 014/644] phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 016/644] af_packet: fix soft lockup issue caused by tpacket_snd() Greg Kroah-Hartman
` (634 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Eric Dumazet, Yun Lu,
Willem de Bruijn, David S. Miller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yun Lu <luyun@kylinos.cn>
commit c1ba3c0cbdb5e53a8ec5d708e99cd4c497028a13 upstream.
Due to the changes in commit 581073f626e3 ("af_packet: do not call
packet_read_pending() from tpacket_destruct_skb()"), every time
tpacket_destruct_skb() is executed, the skb_completion is marked as
completed. When wait_for_completion_interruptible_timeout() returns
completed, the pending_refcnt has not yet been reduced to zero.
Therefore, when ph is NULL, the wait function may need to be called
multiple times until packet_read_pending() finally returns zero.
We should call sock_sndtimeo() only once, otherwise the SO_SNDTIMEO
constraint could be way off.
Fixes: 581073f626e3 ("af_packet: do not call packet_read_pending() from tpacket_destruct_skb()")
Cc: stable@kernel.org
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Yun Lu <luyun@kylinos.cn>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2742,7 +2742,7 @@ static int tpacket_snd(struct packet_soc
int len_sum = 0;
int status = TP_STATUS_AVAILABLE;
int hlen, tlen, copylen = 0;
- long timeo = 0;
+ long timeo;
mutex_lock(&po->pg_vec_lock);
@@ -2796,6 +2796,7 @@ static int tpacket_snd(struct packet_soc
if ((size_max > dev->mtu + reserve + VLAN_HLEN) && !po->has_vnet_hdr)
size_max = dev->mtu + reserve + VLAN_HLEN;
+ timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT);
reinit_completion(&po->skb_completion);
do {
@@ -2803,7 +2804,6 @@ static int tpacket_snd(struct packet_soc
TP_STATUS_SEND_REQUEST);
if (unlikely(ph == NULL)) {
if (need_wait && skb) {
- timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT);
timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo);
if (timeo <= 0) {
err = !timeo ? -ETIMEDOUT : -ERESTARTSYS;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 016/644] af_packet: fix soft lockup issue caused by tpacket_snd()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 015/644] af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 017/644] dmaengine: nbpfaxi: Fix memory corruption in probe() Greg Kroah-Hartman
` (633 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, LongJun Tang, Yun Lu,
Willem de Bruijn, David S. Miller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yun Lu <luyun@kylinos.cn>
commit 55f0bfc0370539213202f4ce1a07615327ac4713 upstream.
When MSG_DONTWAIT is not set, the tpacket_snd operation will wait for
pending_refcnt to decrement to zero before returning. The pending_refcnt
is decremented by 1 when the skb->destructor function is called,
indicating that the skb has been successfully sent and needs to be
destroyed.
If an error occurs during this process, the tpacket_snd() function will
exit and return error, but pending_refcnt may not yet have decremented to
zero. Assuming the next send operation is executed immediately, but there
are no available frames to be sent in tx_ring (i.e., packet_current_frame
returns NULL), and skb is also NULL, the function will not execute
wait_for_completion_interruptible_timeout() to yield the CPU. Instead, it
will enter a do-while loop, waiting for pending_refcnt to be zero. Even
if the previous skb has completed transmission, the skb->destructor
function can only be invoked in the ksoftirqd thread (assuming NAPI
threading is enabled). When both the ksoftirqd thread and the tpacket_snd
operation happen to run on the same CPU, and the CPU trapped in the
do-while loop without yielding, the ksoftirqd thread will not get
scheduled to run. As a result, pending_refcnt will never be reduced to
zero, and the do-while loop cannot exit, eventually leading to a CPU soft
lockup issue.
In fact, skb is true for all but the first iterations of that loop, and
as long as pending_refcnt is not zero, even if incremented by a previous
call, wait_for_completion_interruptible_timeout() should be executed to
yield the CPU, allowing the ksoftirqd thread to be scheduled. Therefore,
the execution condition of this function should be modified to check if
pending_refcnt is not zero, instead of check skb.
- if (need_wait && skb) {
+ if (need_wait && packet_read_pending(&po->tx_ring)) {
As a result, the judgment conditions are duplicated with the end code of
the while loop, and packet_read_pending() is a very expensive function.
Actually, this loop can only exit when ph is NULL, so the loop condition
can be changed to while (1), and in the "ph = NULL" branch, if the
subsequent condition of if is not met, the loop can break directly. Now,
the loop logic remains the same as origin but is clearer and more obvious.
Fixes: 89ed5b519004 ("af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET")
Cc: stable@kernel.org
Suggested-by: LongJun Tang <tanglongjun@kylinos.cn>
Signed-off-by: Yun Lu <luyun@kylinos.cn>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2803,15 +2803,21 @@ static int tpacket_snd(struct packet_soc
ph = packet_current_frame(po, &po->tx_ring,
TP_STATUS_SEND_REQUEST);
if (unlikely(ph == NULL)) {
- if (need_wait && skb) {
+ /* Note: packet_read_pending() might be slow if we
+ * have to call it as it's per_cpu variable, but in
+ * fast-path we don't have to call it, only when ph
+ * is NULL, we need to check the pending_refcnt.
+ */
+ if (need_wait && packet_read_pending(&po->tx_ring)) {
timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo);
if (timeo <= 0) {
err = !timeo ? -ETIMEDOUT : -ERESTARTSYS;
goto out_put;
}
- }
- /* check for additional frames */
- continue;
+ /* check for additional frames */
+ continue;
+ } else
+ break;
}
skb = NULL;
@@ -2901,14 +2907,7 @@ tpacket_error:
}
packet_increment_head(&po->tx_ring);
len_sum += tp_len;
- } while (likely((ph != NULL) ||
- /* Note: packet_read_pending() might be slow if we have
- * to call it as it's per_cpu variable, but in fast-path
- * we already short-circuit the loop with the first
- * condition, and luckily don't have to go that path
- * anyway.
- */
- (need_wait && packet_read_pending(&po->tx_ring))));
+ } while (1);
err = len_sum;
goto out_put;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 017/644] dmaengine: nbpfaxi: Fix memory corruption in probe()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 016/644] af_packet: fix soft lockup issue caused by tpacket_snd() Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 018/644] isofs: Verify inode mode when loading from disk Greg Kroah-Hartman
` (632 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Vinod Koul
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit 188c6ba1dd925849c5d94885c8bbdeb0b3dcf510 upstream.
The nbpf->chan[] array is allocated earlier in the nbpf_probe() function
and it has "num_channels" elements. These three loops iterate one
element farther than they should and corrupt memory.
The changes to the second loop are more involved. In this case, we're
copying data from the irqbuf[] array into the nbpf->chan[] array. If
the data in irqbuf[i] is the error IRQ then we skip it, so the iterators
are not in sync. I added a check to ensure that we don't go beyond the
end of the irqbuf[] array. I'm pretty sure this can't happen, but it
seemed harmless to add a check.
On the other hand, after the loop has ended there is a check to ensure
that the "chan" iterator is where we expect it to be. In the original
code we went one element beyond the end of the array so the iterator
wasn't in the correct place and it would always return -EINVAL. However,
now it will always be in the correct place. I deleted the check since
we know the result.
Cc: stable@vger.kernel.org
Fixes: b45b262cefd5 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/b13c5225-7eff-448c-badc-a2c98e9bcaca@sabinyo.mountain
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/nbpfaxi.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/drivers/dma/nbpfaxi.c
+++ b/drivers/dma/nbpfaxi.c
@@ -1356,7 +1356,7 @@ static int nbpf_probe(struct platform_de
if (irqs == 1) {
eirq = irqbuf[0];
- for (i = 0; i <= num_channels; i++)
+ for (i = 0; i < num_channels; i++)
nbpf->chan[i].irq = irqbuf[0];
} else {
eirq = platform_get_irq_byname(pdev, "error");
@@ -1366,16 +1366,15 @@ static int nbpf_probe(struct platform_de
if (irqs == num_channels + 1) {
struct nbpf_channel *chan;
- for (i = 0, chan = nbpf->chan; i <= num_channels;
+ for (i = 0, chan = nbpf->chan; i < num_channels;
i++, chan++) {
/* Skip the error IRQ */
if (irqbuf[i] == eirq)
i++;
+ if (i >= ARRAY_SIZE(irqbuf))
+ return -EINVAL;
chan->irq = irqbuf[i];
}
-
- if (chan != nbpf->chan + num_channels)
- return -EINVAL;
} else {
/* 2 IRQs and more than one channel */
if (irqbuf[0] == eirq)
@@ -1383,7 +1382,7 @@ static int nbpf_probe(struct platform_de
else
irq = irqbuf[0];
- for (i = 0; i <= num_channels; i++)
+ for (i = 0; i < num_channels; i++)
nbpf->chan[i].irq = irq;
}
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 018/644] isofs: Verify inode mode when loading from disk
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 017/644] dmaengine: nbpfaxi: Fix memory corruption in probe() Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 019/644] memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() Greg Kroah-Hartman
` (631 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+895c23f6917da440ed0d,
Jan Kara, Christian Brauner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
commit 0a9e7405131380b57e155f10242b2e25d2e51852 upstream.
Verify that the inode mode is sane when loading it from the disk to
avoid complaints from VFS about setting up invalid inodes.
Reported-by: syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/20250709095545.31062-2-jack@suse.cz
Acked-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/isofs/inode.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/isofs/inode.c
+++ b/fs/isofs/inode.c
@@ -1493,9 +1493,16 @@ static int isofs_read_inode(struct inode
inode->i_op = &page_symlink_inode_operations;
inode_nohighmem(inode);
inode->i_data.a_ops = &isofs_symlink_aops;
- } else
+ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
+ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
/* XXX - parse_rock_ridge_inode() had already set i_rdev. */
init_special_inode(inode, inode->i_mode, inode->i_rdev);
+ } else {
+ printk(KERN_DEBUG "ISOFS: Invalid file type 0%04o for inode %lu.\n",
+ inode->i_mode, inode->i_ino);
+ ret = -EIO;
+ goto fail;
+ }
ret = 0;
out:
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 019/644] memstick: core: Zero initialize id_reg in h_memstick_read_dev_id()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 018/644] isofs: Verify inode mode when loading from disk Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 020/644] mmc: bcm2835: Fix dma_unmap_sg() nents value Greg Kroah-Hartman
` (630 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 21b34a3a204ed616373a12ec17dc127ebe51eab3 upstream.
A new warning in clang [1] points out that id_reg is uninitialized then
passed to memstick_init_req() as a const pointer:
drivers/memstick/core/memstick.c:330:59: error: variable 'id_reg' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer]
330 | memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg,
| ^~~~~~
Commit de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull
warning") intentionally passed this variable uninitialized to avoid an
-Wnonnull warning from a NULL value that was previously there because
id_reg is never read from the call to memstick_init_req() in
h_memstick_read_dev_id(). Just zero initialize id_reg to avoid the
warning, which is likely happening in the majority of builds using
modern compilers that support '-ftrivial-auto-var-init=zero'.
Cc: stable@vger.kernel.org
Fixes: de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull warning")
Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
Closes: https://github.com/ClangBuiltLinux/linux/issues/2105
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20250715-memstick-fix-uninit-const-pointer-v1-1-f6753829c27a@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/memstick/core/memstick.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/memstick/core/memstick.c
+++ b/drivers/memstick/core/memstick.c
@@ -323,7 +323,7 @@ EXPORT_SYMBOL(memstick_init_req);
static int h_memstick_read_dev_id(struct memstick_dev *card,
struct memstick_request **mrq)
{
- struct ms_id_register id_reg;
+ struct ms_id_register id_reg = {};
if (!(*mrq)) {
memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 020/644] mmc: bcm2835: Fix dma_unmap_sg() nents value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 019/644] memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 021/644] mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models Greg Kroah-Hartman
` (629 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit ff09b71bf9daeca4f21d6e5e449641c9fad75b53 upstream.
The dma_unmap_sg() functions should be called with the same nents as the
dma_map_sg(), not the value the map function returned.
Fixes: 2f5da678351f ("mmc: bcm2835: Properly handle dmaengine_prep_slave_sg")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250630093510.82871-2-fourier.thomas@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/bcm2835.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/mmc/host/bcm2835.c
+++ b/drivers/mmc/host/bcm2835.c
@@ -507,7 +507,8 @@ void bcm2835_prepare_dma(struct bcm2835_
DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
if (!desc) {
- dma_unmap_sg(dma_chan->device->dev, data->sg, sg_len, dir_data);
+ dma_unmap_sg(dma_chan->device->dev, data->sg, data->sg_len,
+ dir_data);
return;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 021/644] mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 020/644] mmc: bcm2835: Fix dma_unmap_sg() nents value Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 022/644] mmc: sdhci_am654: Workaround for Errata i2312 Greg Kroah-Hartman
` (628 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edson Juliano Drosdeck,
Adrian Hunter, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
commit 50c78f398e92fafa1cbba3469c95fe04b2e4206d upstream.
Disable command queuing on Intel GLK-based Positivo models.
Without this quirk, CQE (Command Queuing Engine) causes instability
or I/O errors during operation. Disabling it ensures stable
operation on affected devices.
Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
Fixes: bedf9fc01ff1 ("mmc: sdhci: Workaround broken command queuing on Intel GLK")
Cc: stable@vger.kernel.org
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20250626112442.9791-1-edson.drosdeck@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-pci-core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/mmc/host/sdhci-pci-core.c
+++ b/drivers/mmc/host/sdhci-pci-core.c
@@ -980,7 +980,8 @@ static bool glk_broken_cqhci(struct sdhc
{
return slot->chip->pdev->device == PCI_DEVICE_ID_INTEL_GLK_EMMC &&
(dmi_match(DMI_BIOS_VENDOR, "LENOVO") ||
- dmi_match(DMI_SYS_VENDOR, "IRBIS"));
+ dmi_match(DMI_SYS_VENDOR, "IRBIS") ||
+ dmi_match(DMI_SYS_VENDOR, "Positivo Tecnologia SA"));
}
static bool jsl_broken_hs400es(struct sdhci_pci_slot *slot)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 022/644] mmc: sdhci_am654: Workaround for Errata i2312
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 021/644] mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 023/644] pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov Greg Kroah-Hartman
` (627 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Judith Mendez, Adrian Hunter,
Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Judith Mendez <jm@ti.com>
commit 6d0b1c01847fedd7c85a5cdf59b8cfc7d14512e6 upstream.
Errata i2312 [0] for K3 silicon mentions the maximum obtainable
timeout through MMC host controller is 700ms. And for commands taking
longer than 700ms, hardware timeout should be disabled and software
timeout should be used.
The workaround for Errata i2312 can be achieved by adding
SDHCI_QUIRK2_DISABLE_HW_TIMEOUT quirk in sdhci_am654.
[0] https://www.ti.com/lit/pdf/sprz487
Signed-off-by: Judith Mendez <jm@ti.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Fixes: 41fd4caeb00b ("mmc: sdhci_am654: Add Initial Support for AM654 SDHCI driver")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250626231452.3460987-1-jm@ti.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci_am654.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/mmc/host/sdhci_am654.c
+++ b/drivers/mmc/host/sdhci_am654.c
@@ -558,7 +558,8 @@ static struct sdhci_ops sdhci_am654_ops
static const struct sdhci_pltfm_data sdhci_am654_pdata = {
.ops = &sdhci_am654_ops,
.quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
+ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN |
+ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT,
};
static const struct sdhci_am654_driver_data sdhci_am654_sr1_drvdata = {
@@ -588,7 +589,8 @@ static struct sdhci_ops sdhci_j721e_8bit
static const struct sdhci_pltfm_data sdhci_j721e_8bit_pdata = {
.ops = &sdhci_j721e_8bit_ops,
.quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
+ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN |
+ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT,
};
static const struct sdhci_am654_driver_data sdhci_j721e_8bit_drvdata = {
@@ -612,7 +614,8 @@ static struct sdhci_ops sdhci_j721e_4bit
static const struct sdhci_pltfm_data sdhci_j721e_4bit_pdata = {
.ops = &sdhci_j721e_4bit_ops,
.quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN,
+ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN |
+ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT,
};
static const struct sdhci_am654_driver_data sdhci_j721e_4bit_drvdata = {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 023/644] pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 022/644] mmc: sdhci_am654: Workaround for Errata i2312 Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 024/644] soc: aspeed: lpc-snoop: Cleanup resources in stack-order Greg Kroah-Hartman
` (626 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maulik Shah, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maulik Shah <maulik.shah@oss.qualcomm.com>
commit 500ba33284416255b9a5b50ace24470b6fe77ea5 upstream.
pm_domain_cpu_gov is selecting a cluster idle state but does not consider
latency tolerance of child CPUs. This results in deeper cluster idle state
whose latency does not meet latency tolerance requirement.
Select deeper idle state only if global and device latency tolerance of all
child CPUs meet.
Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than
domain idle state entry (2150) + exit (1983) usec latency mentioned in
devicetree, demonstrate the issue.
# echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us
Before: (Usage is incrementing)
======
# cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
State Time Spent(ms) Usage Rejected Above Below
S0 29817 537 8 270 0
# cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
State Time Spent(ms) Usage Rejected Above Below
S0 30348 542 8 271 0
After: (Usage is not incrementing due to latency tolerance)
======
# cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
State Time Spent(ms) Usage Rejected Above Below
S0 39319 626 14 307 0
# cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
State Time Spent(ms) Usage Rejected Above Below
S0 39319 626 14 307 0
Signed-off-by: Maulik Shah <maulik.shah@oss.qualcomm.com>
Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualcomm.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/power/domain_governor.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/drivers/base/power/domain_governor.c
+++ b/drivers/base/power/domain_governor.c
@@ -8,6 +8,7 @@
#include <linux/pm_domain.h>
#include <linux/pm_qos.h>
#include <linux/hrtimer.h>
+#include <linux/cpu.h>
#include <linux/cpuidle.h>
#include <linux/cpumask.h>
#include <linux/ktime.h>
@@ -339,6 +340,8 @@ static bool cpu_power_down_ok(struct dev
struct cpuidle_device *dev;
ktime_t domain_wakeup, next_hrtimer;
ktime_t now = ktime_get();
+ struct device *cpu_dev;
+ s64 cpu_constraint, global_constraint;
s64 idle_duration_ns;
int cpu, i;
@@ -349,6 +352,7 @@ static bool cpu_power_down_ok(struct dev
if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN))
return true;
+ global_constraint = cpu_latency_qos_limit();
/*
* Find the next wakeup for any of the online CPUs within the PM domain
* and its subdomains. Note, we only need the genpd->cpus, as it already
@@ -362,8 +366,16 @@ static bool cpu_power_down_ok(struct dev
if (ktime_before(next_hrtimer, domain_wakeup))
domain_wakeup = next_hrtimer;
}
+
+ cpu_dev = get_cpu_device(cpu);
+ if (cpu_dev) {
+ cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev);
+ if (cpu_constraint < global_constraint)
+ global_constraint = cpu_constraint;
+ }
}
+ global_constraint *= NSEC_PER_USEC;
/* The minimum idle duration is from now - until the next wakeup. */
idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now));
if (idle_duration_ns <= 0)
@@ -376,8 +388,10 @@ static bool cpu_power_down_ok(struct dev
*/
i = genpd->state_idx;
do {
- if (idle_duration_ns >= (genpd->states[i].residency_ns +
- genpd->states[i].power_off_latency_ns)) {
+ if ((idle_duration_ns >= (genpd->states[i].residency_ns +
+ genpd->states[i].power_off_latency_ns)) &&
+ (global_constraint >= (genpd->states[i].power_on_latency_ns +
+ genpd->states[i].power_off_latency_ns))) {
genpd->state_idx = i;
return true;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 024/644] soc: aspeed: lpc-snoop: Cleanup resources in stack-order
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 023/644] pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 025/644] soc: aspeed: lpc-snoop: Dont disable channels that arent enabled Greg Kroah-Hartman
` (625 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jean Delvare, Andrew Jeffery
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Jeffery <andrew@codeconstruct.com.au>
commit 8481d59be606d2338dbfe14b04cdbd1a3402c150 upstream.
Free the kfifo after unregistering the miscdev in
aspeed_lpc_disable_snoop() as the kfifo is initialised before the
miscdev in aspeed_lpc_enable_snoop().
Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
Cc: stable@vger.kernel.org
Cc: Jean Delvare <jdelvare@suse.de>
Acked-by: Jean Delvare <jdelvare@suse.de>
Link: https://patch.msgid.link/20250616-aspeed-lpc-snoop-fixes-v2-1-3cdd59c934d3@codeconstruct.com.au
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
+++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
@@ -264,8 +264,8 @@ static void aspeed_lpc_disable_snoop(str
return;
}
- kfifo_free(&lpc_snoop->chan[channel].fifo);
misc_deregister(&lpc_snoop->chan[channel].miscdev);
+ kfifo_free(&lpc_snoop->chan[channel].fifo);
}
static int aspeed_lpc_snoop_probe(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 025/644] soc: aspeed: lpc-snoop: Dont disable channels that arent enabled
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 024/644] soc: aspeed: lpc-snoop: Cleanup resources in stack-order Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 026/644] iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] Greg Kroah-Hartman
` (624 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jean Delvare, Andrew Jeffery
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Jeffery <andrew@codeconstruct.com.au>
commit 56448e78a6bb4e1a8528a0e2efe94eff0400c247 upstream.
Mitigate e.g. the following:
# echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind
...
[ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write
[ 120.373866] [00000004] *pgd=00000000
[ 120.377910] Internal error: Oops: 805 [#1] SMP ARM
[ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE
...
[ 120.679543] Call trace:
[ 120.679559] misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac
[ 120.692462] aspeed_lpc_snoop_remove from platform_remove+0x28/0x38
[ 120.700996] platform_remove from device_release_driver_internal+0x188/0x200
...
Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver")
Cc: stable@vger.kernel.org
Cc: Jean Delvare <jdelvare@suse.de>
Acked-by: Jean Delvare <jdelvare@suse.de>
Link: https://patch.msgid.link/20250616-aspeed-lpc-snoop-fixes-v2-2-3cdd59c934d3@codeconstruct.com.au
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/aspeed/aspeed-lpc-snoop.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
+++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
@@ -59,6 +59,7 @@ struct aspeed_lpc_snoop_model_data {
};
struct aspeed_lpc_snoop_channel {
+ bool enabled;
struct kfifo fifo;
wait_queue_head_t wq;
struct miscdevice miscdev;
@@ -191,6 +192,9 @@ static int aspeed_lpc_enable_snoop(struc
const struct aspeed_lpc_snoop_model_data *model_data =
of_device_get_match_data(dev);
+ if (WARN_ON(lpc_snoop->chan[channel].enabled))
+ return -EBUSY;
+
init_waitqueue_head(&lpc_snoop->chan[channel].wq);
/* Create FIFO datastructure */
rc = kfifo_alloc(&lpc_snoop->chan[channel].fifo,
@@ -237,6 +241,8 @@ static int aspeed_lpc_enable_snoop(struc
regmap_update_bits(lpc_snoop->regmap, HICRB,
hicrb_en, hicrb_en);
+ lpc_snoop->chan[channel].enabled = true;
+
return 0;
err_misc_deregister:
@@ -249,6 +255,9 @@ err_free_fifo:
static void aspeed_lpc_disable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
int channel)
{
+ if (!lpc_snoop->chan[channel].enabled)
+ return;
+
switch (channel) {
case 0:
regmap_update_bits(lpc_snoop->regmap, HICR5,
@@ -264,6 +273,8 @@ static void aspeed_lpc_disable_snoop(str
return;
}
+ lpc_snoop->chan[channel].enabled = false;
+ /* Consider improving safety wrt concurrent reader(s) */
misc_deregister(&lpc_snoop->chan[channel].miscdev);
kfifo_free(&lpc_snoop->chan[channel].fifo);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 026/644] iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 025/644] soc: aspeed: lpc-snoop: Dont disable channels that arent enabled Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 027/644] iio: adc: max1363: Reorder mode_list[] entries Greg Kroah-Hartman
` (623 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Cameron, Fabio Estevam,
Matti Vaittinen, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
commit 6d21f2c2dd843bceefd9455f2919f6bb526797f0 upstream.
Since commit 2718f15403fb ("iio: sanity check available_scan_masks array"),
booting a board populated with a MAX11601 results in a flood of warnings:
max1363 1-0064: available_scan_mask 8 subset of 0. Never used
max1363 1-0064: available_scan_mask 9 subset of 0. Never used
max1363 1-0064: available_scan_mask 10 subset of 0. Never used
max1363 1-0064: available_scan_mask 11 subset of 0. Never used
max1363 1-0064: available_scan_mask 12 subset of 0. Never used
max1363 1-0064: available_scan_mask 13 subset of 0. Never used
...
These warnings are caused by incorrect offsets used for differential
channels in the MAX1363_4X_CHANS() and MAX1363_8X_CHANS() macros.
The max1363_mode_table[] defines the differential channel mappings as
follows:
MAX1363_MODE_DIFF_SINGLE(0, 1, 1 << 12),
MAX1363_MODE_DIFF_SINGLE(2, 3, 1 << 13),
MAX1363_MODE_DIFF_SINGLE(4, 5, 1 << 14),
MAX1363_MODE_DIFF_SINGLE(6, 7, 1 << 15),
MAX1363_MODE_DIFF_SINGLE(8, 9, 1 << 16),
MAX1363_MODE_DIFF_SINGLE(10, 11, 1 << 17),
MAX1363_MODE_DIFF_SINGLE(1, 0, 1 << 18),
MAX1363_MODE_DIFF_SINGLE(3, 2, 1 << 19),
MAX1363_MODE_DIFF_SINGLE(5, 4, 1 << 20),
MAX1363_MODE_DIFF_SINGLE(7, 6, 1 << 21),
MAX1363_MODE_DIFF_SINGLE(9, 8, 1 << 22),
MAX1363_MODE_DIFF_SINGLE(11, 10, 1 << 23),
Update the macros to follow this same pattern, ensuring that the scan masks
are valid and preventing the warnings.
Cc: stable@vger.kernel.org
Suggested-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Fabio Estevam <festevam@denx.de>
Acked-by: Matti Vaittinen <mazziesaccount@gmail.com>
Link: https://patch.msgid.link/20250516173900.677821-1-festevam@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/max1363.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
--- a/drivers/iio/adc/max1363.c
+++ b/drivers/iio/adc/max1363.c
@@ -513,10 +513,10 @@ static const struct iio_event_spec max13
MAX1363_CHAN_U(1, _s1, 1, bits, ev_spec, num_ev_spec), \
MAX1363_CHAN_U(2, _s2, 2, bits, ev_spec, num_ev_spec), \
MAX1363_CHAN_U(3, _s3, 3, bits, ev_spec, num_ev_spec), \
- MAX1363_CHAN_B(0, 1, d0m1, 4, bits, ev_spec, num_ev_spec), \
- MAX1363_CHAN_B(2, 3, d2m3, 5, bits, ev_spec, num_ev_spec), \
- MAX1363_CHAN_B(1, 0, d1m0, 6, bits, ev_spec, num_ev_spec), \
- MAX1363_CHAN_B(3, 2, d3m2, 7, bits, ev_spec, num_ev_spec), \
+ MAX1363_CHAN_B(0, 1, d0m1, 12, bits, ev_spec, num_ev_spec), \
+ MAX1363_CHAN_B(2, 3, d2m3, 13, bits, ev_spec, num_ev_spec), \
+ MAX1363_CHAN_B(1, 0, d1m0, 18, bits, ev_spec, num_ev_spec), \
+ MAX1363_CHAN_B(3, 2, d3m2, 19, bits, ev_spec, num_ev_spec), \
IIO_CHAN_SOFT_TIMESTAMP(8) \
}
@@ -611,14 +611,14 @@ static const enum max1363_modes max11608
MAX1363_CHAN_U(5, _s5, 5, bits, NULL, 0), \
MAX1363_CHAN_U(6, _s6, 6, bits, NULL, 0), \
MAX1363_CHAN_U(7, _s7, 7, bits, NULL, 0), \
- MAX1363_CHAN_B(0, 1, d0m1, 8, bits, NULL, 0), \
- MAX1363_CHAN_B(2, 3, d2m3, 9, bits, NULL, 0), \
- MAX1363_CHAN_B(4, 5, d4m5, 10, bits, NULL, 0), \
- MAX1363_CHAN_B(6, 7, d6m7, 11, bits, NULL, 0), \
- MAX1363_CHAN_B(1, 0, d1m0, 12, bits, NULL, 0), \
- MAX1363_CHAN_B(3, 2, d3m2, 13, bits, NULL, 0), \
- MAX1363_CHAN_B(5, 4, d5m4, 14, bits, NULL, 0), \
- MAX1363_CHAN_B(7, 6, d7m6, 15, bits, NULL, 0), \
+ MAX1363_CHAN_B(0, 1, d0m1, 12, bits, NULL, 0), \
+ MAX1363_CHAN_B(2, 3, d2m3, 13, bits, NULL, 0), \
+ MAX1363_CHAN_B(4, 5, d4m5, 14, bits, NULL, 0), \
+ MAX1363_CHAN_B(6, 7, d6m7, 15, bits, NULL, 0), \
+ MAX1363_CHAN_B(1, 0, d1m0, 18, bits, NULL, 0), \
+ MAX1363_CHAN_B(3, 2, d3m2, 19, bits, NULL, 0), \
+ MAX1363_CHAN_B(5, 4, d5m4, 20, bits, NULL, 0), \
+ MAX1363_CHAN_B(7, 6, d7m6, 21, bits, NULL, 0), \
IIO_CHAN_SOFT_TIMESTAMP(16) \
}
static const struct iio_chan_spec max11602_channels[] = MAX1363_8X_CHANS(8);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 027/644] iio: adc: max1363: Reorder mode_list[] entries
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 026/644] iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 028/644] iio: adc: stm32-adc: Fix race in installing chained IRQ handler Greg Kroah-Hartman
` (622 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabio Estevam, Matti Vaittinen,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <festevam@denx.de>
commit 8d8d7c1dbc46aa07a76acab7336a42ddd900be10 upstream.
The IIO core issues warnings when a scan mask is a subset of a previous
entry in the available_scan_masks array.
On a board using a MAX11601, the following warning is observed:
max1363 1-0064: available_scan_mask 7 subset of 6. Never used
This occurs because the entries in the max11607_mode_list[] array are not
ordered correctly. To fix this, reorder the entries so that no scan mask is
a subset of an earlier one.
While at it, reorder the mode_list[] arrays for other supported chips as
well, to prevent similar warnings on different variants.
Note fixes tag dropped as these were introduced over many commits a long
time back and the side effect until recently was a reduction in sampling
rate due to reading too many channels when only a few were desired.
Now we have a sanity check that reports this error but that is not
where the issue was introduced.
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Estevam <festevam@denx.de>
Acked-by: Matti Vaittinen <mazziesaccount@gmail.com>
Link: https://patch.msgid.link/20250516173900.677821-2-festevam@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/max1363.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
--- a/drivers/iio/adc/max1363.c
+++ b/drivers/iio/adc/max1363.c
@@ -534,23 +534,23 @@ static const struct iio_chan_spec max136
/* Applies to max1236, max1237 */
static const enum max1363_modes max1236_mode_list[] = {
_s0, _s1, _s2, _s3,
- s0to1, s0to2, s0to3,
+ s0to1, s0to2, s2to3, s0to3,
d0m1, d2m3, d1m0, d3m2,
d0m1to2m3, d1m0to3m2,
- s2to3,
};
/* Applies to max1238, max1239 */
static const enum max1363_modes max1238_mode_list[] = {
_s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7, _s8, _s9, _s10, _s11,
s0to1, s0to2, s0to3, s0to4, s0to5, s0to6,
+ s6to7, s6to8, s6to9, s6to10, s6to11,
s0to7, s0to8, s0to9, s0to10, s0to11,
d0m1, d2m3, d4m5, d6m7, d8m9, d10m11,
d1m0, d3m2, d5m4, d7m6, d9m8, d11m10,
- d0m1to2m3, d0m1to4m5, d0m1to6m7, d0m1to8m9, d0m1to10m11,
- d1m0to3m2, d1m0to5m4, d1m0to7m6, d1m0to9m8, d1m0to11m10,
- s6to7, s6to8, s6to9, s6to10, s6to11,
- d6m7to8m9, d6m7to10m11, d7m6to9m8, d7m6to11m10,
+ d0m1to2m3, d0m1to4m5, d0m1to6m7, d6m7to8m9,
+ d0m1to8m9, d6m7to10m11, d0m1to10m11, d1m0to3m2,
+ d1m0to5m4, d1m0to7m6, d7m6to9m8, d1m0to9m8,
+ d7m6to11m10, d1m0to11m10,
};
#define MAX1363_12X_CHANS(bits) { \
@@ -586,16 +586,15 @@ static const struct iio_chan_spec max123
static const enum max1363_modes max11607_mode_list[] = {
_s0, _s1, _s2, _s3,
- s0to1, s0to2, s0to3,
- s2to3,
+ s0to1, s0to2, s2to3,
+ s0to3,
d0m1, d2m3, d1m0, d3m2,
d0m1to2m3, d1m0to3m2,
};
static const enum max1363_modes max11608_mode_list[] = {
_s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7,
- s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s0to7,
- s6to7,
+ s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s6to7, s0to7,
d0m1, d2m3, d4m5, d6m7,
d1m0, d3m2, d5m4, d7m6,
d0m1to2m3, d0m1to4m5, d0m1to6m7,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 028/644] iio: adc: stm32-adc: Fix race in installing chained IRQ handler
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 027/644] iio: adc: max1363: Reorder mode_list[] entries Greg Kroah-Hartman
@ 2025-08-26 11:01 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 029/644] comedi: pcl812: Fix bit shift out of bounds Greg Kroah-Hartman
` (621 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ni, Nuno Sá,
Fabrice Gasnier, Stable, Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ni <nichen@iscas.ac.cn>
commit e8ad595064f6ebd5d2d1a5d5d7ebe0efce623091 upstream.
Fix a race where a pending interrupt could be received and the handler
called before the handler's data has been setup, by converting to
irq_set_chained_handler_and_data().
Fixes: 1add69880240 ("iio: adc: Add support for STM32 ADC core")
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Tested-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Reviewed-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Link: https://patch.msgid.link/20250515083101.3811350-1-nichen@iscas.ac.cn
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/stm32-adc-core.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/drivers/iio/adc/stm32-adc-core.c
+++ b/drivers/iio/adc/stm32-adc-core.c
@@ -410,10 +410,9 @@ static int stm32_adc_irq_probe(struct pl
return -ENOMEM;
}
- for (i = 0; i < priv->cfg->num_irqs; i++) {
- irq_set_chained_handler(priv->irq[i], stm32_adc_irq_handler);
- irq_set_handler_data(priv->irq[i], priv);
- }
+ for (i = 0; i < priv->cfg->num_irqs; i++)
+ irq_set_chained_handler_and_data(priv->irq[i],
+ stm32_adc_irq_handler, priv);
return 0;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 029/644] comedi: pcl812: Fix bit shift out of bounds
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2025-08-26 11:01 ` [PATCH 5.15 028/644] iio: adc: stm32-adc: Fix race in installing chained IRQ handler Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 030/644] comedi: aio_iiro_16: " Greg Kroah-Hartman
` (620 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+32de323b0addb9e114ff,
Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit b14b076ce593f72585412fc7fd3747e03a5e3632 upstream.
When checking for a supported IRQ number, the following test is used:
if ((1 << it->options[1]) & board->irq_bits) {
However, `it->options[i]` is an unchecked `int` value from userspace, so
the shift amount could be negative or out of bounds. Fix the test by
requiring `it->options[1]` to be within bounds before proceeding with
the original test. Valid `it->options[1]` values that select the IRQ
will be in the range [1,15]. The value 0 explicitly disables the use of
interrupts.
Reported-by: syzbot+32de323b0addb9e114ff@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=32de323b0addb9e114ff
Fixes: fcdb427bc7cf ("Staging: comedi: add pcl821 driver")
Cc: stable@vger.kernel.org # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250707133429.73202-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/pcl812.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/comedi/drivers/pcl812.c
+++ b/drivers/comedi/drivers/pcl812.c
@@ -1151,7 +1151,8 @@ static int pcl812_attach(struct comedi_d
if (!dev->pacer)
return -ENOMEM;
- if ((1 << it->options[1]) & board->irq_bits) {
+ if (it->options[1] > 0 && it->options[1] < 16 &&
+ (1 << it->options[1]) & board->irq_bits) {
ret = request_irq(it->options[1], pcl812_interrupt, 0,
dev->board_name, dev);
if (ret == 0)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 030/644] comedi: aio_iiro_16: Fix bit shift out of bounds
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 029/644] comedi: pcl812: Fix bit shift out of bounds Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 031/644] comedi: das16m1: " Greg Kroah-Hartman
` (619 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 66acb1586737a22dd7b78abc63213b1bcaa100e4 upstream.
When checking for a supported IRQ number, the following test is used:
if ((1 << it->options[1]) & 0xdcfc) {
However, `it->options[i]` is an unchecked `int` value from userspace, so
the shift amount could be negative or out of bounds. Fix the test by
requiring `it->options[1]` to be within bounds before proceeding with
the original test. Valid `it->options[1]` values that select the IRQ
will be in the range [1,15]. The value 0 explicitly disables the use of
interrupts.
Fixes: ad7a370c8be4 ("staging: comedi: aio_iiro_16: add command support for change of state detection")
Cc: stable@vger.kernel.org # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250707134622.75403-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/aio_iiro_16.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/comedi/drivers/aio_iiro_16.c
+++ b/drivers/comedi/drivers/aio_iiro_16.c
@@ -178,7 +178,8 @@ static int aio_iiro_16_attach(struct com
* Digital input change of state interrupts are optionally supported
* using IRQ 2-7, 10-12, 14, or 15.
*/
- if ((1 << it->options[1]) & 0xdcfc) {
+ if (it->options[1] > 0 && it->options[1] < 16 &&
+ (1 << it->options[1]) & 0xdcfc) {
ret = request_irq(it->options[1], aio_iiro_16_cos, 0,
dev->board_name, dev);
if (ret == 0)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 031/644] comedi: das16m1: Fix bit shift out of bounds
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 030/644] comedi: aio_iiro_16: " Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 032/644] comedi: das6402: " Greg Kroah-Hartman
` (618 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c52293513298e0fd9a94,
Enju, Kohei, Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit ed93c6f68a3be06e4e0c331c6e751f462dee3932 upstream.
When checking for a supported IRQ number, the following test is used:
/* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */
if ((1 << it->options[1]) & 0xdcfc) {
However, `it->options[i]` is an unchecked `int` value from userspace, so
the shift amount could be negative or out of bounds. Fix the test by
requiring `it->options[1]` to be within bounds before proceeding with
the original test.
Reported-by: syzbot+c52293513298e0fd9a94@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c52293513298e0fd9a94
Fixes: 729988507680 ("staging: comedi: das16m1: tidy up the irq support in das16m1_attach()")
Tested-by: syzbot+c52293513298e0fd9a94@syzkaller.appspotmail.com
Suggested-by: "Enju, Kohei" <enjuk@amazon.co.jp>
Cc: stable@vger.kernel.org # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250707130908.70758-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/das16m1.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/comedi/drivers/das16m1.c
+++ b/drivers/comedi/drivers/das16m1.c
@@ -523,7 +523,8 @@ static int das16m1_attach(struct comedi_
devpriv->extra_iobase = dev->iobase + DAS16M1_8255_IOBASE;
/* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */
- if ((1 << it->options[1]) & 0xdcfc) {
+ if (it->options[1] >= 2 && it->options[1] <= 15 &&
+ (1 << it->options[1]) & 0xdcfc) {
ret = request_irq(it->options[1], das16m1_interrupt, 0,
dev->board_name, dev);
if (ret == 0)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 032/644] comedi: das6402: Fix bit shift out of bounds
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 031/644] comedi: das16m1: " Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 033/644] comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large Greg Kroah-Hartman
` (617 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 70f2b28b5243df557f51c054c20058ae207baaac upstream.
When checking for a supported IRQ number, the following test is used:
/* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */
if ((1 << it->options[1]) & 0x8cec) {
However, `it->options[i]` is an unchecked `int` value from userspace, so
the shift amount could be negative or out of bounds. Fix the test by
requiring `it->options[1]` to be within bounds before proceeding with
the original test. Valid `it->options[1]` values that select the IRQ
will be in the range [1,15]. The value 0 explicitly disables the use of
interrupts.
Fixes: 79e5e6addbb1 ("staging: comedi: das6402: rewrite broken driver")
Cc: stable@vger.kernel.org # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250707135737.77448-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/das6402.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/comedi/drivers/das6402.c
+++ b/drivers/comedi/drivers/das6402.c
@@ -569,7 +569,8 @@ static int das6402_attach(struct comedi_
das6402_reset(dev);
/* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */
- if ((1 << it->options[1]) & 0x8cec) {
+ if (it->options[1] > 0 && it->options[1] < 16 &&
+ (1 << it->options[1]) & 0x8cec) {
ret = request_irq(it->options[1], das6402_interrupt, 0,
dev->board_name, dev);
if (ret == 0) {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 033/644] comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 032/644] comedi: das6402: " Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 034/644] comedi: Fix some signed shift left operations Greg Kroah-Hartman
` (616 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+d6995b62e5ac7d79557a,
Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 08ae4b20f5e82101d77326ecab9089e110f224cc upstream.
The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to
hold the array of `struct comedi_insn`, getting the length from the
`n_insns` member of the `struct comedi_insnlist` supplied by the user.
The allocation will fail with a WARNING and a stack dump if it is too
large.
Avoid that by failing with an `-EINVAL` error if the supplied `n_insns`
value is unreasonable.
Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set
this to the same value as `MAX_SAMPLES` (65536), which is the maximum
allowed sum of the values of the member `n` in the array of `struct
comedi_insn`, and sensible comedi instructions will have an `n` of at
least 1.
Reported-by: syzbot+d6995b62e5ac7d79557a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d6995b62e5ac7d79557a
Fixes: ed9eccbe8970 ("Staging: add comedi core")
Tested-by: Ian Abbott <abbotti@mev.co.uk>
Cc: stable@vger.kernel.org # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250704120405.83028-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/comedi_fops.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1584,6 +1584,16 @@ error:
return i;
}
+#define MAX_INSNS MAX_SAMPLES
+static int check_insnlist_len(struct comedi_device *dev, unsigned int n_insns)
+{
+ if (n_insns > MAX_INSNS) {
+ dev_dbg(dev->class_dev, "insnlist length too large\n");
+ return -EINVAL;
+ }
+ return 0;
+}
+
/*
* COMEDI_INSN ioctl
* synchronous instruction
@@ -2234,6 +2244,9 @@ static long comedi_unlocked_ioctl(struct
rc = -EFAULT;
break;
}
+ rc = check_insnlist_len(dev, insnlist.n_insns);
+ if (rc)
+ break;
insns = kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL);
if (!insns) {
rc = -ENOMEM;
@@ -3085,6 +3098,9 @@ static int compat_insnlist(struct file *
if (copy_from_user(&insnlist32, compat_ptr(arg), sizeof(insnlist32)))
return -EFAULT;
+ rc = check_insnlist_len(dev, insnlist32.n_insns);
+ if (rc)
+ return rc;
insns = kcalloc(insnlist32.n_insns, sizeof(*insns), GFP_KERNEL);
if (!insns)
return -ENOMEM;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 034/644] comedi: Fix some signed shift left operations
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 033/644] comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 035/644] comedi: Fix use of uninitialized data in insn_rw_emulate_bits() Greg Kroah-Hartman
` (615 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit ab705c8c35e18652abc6239c07cf3441f03e2cda upstream.
Correct some left shifts of the signed integer constant 1 by some
unsigned number less than 32. Change the constant to 1U to avoid
shifting a 1 into the sign bit.
The corrected functions are comedi_dio_insn_config(),
comedi_dio_update_state(), and __comedi_device_postconfig().
Fixes: e523c6c86232 ("staging: comedi: drivers: introduce comedi_dio_insn_config()")
Fixes: 05e60b13a36b ("staging: comedi: drivers: introduce comedi_dio_update_state()")
Fixes: 09567cb4373e ("staging: comedi: initialize subdevice s->io_bits in postconfig")
Cc: stable@vger.kernel.org # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250707121555.65424-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/comedi/drivers.c
+++ b/drivers/comedi/drivers.c
@@ -339,10 +339,10 @@ int comedi_dio_insn_config(struct comedi
unsigned int *data,
unsigned int mask)
{
- unsigned int chan_mask = 1 << CR_CHAN(insn->chanspec);
+ unsigned int chan = CR_CHAN(insn->chanspec);
- if (!mask)
- mask = chan_mask;
+ if (!mask && chan < 32)
+ mask = 1U << chan;
switch (data[0]) {
case INSN_CONFIG_DIO_INPUT:
@@ -382,7 +382,7 @@ EXPORT_SYMBOL_GPL(comedi_dio_insn_config
unsigned int comedi_dio_update_state(struct comedi_subdevice *s,
unsigned int *data)
{
- unsigned int chanmask = (s->n_chan < 32) ? ((1 << s->n_chan) - 1)
+ unsigned int chanmask = (s->n_chan < 32) ? ((1U << s->n_chan) - 1)
: 0xffffffff;
unsigned int mask = data[0] & chanmask;
unsigned int bits = data[1];
@@ -625,8 +625,8 @@ static int insn_rw_emulate_bits(struct c
if (insn->insn == INSN_WRITE) {
if (!(s->subdev_flags & SDF_WRITABLE))
return -EINVAL;
- _data[0] = 1 << (chan - base_chan); /* mask */
- _data[1] = data[0] ? (1 << (chan - base_chan)) : 0; /* bits */
+ _data[0] = 1U << (chan - base_chan); /* mask */
+ _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */
}
ret = s->insn_bits(dev, s, &_insn, _data);
@@ -709,7 +709,7 @@ static int __comedi_device_postconfig(st
if (s->type == COMEDI_SUBD_DO) {
if (s->n_chan < 32)
- s->io_bits = (1 << s->n_chan) - 1;
+ s->io_bits = (1U << s->n_chan) - 1;
else
s->io_bits = 0xffffffff;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 035/644] comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 034/644] comedi: Fix some signed shift left operations Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 036/644] comedi: Fix initialization of data for instructions that write to subdevice Greg Kroah-Hartman
` (614 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+cb96ec476fb4914445c9,
Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit e9cb26291d009243a4478a7ffb37b3a9175bfce9 upstream.
For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital"
subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and
`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have
`insn_read` and `insn_write` handler functions, but to have an
`insn_bits` handler function for handling Comedi `INSN_BITS`
instructions. In that case, the subdevice's `insn_read` and/or
`insn_write` function handler pointers are set to point to the
`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`.
For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the
supplied `data[0]` value is a valid copy from user memory. It will at
least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in
"comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are
allocated. However, if `insn->n` is 0 (which is allowable for
`INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain
uninitialized data, and certainly contains invalid data, possibly from a
different instruction in the array of instructions handled by
`do_insnlist_ioctl()`. This will result in an incorrect value being
written to the digital output channel (or to the digital input/output
channel if configured as an output), and may be reflected in the
internal saved state of the channel.
Fix it by returning 0 early if `insn->n` is 0, before reaching the code
that accesses `data[0]`. Previously, the function always returned 1 on
success, but it is supposed to be the number of data samples actually
read or written up to `insn->n`, which is 0 in this case.
Reported-by: syzbot+cb96ec476fb4914445c9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cb96ec476fb4914445c9
Fixes: ed9eccbe8970 ("Staging: add comedi core")
Cc: stable@vger.kernel.org # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250707153355.82474-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/comedi/drivers.c
+++ b/drivers/comedi/drivers.c
@@ -615,6 +615,9 @@ static int insn_rw_emulate_bits(struct c
unsigned int _data[2];
int ret;
+ if (insn->n == 0)
+ return 0;
+
memset(_data, 0, sizeof(_data));
memset(&_insn, 0, sizeof(_insn));
_insn.insn = INSN_BITS;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 036/644] comedi: Fix initialization of data for instructions that write to subdevice
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 035/644] comedi: Fix use of uninitialized data in insn_rw_emulate_bits() Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 037/644] bpf: Reject %p% format string in bprintf-like helpers Greg Kroah-Hartman
` (613 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 46d8c744136ce2454aa4c35c138cc06817f92b8e upstream.
Some Comedi subdevice instruction handlers are known to access
instruction data elements beyond the first `insn->n` elements in some
cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions
allocate at least `MIN_SAMPLES` (16) data elements to deal with this,
but they do not initialize all of that. For Comedi instruction codes
that write to the subdevice, the first `insn->n` data elements are
copied from user-space, but the remaining elements are left
uninitialized. That could be a problem if the subdevice instruction
handler reads the uninitialized data. Ensure that the first
`MIN_SAMPLES` elements are initialized before calling these instruction
handlers, filling the uncopied elements with 0. For
`do_insnlist_ioctl()`, the same data buffer elements are used for
handling a list of instructions, so ensure the first `MIN_SAMPLES`
elements are initialized for each instruction that writes to the
subdevice.
Fixes: ed9eccbe8970 ("Staging: add comedi core")
Cc: stable@vger.kernel.org # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250707161439.88385-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/comedi_fops.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1551,21 +1551,27 @@ static int do_insnlist_ioctl(struct come
}
for (i = 0; i < n_insns; ++i) {
+ unsigned int n = insns[i].n;
+
if (insns[i].insn & INSN_MASK_WRITE) {
if (copy_from_user(data, insns[i].data,
- insns[i].n * sizeof(unsigned int))) {
+ n * sizeof(unsigned int))) {
dev_dbg(dev->class_dev,
"copy_from_user failed\n");
ret = -EFAULT;
goto error;
}
+ if (n < MIN_SAMPLES) {
+ memset(&data[n], 0, (MIN_SAMPLES - n) *
+ sizeof(unsigned int));
+ }
}
ret = parse_insn(dev, insns + i, data, file);
if (ret < 0)
goto error;
if (insns[i].insn & INSN_MASK_READ) {
if (copy_to_user(insns[i].data, data,
- insns[i].n * sizeof(unsigned int))) {
+ n * sizeof(unsigned int))) {
dev_dbg(dev->class_dev,
"copy_to_user failed\n");
ret = -EFAULT;
@@ -1638,6 +1644,10 @@ static int do_insn_ioctl(struct comedi_d
ret = -EFAULT;
goto error;
}
+ if (insn->n < MIN_SAMPLES) {
+ memset(&data[insn->n], 0,
+ (MIN_SAMPLES - insn->n) * sizeof(unsigned int));
+ }
}
ret = parse_insn(dev, insn, data, file);
if (ret < 0)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 037/644] bpf: Reject %p% format string in bprintf-like helpers
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 036/644] comedi: Fix initialization of data for instructions that write to subdevice Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 038/644] net: emaclite: Fix missing pointer increment in aligned_read() Greg Kroah-Hartman
` (612 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e2c932aec5c8a6e1d31c,
Yonghong Song, Paul Chaignon, Alexei Starovoitov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Chaignon <paul.chaignon@gmail.com>
[ Upstream commit f8242745871f81a3ac37f9f51853d12854fd0b58 ]
static const char fmt[] = "%p%";
bpf_trace_printk(fmt, sizeof(fmt));
The above BPF program isn't rejected and causes a kernel warning at
runtime:
Please remove unsupported %\x00 in format string
WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0
This happens because bpf_bprintf_prepare skips over the second %,
detected as punctuation, while processing %p. This patch fixes it by
not skipping over punctuation. %\x00 is then processed in the next
iteration and rejected.
Reported-by: syzbot+e2c932aec5c8a6e1d31c@syzkaller.appspotmail.com
Fixes: 48cac3f4a96d ("bpf: Implement formatted output helpers with bstr_printf")
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/a0e06cc479faec9e802ae51ba5d66420523251ee.1751395489.git.paul.chaignon@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/helpers.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index d3feaf6d68eba..b40ca025d9a44 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -832,6 +832,13 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args,
if (fmt[i] == 'p') {
sizeof_cur_arg = sizeof(long);
+ if (fmt[i + 1] == 0 || isspace(fmt[i + 1]) ||
+ ispunct(fmt[i + 1])) {
+ if (tmp_buf)
+ cur_arg = raw_args[num_spec];
+ goto nocopy_fmt;
+ }
+
if ((fmt[i + 1] == 'k' || fmt[i + 1] == 'u') &&
fmt[i + 2] == 's') {
fmt_ptype = fmt[i + 1];
@@ -839,11 +846,9 @@ int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args,
goto fmt_str;
}
- if (fmt[i + 1] == 0 || isspace(fmt[i + 1]) ||
- ispunct(fmt[i + 1]) || fmt[i + 1] == 'K' ||
+ if (fmt[i + 1] == 'K' ||
fmt[i + 1] == 'x' || fmt[i + 1] == 's' ||
fmt[i + 1] == 'S') {
- /* just kernel pointers */
if (tmp_buf)
cur_arg = raw_args[num_spec];
i++;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 038/644] net: emaclite: Fix missing pointer increment in aligned_read()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 037/644] bpf: Reject %p% format string in bprintf-like helpers Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 039/644] net/sched: sch_qfq: Fix race condition on qfq_aggregate Greg Kroah-Hartman
` (611 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 7727ec1523d7973defa1dff8f9c0aad288d04008 ]
Add missing post-increment operators for byte pointers in the
loop that copies remaining bytes in xemaclite_aligned_read().
Without the increment, the same byte was written repeatedly
to the destination.
This update aligns with xemaclite_aligned_write()
Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20250710173849.2381003-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
index 84e459358b055..81135fa5bd08b 100644
--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
@@ -294,7 +294,7 @@ static void xemaclite_aligned_read(u32 *src_ptr, u8 *dest_ptr,
/* Read the remaining data */
for (; length > 0; length--)
- *to_u8_ptr = *from_u8_ptr;
+ *to_u8_ptr++ = *from_u8_ptr++;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 039/644] net/sched: sch_qfq: Fix race condition on qfq_aggregate
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 038/644] net: emaclite: Fix missing pointer increment in aligned_read() Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 040/644] rpl: Fix use-after-free in rpl_do_srh_inline() Greg Kroah-Hartman
` (610 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Cong Wang,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 5e28d5a3f774f118896aec17a3a20a9c5c9dfc64 ]
A race condition can occur when 'agg' is modified in qfq_change_agg
(called during qfq_enqueue) while other threads access it
concurrently. For example, qfq_dump_class may trigger a NULL
dereference, and qfq_delete_class may cause a use-after-free.
This patch addresses the issue by:
1. Moved qfq_destroy_class into the critical section.
2. Added sch_tree_lock protection to qfq_dump_class and
qfq_dump_class_stats.
Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_qfq.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index a198145f1251f..0ef66612a5484 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -414,7 +414,7 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
bool existing = false;
struct nlattr *tb[TCA_QFQ_MAX + 1];
struct qfq_aggregate *new_agg = NULL;
- u32 weight, lmax, inv_w;
+ u32 weight, lmax, inv_w, old_weight, old_lmax;
int err;
int delta_w;
@@ -448,12 +448,16 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
inv_w = ONE_FP / weight;
weight = ONE_FP / inv_w;
- if (cl != NULL &&
- lmax == cl->agg->lmax &&
- weight == cl->agg->class_weight)
- return 0; /* nothing to change */
+ if (cl != NULL) {
+ sch_tree_lock(sch);
+ old_weight = cl->agg->class_weight;
+ old_lmax = cl->agg->lmax;
+ sch_tree_unlock(sch);
+ if (lmax == old_lmax && weight == old_weight)
+ return 0; /* nothing to change */
+ }
- delta_w = weight - (cl ? cl->agg->class_weight : 0);
+ delta_w = weight - (cl ? old_weight : 0);
if (q->wsum + delta_w > QFQ_MAX_WSUM) {
pr_notice("qfq: total weight out of range (%d + %u)\n",
@@ -555,10 +559,10 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg,
qdisc_purge_queue(cl->qdisc);
qdisc_class_hash_remove(&q->clhash, &cl->common);
+ qfq_destroy_class(sch, cl);
sch_tree_unlock(sch);
- qfq_destroy_class(sch, cl);
return 0;
}
@@ -625,6 +629,7 @@ static int qfq_dump_class(struct Qdisc *sch, unsigned long arg,
{
struct qfq_class *cl = (struct qfq_class *)arg;
struct nlattr *nest;
+ u32 class_weight, lmax;
tcm->tcm_parent = TC_H_ROOT;
tcm->tcm_handle = cl->common.classid;
@@ -633,8 +638,13 @@ static int qfq_dump_class(struct Qdisc *sch, unsigned long arg,
nest = nla_nest_start_noflag(skb, TCA_OPTIONS);
if (nest == NULL)
goto nla_put_failure;
- if (nla_put_u32(skb, TCA_QFQ_WEIGHT, cl->agg->class_weight) ||
- nla_put_u32(skb, TCA_QFQ_LMAX, cl->agg->lmax))
+
+ sch_tree_lock(sch);
+ class_weight = cl->agg->class_weight;
+ lmax = cl->agg->lmax;
+ sch_tree_unlock(sch);
+ if (nla_put_u32(skb, TCA_QFQ_WEIGHT, class_weight) ||
+ nla_put_u32(skb, TCA_QFQ_LMAX, lmax))
goto nla_put_failure;
return nla_nest_end(skb, nest);
@@ -651,8 +661,10 @@ static int qfq_dump_class_stats(struct Qdisc *sch, unsigned long arg,
memset(&xstats, 0, sizeof(xstats));
+ sch_tree_lock(sch);
xstats.weight = cl->agg->class_weight;
xstats.lmax = cl->agg->lmax;
+ sch_tree_unlock(sch);
if (gnet_stats_copy_basic(qdisc_root_sleeping_running(sch),
d, NULL, &cl->bstats) < 0 ||
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 040/644] rpl: Fix use-after-free in rpl_do_srh_inline().
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 039/644] net/sched: sch_qfq: Fix race condition on qfq_aggregate Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 041/644] pinctrl: mediatek: moore: check if pin_desc is valid before use Greg Kroah-Hartman
` (609 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Simon Horman,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit b640daa2822a39ff76e70200cb2b7b892b896dce ]
Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers
the splat below [0].
rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after
skb_cow_head(), which is illegal as the header could be freed then.
Let's fix it by making oldhdr to a local struct instead of a pointer.
[0]:
[root@fedora net]# ./lwt_dst_cache_ref_loop.sh
...
TEST: rpl (input)
[ 57.631529] ==================================================================
BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)
Read of size 40 at addr ffff888122bf96d8 by task ping6/1543
CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl (lib/dump_stack.c:122)
print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)
kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)
kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))
__asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))
rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)
rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)
lwtunnel_input (net/core/lwtunnel.c:459)
ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))
__netif_receive_skb_one_core (net/core/dev.c:5967)
process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)
__napi_poll.constprop.0 (net/core/dev.c:7452)
net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480 (discriminator 20))
</IRQ>
<TASK>
__local_bh_enable_ip (kernel/softirq.c:407)
__dev_queue_xmit (net/core/dev.c:4740)
ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)
ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)
ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)
ip6_send_skb (net/ipv6/ip6_output.c:1983)
rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)
__sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))
__x64_sys_sendto (net/socket.c:2231)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f68cffb2a06
Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08
RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06
RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003
RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4
R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0
</TASK>
Allocated by task 1543:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)
kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)
kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))
__alloc_skb (net/core/skbuff.c:669)
__ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))
ip6_append_data (net/ipv6/ip6_output.c:1859)
rawv6_sendmsg (net/ipv6/raw.c:911)
__sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))
__x64_sys_sendto (net/socket.c:2231)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Freed by task 1543:
kasan_save_stack (mm/kasan/common.c:48)
kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
kasan_save_free_info (mm/kasan/generic.c:579 (discriminator 1))
__kasan_slab_free (mm/kasan/common.c:271)
kmem_cache_free (mm/slub.c:4643 (discriminator 3) mm/slub.c:4745 (discriminator 3))
pskb_expand_head (net/core/skbuff.c:2274)
rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:158 (discriminator 1))
rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)
lwtunnel_input (net/core/lwtunnel.c:459)
ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))
__netif_receive_skb_one_core (net/core/dev.c:5967)
process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)
__napi_poll.constprop.0 (net/core/dev.c:7452)
net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480 (discriminator 20))
__local_bh_enable_ip (kernel/softirq.c:407)
__dev_queue_xmit (net/core/dev.c:4740)
ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)
ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)
ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)
ip6_send_skb (net/ipv6/ip6_output.c:1983)
rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)
__sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))
__x64_sys_sendto (net/socket.c:2231)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
The buggy address belongs to the object at ffff888122bf96c0
which belongs to the cache skbuff_small_head of size 704
The buggy address is located 24 bytes inside of
freed 704-byte region [ffff888122bf96c0, ffff888122bf9980)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x122bf8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff888101fc0a00 ffffea000464dc00 0000000000000002
raw: 0000000000000000 0000000080270027 00000000f5000000 0000000000000000
head: 0200000000000040 ffff888101fc0a00 ffffea000464dc00 0000000000000002
head: 0000000000000000 0000000080270027 00000000f5000000 0000000000000000
head: 0200000000000003 ffffea00048afe01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888122bf9580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888122bf9600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888122bf9680: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
^
ffff888122bf9700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888122bf9780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Fixes: a7a29f9c361f8 ("net: ipv6: add rpl sr tunnel")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/rpl_iptunnel.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c
index 6bf95aba0efce..26ade9931d8ec 100644
--- a/net/ipv6/rpl_iptunnel.c
+++ b/net/ipv6/rpl_iptunnel.c
@@ -129,13 +129,13 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt,
struct dst_entry *cache_dst)
{
struct ipv6_rpl_sr_hdr *isrh, *csrh;
- const struct ipv6hdr *oldhdr;
+ struct ipv6hdr oldhdr;
struct ipv6hdr *hdr;
unsigned char *buf;
size_t hdrlen;
int err;
- oldhdr = ipv6_hdr(skb);
+ memcpy(&oldhdr, ipv6_hdr(skb), sizeof(oldhdr));
buf = kcalloc(struct_size(srh, segments.addr, srh->segments_left), 2, GFP_ATOMIC);
if (!buf)
@@ -147,7 +147,7 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt,
memcpy(isrh, srh, sizeof(*isrh));
memcpy(isrh->rpl_segaddr, &srh->rpl_segaddr[1],
(srh->segments_left - 1) * 16);
- isrh->rpl_segaddr[srh->segments_left - 1] = oldhdr->daddr;
+ isrh->rpl_segaddr[srh->segments_left - 1] = oldhdr.daddr;
ipv6_rpl_srh_compress(csrh, isrh, &srh->rpl_segaddr[0],
isrh->segments_left - 1);
@@ -169,7 +169,7 @@ static int rpl_do_srh_inline(struct sk_buff *skb, const struct rpl_lwt *rlwt,
skb_mac_header_rebuild(skb);
hdr = ipv6_hdr(skb);
- memmove(hdr, oldhdr, sizeof(*hdr));
+ memmove(hdr, &oldhdr, sizeof(*hdr));
isrh = (void *)hdr + sizeof(*hdr);
memcpy(isrh, csrh, hdrlen);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 041/644] pinctrl: mediatek: moore: check if pin_desc is valid before use
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 040/644] rpl: Fix use-after-free in rpl_do_srh_inline() Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 042/644] smb: client: fix use-after-free in cifs_oplock_break Greg Kroah-Hartman
` (608 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sam Shih, Sean Wang, Linus Walleij,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Shih <sam.shih@mediatek.com>
[ Upstream commit d8b94c9ff96c2024a527086d850eb0b314337ff9 ]
Certain SoC are missing the middle part gpios in consecutive pins,
it's better to check if mtk_pin_desc is a valid pin for the extensibility
Signed-off-by: Sam Shih <sam.shih@mediatek.com>
Acked-by: Sean Wang <sean.wang@mediatek.com>
Link: https://lore.kernel.org/r/20210914085137.31761-5-sam.shih@mediatek.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Stable-dep-of: 705c79101ccf ("smb: client: fix use-after-free in cifs_oplock_break")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/mediatek/pinctrl-moore.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/drivers/pinctrl/mediatek/pinctrl-moore.c b/drivers/pinctrl/mediatek/pinctrl-moore.c
index 3a4a23c40a719..ad3b671639735 100644
--- a/drivers/pinctrl/mediatek/pinctrl-moore.c
+++ b/drivers/pinctrl/mediatek/pinctrl-moore.c
@@ -60,6 +60,8 @@ static int mtk_pinmux_set_mux(struct pinctrl_dev *pctldev,
int pin = grp->pins[i];
desc = (const struct mtk_pin_desc *)&hw->soc->pins[pin];
+ if (!desc->name)
+ return -ENOTSUPP;
mtk_hw_set_value(hw, desc, PINCTRL_PIN_REG_MODE,
pin_modes[i]);
@@ -76,6 +78,8 @@ static int mtk_pinmux_gpio_request_enable(struct pinctrl_dev *pctldev,
const struct mtk_pin_desc *desc;
desc = (const struct mtk_pin_desc *)&hw->soc->pins[pin];
+ if (!desc->name)
+ return -ENOTSUPP;
return mtk_hw_set_value(hw, desc, PINCTRL_PIN_REG_MODE,
hw->soc->gpio_m);
@@ -89,6 +93,8 @@ static int mtk_pinmux_gpio_set_direction(struct pinctrl_dev *pctldev,
const struct mtk_pin_desc *desc;
desc = (const struct mtk_pin_desc *)&hw->soc->pins[pin];
+ if (!desc->name)
+ return -ENOTSUPP;
/* hardware would take 0 as input direction */
return mtk_hw_set_value(hw, desc, PINCTRL_PIN_REG_DIR, !input);
@@ -103,6 +109,8 @@ static int mtk_pinconf_get(struct pinctrl_dev *pctldev,
const struct mtk_pin_desc *desc;
desc = (const struct mtk_pin_desc *)&hw->soc->pins[pin];
+ if (!desc->name)
+ return -ENOTSUPP;
switch (param) {
case PIN_CONFIG_BIAS_DISABLE:
@@ -218,6 +226,8 @@ static int mtk_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin,
int cfg, err = 0;
desc = (const struct mtk_pin_desc *)&hw->soc->pins[pin];
+ if (!desc->name)
+ return -ENOTSUPP;
for (cfg = 0; cfg < num_configs; cfg++) {
param = pinconf_to_config_param(configs[cfg]);
@@ -435,6 +445,8 @@ static int mtk_gpio_get(struct gpio_chip *chip, unsigned int gpio)
int value, err;
desc = (const struct mtk_pin_desc *)&hw->soc->pins[gpio];
+ if (!desc->name)
+ return -ENOTSUPP;
err = mtk_hw_get_value(hw, desc, PINCTRL_PIN_REG_DI, &value);
if (err)
@@ -449,6 +461,10 @@ static void mtk_gpio_set(struct gpio_chip *chip, unsigned int gpio, int value)
const struct mtk_pin_desc *desc;
desc = (const struct mtk_pin_desc *)&hw->soc->pins[gpio];
+ if (!desc->name) {
+ dev_err(hw->dev, "Failed to set gpio %d\n", gpio);
+ return;
+ }
mtk_hw_set_value(hw, desc, PINCTRL_PIN_REG_DO, !!value);
}
@@ -490,6 +506,8 @@ static int mtk_gpio_set_config(struct gpio_chip *chip, unsigned int offset,
u32 debounce;
desc = (const struct mtk_pin_desc *)&hw->soc->pins[offset];
+ if (!desc->name)
+ return -ENOTSUPP;
if (!hw->eint ||
pinconf_to_config_param(config) != PIN_CONFIG_INPUT_DEBOUNCE ||
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 042/644] smb: client: fix use-after-free in cifs_oplock_break
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 041/644] pinctrl: mediatek: moore: check if pin_desc is valid before use Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 043/644] nvme: fix misaccounting of nvme-mpath inflight I/O Greg Kroah-Hartman
` (607 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Wang Zhaolong, Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
[ Upstream commit 705c79101ccf9edea5a00d761491a03ced314210 ]
A race condition can occur in cifs_oplock_break() leading to a
use-after-free of the cinode structure when unmounting:
cifs_oplock_break()
_cifsFileInfo_put(cfile)
cifsFileInfo_put_final()
cifs_sb_deactive()
[last ref, start releasing sb]
kill_sb()
kill_anon_super()
generic_shutdown_super()
evict_inodes()
dispose_list()
evict()
destroy_inode()
call_rcu(&inode->i_rcu, i_callback)
spin_lock(&cinode->open_file_lock) <- OK
[later] i_callback()
cifs_free_inode()
kmem_cache_free(cinode)
spin_unlock(&cinode->open_file_lock) <- UAF
cifs_done_oplock_break(cinode) <- UAF
The issue occurs when umount has already released its reference to the
superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this
releases the last reference, triggering the immediate cleanup of all
inodes under RCU. However, cifs_oplock_break() continues to access the
cinode after this point, resulting in use-after-free.
Fix this by holding an extra reference to the superblock during the
entire oplock break operation. This ensures that the superblock and
its inodes remain valid until the oplock break completes.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220309
Fixes: b98749cac4a6 ("CIFS: keep FileInfo handle live during oplock break")
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/file.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index 9e8a69f9421e6..10bb1f9551887 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -4865,7 +4865,8 @@ void cifs_oplock_break(struct work_struct *work)
struct cifsFileInfo *cfile = container_of(work, struct cifsFileInfo,
oplock_break);
struct inode *inode = d_inode(cfile->dentry);
- struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
+ struct super_block *sb = inode->i_sb;
+ struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
struct cifsInodeInfo *cinode = CIFS_I(inode);
struct cifs_tcon *tcon;
struct TCP_Server_Info *server;
@@ -4875,6 +4876,12 @@ void cifs_oplock_break(struct work_struct *work)
__u64 persistent_fid, volatile_fid;
__u16 net_fid;
+ /*
+ * Hold a reference to the superblock to prevent it and its inodes from
+ * being freed while we are accessing cinode. Otherwise, _cifsFileInfo_put()
+ * may release the last reference to the sb and trigger inode eviction.
+ */
+ cifs_sb_active(sb);
wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS,
TASK_UNINTERRUPTIBLE);
@@ -4947,6 +4954,7 @@ void cifs_oplock_break(struct work_struct *work)
cifs_put_tlink(tlink);
out:
cifs_done_oplock_break(cinode);
+ cifs_sb_deactive(sb);
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 043/644] nvme: fix misaccounting of nvme-mpath inflight I/O
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 042/644] smb: client: fix use-after-free in cifs_oplock_break Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 044/644] selftests: udpgro: report error when receive failed Greg Kroah-Hartman
` (606 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yi Zhang, Yu Kuai, Christoph Hellwig,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit 71257925e83eae1cb6913d65ca71927d2220e6d1 ]
Procedures for nvme-mpath IO accounting:
1) initialize nvme_request and clear flags;
2) set NVME_MPATH_IO_STATS and increase inflight counter when IO
started;
3) check NVME_MPATH_IO_STATS and decrease inflight counter when IO is
done;
However, for the case nvme_fail_nonready_command(), both step 1) and 2)
are skipped, and if old nvme_request set NVME_MPATH_IO_STATS and then
request is reused, step 3) will still be executed, causing inflight I/O
counter to be negative.
Fix the problem by clearing nvme_request in nvme_fail_nonready_command().
Fixes: ea5e5f42cd2c ("nvme-fabrics: avoid double completions in nvmf_fail_nonready_command")
Reported-by: Yi Zhang <yi.zhang@redhat.com>
Closes: https://lore.kernel.org/all/CAHj4cs_+dauobyYyP805t33WMJVzOWj=7+51p4_j9rA63D9sog@mail.gmail.com/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 7065f66ef8cf4..f3071bd11fdd3 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -675,6 +675,10 @@ blk_status_t nvme_fail_nonready_command(struct nvme_ctrl *ctrl,
!test_bit(NVME_CTRL_FAILFAST_EXPIRED, &ctrl->flags) &&
!blk_noretry_request(rq) && !(rq->cmd_flags & REQ_NVME_MPATH))
return BLK_STS_RESOURCE;
+
+ if (!(rq->rq_flags & RQF_DONTPREP))
+ nvme_clear_nvme_request(rq);
+
return nvme_host_path_error(rq);
}
EXPORT_SYMBOL_GPL(nvme_fail_nonready_command);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 044/644] selftests: udpgro: report error when receive failed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 043/644] nvme: fix misaccounting of nvme-mpath inflight I/O Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 045/644] selftests: net: increase inter-packet timeout in udpgro.sh Greg Kroah-Hartman
` (605 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Hangbin Liu,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 7167395a4be7930ecac6a33b4e54d7e3dd9ee209 ]
Currently, we only check the latest senders's exit code. If the receiver
report failed, it is not recoreded. Fix it by checking the exit code
of all the involved processes.
Before:
bad GRO lookup ok
multiple GRO socks ./udpgso_bench_rx: recv: bad packet len, got 1452, expected 14520
./udpgso_bench_rx: recv: bad packet len, got 1452, expected 14520
failed
$ echo $?
0
After:
bad GRO lookup ok
multiple GRO socks ./udpgso_bench_rx: recv: bad packet len, got 1452, expected 14520
./udpgso_bench_rx: recv: bad packet len, got 1452, expected 14520
failed
$ echo $?
1
Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO")
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 0e9418961f89 ("selftests: net: increase inter-packet timeout in udpgro.sh")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/udpgro.sh | 44 ++++++++++++++++-----------
1 file changed, 27 insertions(+), 17 deletions(-)
diff --git a/tools/testing/selftests/net/udpgro.sh b/tools/testing/selftests/net/udpgro.sh
index 41d85eb745b7b..398f3bf969262 100755
--- a/tools/testing/selftests/net/udpgro.sh
+++ b/tools/testing/selftests/net/udpgro.sh
@@ -44,17 +44,19 @@ run_one() {
local -r all="$@"
local -r tx_args=${all%rx*}
local -r rx_args=${all#*rx}
+ local ret=0
cfg_veth
- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} && \
- echo "ok" || \
- echo "failed" &
+ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} &
+ local PID1=$!
wait_local_port_listen ${PEER_NS} 8000 udp
./udpgso_bench_tx ${tx_args}
- ret=$?
- wait $(jobs -p)
+ check_err $?
+ wait ${PID1}
+ check_err $?
+ [ "$ret" -eq 0 ] && echo "ok" || echo "failed"
return $ret
}
@@ -71,6 +73,7 @@ run_one_nat() {
local -r all="$@"
local -r tx_args=${all%rx*}
local -r rx_args=${all#*rx}
+ local ret=0
if [[ ${tx_args} = *-4* ]]; then
ipt_cmd=iptables
@@ -91,16 +94,17 @@ run_one_nat() {
# ... so that GRO will match the UDP_GRO enabled socket, but packets
# will land on the 'plain' one
ip netns exec "${PEER_NS}" ./udpgso_bench_rx -G ${family} -b ${addr1} -n 0 &
- pid=$!
- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${family} -b ${addr2%/*} ${rx_args} && \
- echo "ok" || \
- echo "failed"&
+ local PID1=$!
+ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${family} -b ${addr2%/*} ${rx_args} &
+ local PID2=$!
wait_local_port_listen "${PEER_NS}" 8000 udp
./udpgso_bench_tx ${tx_args}
- ret=$?
- kill -INT $pid
- wait $(jobs -p)
+ check_err $?
+ kill -INT ${PID1}
+ wait ${PID2}
+ check_err $?
+ [ "$ret" -eq 0 ] && echo "ok" || echo "failed"
return $ret
}
@@ -109,20 +113,26 @@ run_one_2sock() {
local -r all="$@"
local -r tx_args=${all%rx*}
local -r rx_args=${all#*rx}
+ local ret=0
cfg_veth
ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} -p 12345 &
- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 2000 -R 10 ${rx_args} && \
- echo "ok" || \
- echo "failed" &
+ local PID1=$!
+ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 2000 -R 10 ${rx_args} &
+ local PID2=$!
wait_local_port_listen "${PEER_NS}" 12345 udp
./udpgso_bench_tx ${tx_args} -p 12345
+ check_err $?
wait_local_port_listen "${PEER_NS}" 8000 udp
./udpgso_bench_tx ${tx_args}
- ret=$?
- wait $(jobs -p)
+ check_err $?
+ wait ${PID1}
+ check_err $?
+ wait ${PID2}
+ check_err $?
+ [ "$ret" -eq 0 ] && echo "ok" || echo "failed"
return $ret
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 045/644] selftests: net: increase inter-packet timeout in udpgro.sh
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 044/644] selftests: udpgro: report error when receive failed Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 046/644] hwmon: (corsair-cpro) Validate the size of the received input buffer Greg Kroah-Hartman
` (604 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Simon Horman, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 0e9418961f897be59b1fab6e31ae1b09a0bae902 ]
The mentioned test is not very stable when running on top of
debug kernel build. Increase the inter-packet timeout to allow
more slack in such environments.
Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO")
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/b0370c06ddb3235debf642c17de0284b2cd3c652.1752163107.git.pabeni@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/udpgro.sh | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/net/udpgro.sh b/tools/testing/selftests/net/udpgro.sh
index 398f3bf969262..b38efda51b636 100755
--- a/tools/testing/selftests/net/udpgro.sh
+++ b/tools/testing/selftests/net/udpgro.sh
@@ -48,7 +48,7 @@ run_one() {
cfg_veth
- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} &
+ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 100 ${rx_args} &
local PID1=$!
wait_local_port_listen ${PEER_NS} 8000 udp
@@ -95,7 +95,7 @@ run_one_nat() {
# will land on the 'plain' one
ip netns exec "${PEER_NS}" ./udpgso_bench_rx -G ${family} -b ${addr1} -n 0 &
local PID1=$!
- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${family} -b ${addr2%/*} ${rx_args} &
+ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 100 ${family} -b ${addr2%/*} ${rx_args} &
local PID2=$!
wait_local_port_listen "${PEER_NS}" 8000 udp
@@ -117,9 +117,9 @@ run_one_2sock() {
cfg_veth
- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 10 ${rx_args} -p 12345 &
+ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 1000 -R 100 ${rx_args} -p 12345 &
local PID1=$!
- ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 2000 -R 10 ${rx_args} &
+ ip netns exec "${PEER_NS}" ./udpgso_bench_rx -C 2000 -R 100 ${rx_args} &
local PID2=$!
wait_local_port_listen "${PEER_NS}" 12345 udp
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 046/644] hwmon: (corsair-cpro) Validate the size of the received input buffer
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 045/644] selftests: net: increase inter-packet timeout in udpgro.sh Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 047/644] usb: net: sierra: check for no status endpoint Greg Kroah-Hartman
` (603 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3bbbade4e1a7ab45ca3b,
Marius Zachmann, Guenter Roeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marius Zachmann <mail@mariuszachmann.de>
[ Upstream commit 495a4f0dce9c8c4478c242209748f1ee9e4d5820 ]
Add buffer_recv_size to store the size of the received bytes.
Validate buffer_recv_size in send_usb_cmd().
Reported-by: syzbot+3bbbade4e1a7ab45ca3b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-hwmon/61233ba1-e5ad-4d7a-ba31-3b5d0adcffcc@roeck-us.net
Fixes: 40c3a4454225 ("hwmon: add Corsair Commander Pro driver")
Signed-off-by: Marius Zachmann <mail@mariuszachmann.de>
Link: https://lore.kernel.org/r/20250619132817.39764-5-mail@mariuszachmann.de
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/corsair-cpro.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c
index 486fb6a8c3566..18da3e013c20b 100644
--- a/drivers/hwmon/corsair-cpro.c
+++ b/drivers/hwmon/corsair-cpro.c
@@ -84,6 +84,7 @@ struct ccp_device {
struct mutex mutex; /* whenever buffer is used, lock before send_usb_cmd */
u8 *cmd_buffer;
u8 *buffer;
+ int buffer_recv_size; /* number of received bytes in buffer */
int target[6];
DECLARE_BITMAP(temp_cnct, NUM_TEMP_SENSORS);
DECLARE_BITMAP(fan_cnct, NUM_FANS);
@@ -139,6 +140,9 @@ static int send_usb_cmd(struct ccp_device *ccp, u8 command, u8 byte1, u8 byte2,
if (!t)
return -ETIMEDOUT;
+ if (ccp->buffer_recv_size != IN_BUFFER_SIZE)
+ return -EPROTO;
+
return ccp_get_errno(ccp);
}
@@ -150,6 +154,7 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8
spin_lock(&ccp->wait_input_report_lock);
if (!completion_done(&ccp->wait_input_report)) {
memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size));
+ ccp->buffer_recv_size = size;
complete_all(&ccp->wait_input_report);
}
spin_unlock(&ccp->wait_input_report_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 047/644] usb: net: sierra: check for no status endpoint
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 046/644] hwmon: (corsair-cpro) Validate the size of the received input buffer Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 048/644] Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() Greg Kroah-Hartman
` (602 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3f89ec3d1d0842e95d50,
Oliver Neukum, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit 4c4ca3c46167518f8534ed70f6e3b4bf86c4d158 ]
The driver checks for having three endpoints and
having bulk in and out endpoints, but not that
the third endpoint is interrupt input.
Rectify the omission.
Reported-by: syzbot+3f89ec3d1d0842e95d50@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/686d5a9f.050a0220.1ffab7.0017.GAE@google.com/
Tested-by: syzbot+3f89ec3d1d0842e95d50@syzkaller.appspotmail.com
Fixes: eb4fd8cd355c8 ("net/usb: add sierra_net.c driver")
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20250714111326.258378-1-oneukum@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/sierra_net.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c
index bb4cbe8fc846b..2979236621961 100644
--- a/drivers/net/usb/sierra_net.c
+++ b/drivers/net/usb/sierra_net.c
@@ -689,6 +689,10 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
status);
return -ENODEV;
}
+ if (!dev->status) {
+ dev_err(&dev->udev->dev, "No status endpoint found");
+ return -ENODEV;
+ }
/* Initialize sierra private data */
priv = kzalloc(sizeof *priv, GFP_KERNEL);
if (!priv)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 048/644] Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 047/644] usb: net: sierra: check for no status endpoint Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 049/644] Bluetooth: SMP: If an unallowed command is received consider it a failure Greg Kroah-Hartman
` (601 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e4d73b165c3892852d22,
Kuniyuki Iwashima, Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit a0075accbf0d76c2dad1ad3993d2e944505d99a0 ]
syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]
l2cap_sock_resume_cb() has a similar problem that was fixed by commit
1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()").
Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed
under l2cap_sock_resume_cb(), we can avoid the issue simply by checking
if chan->data is NULL.
Let's not access to the killed socket in l2cap_sock_resume_cb().
[0]:
BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline]
BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711
Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: hci0 hci_rx_work
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_report+0x58/0x84 mm/kasan/report.c:524
kasan_report+0xb0/0x110 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
__kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37
instrument_atomic_write include/linux/instrumented.h:82 [inline]
clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711
l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357
hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline]
hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514
hci_event_func net/bluetooth/hci_event.c:7511 [inline]
hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565
hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070
process_one_work+0x7e8/0x155c kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3321 [inline]
worker_thread+0x958/0xed8 kernel/workqueue.c:3402
kthread+0x5fc/0x75c kernel/kthread.c:464
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
Fixes: d97c899bde33 ("Bluetooth: Introduce L2CAP channel callback for resuming")
Reported-by: syzbot+e4d73b165c3892852d22@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/686c12bd.a70a0220.29fe6c.0b13.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_sock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 441dedd8277f5..b2719f1b8adff 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1678,6 +1678,9 @@ static void l2cap_sock_resume_cb(struct l2cap_chan *chan)
{
struct sock *sk = chan->data;
+ if (!sk)
+ return;
+
if (test_and_clear_bit(FLAG_PENDING_SECURITY, &chan->flags)) {
sk->sk_state = BT_CONNECTED;
chan->state = BT_CONNECTED;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 049/644] Bluetooth: SMP: If an unallowed command is received consider it a failure
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 048/644] Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 050/644] Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Greg Kroah-Hartman
` (600 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit fe4840df0bdf341f376885271b7680764fe6b34e ]
If a command is received while a bonding is ongoing consider it a
pairing failure so the session is cleanup properly and the device is
disconnected immediately instead of continuing with other commands that
may result in the session to get stuck without ever completing such as
the case bellow:
> ACL Data RX: Handle 2048 flags 0x02 dlen 21
SMP: Identity Information (0x08) len 16
Identity resolving key[16]: d7e08edef97d3e62cd2331f82d8073b0
> ACL Data RX: Handle 2048 flags 0x02 dlen 21
SMP: Signing Information (0x0a) len 16
Signature key[16]: 1716c536f94e843a9aea8b13ffde477d
Bluetooth: hci0: unexpected SMP command 0x0a from XX:XX:XX:XX:XX:XX
> ACL Data RX: Handle 2048 flags 0x02 dlen 12
SMP: Identity Address Information (0x09) len 7
Address: XX:XX:XX:XX:XX:XX (Intel Corporate)
While accourding to core spec 6.1 the expected order is always BD_ADDR
first first then CSRK:
When using LE legacy pairing, the keys shall be distributed in the
following order:
LTK by the Peripheral
EDIV and Rand by the Peripheral
IRK by the Peripheral
BD_ADDR by the Peripheral
CSRK by the Peripheral
LTK by the Central
EDIV and Rand by the Central
IRK by the Central
BD_ADDR by the Central
CSRK by the Central
When using LE Secure Connections, the keys shall be distributed in the
following order:
IRK by the Peripheral
BD_ADDR by the Peripheral
CSRK by the Peripheral
IRK by the Central
BD_ADDR by the Central
CSRK by the Central
According to the Core 6.1 for commands used for key distribution "Key
Rejected" can be used:
'3.6.1. Key distribution and generation
A device may reject a distributed key by sending the Pairing Failed command
with the reason set to "Key Rejected".
Fixes: b28b4943660f ("Bluetooth: Add strict checks for allowed SMP PDUs")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/smp.c | 19 ++++++++++++++++++-
net/bluetooth/smp.h | 1 +
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 724dc901eaf27..0f4e92c4dc94a 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2971,8 +2971,25 @@ static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
if (code > SMP_CMD_MAX)
goto drop;
- if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
+ if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) {
+ /* If there is a context and the command is not allowed consider
+ * it a failure so the session is cleanup properly.
+ */
+ switch (code) {
+ case SMP_CMD_IDENT_INFO:
+ case SMP_CMD_IDENT_ADDR_INFO:
+ case SMP_CMD_SIGN_INFO:
+ /* 3.6.1. Key distribution and generation
+ *
+ * A device may reject a distributed key by sending the
+ * Pairing Failed command with the reason set to
+ * "Key Rejected".
+ */
+ smp_failure(conn, SMP_KEY_REJECTED);
+ break;
+ }
goto drop;
+ }
/* If we don't have a context the only allowed commands are
* pairing request and security request.
diff --git a/net/bluetooth/smp.h b/net/bluetooth/smp.h
index 87a59ec2c9f02..c5da53dfab04f 100644
--- a/net/bluetooth/smp.h
+++ b/net/bluetooth/smp.h
@@ -138,6 +138,7 @@ struct smp_cmd_keypress_notify {
#define SMP_NUMERIC_COMP_FAILED 0x0c
#define SMP_BREDR_PAIRING_IN_PROGRESS 0x0d
#define SMP_CROSS_TRANSP_NOT_ALLOWED 0x0e
+#define SMP_KEY_REJECTED 0x0f
#define SMP_MIN_ENC_KEY_SIZE 7
#define SMP_MAX_ENC_KEY_SIZE 16
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 050/644] Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 049/644] Bluetooth: SMP: If an unallowed command is received consider it a failure Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 051/644] lib: bitmap: Introduce node-aware alloc API Greg Kroah-Hartman
` (599 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 6ef99c917688a8510259e565bd1b168b7146295a ]
This replaces the usage of HCI_ERROR_REMOTE_USER_TERM, which as the name
suggest is to indicate a regular disconnection initiated by an user,
with HCI_ERROR_AUTH_FAILURE to indicate the session has timeout thus any
pairing shall be considered as failed.
Fixes: 1e91c29eb60c ("Bluetooth: Use hci_disconnect for immediate disconnection from SMP")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/smp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 0f4e92c4dc94a..697ec98b07982 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -1373,7 +1373,7 @@ static void smp_timeout(struct work_struct *work)
bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
- hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
+ hci_disconnect(conn->hcon, HCI_ERROR_AUTH_FAILURE);
}
static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 051/644] lib: bitmap: Introduce node-aware alloc API
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 050/644] Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 052/644] net/mlx5e: Add support to klm_umr_wqe Greg Kroah-Hartman
` (598 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tariq Toukan, Moshe Shemesh,
Saeed Mahameed, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tariq Toukan <tariqt@nvidia.com>
[ Upstream commit 7529cc7fbd9c02eda6851f3260416cbe198a321d ]
Expose new node-aware API for bitmap allocation:
bitmap_alloc_node() / bitmap_zalloc_node().
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Stable-dep-of: 531d0d32de3e ("net/mlx5: Correctly set gso_size when LRO is used")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/bitmap.h | 2 ++
lib/bitmap.c | 13 +++++++++++++
2 files changed, 15 insertions(+)
diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
index ce03547d69f45..795d57d3ca086 100644
--- a/include/linux/bitmap.h
+++ b/include/linux/bitmap.h
@@ -123,6 +123,8 @@ struct device;
*/
unsigned long *bitmap_alloc(unsigned int nbits, gfp_t flags);
unsigned long *bitmap_zalloc(unsigned int nbits, gfp_t flags);
+unsigned long *bitmap_alloc_node(unsigned int nbits, gfp_t flags, int node);
+unsigned long *bitmap_zalloc_node(unsigned int nbits, gfp_t flags, int node);
void bitmap_free(const unsigned long *bitmap);
/* Managed variants of the above. */
diff --git a/lib/bitmap.c b/lib/bitmap.c
index 663dd81967d4e..9264088834566 100644
--- a/lib/bitmap.c
+++ b/lib/bitmap.c
@@ -1398,6 +1398,19 @@ unsigned long *bitmap_zalloc(unsigned int nbits, gfp_t flags)
}
EXPORT_SYMBOL(bitmap_zalloc);
+unsigned long *bitmap_alloc_node(unsigned int nbits, gfp_t flags, int node)
+{
+ return kmalloc_array_node(BITS_TO_LONGS(nbits), sizeof(unsigned long),
+ flags, node);
+}
+EXPORT_SYMBOL(bitmap_alloc_node);
+
+unsigned long *bitmap_zalloc_node(unsigned int nbits, gfp_t flags, int node)
+{
+ return bitmap_alloc_node(nbits, flags | __GFP_ZERO, node);
+}
+EXPORT_SYMBOL(bitmap_zalloc_node);
+
void bitmap_free(const unsigned long *bitmap)
{
kfree(bitmap);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 052/644] net/mlx5e: Add support to klm_umr_wqe
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 051/644] lib: bitmap: Introduce node-aware alloc API Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 053/644] net/mlx5: Correctly set gso_size when LRO is used Greg Kroah-Hartman
` (597 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Ben-Ishay, Tariq Toukan,
Saeed Mahameed, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Ben-Ishay <benishay@nvidia.com>
[ Upstream commit d7b896acbdcb3ef5dab1fd2f33ba5a8da6ba1dda ]
This commit adds the needed definitions for using the klm_umr_wqe.
UMR stands for user-mode memory registration, is a mechanism to alter
address translation properties of MKEY by posting WorkQueueElement
aka WQE on send queue.
MKEY stands for memory key, MKEY are used to describe a region in memory that
can be later used by HW.
KLM stands for {Key, Length, MemVa}, KLM_MKEY is indirect MKEY that enables
to map multiple memory spaces with different sizes in unified MKEY.
klm_umr_wqe is a UMR that use to update a KLM_MKEY.
SHAMPO feature uses KLM_MKEY for memory registration of his header buffer.
Signed-off-by: Ben Ben-Ishay <benishay@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Stable-dep-of: 531d0d32de3e ("net/mlx5: Correctly set gso_size when LRO is used")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en.h | 24 +++++++++++++++++++-
include/linux/mlx5/device.h | 1 +
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
index c822c3ac0544b..4f711f1af6c1c 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
@@ -152,6 +152,25 @@ struct page_pool;
#define MLX5E_UMR_WQEBBS \
(DIV_ROUND_UP(MLX5E_UMR_WQE_INLINE_SZ, MLX5_SEND_WQE_BB))
+#define MLX5E_KLM_UMR_WQE_SZ(sgl_len)\
+ (sizeof(struct mlx5e_umr_wqe) +\
+ (sizeof(struct mlx5_klm) * (sgl_len)))
+
+#define MLX5E_KLM_UMR_WQEBBS(klm_entries) \
+ (DIV_ROUND_UP(MLX5E_KLM_UMR_WQE_SZ(klm_entries), MLX5_SEND_WQE_BB))
+
+#define MLX5E_KLM_UMR_DS_CNT(klm_entries)\
+ (DIV_ROUND_UP(MLX5E_KLM_UMR_WQE_SZ(klm_entries), MLX5_SEND_WQE_DS))
+
+#define MLX5E_KLM_MAX_ENTRIES_PER_WQE(wqe_size)\
+ (((wqe_size) - sizeof(struct mlx5e_umr_wqe)) / sizeof(struct mlx5_klm))
+
+#define MLX5E_KLM_ENTRIES_PER_WQE(wqe_size)\
+ ALIGN_DOWN(MLX5E_KLM_MAX_ENTRIES_PER_WQE(wqe_size), MLX5_UMR_KLM_ALIGNMENT)
+
+#define MLX5E_MAX_KLM_PER_WQE(mdev) \
+ MLX5E_KLM_ENTRIES_PER_WQE(MLX5E_TX_MPW_MAX_NUM_DS << MLX5_MKEY_BSF_OCTO_SIZE)
+
#define MLX5E_MSG_LEVEL NETIF_MSG_LINK
#define mlx5e_dbg(mlevel, priv, format, ...) \
@@ -217,7 +236,10 @@ struct mlx5e_umr_wqe {
struct mlx5_wqe_ctrl_seg ctrl;
struct mlx5_wqe_umr_ctrl_seg uctrl;
struct mlx5_mkey_seg mkc;
- struct mlx5_mtt inline_mtts[0];
+ union {
+ struct mlx5_mtt inline_mtts[0];
+ struct mlx5_klm inline_klms[0];
+ };
};
extern const char mlx5e_self_tests[][ETH_GSTRING_LEN];
diff --git a/include/linux/mlx5/device.h b/include/linux/mlx5/device.h
index 476d8fd5a7e5b..afc7e2d81b6d8 100644
--- a/include/linux/mlx5/device.h
+++ b/include/linux/mlx5/device.h
@@ -290,6 +290,7 @@ enum {
MLX5_UMR_INLINE = (1 << 7),
};
+#define MLX5_UMR_KLM_ALIGNMENT 4
#define MLX5_UMR_MTT_ALIGNMENT 0x40
#define MLX5_UMR_MTT_MASK (MLX5_UMR_MTT_ALIGNMENT - 1)
#define MLX5_UMR_MTT_MIN_CHUNK_SIZE MLX5_UMR_MTT_ALIGNMENT
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 053/644] net/mlx5: Correctly set gso_size when LRO is used
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 052/644] net/mlx5e: Add support to klm_umr_wqe Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 054/644] ipv6: mcast: Delay put pmc->idev in mld_del_delrec() Greg Kroah-Hartman
` (596 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Paasch, Tariq Toukan,
Gal Pressman, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Paasch <cpaasch@openai.com>
[ Upstream commit 531d0d32de3e1b6b77a87bd37de0c2c6e17b496a ]
gso_size is expected by the networking stack to be the size of the
payload (thus, not including ethernet/IP/TCP-headers). However, cqe_bcnt
is the full sized frame (including the headers). Dividing cqe_bcnt by
lro_num_seg will then give incorrect results.
For example, running a bpftrace higher up in the TCP-stack
(tcp_event_data_recv), we commonly have gso_size set to 1450 or 1451 even
though in reality the payload was only 1448 bytes.
This can have unintended consequences:
- In tcp_measure_rcv_mss() len will be for example 1450, but. rcv_mss
will be 1448 (because tp->advmss is 1448). Thus, we will always
recompute scaling_ratio each time an LRO-packet is received.
- In tcp_gro_receive(), it will interfere with the decision whether or
not to flush and thus potentially result in less gro'ed packets.
So, we need to discount the protocol headers from cqe_bcnt so we can
actually divide the payload by lro_num_seg to get the real gso_size.
v2:
- Use "(unsigned char *)tcp + tcp->doff * 4 - skb->data)" to compute header-len
(Tariq Toukan <tariqt@nvidia.com>)
- Improve commit-message (Gal Pressman <gal@nvidia.com>)
Fixes: e586b3b0baee ("net/mlx5: Ethernet Datapath files")
Signed-off-by: Christoph Paasch <cpaasch@openai.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Gal Pressman <gal@nvidia.com>
Link: https://patch.msgid.link/20250715-cpaasch-pf-925-investigate-incorrect-gso_size-on-cx-7-nic-v2-1-e06c3475f3ac@openai.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
index d2de1e6c514c1..2f6d3473bcbf1 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -788,8 +788,9 @@ static void mlx5e_lro_update_tcp_hdr(struct mlx5_cqe64 *cqe, struct tcphdr *tcp)
}
}
-static void mlx5e_lro_update_hdr(struct sk_buff *skb, struct mlx5_cqe64 *cqe,
- u32 cqe_bcnt)
+static unsigned int mlx5e_lro_update_hdr(struct sk_buff *skb,
+ struct mlx5_cqe64 *cqe,
+ u32 cqe_bcnt)
{
struct ethhdr *eth = (struct ethhdr *)(skb->data);
struct tcphdr *tcp;
@@ -840,6 +841,8 @@ static void mlx5e_lro_update_hdr(struct sk_buff *skb, struct mlx5_cqe64 *cqe,
tcp->check = csum_ipv6_magic(&ipv6->saddr, &ipv6->daddr, payload_len,
IPPROTO_TCP, check);
}
+
+ return (unsigned int)((unsigned char *)tcp + tcp->doff * 4 - skb->data);
}
static inline void mlx5e_skb_set_hash(struct mlx5_cqe64 *cqe,
@@ -1055,8 +1058,9 @@ static inline void mlx5e_build_rx_skb(struct mlx5_cqe64 *cqe,
mlx5e_ipsec_offload_handle_rx_skb(netdev, skb, cqe);
if (lro_num_seg > 1) {
- mlx5e_lro_update_hdr(skb, cqe, cqe_bcnt);
- skb_shinfo(skb)->gso_size = DIV_ROUND_UP(cqe_bcnt, lro_num_seg);
+ unsigned int hdrlen = mlx5e_lro_update_hdr(skb, cqe, cqe_bcnt);
+
+ skb_shinfo(skb)->gso_size = DIV_ROUND_UP(cqe_bcnt - hdrlen, lro_num_seg);
/* Subtract one since we already counted this as one
* "regular" packet in mlx5e_complete_rx_cqe()
*/
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 054/644] ipv6: mcast: Delay put pmc->idev in mld_del_delrec()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 053/644] net/mlx5: Correctly set gso_size when LRO is used Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 055/644] Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Greg Kroah-Hartman
` (595 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yue Haibing, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yue Haibing <yuehaibing@huawei.com>
[ Upstream commit ae3264a25a4635531264728859dbe9c659fad554 ]
pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec()
does, the reference should be put after ip6_mc_clear_src() return.
Fixes: 63ed8de4be81 ("mld: add mc_lock for protecting per-interface mld data")
Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
Link: https://patch.msgid.link/20250714141957.3301871-1-yuehaibing@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/mcast.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 1d038a0840994..574a30d7f930d 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -803,8 +803,8 @@ static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
} else {
im->mca_crcount = idev->mc_qrv;
}
- in6_dev_put(pmc->idev);
ip6_mc_clear_src(pmc);
+ in6_dev_put(pmc->idev);
kfree_rcu(pmc, rcu);
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 055/644] Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 054/644] ipv6: mcast: Delay put pmc->idev in mld_del_delrec() Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 056/644] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Greg Kroah-Hartman
` (594 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit d24e4a7fedae121d33fb32ad785b87046527eedb ]
Configuration request only configure the incoming direction of the peer
initiating the request, so using the MTU is the other direction shall
not be used, that said the spec allows the peer responding to adjust:
Bluetooth Core 6.1, Vol 3, Part A, Section 4.5
'Each configuration parameter value (if any is present) in an
L2CAP_CONFIGURATION_RSP packet reflects an ‘adjustment’ to a
configuration parameter value that has been sent (or, in case of
default values, implied) in the corresponding
L2CAP_CONFIGURATION_REQ packet.'
That said adjusting the MTU in the response shall be limited to ERTM
channels only as for older modes the remote stack may not be able to
detect the adjustment causing it to silently drop packets.
Link: https://github.com/bluez/bluez/issues/1422
Link: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/issues/149
Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/4793
Fixes: 042bb9603c44 ("Bluetooth: L2CAP: Fix L2CAP MTU negotiation")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 089fca4f78124..1af639f1dd8d1 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3687,12 +3687,28 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
/* Configure output options and let the other side know
* which ones we don't like. */
- /* If MTU is not provided in configure request, use the most recently
- * explicitly or implicitly accepted value for the other direction,
- * or the default value.
+ /* If MTU is not provided in configure request, try adjusting it
+ * to the current output MTU if it has been set
+ *
+ * Bluetooth Core 6.1, Vol 3, Part A, Section 4.5
+ *
+ * Each configuration parameter value (if any is present) in an
+ * L2CAP_CONFIGURATION_RSP packet reflects an ‘adjustment’ to a
+ * configuration parameter value that has been sent (or, in case
+ * of default values, implied) in the corresponding
+ * L2CAP_CONFIGURATION_REQ packet.
*/
- if (mtu == 0)
- mtu = chan->imtu ? chan->imtu : L2CAP_DEFAULT_MTU;
+ if (!mtu) {
+ /* Only adjust for ERTM channels as for older modes the
+ * remote stack may not be able to detect that the
+ * adjustment causing it to silently drop packets.
+ */
+ if (chan->mode == L2CAP_MODE_ERTM &&
+ chan->omtu && chan->omtu != L2CAP_DEFAULT_MTU)
+ mtu = chan->omtu;
+ else
+ mtu = L2CAP_DEFAULT_MTU;
+ }
if (mtu < L2CAP_DEFAULT_MIN_MTU)
result = L2CAP_CONF_UNACCEPT;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 056/644] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 055/644] Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 057/644] net: bridge: Do not offload IGMP/MLD messages Greg Kroah-Hartman
` (593 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a8b046e462915c65b10b,
Ido Schimmel, Dong Chenchen, Ido Schimmel, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dong Chenchen <dongchenchen2@huawei.com>
[ Upstream commit 579d4f9ca9a9a605184a9b162355f6ba131f678d ]
Assuming the "rx-vlan-filter" feature is enabled on a net device, the
8021q module will automatically add or remove VLAN 0 when the net device
is put administratively up or down, respectively. There are a couple of
problems with the above scheme.
The first problem is a memory leak that can happen if the "rx-vlan-filter"
feature is disabled while the device is running:
# ip link add bond1 up type bond mode 0
# ethtool -K bond1 rx-vlan-filter off
# ip link del dev bond1
When the device is put administratively down the "rx-vlan-filter"
feature is disabled, so the 8021q module will not remove VLAN 0 and the
memory will be leaked [1].
Another problem that can happen is that the kernel can automatically
delete VLAN 0 when the device is put administratively down despite not
adding it when the device was put administratively up since during that
time the "rx-vlan-filter" feature was disabled. null-ptr-unref or
bug_on[2] will be triggered by unregister_vlan_dev() for refcount
imbalance if toggling filtering during runtime:
$ ip link add bond0 type bond mode 0
$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q
$ ethtool -K bond0 rx-vlan-filter off
$ ifconfig bond0 up
$ ethtool -K bond0 rx-vlan-filter on
$ ifconfig bond0 down
$ ip link del vlan0
Root cause is as below:
step1: add vlan0 for real_dev, such as bond, team.
register_vlan_dev
vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1
step2: disable vlan filter feature and enable real_dev
step3: change filter from 0 to 1
vlan_device_event
vlan_filter_push_vids
ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0
step4: real_dev down
vlan_device_event
vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0
vlan_info_rcu_free //free vlan0
step5: delete vlan0
unregister_vlan_dev
BUG_ON(!vlan_info); //vlan_info is null
Fix both problems by noting in the VLAN info whether VLAN 0 was
automatically added upon NETDEV_UP and based on that decide whether it
should be deleted upon NETDEV_DOWN, regardless of the state of the
"rx-vlan-filter" feature.
[1]
unreferenced object 0xffff8880068e3100 (size 256):
comm "ip", pid 384, jiffies 4296130254
hex dump (first 32 bytes):
00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 81ce31fa):
__kmalloc_cache_noprof+0x2b5/0x340
vlan_vid_add+0x434/0x940
vlan_device_event.cold+0x75/0xa8
notifier_call_chain+0xca/0x150
__dev_notify_flags+0xe3/0x250
rtnl_configure_link+0x193/0x260
rtnl_newlink_create+0x383/0x8e0
__rtnl_newlink+0x22c/0xa40
rtnl_newlink+0x627/0xb00
rtnetlink_rcv_msg+0x6fb/0xb70
netlink_rcv_skb+0x11f/0x350
netlink_unicast+0x426/0x710
netlink_sendmsg+0x75a/0xc20
__sock_sendmsg+0xc1/0x150
____sys_sendmsg+0x5aa/0x7b0
___sys_sendmsg+0xfc/0x180
[2]
kernel BUG at net/8021q/vlan.c:99!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))
RSP: 0018:ffff88810badf310 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8
RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80
R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000
R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e
FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0
Call Trace:
<TASK>
rtnl_dellink (net/core/rtnetlink.c:3511 net/core/rtnetlink.c:3553)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6945)
netlink_rcv_skb (net/netlink/af_netlink.c:2535)
netlink_unicast (net/netlink/af_netlink.c:1314 net/netlink/af_netlink.c:1339)
netlink_sendmsg (net/netlink/af_netlink.c:1883)
____sys_sendmsg (net/socket.c:712 net/socket.c:727 net/socket.c:2566)
___sys_sendmsg (net/socket.c:2622)
__sys_sendmsg (net/socket.c:2652)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
Fixes: ad1afb003939 ("vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet)")
Reported-by: syzbot+a8b046e462915c65b10b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a8b046e462915c65b10b
Suggested-by: Ido Schimmel <idosch@idosch.org>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20250716034504.2285203-2-dongchenchen2@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/8021q/vlan.c | 42 +++++++++++++++++++++++++++++++++---------
net/8021q/vlan.h | 1 +
2 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index eba36453a51ad..2c5b532b0f054 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -359,6 +359,35 @@ static int __vlan_device_event(struct net_device *dev, unsigned long event)
return err;
}
+static void vlan_vid0_add(struct net_device *dev)
+{
+ struct vlan_info *vlan_info;
+ int err;
+
+ if (!(dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
+ return;
+
+ pr_info("adding VLAN 0 to HW filter on device %s\n", dev->name);
+
+ err = vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
+ if (err)
+ return;
+
+ vlan_info = rtnl_dereference(dev->vlan_info);
+ vlan_info->auto_vid0 = true;
+}
+
+static void vlan_vid0_del(struct net_device *dev)
+{
+ struct vlan_info *vlan_info = rtnl_dereference(dev->vlan_info);
+
+ if (!vlan_info || !vlan_info->auto_vid0)
+ return;
+
+ vlan_info->auto_vid0 = false;
+ vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+}
+
static int vlan_device_event(struct notifier_block *unused, unsigned long event,
void *ptr)
{
@@ -380,15 +409,10 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
return notifier_from_errno(err);
}
- if ((event == NETDEV_UP) &&
- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) {
- pr_info("adding VLAN 0 to HW filter on device %s\n",
- dev->name);
- vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
- }
- if (event == NETDEV_DOWN &&
- (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
- vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+ if (event == NETDEV_UP)
+ vlan_vid0_add(dev);
+ else if (event == NETDEV_DOWN)
+ vlan_vid0_del(dev);
vlan_info = rtnl_dereference(dev->vlan_info);
if (!vlan_info)
diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h
index 5eaf38875554b..c7ffe591d5936 100644
--- a/net/8021q/vlan.h
+++ b/net/8021q/vlan.h
@@ -33,6 +33,7 @@ struct vlan_info {
struct vlan_group grp;
struct list_head vid_list;
unsigned int nr_vids;
+ bool auto_vid0;
struct rcu_head rcu;
};
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 057/644] net: bridge: Do not offload IGMP/MLD messages
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 056/644] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 058/644] net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree Greg Kroah-Hartman
` (592 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joseph Huang, Nikolay Aleksandrov,
Ido Schimmel, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Huang <Joseph.Huang@garmin.com>
[ Upstream commit 683dc24da8bf199bb7446e445ad7f801c79a550e ]
Do not offload IGMP/MLD messages as it could lead to IGMP/MLD Reports
being unintentionally flooded to Hosts. Instead, let the bridge decide
where to send these IGMP/MLD messages.
Consider the case where the local host is sending out reports in response
to a remote querier like the following:
mcast-listener-process (IP_ADD_MEMBERSHIP)
\
br0
/ \
swp1 swp2
| |
QUERIER SOME-OTHER-HOST
In the above setup, br0 will want to br_forward() reports for
mcast-listener-process's group(s) via swp1 to QUERIER; but since the
source hwdom is 0, the report is eligible for tx offloading, and is
flooded by hardware to both swp1 and swp2, reaching SOME-OTHER-HOST as
well. (Example and illustration provided by Tobias.)
Fixes: 472111920f1c ("net: bridge: switchdev: allow the TX data plane forwarding to be offloaded")
Signed-off-by: Joseph Huang <Joseph.Huang@garmin.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20250716153551.1830255-1-Joseph.Huang@garmin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_switchdev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bridge/br_switchdev.c b/net/bridge/br_switchdev.c
index 6bf518d78f029..44ae2068045b1 100644
--- a/net/bridge/br_switchdev.c
+++ b/net/bridge/br_switchdev.c
@@ -16,6 +16,9 @@ static bool nbp_switchdev_can_offload_tx_fwd(const struct net_bridge_port *p,
if (!static_branch_unlikely(&br_switchdev_tx_fwd_offload))
return false;
+ if (br_multicast_igmp_type(skb))
+ return false;
+
return (p->flags & BR_TX_FWD_OFFLOAD) &&
(p->hwdom != BR_INPUT_SKB_CB(skb)->src_hwdom);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 058/644] net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 057/644] net: bridge: Do not offload IGMP/MLD messages Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 059/644] sched: Change nr_uninterruptible type to unsigned long Greg Kroah-Hartman
` (591 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William Liu, Savino Dicanosa,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: William Liu <will@willsroot.io>
[ Upstream commit 0e1d5d9b5c5966e2e42e298670808590db5ed628 ]
htb_lookup_leaf has a BUG_ON that can trigger with the following:
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 htb rate 64bit
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2:1 handle 3: blackhole
ping -I lo -c1 -W0.001 127.0.0.1
The root cause is the following:
1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on
the selected leaf qdisc
2. netem_dequeue calls enqueue on the child qdisc
3. blackhole_enqueue drops the packet and returns a value that is not
just NET_XMIT_SUCCESS
4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and
since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate ->
htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase
5. As this is the only class in the selected hprio rbtree,
__rb_change_child in __rb_erase_augmented sets the rb_root pointer to
NULL
6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,
which causes htb_dequeue_tree to call htb_lookup_leaf with the same
hprio rbtree, and fail the BUG_ON
The function graph for this scenario is shown here:
0) | htb_enqueue() {
0) + 13.635 us | netem_enqueue();
0) 4.719 us | htb_activate_prios();
0) # 2249.199 us | }
0) | htb_dequeue() {
0) 2.355 us | htb_lookup_leaf();
0) | netem_dequeue() {
0) + 11.061 us | blackhole_enqueue();
0) | qdisc_tree_reduce_backlog() {
0) | qdisc_lookup_rcu() {
0) 1.873 us | qdisc_match_from_root();
0) 6.292 us | }
0) 1.894 us | htb_search();
0) | htb_qlen_notify() {
0) 2.655 us | htb_deactivate_prios();
0) 6.933 us | }
0) + 25.227 us | }
0) 1.983 us | blackhole_dequeue();
0) + 86.553 us | }
0) # 2932.761 us | qdisc_warn_nonwc();
0) | htb_lookup_leaf() {
0) | BUG_ON();
------------------------------------------
The full original bug report can be seen here [1].
We can fix this just by returning NULL instead of the BUG_ON,
as htb_dequeue_tree returns NULL when htb_lookup_leaf returns
NULL.
[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/
Fixes: 512bb43eb542 ("pkt_sched: sch_htb: Optimize WARN_ONs in htb_dequeue_tree() etc.")
Signed-off-by: William Liu <will@willsroot.io>
Signed-off-by: Savino Dicanosa <savy@syst3mfailure.io>
Link: https://patch.msgid.link/20250717022816.221364-1-will@willsroot.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_htb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 8ce999e4ca323..35eaf7c85ba08 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -817,7 +817,9 @@ static struct htb_class *htb_lookup_leaf(struct htb_prio *hprio, const int prio)
u32 *pid;
} stk[TC_HTB_MAXDEPTH], *sp = stk;
- BUG_ON(!hprio->row.rb_node);
+ if (unlikely(!hprio->row.rb_node))
+ return NULL;
+
sp->root = hprio->row.rb_node;
sp->pptr = &hprio->ptr;
sp->pid = &hprio->last_ptr_id;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 059/644] sched: Change nr_uninterruptible type to unsigned long
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 058/644] net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 060/644] clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns Greg Kroah-Hartman
` (590 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aruna Ramakrishna,
Peter Zijlstra (Intel)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
commit 36569780b0d64de283f9d6c2195fd1a43e221ee8 upstream.
The commit e6fe3f422be1 ("sched: Make multiple runqueue task counters
32-bit") changed nr_uninterruptible to an unsigned int. But the
nr_uninterruptible values for each of the CPU runqueues can grow to
large numbers, sometimes exceeding INT_MAX. This is valid, if, over
time, a large number of tasks are migrated off of one CPU after going
into an uninterruptible state. Only the sum of all nr_interruptible
values across all CPUs yields the correct result, as explained in a
comment in kernel/sched/loadavg.c.
Change the type of nr_uninterruptible back to unsigned long to prevent
overflows, and thus the miscalculation of load average.
Fixes: e6fe3f422be1 ("sched: Make multiple runqueue task counters 32-bit")
Signed-off-by: Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20250709173328.606794-1-aruna.ramakrishna@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/loadavg.c | 2 +-
kernel/sched/sched.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/kernel/sched/loadavg.c
+++ b/kernel/sched/loadavg.c
@@ -81,7 +81,7 @@ long calc_load_fold_active(struct rq *th
long nr_active, delta = 0;
nr_active = this_rq->nr_running - adjust;
- nr_active += (int)this_rq->nr_uninterruptible;
+ nr_active += (long)this_rq->nr_uninterruptible;
if (nr_active != this_rq->calc_load_active) {
delta = nr_active - this_rq->calc_load_active;
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -971,7 +971,7 @@ struct rq {
* one CPU and if it got migrated afterwards it may decrease
* it on another CPU. Always updated under the runqueue lock:
*/
- unsigned int nr_uninterruptible;
+ unsigned long nr_uninterruptible;
struct task_struct __rcu *curr;
struct task_struct *idle;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 060/644] clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 059/644] sched: Change nr_uninterruptible type to unsigned long Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 061/644] usb: hub: fix detection of high tier USB3 devices behind suspended hubs Greg Kroah-Hartman
` (589 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner, Orlando, Noah,
Al Viro
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit c28f922c9dcee0e4876a2c095939d77fe7e15116 upstream.
What we want is to verify there is that clone won't expose something
hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo"
may be a result of MNT_LOCKED on a child, but it may also come from
lacking admin rights in the userns of the namespace mount belongs to.
clone_private_mnt() checks the former, but not the latter.
There's a number of rather confusing CAP_SYS_ADMIN checks in various
userns during the mount, especially with the new mount API; they serve
different purposes and in case of clone_private_mnt() they usually,
but not always end up covering the missing check mentioned above.
Reviewed-by: Christian Brauner <brauner@kernel.org>
Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com>
Fixes: 427215d85e8d ("ovl: prevent private clone if bind mount is not allowed")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[ merge conflict resolution: clone_private_mount() was reworked in
db04662e2f4f ("fs: allow detached mounts in clone_private_mount()").
Tweak the relevant ns_capable check so that it works on older kernels ]
Signed-off-by: Noah Orlando <Noah.Orlando@deshaw.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/namespace.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1975,6 +1975,11 @@ struct vfsmount *clone_private_mount(con
if (!check_mnt(old_mnt))
goto invalid;
+ if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)) {
+ up_read(&namespace_sem);
+ return ERR_PTR(-EPERM);
+ }
+
if (has_locked_children(old_mnt, path->dentry))
goto invalid;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 061/644] usb: hub: fix detection of high tier USB3 devices behind suspended hubs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 060/644] clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 062/644] usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm Greg Kroah-Hartman
` (588 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Mathias Nyman
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 8f5b7e2bec1c36578fdaa74a6951833541103e27 upstream.
USB3 devices connected behind several external suspended hubs may not
be detected when plugged in due to aggressive hub runtime pm suspend.
The hub driver immediately runtime-suspends hubs if there are no
active children or port activity.
There is a delay between the wake signal causing hub resume, and driver
visible port activity on the hub downstream facing ports.
Most of the LFPS handshake, resume signaling and link training done
on the downstream ports is not visible to the hub driver until completed,
when device then will appear fully enabled and running on the port.
This delay between wake signal and detectable port change is even more
significant with chained suspended hubs where the wake signal will
propagate upstream first. Suspended hubs will only start resuming
downstream ports after upstream facing port resumes.
The hub driver may resume a USB3 hub, read status of all ports, not
yet see any activity, and runtime suspend back the hub before any
port activity is visible.
This exact case was seen when conncting USB3 devices to a suspended
Thunderbolt dock.
USB3 specification defines a 100ms tU3WakeupRetryDelay, indicating
USB3 devices expect to be resumed within 100ms after signaling wake.
if not then device will resend the wake signal.
Give the USB3 hubs twice this time (200ms) to detect any port
changes after resume, before allowing hub to runtime suspend again.
Cc: stable <stable@kernel.org>
Fixes: 2839f5bcfcfc ("USB: Turn on auto-suspend for USB 3.0 hubs.")
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250611112441.2267883-1-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -53,6 +53,12 @@
#define USB_TP_TRANSMISSION_DELAY_MAX 65535 /* ns */
#define USB_PING_RESPONSE_TIME 400 /* ns */
+/*
+ * Give SS hubs 200ms time after wake to train downstream links before
+ * assuming no port activity and allowing hub to runtime suspend back.
+ */
+#define USB_SS_PORT_U0_WAKE_TIME 200 /* ms */
+
/* Protect struct usb_device->state and ->children members
* Note: Both are also protected by ->dev.sem, except that ->state can
* change to USB_STATE_NOTATTACHED even when the semaphore isn't held. */
@@ -1025,11 +1031,12 @@ int usb_remove_device(struct usb_device
enum hub_activation_type {
HUB_INIT, HUB_INIT2, HUB_INIT3, /* INITs must come first */
- HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME,
+ HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME, HUB_POST_RESUME,
};
static void hub_init_func2(struct work_struct *ws);
static void hub_init_func3(struct work_struct *ws);
+static void hub_post_resume(struct work_struct *ws);
static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
{
@@ -1052,6 +1059,13 @@ static void hub_activate(struct usb_hub
goto init2;
goto init3;
}
+
+ if (type == HUB_POST_RESUME) {
+ usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
+ hub_put(hub);
+ return;
+ }
+
hub_get(hub);
/* The superspeed hub except for root hub has to use Hub Depth
@@ -1300,6 +1314,16 @@ static void hub_activate(struct usb_hub
device_unlock(&hdev->dev);
}
+ if (type == HUB_RESUME && hub_is_superspeed(hub->hdev)) {
+ /* give usb3 downstream links training time after hub resume */
+ INIT_DELAYED_WORK(&hub->init_work, hub_post_resume);
+ queue_delayed_work(system_power_efficient_wq, &hub->init_work,
+ msecs_to_jiffies(USB_SS_PORT_U0_WAKE_TIME));
+ usb_autopm_get_interface_no_resume(
+ to_usb_interface(hub->intfdev));
+ return;
+ }
+
hub_put(hub);
}
@@ -1318,6 +1342,13 @@ static void hub_init_func3(struct work_s
hub_activate(hub, HUB_INIT3);
}
+static void hub_post_resume(struct work_struct *ws)
+{
+ struct usb_hub *hub = container_of(ws, struct usb_hub, init_work.work);
+
+ hub_activate(hub, HUB_POST_RESUME);
+}
+
enum hub_quiescing_type {
HUB_DISCONNECT, HUB_PRE_RESET, HUB_SUSPEND
};
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 062/644] usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 061/644] usb: hub: fix detection of high tier USB3 devices behind suspended hubs Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 063/644] usb: hub: Fix flushing of delayed work used for post resume purposes Greg Kroah-Hartman
` (587 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Konrad Dybcio, Alan Stern,
Mathias Nyman
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit a49e1e2e785fb3621f2d748581881b23a364998a upstream.
Delayed work to prevent USB3 hubs from runtime-suspending immediately
after resume was added in commit 8f5b7e2bec1c ("usb: hub: fix detection
of high tier USB3 devices behind suspended hubs").
This delayed work needs be flushed if system suspends, or hub needs to
be quiesced for other reasons right after resume. Not flushing it
triggered issues on QC SC8280XP CRD board during suspend/resume testing.
Fix it by flushing the delayed resume work in hub_quiesce()
The delayed work item that allow hub runtime suspend is also scheduled
just before calling autopm get. Alan pointed out there is a small risk
that work is run before autopm get, which would call autopm put before
get, and mess up the runtime pm usage order.
Swap the order of work sheduling and calling autopm get to solve this.
Cc: stable <stable@kernel.org>
Fixes: 8f5b7e2bec1c ("usb: hub: fix detection of high tier USB3 devices behind suspended hubs")
Reported-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Closes: https://lore.kernel.org/linux-usb/acaaa928-832c-48ca-b0ea-d202d5cd3d6c@oss.qualcomm.com
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Closes: https://lore.kernel.org/linux-usb/c73fbead-66d7-497a-8fa1-75ea4761090a@rowland.harvard.edu
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250626130102.3639861-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1316,11 +1316,12 @@ static void hub_activate(struct usb_hub
if (type == HUB_RESUME && hub_is_superspeed(hub->hdev)) {
/* give usb3 downstream links training time after hub resume */
+ usb_autopm_get_interface_no_resume(
+ to_usb_interface(hub->intfdev));
+
INIT_DELAYED_WORK(&hub->init_work, hub_post_resume);
queue_delayed_work(system_power_efficient_wq, &hub->init_work,
msecs_to_jiffies(USB_SS_PORT_U0_WAKE_TIME));
- usb_autopm_get_interface_no_resume(
- to_usb_interface(hub->intfdev));
return;
}
@@ -1374,6 +1375,7 @@ static void hub_quiesce(struct usb_hub *
/* Stop hub_wq and related activity */
del_timer_sync(&hub->irq_urb_retry);
+ flush_delayed_work(&hub->init_work);
usb_kill_urb(hub->urb);
if (hub->has_indicators)
cancel_delayed_work_sync(&hub->leds);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 063/644] usb: hub: Fix flushing of delayed work used for post resume purposes
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 062/644] usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 064/644] usb: musb: Add and use inline functions musb_{get,set}_state Greg Kroah-Hartman
` (586 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Mark Brown, Mathias Nyman,
Konrad Dybcio
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit 9bd9c8026341f75f25c53104eb7e656e357ca1a2 upstream.
Delayed work that prevents USB3 hubs from runtime-suspending too early
needed to be flushed in hub_quiesce() to resolve issues detected on
QC SC8280XP CRD board during suspend resume testing.
This flushing did however trigger new issues on Raspberry Pi 3B+, which
doesn't have USB3 ports, and doesn't queue any post resume delayed work.
The flushed 'hub->init_work' item is used for several purposes, and
is originally initialized with a 'NULL' work function. The work function
is also changed on the fly, which may contribute to the issue.
Solve this by creating a dedicated delayed work item for post resume work,
and flush that delayed work in hub_quiesce()
Cc: stable <stable@kernel.org>
Fixes: a49e1e2e785f ("usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm")
Reported-by: Mark Brown <broonie@kernel.org>
Closes: https://lore.kernel.org/linux-usb/aF5rNp1l0LWITnEB@finisterre.sirena.org.uk
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Tested-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> # SC8280XP CRD
Tested-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20250627164348.3982628-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 21 ++++++++-------------
drivers/usb/core/hub.h | 1 +
2 files changed, 9 insertions(+), 13 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1031,12 +1031,11 @@ int usb_remove_device(struct usb_device
enum hub_activation_type {
HUB_INIT, HUB_INIT2, HUB_INIT3, /* INITs must come first */
- HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME, HUB_POST_RESUME,
+ HUB_POST_RESET, HUB_RESUME, HUB_RESET_RESUME,
};
static void hub_init_func2(struct work_struct *ws);
static void hub_init_func3(struct work_struct *ws);
-static void hub_post_resume(struct work_struct *ws);
static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
{
@@ -1060,12 +1059,6 @@ static void hub_activate(struct usb_hub
goto init3;
}
- if (type == HUB_POST_RESUME) {
- usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
- hub_put(hub);
- return;
- }
-
hub_get(hub);
/* The superspeed hub except for root hub has to use Hub Depth
@@ -1319,8 +1312,8 @@ static void hub_activate(struct usb_hub
usb_autopm_get_interface_no_resume(
to_usb_interface(hub->intfdev));
- INIT_DELAYED_WORK(&hub->init_work, hub_post_resume);
- queue_delayed_work(system_power_efficient_wq, &hub->init_work,
+ queue_delayed_work(system_power_efficient_wq,
+ &hub->post_resume_work,
msecs_to_jiffies(USB_SS_PORT_U0_WAKE_TIME));
return;
}
@@ -1345,9 +1338,10 @@ static void hub_init_func3(struct work_s
static void hub_post_resume(struct work_struct *ws)
{
- struct usb_hub *hub = container_of(ws, struct usb_hub, init_work.work);
+ struct usb_hub *hub = container_of(ws, struct usb_hub, post_resume_work.work);
- hub_activate(hub, HUB_POST_RESUME);
+ usb_autopm_put_interface_async(to_usb_interface(hub->intfdev));
+ hub_put(hub);
}
enum hub_quiescing_type {
@@ -1375,7 +1369,7 @@ static void hub_quiesce(struct usb_hub *
/* Stop hub_wq and related activity */
del_timer_sync(&hub->irq_urb_retry);
- flush_delayed_work(&hub->init_work);
+ flush_delayed_work(&hub->post_resume_work);
usb_kill_urb(hub->urb);
if (hub->has_indicators)
cancel_delayed_work_sync(&hub->leds);
@@ -1932,6 +1926,7 @@ static int hub_probe(struct usb_interfac
hub->hdev = hdev;
INIT_DELAYED_WORK(&hub->leds, led_work);
INIT_DELAYED_WORK(&hub->init_work, NULL);
+ INIT_DELAYED_WORK(&hub->post_resume_work, hub_post_resume);
INIT_WORK(&hub->events, hub_event);
spin_lock_init(&hub->irq_urb_lock);
timer_setup(&hub->irq_urb_retry, hub_retry_irq_urb, 0);
--- a/drivers/usb/core/hub.h
+++ b/drivers/usb/core/hub.h
@@ -69,6 +69,7 @@ struct usb_hub {
u8 indicator[USB_MAXCHILDREN];
struct delayed_work leds;
struct delayed_work init_work;
+ struct delayed_work post_resume_work;
struct work_struct events;
spinlock_t irq_urb_lock;
struct timer_list irq_urb_retry;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 064/644] usb: musb: Add and use inline functions musb_{get,set}_state
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 063/644] usb: hub: Fix flushing of delayed work used for post resume purposes Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 065/644] usb: musb: fix gadget state on disconnect Greg Kroah-Hartman
` (585 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paul Cercueil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Cercueil <paul@crapouillou.net>
commit 21acc656a06e912341d9db66c67b58cc7ed071e7 upstream.
Instead of manipulating musb->xceiv->otg->state directly, use the newly
introduced musb_get_state() and musb_set_state() inline functions.
Later, these inline functions will be modified to get rid of the
musb->xceiv dependency, which prevents the musb code from using the
generic PHY subsystem.
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Link: https://lore.kernel.org/r/20221026182657.146630-2-paul@crapouillou.net
Stable-dep-of: 67a59f82196c ("usb: musb: fix gadget state on disconnect")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/musb/musb_core.c | 62 ++++++++++++++++++++--------------------
drivers/usb/musb/musb_core.h | 11 +++++++
drivers/usb/musb/musb_debugfs.c | 6 +--
drivers/usb/musb/musb_gadget.c | 28 +++++++++---------
drivers/usb/musb/musb_host.c | 6 +--
drivers/usb/musb/musb_virthub.c | 18 +++++------
6 files changed, 71 insertions(+), 60 deletions(-)
--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -502,7 +502,7 @@ int musb_set_host(struct musb *musb)
init_data:
musb->is_active = 1;
- musb->xceiv->otg->state = OTG_STATE_A_IDLE;
+ musb_set_state(musb, OTG_STATE_A_IDLE);
MUSB_HST_MODE(musb);
return error;
@@ -549,7 +549,7 @@ int musb_set_peripheral(struct musb *mus
init_data:
musb->is_active = 0;
- musb->xceiv->otg->state = OTG_STATE_B_IDLE;
+ musb_set_state(musb, OTG_STATE_B_IDLE);
MUSB_DEV_MODE(musb);
return error;
@@ -599,12 +599,12 @@ static void musb_otg_timer_func(struct t
unsigned long flags;
spin_lock_irqsave(&musb->lock, flags);
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_B_WAIT_ACON:
musb_dbg(musb,
"HNP: b_wait_acon timeout; back to b_peripheral");
musb_g_disconnect(musb);
- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_B_PERIPHERAL);
musb->is_active = 0;
break;
case OTG_STATE_A_SUSPEND:
@@ -612,7 +612,7 @@ static void musb_otg_timer_func(struct t
musb_dbg(musb, "HNP: %s timeout",
usb_otg_state_string(musb->xceiv->otg->state));
musb_platform_set_vbus(musb, 0);
- musb->xceiv->otg->state = OTG_STATE_A_WAIT_VFALL;
+ musb_set_state(musb, OTG_STATE_A_WAIT_VFALL);
break;
default:
musb_dbg(musb, "HNP: Unhandled mode %s",
@@ -633,7 +633,7 @@ void musb_hnp_stop(struct musb *musb)
musb_dbg(musb, "HNP: stop from %s",
usb_otg_state_string(musb->xceiv->otg->state));
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_PERIPHERAL:
musb_g_disconnect(musb);
musb_dbg(musb, "HNP: back to %s",
@@ -643,7 +643,7 @@ void musb_hnp_stop(struct musb *musb)
musb_dbg(musb, "HNP: Disabling HR");
if (hcd)
hcd->self.is_b_host = 0;
- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_B_PERIPHERAL);
MUSB_DEV_MODE(musb);
reg = musb_readb(mbase, MUSB_POWER);
reg |= MUSB_POWER_SUSPENDM;
@@ -671,7 +671,7 @@ static void musb_handle_intr_resume(stru
usb_otg_state_string(musb->xceiv->otg->state));
if (devctl & MUSB_DEVCTL_HM) {
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_SUSPEND:
/* remote wakeup? */
musb->port1_status |=
@@ -679,14 +679,14 @@ static void musb_handle_intr_resume(stru
| MUSB_PORT_STAT_RESUME;
musb->rh_timer = jiffies
+ msecs_to_jiffies(USB_RESUME_TIMEOUT);
- musb->xceiv->otg->state = OTG_STATE_A_HOST;
+ musb_set_state(musb, OTG_STATE_A_HOST);
musb->is_active = 1;
musb_host_resume_root_hub(musb);
schedule_delayed_work(&musb->finish_resume_work,
msecs_to_jiffies(USB_RESUME_TIMEOUT));
break;
case OTG_STATE_B_WAIT_ACON:
- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_B_PERIPHERAL);
musb->is_active = 1;
MUSB_DEV_MODE(musb);
break;
@@ -696,10 +696,10 @@ static void musb_handle_intr_resume(stru
usb_otg_state_string(musb->xceiv->otg->state));
}
} else {
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_SUSPEND:
/* possibly DISCONNECT is upcoming */
- musb->xceiv->otg->state = OTG_STATE_A_HOST;
+ musb_set_state(musb, OTG_STATE_A_HOST);
musb_host_resume_root_hub(musb);
break;
case OTG_STATE_B_WAIT_ACON:
@@ -750,7 +750,7 @@ static irqreturn_t musb_handle_intr_sess
*/
musb_writeb(mbase, MUSB_DEVCTL, MUSB_DEVCTL_SESSION);
musb->ep0_stage = MUSB_EP0_START;
- musb->xceiv->otg->state = OTG_STATE_A_IDLE;
+ musb_set_state(musb, OTG_STATE_A_IDLE);
MUSB_HST_MODE(musb);
musb_platform_set_vbus(musb, 1);
@@ -777,7 +777,7 @@ static void musb_handle_intr_vbuserr(str
* REVISIT: do delays from lots of DEBUG_KERNEL checks
* make trouble here, keeping VBUS < 4.4V ?
*/
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_HOST:
/* recovery is dicey once we've gotten past the
* initial stages of enumeration, but if VBUS
@@ -833,7 +833,7 @@ static void musb_handle_intr_suspend(str
musb_dbg(musb, "SUSPEND (%s) devctl %02x",
usb_otg_state_string(musb->xceiv->otg->state), devctl);
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_PERIPHERAL:
/* We also come here if the cable is removed, since
* this silicon doesn't report ID-no-longer-grounded.
@@ -858,7 +858,7 @@ static void musb_handle_intr_suspend(str
musb_g_suspend(musb);
musb->is_active = musb->g.b_hnp_enable;
if (musb->is_active) {
- musb->xceiv->otg->state = OTG_STATE_B_WAIT_ACON;
+ musb_set_state(musb, OTG_STATE_B_WAIT_ACON);
musb_dbg(musb, "HNP: Setting timer for b_ase0_brst");
mod_timer(&musb->otg_timer, jiffies
+ msecs_to_jiffies(
@@ -871,7 +871,7 @@ static void musb_handle_intr_suspend(str
+ msecs_to_jiffies(musb->a_wait_bcon));
break;
case OTG_STATE_A_HOST:
- musb->xceiv->otg->state = OTG_STATE_A_SUSPEND;
+ musb_set_state(musb, OTG_STATE_A_SUSPEND);
musb->is_active = musb->hcd->self.b_hnp_enable;
break;
case OTG_STATE_B_HOST:
@@ -909,7 +909,7 @@ static void musb_handle_intr_connect(str
musb->port1_status |= USB_PORT_STAT_LOW_SPEED;
/* indicate new connection to OTG machine */
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_B_PERIPHERAL:
if (int_usb & MUSB_INTR_SUSPEND) {
musb_dbg(musb, "HNP: SUSPEND+CONNECT, now b_host");
@@ -921,7 +921,7 @@ static void musb_handle_intr_connect(str
case OTG_STATE_B_WAIT_ACON:
musb_dbg(musb, "HNP: CONNECT, now b_host");
b_host:
- musb->xceiv->otg->state = OTG_STATE_B_HOST;
+ musb_set_state(musb, OTG_STATE_B_HOST);
if (musb->hcd)
musb->hcd->self.is_b_host = 1;
del_timer(&musb->otg_timer);
@@ -929,7 +929,7 @@ b_host:
default:
if ((devctl & MUSB_DEVCTL_VBUS)
== (3 << MUSB_DEVCTL_VBUS_SHIFT)) {
- musb->xceiv->otg->state = OTG_STATE_A_HOST;
+ musb_set_state(musb, OTG_STATE_A_HOST);
if (hcd)
hcd->self.is_b_host = 0;
}
@@ -948,7 +948,7 @@ static void musb_handle_intr_disconnect(
usb_otg_state_string(musb->xceiv->otg->state),
MUSB_MODE(musb), devctl);
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_HOST:
case OTG_STATE_A_SUSPEND:
musb_host_resume_root_hub(musb);
@@ -966,7 +966,7 @@ static void musb_handle_intr_disconnect(
musb_root_disconnect(musb);
if (musb->hcd)
musb->hcd->self.is_b_host = 0;
- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_B_PERIPHERAL);
MUSB_DEV_MODE(musb);
musb_g_disconnect(musb);
break;
@@ -1006,7 +1006,7 @@ static void musb_handle_intr_reset(struc
} else {
musb_dbg(musb, "BUS RESET as %s",
usb_otg_state_string(musb->xceiv->otg->state));
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_SUSPEND:
musb_g_reset(musb);
fallthrough;
@@ -1025,11 +1025,11 @@ static void musb_handle_intr_reset(struc
case OTG_STATE_B_WAIT_ACON:
musb_dbg(musb, "HNP: RESET (%s), to b_peripheral",
usb_otg_state_string(musb->xceiv->otg->state));
- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_B_PERIPHERAL);
musb_g_reset(musb);
break;
case OTG_STATE_B_IDLE:
- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_B_PERIPHERAL);
fallthrough;
case OTG_STATE_B_PERIPHERAL:
musb_g_reset(musb);
@@ -1216,8 +1216,8 @@ void musb_start(struct musb *musb)
* (c) peripheral initiates, using SRP
*/
if (musb->port_mode != MUSB_HOST &&
- musb->xceiv->otg->state != OTG_STATE_A_WAIT_BCON &&
- (devctl & MUSB_DEVCTL_VBUS) == MUSB_DEVCTL_VBUS) {
+ musb_get_state(musb) != OTG_STATE_A_WAIT_BCON &&
+ (devctl & MUSB_DEVCTL_VBUS) == MUSB_DEVCTL_VBUS) {
musb->is_active = 1;
} else {
devctl |= MUSB_DEVCTL_SESSION;
@@ -1908,7 +1908,7 @@ vbus_store(struct device *dev, struct de
spin_lock_irqsave(&musb->lock, flags);
/* force T(a_wait_bcon) to be zero/unlimited *OR* valid */
musb->a_wait_bcon = val ? max_t(int, val, OTG_TIME_A_WAIT_BCON) : 0 ;
- if (musb->xceiv->otg->state == OTG_STATE_A_WAIT_BCON)
+ if (musb_get_state(musb) == OTG_STATE_A_WAIT_BCON)
musb->is_active = 0;
musb_platform_try_idle(musb, jiffies + msecs_to_jiffies(val));
spin_unlock_irqrestore(&musb->lock, flags);
@@ -2089,8 +2089,8 @@ static void musb_irq_work(struct work_st
musb_pm_runtime_check_session(musb);
- if (musb->xceiv->otg->state != musb->xceiv_old_state) {
- musb->xceiv_old_state = musb->xceiv->otg->state;
+ if (musb_get_state(musb) != musb->xceiv_old_state) {
+ musb->xceiv_old_state = musb_get_state(musb);
sysfs_notify(&musb->controller->kobj, NULL, "mode");
}
@@ -2532,7 +2532,7 @@ musb_init_controller(struct device *dev,
}
MUSB_DEV_MODE(musb);
- musb->xceiv->otg->state = OTG_STATE_B_IDLE;
+ musb_set_state(musb, OTG_STATE_B_IDLE);
switch (musb->port_mode) {
case MUSB_HOST:
--- a/drivers/usb/musb/musb_core.h
+++ b/drivers/usb/musb/musb_core.h
@@ -592,6 +592,17 @@ static inline void musb_platform_clear_e
musb->ops->clear_ep_rxintr(musb, epnum);
}
+static inline void musb_set_state(struct musb *musb,
+ enum usb_otg_state otg_state)
+{
+ musb->xceiv->otg->state = otg_state;
+}
+
+static inline enum usb_otg_state musb_get_state(struct musb *musb)
+{
+ return musb->xceiv->otg->state;
+}
+
/*
* gets the "dr_mode" property from DT and converts it into musb_mode
* if the property is not found or not recognized returns MUSB_OTG
--- a/drivers/usb/musb/musb_debugfs.c
+++ b/drivers/usb/musb/musb_debugfs.c
@@ -235,7 +235,7 @@ static int musb_softconnect_show(struct
u8 reg;
int connect;
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_HOST:
case OTG_STATE_A_WAIT_BCON:
pm_runtime_get_sync(musb->controller);
@@ -275,7 +275,7 @@ static ssize_t musb_softconnect_write(st
pm_runtime_get_sync(musb->controller);
if (!strncmp(buf, "0", 1)) {
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_HOST:
musb_root_disconnect(musb);
reg = musb_readb(musb->mregs, MUSB_DEVCTL);
@@ -286,7 +286,7 @@ static ssize_t musb_softconnect_write(st
break;
}
} else if (!strncmp(buf, "1", 1)) {
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_WAIT_BCON:
/*
* musb_save_context() called in musb_runtime_suspend()
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -1523,7 +1523,7 @@ static int musb_gadget_wakeup(struct usb
spin_lock_irqsave(&musb->lock, flags);
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_B_PERIPHERAL:
/* NOTE: OTG state machine doesn't include B_SUSPENDED;
* that's part of the standard usb 1.1 state machine, and
@@ -1785,7 +1785,7 @@ int musb_gadget_setup(struct musb *musb)
musb->g.speed = USB_SPEED_UNKNOWN;
MUSB_DEV_MODE(musb);
- musb->xceiv->otg->state = OTG_STATE_B_IDLE;
+ musb_set_state(musb, OTG_STATE_B_IDLE);
/* this "gadget" abstracts/virtualizes the controller */
musb->g.name = musb_driver_name;
@@ -1850,7 +1850,7 @@ static int musb_gadget_start(struct usb_
musb->is_active = 1;
otg_set_peripheral(otg, &musb->g);
- musb->xceiv->otg->state = OTG_STATE_B_IDLE;
+ musb_set_state(musb, OTG_STATE_B_IDLE);
spin_unlock_irqrestore(&musb->lock, flags);
musb_start(musb);
@@ -1895,7 +1895,7 @@ static int musb_gadget_stop(struct usb_g
(void) musb_gadget_vbus_draw(&musb->g, 0);
- musb->xceiv->otg->state = OTG_STATE_UNDEFINED;
+ musb_set_state(musb, OTG_STATE_UNDEFINED);
musb_stop(musb);
otg_set_peripheral(musb->xceiv->otg, NULL);
@@ -1926,7 +1926,7 @@ static int musb_gadget_stop(struct usb_g
void musb_g_resume(struct musb *musb)
{
musb->is_suspended = 0;
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_B_IDLE:
break;
case OTG_STATE_B_WAIT_ACON:
@@ -1952,10 +1952,10 @@ void musb_g_suspend(struct musb *musb)
devctl = musb_readb(musb->mregs, MUSB_DEVCTL);
musb_dbg(musb, "musb_g_suspend: devctl %02x", devctl);
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_B_IDLE:
if ((devctl & MUSB_DEVCTL_VBUS) == MUSB_DEVCTL_VBUS)
- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_B_PERIPHERAL);
break;
case OTG_STATE_B_PERIPHERAL:
musb->is_suspended = 1;
@@ -2001,22 +2001,22 @@ void musb_g_disconnect(struct musb *musb
spin_lock(&musb->lock);
}
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
default:
musb_dbg(musb, "Unhandled disconnect %s, setting a_idle",
usb_otg_state_string(musb->xceiv->otg->state));
- musb->xceiv->otg->state = OTG_STATE_A_IDLE;
+ musb_set_state(musb, OTG_STATE_A_IDLE);
MUSB_HST_MODE(musb);
break;
case OTG_STATE_A_PERIPHERAL:
- musb->xceiv->otg->state = OTG_STATE_A_WAIT_BCON;
+ musb_set_state(musb, OTG_STATE_A_WAIT_BCON);
MUSB_HST_MODE(musb);
break;
case OTG_STATE_B_WAIT_ACON:
case OTG_STATE_B_HOST:
case OTG_STATE_B_PERIPHERAL:
case OTG_STATE_B_IDLE:
- musb->xceiv->otg->state = OTG_STATE_B_IDLE;
+ musb_set_state(musb, OTG_STATE_B_IDLE);
break;
case OTG_STATE_B_SRP_INIT:
break;
@@ -2080,13 +2080,13 @@ __acquires(musb->lock)
* In that case, do not rely on devctl for setting
* peripheral mode.
*/
- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_B_PERIPHERAL);
musb->g.is_a_peripheral = 0;
} else if (devctl & MUSB_DEVCTL_BDEVICE) {
- musb->xceiv->otg->state = OTG_STATE_B_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_B_PERIPHERAL);
musb->g.is_a_peripheral = 0;
} else {
- musb->xceiv->otg->state = OTG_STATE_A_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_A_PERIPHERAL);
musb->g.is_a_peripheral = 1;
}
--- a/drivers/usb/musb/musb_host.c
+++ b/drivers/usb/musb/musb_host.c
@@ -2508,7 +2508,7 @@ static int musb_bus_suspend(struct usb_h
if (!is_host_active(musb))
return 0;
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_SUSPEND:
return 0;
case OTG_STATE_A_WAIT_VRISE:
@@ -2518,7 +2518,7 @@ static int musb_bus_suspend(struct usb_h
*/
devctl = musb_readb(musb->mregs, MUSB_DEVCTL);
if ((devctl & MUSB_DEVCTL_VBUS) == MUSB_DEVCTL_VBUS)
- musb->xceiv->otg->state = OTG_STATE_A_WAIT_BCON;
+ musb_set_state(musb, OTG_STATE_A_WAIT_BCON);
break;
default:
break;
@@ -2727,7 +2727,7 @@ int musb_host_setup(struct musb *musb, i
if (musb->port_mode == MUSB_HOST) {
MUSB_HST_MODE(musb);
- musb->xceiv->otg->state = OTG_STATE_A_IDLE;
+ musb_set_state(musb, OTG_STATE_A_IDLE);
}
otg_set_host(musb->xceiv->otg, &hcd->self);
/* don't support otg protocols */
--- a/drivers/usb/musb/musb_virthub.c
+++ b/drivers/usb/musb/musb_virthub.c
@@ -43,7 +43,7 @@ void musb_host_finish_resume(struct work
musb->port1_status |= USB_PORT_STAT_C_SUSPEND << 16;
usb_hcd_poll_rh_status(musb->hcd);
/* NOTE: it might really be A_WAIT_BCON ... */
- musb->xceiv->otg->state = OTG_STATE_A_HOST;
+ musb_set_state(musb, OTG_STATE_A_HOST);
spin_unlock_irqrestore(&musb->lock, flags);
}
@@ -85,9 +85,9 @@ int musb_port_suspend(struct musb *musb,
musb_dbg(musb, "Root port suspended, power %02x", power);
musb->port1_status |= USB_PORT_STAT_SUSPEND;
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_HOST:
- musb->xceiv->otg->state = OTG_STATE_A_SUSPEND;
+ musb_set_state(musb, OTG_STATE_A_SUSPEND);
musb->is_active = otg->host->b_hnp_enable;
if (musb->is_active)
mod_timer(&musb->otg_timer, jiffies
@@ -96,7 +96,7 @@ int musb_port_suspend(struct musb *musb,
musb_platform_try_idle(musb, 0);
break;
case OTG_STATE_B_HOST:
- musb->xceiv->otg->state = OTG_STATE_B_WAIT_ACON;
+ musb_set_state(musb, OTG_STATE_B_WAIT_ACON);
musb->is_active = otg->host->b_hnp_enable;
musb_platform_try_idle(musb, 0);
break;
@@ -123,7 +123,7 @@ void musb_port_reset(struct musb *musb,
u8 power;
void __iomem *mbase = musb->mregs;
- if (musb->xceiv->otg->state == OTG_STATE_B_IDLE) {
+ if (musb_get_state(musb) == OTG_STATE_B_IDLE) {
musb_dbg(musb, "HNP: Returning from HNP; no hub reset from b_idle");
musb->port1_status &= ~USB_PORT_STAT_RESET;
return;
@@ -204,20 +204,20 @@ void musb_root_disconnect(struct musb *m
usb_hcd_poll_rh_status(musb->hcd);
musb->is_active = 0;
- switch (musb->xceiv->otg->state) {
+ switch (musb_get_state(musb)) {
case OTG_STATE_A_SUSPEND:
if (otg->host->b_hnp_enable) {
- musb->xceiv->otg->state = OTG_STATE_A_PERIPHERAL;
+ musb_set_state(musb, OTG_STATE_A_PERIPHERAL);
musb->g.is_a_peripheral = 1;
break;
}
fallthrough;
case OTG_STATE_A_HOST:
- musb->xceiv->otg->state = OTG_STATE_A_WAIT_BCON;
+ musb_set_state(musb, OTG_STATE_A_WAIT_BCON);
musb->is_active = 0;
break;
case OTG_STATE_A_WAIT_VFALL:
- musb->xceiv->otg->state = OTG_STATE_B_IDLE;
+ musb_set_state(musb, OTG_STATE_B_IDLE);
break;
default:
musb_dbg(musb, "host disconnect (%s)",
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 065/644] usb: musb: fix gadget state on disconnect
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 064/644] usb: musb: Add and use inline functions musb_{get,set}_state Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 066/644] usb: dwc3: qcom: Dont leave BCR asserted Greg Kroah-Hartman
` (584 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yehowshua Immanuel, Drew Hamilton,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Drew Hamilton <drew.hamilton@zetier.com>
commit 67a59f82196c8c4f50c83329f0577acfb1349b50 upstream.
When unplugging the USB cable or disconnecting a gadget in usb peripheral mode with
echo "" > /sys/kernel/config/usb_gadget/<your_gadget>/UDC,
/sys/class/udc/musb-hdrc.0/state does not change from USB_STATE_CONFIGURED.
Testing on dwc2/3 shows they both update the state to USB_STATE_NOTATTACHED.
Add calls to usb_gadget_set_state in musb_g_disconnect and musb_gadget_stop
to fix both cases.
Fixes: 49401f4169c0 ("usb: gadget: introduce gadget state tracking")
Cc: stable@vger.kernel.org
Co-authored-by: Yehowshua Immanuel <yehowshua.immanuel@twosixtech.com>
Signed-off-by: Yehowshua Immanuel <yehowshua.immanuel@twosixtech.com>
Signed-off-by: Drew Hamilton <drew.hamilton@zetier.com>
Link: https://lore.kernel.org/r/20250701154126.8543-1-drew.hamilton@zetier.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/musb/musb_gadget.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -1909,6 +1909,7 @@ static int musb_gadget_stop(struct usb_g
* gadget driver here and have everything work;
* that currently misbehaves.
*/
+ usb_gadget_set_state(g, USB_STATE_NOTATTACHED);
/* Force check of devctl register for PM runtime */
schedule_delayed_work(&musb->irq_work, 0);
@@ -2017,6 +2018,7 @@ void musb_g_disconnect(struct musb *musb
case OTG_STATE_B_PERIPHERAL:
case OTG_STATE_B_IDLE:
musb_set_state(musb, OTG_STATE_B_IDLE);
+ usb_gadget_set_state(&musb->g, USB_STATE_NOTATTACHED);
break;
case OTG_STATE_B_SRP_INIT:
break;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 066/644] usb: dwc3: qcom: Dont leave BCR asserted
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 065/644] usb: musb: fix gadget state on disconnect Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 067/644] ASoC: fsl_sai: Force a software reset when starting in consumer mode Greg Kroah-Hartman
` (583 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Thinh Nguyen, Konrad Dybcio,
Krishna Kurapati, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Kurapati <krishna.kurapati@oss.qualcomm.com>
commit ef8abc0ba49ce717e6bc4124e88e59982671f3b5 upstream.
Leaving the USB BCR asserted prevents the associated GDSC to turn on. This
blocks any subsequent attempts of probing the device, e.g. after a probe
deferral, with the following showing in the log:
[ 1.332226] usb30_prim_gdsc status stuck at 'off'
Leave the BCR deasserted when exiting the driver to avoid this issue.
Cc: stable <stable@kernel.org>
Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver")
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Krishna Kurapati <krishna.kurapati@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250709132900.3408752-1-krishna.kurapati@oss.qualcomm.com
[ adapted to individual clock management API instead of bulk clock operations ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-qcom.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/drivers/usb/dwc3/dwc3-qcom.c
+++ b/drivers/usb/dwc3/dwc3-qcom.c
@@ -791,13 +791,13 @@ static int dwc3_qcom_probe(struct platfo
ret = reset_control_deassert(qcom->resets);
if (ret) {
dev_err(&pdev->dev, "failed to deassert resets, err=%d\n", ret);
- goto reset_assert;
+ return ret;
}
ret = dwc3_qcom_clk_init(qcom, of_clk_get_parent_count(np));
if (ret) {
dev_err(dev, "failed to get clocks\n");
- goto reset_assert;
+ return ret;
}
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
@@ -898,8 +898,6 @@ clk_disable:
clk_disable_unprepare(qcom->clks[i]);
clk_put(qcom->clks[i]);
}
-reset_assert:
- reset_control_assert(qcom->resets);
return ret;
}
@@ -929,7 +927,6 @@ static int dwc3_qcom_remove(struct platf
qcom->num_clocks = 0;
dwc3_qcom_interconnect_exit(qcom);
- reset_control_assert(qcom->resets);
pm_runtime_allow(dev);
pm_runtime_disable(dev);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 067/644] ASoC: fsl_sai: Force a software reset when starting in consumer mode
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 066/644] usb: dwc3: qcom: Dont leave BCR asserted Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 068/644] mm/vmalloc: leave lazy MMU mode on PTE mapping error Greg Kroah-Hartman
` (582 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arun Raghavan, Pieterjan Camerlynck,
Fabio Estevam, Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arun Raghavan <arun@asymptotic.io>
commit dc78f7e59169d3f0e6c3c95d23dc8e55e95741e2 upstream.
On an imx8mm platform with an external clock provider, when running the
receiver (arecord) and triggering an xrun with xrun_injection, we see a
channel swap/offset. This happens sometimes when running only the
receiver, but occurs reliably if a transmitter (aplay) is also
concurrently running.
It seems that the SAI loses track of frame sync during the trigger stop
-> trigger start cycle that occurs during an xrun. Doing just a FIFO
reset in this case does not suffice, and only a software reset seems to
get it back on track.
This looks like the same h/w bug that is already handled for the
producer case, so we now do the reset unconditionally on config disable.
Signed-off-by: Arun Raghavan <arun@asymptotic.io>
Reported-by: Pieterjan Camerlynck <p.camerlynck@televic.com>
Fixes: 3e3f8bd56955 ("ASoC: fsl_sai: fix no frame clk in master mode")
Cc: stable@vger.kernel.org
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Link: https://patch.msgid.link/20250626130858.163825-1-arun@arunraghavan.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/fsl/fsl_sai.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/sound/soc/fsl/fsl_sai.c
+++ b/sound/soc/fsl/fsl_sai.c
@@ -580,13 +580,15 @@ static void fsl_sai_config_disable(struc
* anymore. Add software reset to fix this issue.
* This is a hardware bug, and will be fix in the
* next sai version.
+ *
+ * In consumer mode, this can happen even after a
+ * single open/close, especially if both tx and rx
+ * are running concurrently.
*/
- if (!sai->is_consumer_mode) {
- /* Software Reset */
- regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR);
- /* Clear SR bit to finish the reset */
- regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0);
- }
+ /* Software Reset */
+ regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR);
+ /* Clear SR bit to finish the reset */
+ regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0);
}
static int fsl_sai_trigger(struct snd_pcm_substream *substream, int cmd,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 068/644] mm/vmalloc: leave lazy MMU mode on PTE mapping error
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 067/644] ASoC: fsl_sai: Force a software reset when starting in consumer mode Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 069/644] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed Greg Kroah-Hartman
` (581 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Gordeev, kernel test robot,
Dan Carpenter, Ryan Roberts, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Gordeev <agordeev@linux.ibm.com>
commit fea18c686320a53fce7ad62a87a3e1d10ad02f31 upstream.
vmap_pages_pte_range() enters the lazy MMU mode, but fails to leave it in
case an error is encountered.
Link: https://lkml.kernel.org/r/20250623075721.2817094-1-agordeev@linux.ibm.com
Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified")
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202506132017.T1l1l6ME-lkp@intel.com/
Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/vmalloc.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -460,6 +460,7 @@ static int vmap_pages_pte_range(pmd_t *p
unsigned long end, pgprot_t prot, struct page **pages, int *nr,
pgtbl_mod_mask *mask)
{
+ int err = 0;
pte_t *pte;
/*
@@ -473,15 +474,21 @@ static int vmap_pages_pte_range(pmd_t *p
do {
struct page *page = pages[*nr];
- if (WARN_ON(!pte_none(*pte)))
- return -EBUSY;
- if (WARN_ON(!page))
- return -ENOMEM;
+ if (WARN_ON(!pte_none(*pte))) {
+ err = -EBUSY;
+ break;
+ }
+ if (WARN_ON(!page)) {
+ err = -ENOMEM;
+ break;
+ }
+
set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
(*nr)++;
} while (pte++, addr += PAGE_SIZE, addr != end);
*mask |= PGTBL_PTE_MODIFIED;
- return 0;
+
+ return err;
}
static int vmap_pages_pmd_range(pud_t *pud, unsigned long addr,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 069/644] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 068/644] mm/vmalloc: leave lazy MMU mode on PTE mapping error Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 070/644] platform/x86: think-lmi: Fix kobject cleanup Greg Kroah-Hartman
` (580 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada, Zhang Rui,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Rui <rui.zhang@intel.com>
commit 964209202ebe1569c858337441e87ef0f9d71416 upstream.
PL1 cannot be disabled on some platforms. The ENABLE bit is still set
after software clears it. This behavior leads to a scenario where, upon
user request to disable the Power Limit through the powercap sysfs, the
ENABLE bit remains set while the CLAMPING bit is inadvertently cleared.
According to the Intel Software Developer's Manual, the CLAMPING bit,
"When set, allows the processor to go below the OS requested P states in
order to maintain the power below specified Platform Power Limit value."
Thus this means the system may operate at higher power levels than
intended on such platforms.
Enhance the code to check ENABLE bit after writing to it, and stop
further processing if ENABLE bit cannot be changed.
Reported-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Fixes: 2d281d8196e3 ("PowerCap: Introduce Intel RAPL power capping driver")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Link: https://patch.msgid.link/20250619071340.384782-1-rui.zhang@intel.com
[ rjw: Use str_enabled_disabled() instead of open-coded equivalent ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ replaced rapl_write_pl_data() and rapl_read_pl_data() with rapl_write_data_raw() and rapl_read_data_raw() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/powercap/intel_rapl_common.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
--- a/drivers/powercap/intel_rapl_common.c
+++ b/drivers/powercap/intel_rapl_common.c
@@ -212,12 +212,33 @@ static int find_nr_power_limit(struct ra
static int set_domain_enable(struct powercap_zone *power_zone, bool mode)
{
struct rapl_domain *rd = power_zone_to_rapl_domain(power_zone);
+ u64 val;
+ int ret;
if (rd->state & DOMAIN_STATE_BIOS_LOCKED)
return -EACCES;
cpus_read_lock();
- rapl_write_data_raw(rd, PL1_ENABLE, mode);
+ ret = rapl_write_data_raw(rd, PL1_ENABLE, mode);
+ if (ret) {
+ cpus_read_unlock();
+ return ret;
+ }
+
+ /* Check if the ENABLE bit was actually changed */
+ ret = rapl_read_data_raw(rd, PL1_ENABLE, true, &val);
+ if (ret) {
+ cpus_read_unlock();
+ return ret;
+ }
+
+ if (mode != val) {
+ pr_debug("%s cannot be %s\n", power_zone->name,
+ mode ? "enabled" : "disabled");
+ cpus_read_unlock();
+ return 0;
+ }
+
if (rapl_defaults->set_floor_freq)
rapl_defaults->set_floor_freq(rd, mode);
cpus_read_unlock();
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 070/644] platform/x86: think-lmi: Fix kobject cleanup
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 069/644] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 071/644] bpf, sockmap: Fix panic when calling skb_linearize Greg Kroah-Hartman
` (579 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Pearson, Ilpo Järvinen,
Kurt Borja, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kurt Borja <kuurtb@gmail.com>
commit 9110056fe10b0519529bdbbac37311a5037ea0c2 upstream.
In tlmi_analyze(), allocated structs with an embedded kobject are freed
in error paths after the they were already initialized.
Fix this by first by avoiding the initialization of kobjects in
tlmi_analyze() and then by correctly cleaning them up in
tlmi_release_attr() using their kset's kobject list.
Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms")
Fixes: 30e78435d3bf ("platform/x86: think-lmi: Split kobject_init() and kobject_add() calls")
Cc: stable@vger.kernel.org
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Kurt Borja <kuurtb@gmail.com>
Link: https://lore.kernel.org/r/20250630-lmi-fix-v3-2-ce4f81c9c481@gmail.com
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Adapted kobject cleanup to only pwd_admin and pwd_power password types present in 5.15. ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/think-lmi.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
--- a/drivers/platform/x86/think-lmi.c
+++ b/drivers/platform/x86/think-lmi.c
@@ -765,25 +765,31 @@ static struct kobj_attribute debug_cmd =
/* ---- Initialisation --------------------------------------------------------- */
static void tlmi_release_attr(void)
{
+ struct kobject *pos, *n;
int i;
/* Attribute structures */
for (i = 0; i < TLMI_SETTINGS_COUNT; i++) {
if (tlmi_priv.setting[i]) {
sysfs_remove_group(&tlmi_priv.setting[i]->kobj, &tlmi_attr_group);
- kobject_put(&tlmi_priv.setting[i]->kobj);
}
}
sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &pending_reboot.attr);
if (tlmi_priv.can_debug_cmd && debug_support)
sysfs_remove_file(&tlmi_priv.attribute_kset->kobj, &debug_cmd.attr);
+
+ list_for_each_entry_safe(pos, n, &tlmi_priv.attribute_kset->list, entry)
+ kobject_put(pos);
+
kset_unregister(tlmi_priv.attribute_kset);
/* Authentication structures */
sysfs_remove_group(&tlmi_priv.pwd_admin->kobj, &auth_attr_group);
- kobject_put(&tlmi_priv.pwd_admin->kobj);
sysfs_remove_group(&tlmi_priv.pwd_power->kobj, &auth_attr_group);
- kobject_put(&tlmi_priv.pwd_power->kobj);
+
+ list_for_each_entry_safe(pos, n, &tlmi_priv.authentication_kset->list, entry)
+ kobject_put(pos);
+
kset_unregister(tlmi_priv.authentication_kset);
}
@@ -851,8 +857,8 @@ static int tlmi_sysfs_init(void)
/* Build attribute */
tlmi_priv.setting[i]->kobj.kset = tlmi_priv.attribute_kset;
- ret = kobject_add(&tlmi_priv.setting[i]->kobj, NULL,
- "%s", tlmi_priv.setting[i]->display_name);
+ ret = kobject_init_and_add(&tlmi_priv.setting[i]->kobj, &tlmi_attr_setting_ktype,
+ NULL, "%s", tlmi_priv.setting[i]->display_name);
if (ret)
goto fail_create_attr;
@@ -872,7 +878,8 @@ static int tlmi_sysfs_init(void)
}
/* Create authentication entries */
tlmi_priv.pwd_admin->kobj.kset = tlmi_priv.authentication_kset;
- ret = kobject_add(&tlmi_priv.pwd_admin->kobj, NULL, "%s", "Admin");
+ ret = kobject_init_and_add(&tlmi_priv.pwd_admin->kobj, &tlmi_pwd_setting_ktype,
+ NULL, "%s", "Admin");
if (ret)
goto fail_create_attr;
@@ -881,7 +888,8 @@ static int tlmi_sysfs_init(void)
goto fail_create_attr;
tlmi_priv.pwd_power->kobj.kset = tlmi_priv.authentication_kset;
- ret = kobject_add(&tlmi_priv.pwd_power->kobj, NULL, "%s", "System");
+ ret = kobject_init_and_add(&tlmi_priv.pwd_power->kobj, &tlmi_pwd_setting_ktype,
+ NULL, "%s", "Power-on");
if (ret)
goto fail_create_attr;
@@ -995,7 +1003,6 @@ static int tlmi_analyze(void)
if (setting->possible_values)
strreplace(setting->possible_values, ',', ';');
- kobject_init(&setting->kobj, &tlmi_attr_setting_ktype);
tlmi_priv.setting[i] = setting;
kfree(item);
}
@@ -1021,8 +1028,6 @@ static int tlmi_analyze(void)
if (pwdcfg.password_state & TLMI_PAP_PWD)
tlmi_priv.pwd_admin->valid = true;
- kobject_init(&tlmi_priv.pwd_admin->kobj, &tlmi_pwd_setting_ktype);
-
tlmi_priv.pwd_power = kzalloc(sizeof(struct tlmi_pwd_setting), GFP_KERNEL);
if (!tlmi_priv.pwd_power) {
ret = -ENOMEM;
@@ -1038,8 +1043,6 @@ static int tlmi_analyze(void)
if (pwdcfg.password_state & TLMI_POP_PWD)
tlmi_priv.pwd_power->valid = true;
- kobject_init(&tlmi_priv.pwd_power->kobj, &tlmi_pwd_setting_ktype);
-
return 0;
fail_free_pwd_admin:
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 071/644] bpf, sockmap: Fix panic when calling skb_linearize
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 070/644] platform/x86: think-lmi: Fix kobject cleanup Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 072/644] x86: Fix get_wchan() to support the ORC unwinder Greg Kroah-Hartman
` (578 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Alexei Starovoitov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
commit 5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e upstream.
The panic can be reproduced by executing the command:
./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000
Then a kernel panic was captured:
'''
[ 657.460555] kernel BUG at net/core/skbuff.c:2178!
[ 657.462680] Tainted: [W]=WARN
[ 657.463287] Workqueue: events sk_psock_backlog
...
[ 657.469610] <TASK>
[ 657.469738] ? die+0x36/0x90
[ 657.469916] ? do_trap+0x1d0/0x270
[ 657.470118] ? pskb_expand_head+0x612/0xf40
[ 657.470376] ? pskb_expand_head+0x612/0xf40
[ 657.470620] ? do_error_trap+0xa3/0x170
[ 657.470846] ? pskb_expand_head+0x612/0xf40
[ 657.471092] ? handle_invalid_op+0x2c/0x40
[ 657.471335] ? pskb_expand_head+0x612/0xf40
[ 657.471579] ? exc_invalid_op+0x2d/0x40
[ 657.471805] ? asm_exc_invalid_op+0x1a/0x20
[ 657.472052] ? pskb_expand_head+0xd1/0xf40
[ 657.472292] ? pskb_expand_head+0x612/0xf40
[ 657.472540] ? lock_acquire+0x18f/0x4e0
[ 657.472766] ? find_held_lock+0x2d/0x110
[ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10
[ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470
[ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10
[ 657.473826] __pskb_pull_tail+0xfd/0x1d20
[ 657.474062] ? __kasan_slab_alloc+0x4e/0x90
[ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510
[ 657.475392] ? __kasan_kmalloc+0xaa/0xb0
[ 657.476010] sk_psock_backlog+0x5cf/0xd70
[ 657.476637] process_one_work+0x858/0x1a20
'''
The panic originates from the assertion BUG_ON(skb_shared(skb)) in
skb_linearize(). A previous commit(see Fixes tag) introduced skb_get()
to avoid race conditions between skb operations in the backlog and skb
release in the recvmsg path. However, this caused the panic to always
occur when skb_linearize is executed.
The "--rx-strp 100000" parameter forces the RX path to use the strparser
module which aggregates data until it reaches 100KB before calling sockmap
logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.
To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.
'''
sk_psock_backlog:
sk_psock_handle_skb
skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'
sk_psock_skb_ingress____________
↓
|
| → sk_psock_skb_ingress_self
| sk_psock_skb_ingress_enqueue
sk_psock_verdict_apply_________________↑ skb_linearize
'''
Note that for verdict_apply path, the skb_get operation is unnecessary so
we add 'take_ref' param to control it's behavior.
Fixes: a454d84ee20b ("bpf, sockmap: Fix skb refcnt race after locking changes")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://lore.kernel.org/r/20250407142234.47591-4-jiayuan.chen@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[ adapted skb_linearize() fix to 5.15's sk_psock_skb_ingress_enqueue implementation without the s_data parameter ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/skmsg.c | 50 +++++++++++++++++++++++++++-----------------------
1 file changed, 27 insertions(+), 23 deletions(-)
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -525,26 +525,35 @@ static int sk_psock_skb_ingress_enqueue(
u32 off, u32 len,
struct sk_psock *psock,
struct sock *sk,
- struct sk_msg *msg)
+ struct sk_msg *msg,
+ bool take_ref)
{
int num_sge, copied;
- /* skb linearize may fail with ENOMEM, but lets simply try again
- * later if this happens. Under memory pressure we don't want to
- * drop the skb. We need to linearize the skb so that the mapping
- * in skb_to_sgvec can not error.
+ /* skb_to_sgvec will fail when the total number of fragments in
+ * frag_list and frags exceeds MAX_MSG_FRAGS. For example, the
+ * caller may aggregate multiple skbs.
*/
- if (skb_linearize(skb))
- return -EAGAIN;
num_sge = skb_to_sgvec(skb, msg->sg.data, off, len);
- if (unlikely(num_sge < 0))
- return num_sge;
+ if (num_sge < 0) {
+ /* skb linearize may fail with ENOMEM, but lets simply try again
+ * later if this happens. Under memory pressure we don't want to
+ * drop the skb. We need to linearize the skb so that the mapping
+ * in skb_to_sgvec can not error.
+ * Note that skb_linearize requires the skb not to be shared.
+ */
+ if (skb_linearize(skb))
+ return -EAGAIN;
+ num_sge = skb_to_sgvec(skb, msg->sg.data, off, len);
+ if (unlikely(num_sge < 0))
+ return num_sge;
+ }
copied = len;
msg->sg.start = 0;
msg->sg.size = copied;
msg->sg.end = num_sge;
- msg->skb = skb;
+ msg->skb = take_ref ? skb_get(skb) : skb;
sk_psock_queue_msg(psock, msg);
sk_psock_data_ready(sk, psock);
@@ -552,7 +561,7 @@ static int sk_psock_skb_ingress_enqueue(
}
static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
- u32 off, u32 len);
+ u32 off, u32 len, bool take_ref);
static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
u32 off, u32 len)
@@ -566,7 +575,7 @@ static int sk_psock_skb_ingress(struct s
* correctly.
*/
if (unlikely(skb->sk == sk))
- return sk_psock_skb_ingress_self(psock, skb, off, len);
+ return sk_psock_skb_ingress_self(psock, skb, off, len, true);
msg = sk_psock_create_ingress_msg(sk, skb);
if (!msg)
return -EAGAIN;
@@ -578,7 +587,7 @@ static int sk_psock_skb_ingress(struct s
* into user buffers.
*/
skb_set_owner_r(skb, sk);
- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
+ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, true);
if (err < 0)
kfree(msg);
return err;
@@ -589,7 +598,7 @@ static int sk_psock_skb_ingress(struct s
* because the skb is already accounted for here.
*/
static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
- u32 off, u32 len)
+ u32 off, u32 len, bool take_ref)
{
struct sk_msg *msg = kzalloc(sizeof(*msg), __GFP_NOWARN | GFP_ATOMIC);
struct sock *sk = psock->sk;
@@ -599,7 +608,7 @@ static int sk_psock_skb_ingress_self(str
return -EAGAIN;
sk_msg_init(msg);
skb_set_owner_r(skb, sk);
- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
+ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, take_ref);
if (err < 0)
kfree(msg);
return err;
@@ -608,18 +617,13 @@ static int sk_psock_skb_ingress_self(str
static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb,
u32 off, u32 len, bool ingress)
{
- int err = 0;
-
if (!ingress) {
if (!sock_writeable(psock->sk))
return -EAGAIN;
return skb_send_sock(psock->sk, skb, off, len);
}
- skb_get(skb);
- err = sk_psock_skb_ingress(psock, skb, off, len);
- if (err < 0)
- kfree_skb(skb);
- return err;
+
+ return sk_psock_skb_ingress(psock, skb, off, len);
}
static void sk_psock_skb_state(struct sk_psock *psock,
@@ -1016,7 +1020,7 @@ static int sk_psock_verdict_apply(struct
off = stm->offset;
len = stm->full_len;
}
- err = sk_psock_skb_ingress_self(psock, skb, off, len);
+ err = sk_psock_skb_ingress_self(psock, skb, off, len, false);
}
if (err < 0) {
spin_lock_bh(&psock->ingress_lock);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 072/644] x86: Fix get_wchan() to support the ORC unwinder
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 071/644] bpf, sockmap: Fix panic when calling skb_linearize Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 073/644] sched: Add wrapper for get_wchan() to keep task blocked Greg Kroah-Hartman
` (577 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qi Zheng, Kees Cook,
Peter Zijlstra (Intel), Siddhi Katage
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qi Zheng <zhengqi.arch@bytedance.com>
commit bc9bbb81730ea667c31c5b284f95ee312bab466f upstream.
Currently, the kernel CONFIG_UNWINDER_ORC option is enabled by default
on x86, but the implementation of get_wchan() is still based on the frame
pointer unwinder, so the /proc/<pid>/wchan usually returned 0 regardless
of whether the task <pid> is running.
Reimplement get_wchan() by calling stack_trace_save_tsk(), which is
adapted to the ORC and frame pointer unwinders.
Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder")
Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20211008111626.271115116@infradead.org
Signed-off-by: Siddhi Katage <siddhi.katage@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/process.c | 51 ++--------------------------------------------
1 file changed, 3 insertions(+), 48 deletions(-)
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -971,58 +971,13 @@ unsigned long arch_randomize_brk(struct
*/
unsigned long get_wchan(struct task_struct *p)
{
- unsigned long start, bottom, top, sp, fp, ip, ret = 0;
- int count = 0;
+ unsigned long entry = 0;
if (p == current || task_is_running(p))
return 0;
- if (!try_get_task_stack(p))
- return 0;
-
- start = (unsigned long)task_stack_page(p);
- if (!start)
- goto out;
-
- /*
- * Layout of the stack page:
- *
- * ----------- topmax = start + THREAD_SIZE - sizeof(unsigned long)
- * PADDING
- * ----------- top = topmax - TOP_OF_KERNEL_STACK_PADDING
- * stack
- * ----------- bottom = start
- *
- * The tasks stack pointer points at the location where the
- * framepointer is stored. The data on the stack is:
- * ... IP FP ... IP FP
- *
- * We need to read FP and IP, so we need to adjust the upper
- * bound by another unsigned long.
- */
- top = start + THREAD_SIZE - TOP_OF_KERNEL_STACK_PADDING;
- top -= 2 * sizeof(unsigned long);
- bottom = start;
-
- sp = READ_ONCE(p->thread.sp);
- if (sp < bottom || sp > top)
- goto out;
-
- fp = READ_ONCE_NOCHECK(((struct inactive_task_frame *)sp)->bp);
- do {
- if (fp < bottom || fp > top)
- goto out;
- ip = READ_ONCE_NOCHECK(*(unsigned long *)(fp + sizeof(unsigned long)));
- if (!in_sched_functions(ip)) {
- ret = ip;
- goto out;
- }
- fp = READ_ONCE_NOCHECK(*(unsigned long *)fp);
- } while (count++ < 16 && !task_is_running(p));
-
-out:
- put_task_stack(p);
- return ret;
+ stack_trace_save_tsk(p, &entry, 1, 0);
+ return entry;
}
long do_arch_prctl_common(struct task_struct *task, int option,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 073/644] sched: Add wrapper for get_wchan() to keep task blocked
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 072/644] x86: Fix get_wchan() to support the ORC unwinder Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 074/644] x86: Fix __get_wchan() for !STACKTRACE Greg Kroah-Hartman
` (576 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra, Kees Cook,
Geert Uytterhoeven, Siddhi Katage, Russell King (Oracle),
Mark Rutland
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit 42a20f86dc19f9282d974df0ba4d226c865ab9dd upstream.
Having a stable wchan means the process must be blocked and for it to
stay that way while performing stack unwinding.
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk> [arm]
Tested-by: Mark Rutland <mark.rutland@arm.com> [arm64]
Link: https://lkml.kernel.org/r/20211008111626.332092234@infradead.org
Signed-off-by: Siddhi Katage <siddhi.katage@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/alpha/include/asm/processor.h | 2 +-
arch/alpha/kernel/process.c | 5 ++---
arch/arc/include/asm/processor.h | 2 +-
arch/arc/kernel/stacktrace.c | 4 ++--
arch/arm/include/asm/processor.h | 2 +-
arch/arm/kernel/process.c | 4 +---
arch/arm64/include/asm/processor.h | 2 +-
arch/arm64/kernel/process.c | 4 +---
arch/csky/include/asm/processor.h | 2 +-
arch/csky/kernel/stacktrace.c | 5 ++---
arch/h8300/include/asm/processor.h | 2 +-
arch/h8300/kernel/process.c | 5 +----
arch/hexagon/include/asm/processor.h | 2 +-
arch/hexagon/kernel/process.c | 4 +---
arch/ia64/include/asm/processor.h | 2 +-
arch/ia64/kernel/process.c | 5 +----
arch/m68k/include/asm/processor.h | 2 +-
arch/m68k/kernel/process.c | 4 +---
arch/microblaze/include/asm/processor.h | 2 +-
arch/microblaze/kernel/process.c | 2 +-
arch/mips/include/asm/processor.h | 2 +-
arch/mips/kernel/process.c | 8 +++-----
arch/nds32/include/asm/processor.h | 2 +-
arch/nds32/kernel/process.c | 7 +------
arch/nios2/include/asm/processor.h | 2 +-
arch/nios2/kernel/process.c | 5 +----
arch/openrisc/include/asm/processor.h | 2 +-
arch/openrisc/kernel/process.c | 2 +-
arch/parisc/include/asm/processor.h | 2 +-
arch/parisc/kernel/process.c | 5 +----
arch/powerpc/include/asm/processor.h | 2 +-
arch/powerpc/kernel/process.c | 9 +++------
arch/riscv/include/asm/processor.h | 2 +-
arch/riscv/kernel/stacktrace.c | 12 +++++-------
arch/s390/include/asm/processor.h | 2 +-
arch/s390/kernel/process.c | 4 ++--
arch/sh/include/asm/processor_32.h | 2 +-
arch/sh/kernel/process_32.c | 5 +----
arch/sparc/include/asm/processor_32.h | 2 +-
arch/sparc/include/asm/processor_64.h | 2 +-
arch/sparc/kernel/process_32.c | 5 +----
arch/sparc/kernel/process_64.c | 5 +----
arch/um/include/asm/processor-generic.h | 2 +-
arch/um/kernel/process.c | 5 +----
arch/x86/include/asm/processor.h | 2 +-
arch/x86/kernel/process.c | 5 +----
arch/xtensa/include/asm/processor.h | 2 +-
arch/xtensa/kernel/process.c | 5 +----
include/linux/sched.h | 1 +
kernel/sched/core.c | 19 +++++++++++++++++++
50 files changed, 80 insertions(+), 112 deletions(-)
--- a/arch/alpha/include/asm/processor.h
+++ b/arch/alpha/include/asm/processor.h
@@ -38,7 +38,7 @@ extern void start_thread(struct pt_regs
struct task_struct;
extern void release_thread(struct task_struct *);
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
#define KSTK_EIP(tsk) (task_pt_regs(tsk)->pc)
--- a/arch/alpha/kernel/process.c
+++ b/arch/alpha/kernel/process.c
@@ -376,12 +376,11 @@ thread_saved_pc(struct task_struct *t)
}
unsigned long
-get_wchan(struct task_struct *p)
+__get_wchan(struct task_struct *p)
{
unsigned long schedule_frame;
unsigned long pc;
- if (!p || p == current || task_is_running(p))
- return 0;
+
/*
* This one depends on the frame size of schedule(). Do a
* "disass schedule" in gdb to find the frame size. Also, the
--- a/arch/arc/include/asm/processor.h
+++ b/arch/arc/include/asm/processor.h
@@ -70,7 +70,7 @@ struct task_struct;
extern void start_thread(struct pt_regs * regs, unsigned long pc,
unsigned long usp);
-extern unsigned int get_wchan(struct task_struct *p);
+extern unsigned int __get_wchan(struct task_struct *p);
#endif /* !__ASSEMBLY__ */
--- a/arch/arc/kernel/stacktrace.c
+++ b/arch/arc/kernel/stacktrace.c
@@ -15,7 +15,7 @@
* = specifics of data structs where trace is saved(CONFIG_STACKTRACE etc)
*
* vineetg: March 2009
- * -Implemented correct versions of thread_saved_pc() and get_wchan()
+ * -Implemented correct versions of thread_saved_pc() and __get_wchan()
*
* rajeshwarr: 2008
* -Initial implementation
@@ -248,7 +248,7 @@ void show_stack(struct task_struct *tsk,
* Of course just returning schedule( ) would be pointless so unwind until
* the function is not in schedular code
*/
-unsigned int get_wchan(struct task_struct *tsk)
+unsigned int __get_wchan(struct task_struct *tsk)
{
return arc_unwind_core(tsk, NULL, __get_first_nonsched, NULL);
}
--- a/arch/arm/include/asm/processor.h
+++ b/arch/arm/include/asm/processor.h
@@ -84,7 +84,7 @@ struct task_struct;
/* Free all resources held by a thread. */
extern void release_thread(struct task_struct *);
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
#define task_pt_regs(p) \
((struct pt_regs *)(THREAD_START_SP + task_stack_page(p)) - 1)
--- a/arch/arm/kernel/process.c
+++ b/arch/arm/kernel/process.c
@@ -276,13 +276,11 @@ int copy_thread(unsigned long clone_flag
return 0;
}
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
struct stackframe frame;
unsigned long stack_page;
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
frame.fp = thread_saved_fp(p);
frame.sp = thread_saved_sp(p);
--- a/arch/arm64/include/asm/processor.h
+++ b/arch/arm64/include/asm/processor.h
@@ -265,7 +265,7 @@ struct task_struct;
/* Free all resources held by a thread. */
extern void release_thread(struct task_struct *);
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
void update_sctlr_el1(u64 sctlr);
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -523,13 +523,11 @@ __notrace_funcgraph struct task_struct *
return last;
}
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
struct stackframe frame;
unsigned long stack_page, ret = 0;
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
stack_page = (unsigned long)try_get_task_stack(p);
if (!stack_page)
--- a/arch/csky/include/asm/processor.h
+++ b/arch/csky/include/asm/processor.h
@@ -81,7 +81,7 @@ static inline void release_thread(struct
extern int kernel_thread(int (*fn)(void *), void *arg, unsigned long flags);
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
#define KSTK_EIP(tsk) (task_pt_regs(tsk)->pc)
#define KSTK_ESP(tsk) (task_pt_regs(tsk)->usp)
--- a/arch/csky/kernel/stacktrace.c
+++ b/arch/csky/kernel/stacktrace.c
@@ -111,12 +111,11 @@ static bool save_wchan(unsigned long pc,
return false;
}
-unsigned long get_wchan(struct task_struct *task)
+unsigned long __get_wchan(struct task_struct *task)
{
unsigned long pc = 0;
- if (likely(task && task != current && !task_is_running(task)))
- walk_stackframe(task, NULL, save_wchan, &pc);
+ walk_stackframe(task, NULL, save_wchan, &pc);
return pc;
}
--- a/arch/h8300/include/asm/processor.h
+++ b/arch/h8300/include/asm/processor.h
@@ -105,7 +105,7 @@ static inline void release_thread(struct
{
}
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
#define KSTK_EIP(tsk) \
({ \
--- a/arch/h8300/kernel/process.c
+++ b/arch/h8300/kernel/process.c
@@ -128,15 +128,12 @@ int copy_thread(unsigned long clone_flag
return 0;
}
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
unsigned long fp, pc;
unsigned long stack_page;
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
-
stack_page = (unsigned long)p;
fp = ((struct pt_regs *)p->thread.ksp)->er6;
do {
--- a/arch/hexagon/include/asm/processor.h
+++ b/arch/hexagon/include/asm/processor.h
@@ -64,7 +64,7 @@ struct thread_struct {
extern void release_thread(struct task_struct *dead_task);
/* Get wait channel for task P. */
-extern unsigned long get_wchan(struct task_struct *p);
+extern unsigned long __get_wchan(struct task_struct *p);
/* The following stuff is pretty HEXAGON specific. */
--- a/arch/hexagon/kernel/process.c
+++ b/arch/hexagon/kernel/process.c
@@ -130,13 +130,11 @@ void flush_thread(void)
* is an identification of the point at which the scheduler
* was invoked by a blocked thread.
*/
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
unsigned long fp, pc;
unsigned long stack_page;
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
stack_page = (unsigned long)task_stack_page(p);
fp = ((struct hexagon_switch_stack *)p->thread.switch_sp)->fp;
--- a/arch/ia64/include/asm/processor.h
+++ b/arch/ia64/include/asm/processor.h
@@ -330,7 +330,7 @@ struct task_struct;
#define release_thread(dead_task)
/* Get wait channel for task P. */
-extern unsigned long get_wchan (struct task_struct *p);
+extern unsigned long __get_wchan (struct task_struct *p);
/* Return instruction pointer of blocked task TSK. */
#define KSTK_EIP(tsk) \
--- a/arch/ia64/kernel/process.c
+++ b/arch/ia64/kernel/process.c
@@ -523,15 +523,12 @@ exit_thread (struct task_struct *tsk)
}
unsigned long
-get_wchan (struct task_struct *p)
+__get_wchan (struct task_struct *p)
{
struct unw_frame_info info;
unsigned long ip;
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
-
/*
* Note: p may not be a blocked task (it could be current or
* another process running on some other CPU. Rather than
--- a/arch/m68k/include/asm/processor.h
+++ b/arch/m68k/include/asm/processor.h
@@ -150,7 +150,7 @@ static inline void release_thread(struct
{
}
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
#define KSTK_EIP(tsk) \
({ \
--- a/arch/m68k/kernel/process.c
+++ b/arch/m68k/kernel/process.c
@@ -263,13 +263,11 @@ int dump_fpu (struct pt_regs *regs, stru
}
EXPORT_SYMBOL(dump_fpu);
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
unsigned long fp, pc;
unsigned long stack_page;
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
stack_page = (unsigned long)task_stack_page(p);
fp = ((struct switch_stack *)p->thread.ksp)->a6;
--- a/arch/microblaze/include/asm/processor.h
+++ b/arch/microblaze/include/asm/processor.h
@@ -68,7 +68,7 @@ static inline void release_thread(struct
{
}
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
/* The size allocated for kernel stacks. This _must_ be a power of two! */
# define KERNEL_STACK_SIZE 0x2000
--- a/arch/microblaze/kernel/process.c
+++ b/arch/microblaze/kernel/process.c
@@ -112,7 +112,7 @@ int copy_thread(unsigned long clone_flag
return 0;
}
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
/* TBD (used by procfs) */
return 0;
--- a/arch/mips/include/asm/processor.h
+++ b/arch/mips/include/asm/processor.h
@@ -369,7 +369,7 @@ static inline void flush_thread(void)
{
}
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
#define __KSTK_TOS(tsk) ((unsigned long)task_stack_page(tsk) + \
THREAD_SIZE - 32 - sizeof(struct pt_regs))
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -511,7 +511,7 @@ static int __init frame_info_init(void)
/*
* Without schedule() frame info, result given by
- * thread_saved_pc() and get_wchan() are not reliable.
+ * thread_saved_pc() and __get_wchan() are not reliable.
*/
if (schedule_mfi.pc_offset < 0)
printk("Can't analyze schedule() prologue at %p\n", schedule);
@@ -652,9 +652,9 @@ unsigned long unwind_stack(struct task_s
#endif
/*
- * get_wchan - a maintenance nightmare^W^Wpain in the ass ...
+ * __get_wchan - a maintenance nightmare^W^Wpain in the ass ...
*/
-unsigned long get_wchan(struct task_struct *task)
+unsigned long __get_wchan(struct task_struct *task)
{
unsigned long pc = 0;
#ifdef CONFIG_KALLSYMS
@@ -662,8 +662,6 @@ unsigned long get_wchan(struct task_stru
unsigned long ra = 0;
#endif
- if (!task || task == current || task_is_running(task))
- goto out;
if (!task_stack_page(task))
goto out;
--- a/arch/nds32/include/asm/processor.h
+++ b/arch/nds32/include/asm/processor.h
@@ -83,7 +83,7 @@ extern struct task_struct *last_task_use
/* Prepare to copy thread state - unlazy all lazy status */
#define prepare_to_copy(tsk) do { } while (0)
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
#define cpu_relax() barrier()
--- a/arch/nds32/kernel/process.c
+++ b/arch/nds32/kernel/process.c
@@ -233,15 +233,12 @@ int dump_fpu(struct pt_regs *regs, elf_f
EXPORT_SYMBOL(dump_fpu);
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
unsigned long fp, lr;
unsigned long stack_start, stack_end;
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
-
if (IS_ENABLED(CONFIG_FRAME_POINTER)) {
stack_start = (unsigned long)end_of_stack(p);
stack_end = (unsigned long)task_stack_page(p) + THREAD_SIZE;
@@ -258,5 +255,3 @@ unsigned long get_wchan(struct task_stru
}
return 0;
}
-
-EXPORT_SYMBOL(get_wchan);
--- a/arch/nios2/include/asm/processor.h
+++ b/arch/nios2/include/asm/processor.h
@@ -69,7 +69,7 @@ static inline void release_thread(struct
{
}
-extern unsigned long get_wchan(struct task_struct *p);
+extern unsigned long __get_wchan(struct task_struct *p);
#define task_pt_regs(p) \
((struct pt_regs *)(THREAD_SIZE + task_stack_page(p)) - 1)
--- a/arch/nios2/kernel/process.c
+++ b/arch/nios2/kernel/process.c
@@ -217,15 +217,12 @@ void dump(struct pt_regs *fp)
pr_emerg("\n\n");
}
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
unsigned long fp, pc;
unsigned long stack_page;
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
-
stack_page = (unsigned long)p;
fp = ((struct switch_stack *)p->thread.ksp)->fp; /* ;dgt2 */
do {
--- a/arch/openrisc/include/asm/processor.h
+++ b/arch/openrisc/include/asm/processor.h
@@ -73,7 +73,7 @@ struct thread_struct {
void start_thread(struct pt_regs *regs, unsigned long nip, unsigned long sp);
void release_thread(struct task_struct *);
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
#define cpu_relax() barrier()
--- a/arch/openrisc/kernel/process.c
+++ b/arch/openrisc/kernel/process.c
@@ -263,7 +263,7 @@ void dump_elf_thread(elf_greg_t *dest, s
dest[35] = 0;
}
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
/* TODO */
--- a/arch/parisc/include/asm/processor.h
+++ b/arch/parisc/include/asm/processor.h
@@ -273,7 +273,7 @@ struct mm_struct;
/* Free all resources held by a thread. */
extern void release_thread(struct task_struct *);
-extern unsigned long get_wchan(struct task_struct *p);
+extern unsigned long __get_wchan(struct task_struct *p);
#define KSTK_EIP(tsk) ((tsk)->thread.regs.iaoq[0])
#define KSTK_ESP(tsk) ((tsk)->thread.regs.gr[30])
--- a/arch/parisc/kernel/process.c
+++ b/arch/parisc/kernel/process.c
@@ -245,15 +245,12 @@ copy_thread(unsigned long clone_flags, u
}
unsigned long
-get_wchan(struct task_struct *p)
+__get_wchan(struct task_struct *p)
{
struct unwind_frame_info info;
unsigned long ip;
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
-
/*
* These bracket the sleeping functions..
*/
--- a/arch/powerpc/include/asm/processor.h
+++ b/arch/powerpc/include/asm/processor.h
@@ -300,7 +300,7 @@ struct thread_struct {
#define task_pt_regs(tsk) ((tsk)->thread.regs)
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
#define KSTK_EIP(tsk) ((tsk)->thread.regs? (tsk)->thread.regs->nip: 0)
#define KSTK_ESP(tsk) ((tsk)->thread.regs? (tsk)->thread.regs->gpr[1]: 0)
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -2111,14 +2111,11 @@ int validate_sp(unsigned long sp, struct
EXPORT_SYMBOL(validate_sp);
-static unsigned long __get_wchan(struct task_struct *p)
+static unsigned long ___get_wchan(struct task_struct *p)
{
unsigned long ip, sp;
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
-
sp = p->thread.ksp;
if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD))
return 0;
@@ -2137,14 +2134,14 @@ static unsigned long __get_wchan(struct
return 0;
}
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
unsigned long ret;
if (!try_get_task_stack(p))
return 0;
- ret = __get_wchan(p);
+ ret = ___get_wchan(p);
put_task_stack(p);
--- a/arch/riscv/include/asm/processor.h
+++ b/arch/riscv/include/asm/processor.h
@@ -66,7 +66,7 @@ static inline void release_thread(struct
{
}
-extern unsigned long get_wchan(struct task_struct *p);
+extern unsigned long __get_wchan(struct task_struct *p);
static inline void wait_for_interrupt(void)
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -148,16 +148,14 @@ static bool save_wchan(void *arg, unsign
return true;
}
-unsigned long get_wchan(struct task_struct *task)
+unsigned long __get_wchan(struct task_struct *task)
{
unsigned long pc = 0;
- if (likely(task && task != current && !task_is_running(task))) {
- if (!try_get_task_stack(task))
- return 0;
- walk_stackframe(task, NULL, save_wchan, &pc);
- put_task_stack(task);
- }
+ if (!try_get_task_stack(task))
+ return 0;
+ walk_stackframe(task, NULL, save_wchan, &pc);
+ put_task_stack(task);
return pc;
}
--- a/arch/s390/include/asm/processor.h
+++ b/arch/s390/include/asm/processor.h
@@ -192,7 +192,7 @@ static inline void release_thread(struct
void guarded_storage_release(struct task_struct *tsk);
void gs_load_bc_cb(struct pt_regs *regs);
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
#define task_pt_regs(tsk) ((struct pt_regs *) \
(task_stack_page(tsk) + THREAD_SIZE) - 1)
#define KSTK_EIP(tsk) (task_pt_regs(tsk)->psw.addr)
--- a/arch/s390/kernel/process.c
+++ b/arch/s390/kernel/process.c
@@ -191,12 +191,12 @@ void execve_tail(void)
asm volatile("sfpc %0" : : "d" (0));
}
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
struct unwind_state state;
unsigned long ip = 0;
- if (!p || p == current || task_is_running(p) || !task_stack_page(p))
+ if (!task_stack_page(p))
return 0;
if (!try_get_task_stack(p))
--- a/arch/sh/include/asm/processor_32.h
+++ b/arch/sh/include/asm/processor_32.h
@@ -181,7 +181,7 @@ static inline void show_code(struct pt_r
}
#endif
-extern unsigned long get_wchan(struct task_struct *p);
+extern unsigned long __get_wchan(struct task_struct *p);
#define KSTK_EIP(tsk) (task_pt_regs(tsk)->pc)
#define KSTK_ESP(tsk) (task_pt_regs(tsk)->regs[15])
--- a/arch/sh/kernel/process_32.c
+++ b/arch/sh/kernel/process_32.c
@@ -182,13 +182,10 @@ __switch_to(struct task_struct *prev, st
return prev;
}
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
unsigned long pc;
- if (!p || p == current || task_is_running(p))
- return 0;
-
/*
* The same comment as on the Alpha applies here, too ...
*/
--- a/arch/sparc/include/asm/processor_32.h
+++ b/arch/sparc/include/asm/processor_32.h
@@ -89,7 +89,7 @@ static inline void start_thread(struct p
/* Free all resources held by a thread. */
#define release_thread(tsk) do { } while(0)
-unsigned long get_wchan(struct task_struct *);
+unsigned long __get_wchan(struct task_struct *);
#define task_pt_regs(tsk) ((tsk)->thread.kregs)
#define KSTK_EIP(tsk) ((tsk)->thread.kregs->pc)
--- a/arch/sparc/include/asm/processor_64.h
+++ b/arch/sparc/include/asm/processor_64.h
@@ -183,7 +183,7 @@ do { \
/* Free all resources held by a thread. */
#define release_thread(tsk) do { } while (0)
-unsigned long get_wchan(struct task_struct *task);
+unsigned long __get_wchan(struct task_struct *task);
#define task_pt_regs(tsk) (task_thread_info(tsk)->kregs)
#define KSTK_EIP(tsk) (task_pt_regs(tsk)->tpc)
--- a/arch/sparc/kernel/process_32.c
+++ b/arch/sparc/kernel/process_32.c
@@ -365,7 +365,7 @@ int copy_thread(unsigned long clone_flag
return 0;
}
-unsigned long get_wchan(struct task_struct *task)
+unsigned long __get_wchan(struct task_struct *task)
{
unsigned long pc, fp, bias = 0;
unsigned long task_base = (unsigned long) task;
@@ -373,9 +373,6 @@ unsigned long get_wchan(struct task_stru
struct reg_window32 *rw;
int count = 0;
- if (!task || task == current || task_is_running(task))
- goto out;
-
fp = task_thread_info(task)->ksp + bias;
do {
/* Bogus frame pointer? */
--- a/arch/sparc/kernel/process_64.c
+++ b/arch/sparc/kernel/process_64.c
@@ -663,7 +663,7 @@ int arch_dup_task_struct(struct task_str
return 0;
}
-unsigned long get_wchan(struct task_struct *task)
+unsigned long __get_wchan(struct task_struct *task)
{
unsigned long pc, fp, bias = 0;
struct thread_info *tp;
@@ -671,9 +671,6 @@ unsigned long get_wchan(struct task_stru
unsigned long ret = 0;
int count = 0;
- if (!task || task == current || task_is_running(task))
- goto out;
-
tp = task_thread_info(task);
bias = STACK_BIAS;
fp = task_thread_info(task)->ksp + bias;
--- a/arch/um/include/asm/processor-generic.h
+++ b/arch/um/include/asm/processor-generic.h
@@ -106,6 +106,6 @@ extern struct cpuinfo_um boot_cpu_data;
#define cache_line_size() (boot_cpu_data.cache_alignment)
#define KSTK_REG(tsk, reg) get_thread_reg(reg, &tsk->thread.switch_buf)
-extern unsigned long get_wchan(struct task_struct *p);
+extern unsigned long __get_wchan(struct task_struct *p);
#endif
--- a/arch/um/kernel/process.c
+++ b/arch/um/kernel/process.c
@@ -364,14 +364,11 @@ unsigned long arch_align_stack(unsigned
}
#endif
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
unsigned long stack_page, sp, ip;
bool seen_sched = 0;
- if ((p == NULL) || (p == current) || task_is_running(p))
- return 0;
-
stack_page = (unsigned long) task_stack_page(p);
/* Bail if the process has no kernel stack for some reason */
if (stack_page == 0)
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -591,7 +591,7 @@ static inline void load_sp0(unsigned lon
/* Free all resources held by a thread. */
extern void release_thread(struct task_struct *);
-unsigned long get_wchan(struct task_struct *p);
+unsigned long __get_wchan(struct task_struct *p);
/*
* Generic CPUID function
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -969,13 +969,10 @@ unsigned long arch_randomize_brk(struct
* because the task might wake up and we might look at a stack
* changing under us.
*/
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
unsigned long entry = 0;
- if (p == current || task_is_running(p))
- return 0;
-
stack_trace_save_tsk(p, &entry, 1, 0);
return entry;
}
--- a/arch/xtensa/include/asm/processor.h
+++ b/arch/xtensa/include/asm/processor.h
@@ -215,7 +215,7 @@ struct mm_struct;
/* Free all resources held by a thread. */
#define release_thread(thread) do { } while(0)
-extern unsigned long get_wchan(struct task_struct *p);
+extern unsigned long __get_wchan(struct task_struct *p);
#define KSTK_EIP(tsk) (task_pt_regs(tsk)->pc)
#define KSTK_ESP(tsk) (task_pt_regs(tsk)->areg[1])
--- a/arch/xtensa/kernel/process.c
+++ b/arch/xtensa/kernel/process.c
@@ -298,15 +298,12 @@ int copy_thread(unsigned long clone_flag
* These bracket the sleeping functions..
*/
-unsigned long get_wchan(struct task_struct *p)
+unsigned long __get_wchan(struct task_struct *p)
{
unsigned long sp, pc;
unsigned long stack_page = (unsigned long) task_stack_page(p);
int count = 0;
- if (!p || p == current || task_is_running(p))
- return 0;
-
sp = p->thread.sp;
pc = MAKE_PC_FROM_RA(p->thread.ra, p->thread.sp);
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -2141,6 +2141,7 @@ static inline void set_task_cpu(struct t
#endif /* CONFIG_SMP */
extern bool sched_task_on_rq(struct task_struct *p);
+extern unsigned long get_wchan(struct task_struct *p);
/*
* In order to reduce various lock holder preemption latencies provide an
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -1963,6 +1963,25 @@ bool sched_task_on_rq(struct task_struct
return task_on_rq_queued(p);
}
+unsigned long get_wchan(struct task_struct *p)
+{
+ unsigned long ip = 0;
+ unsigned int state;
+
+ if (!p || p == current)
+ return 0;
+
+ /* Only get wchan if task is blocked and we can keep it that way. */
+ raw_spin_lock_irq(&p->pi_lock);
+ state = READ_ONCE(p->__state);
+ smp_rmb(); /* see try_to_wake_up() */
+ if (state != TASK_RUNNING && state != TASK_WAKING && !p->on_rq)
+ ip = __get_wchan(p);
+ raw_spin_unlock_irq(&p->pi_lock);
+
+ return ip;
+}
+
static inline void enqueue_task(struct rq *rq, struct task_struct *p, int flags)
{
if (!(flags & ENQUEUE_NOCLOCK))
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 074/644] x86: Fix __get_wchan() for !STACKTRACE
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 073/644] sched: Add wrapper for get_wchan() to keep task blocked Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 075/644] x86: Pin task-stack in __get_wchan() Greg Kroah-Hartman
` (575 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell,
Peter Zijlstra (Intel), Kees Cook, Siddhi Katage
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 5d1ceb3969b6b2e47e2df6d17790a7c5a20fcbb4 upstream.
Use asm/unwind.h to implement wchan, since we cannot always rely on
STACKTRACE=y.
Fixes: bc9bbb81730e ("x86: Fix get_wchan() to support the ORC unwinder")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lkml.kernel.org/r/20211022152104.137058575@infradead.org
Signed-off-by: Siddhi Katage <siddhi.katage@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/process.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -43,6 +43,7 @@
#include <asm/io_bitmap.h>
#include <asm/proto.h>
#include <asm/frame.h>
+#include <asm/unwind.h>
#include "process.h"
@@ -971,10 +972,20 @@ unsigned long arch_randomize_brk(struct
*/
unsigned long __get_wchan(struct task_struct *p)
{
- unsigned long entry = 0;
+ struct unwind_state state;
+ unsigned long addr = 0;
- stack_trace_save_tsk(p, &entry, 1, 0);
- return entry;
+ for (unwind_start(&state, p, NULL, NULL); !unwind_done(&state);
+ unwind_next_frame(&state)) {
+ addr = unwind_get_return_address(&state);
+ if (!addr)
+ break;
+ if (in_sched_functions(addr))
+ continue;
+ break;
+ }
+
+ return addr;
}
long do_arch_prctl_common(struct task_struct *task, int option,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 075/644] x86: Pin task-stack in __get_wchan()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 074/644] x86: Fix __get_wchan() for !STACKTRACE Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 076/644] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT Greg Kroah-Hartman
` (574 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel),
Justin Forbes, Holger Hoffstätte, Qi Zheng, Kees Cook,
Thomas Gleixner, Linus Torvalds, Siddhi Katage
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 0dc636b3b757a6b747a156de613275f9d74a4a66 upstream.
When commit 5d1ceb3969b6 ("x86: Fix __get_wchan() for !STACKTRACE")
moved from stacktrace to native unwind_*() usage, the
try_get_task_stack() got lost, leading to use-after-free issues for
dying tasks.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Fixes: 5d1ceb3969b6 ("x86: Fix __get_wchan() for !STACKTRACE")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215031
Link: https://lore.kernel.org/stable/YZV02RCRVHIa144u@fedora64.linuxtx.org/
Reported-by: Justin Forbes <jmforbes@linuxtx.org>
Reported-by: Holger Hoffstätte <holger@applied-asynchrony.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Siddhi Katage <siddhi.katage@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/process.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -975,6 +975,9 @@ unsigned long __get_wchan(struct task_st
struct unwind_state state;
unsigned long addr = 0;
+ if (!try_get_task_stack(p))
+ return 0;
+
for (unwind_start(&state, p, NULL, NULL); !unwind_done(&state);
unwind_next_frame(&state)) {
addr = unwind_get_return_address(&state);
@@ -985,6 +988,8 @@ unsigned long __get_wchan(struct task_st
break;
}
+ put_task_stack(p);
+
return addr;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 076/644] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 075/644] x86: Pin task-stack in __get_wchan() Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 077/644] regulator: core: fix NULL dereference on unbind due to stale coupling data Greg Kroah-Hartman
` (573 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Fabrice Gasnier, Gatien Chevallier, Dmitry Torokhov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
commit f4a8f561d08e39f7833d4a278ebfb12a41eef15f upstream.
When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in
hard irq context, but the input_event() takes a spin_lock, which isn't
allowed there as it is converted to a rt_spin_lock().
[ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0
...
[ 4054.290195] __might_resched+0x13c/0x1f4
[ 4054.290209] rt_spin_lock+0x54/0x11c
[ 4054.290219] input_event+0x48/0x80
[ 4054.290230] gpio_keys_irq_timer+0x4c/0x78
[ 4054.290243] __hrtimer_run_queues+0x1a4/0x438
[ 4054.290257] hrtimer_interrupt+0xe4/0x240
[ 4054.290269] arch_timer_handler_phys+0x2c/0x44
[ 4054.290283] handle_percpu_devid_irq+0x8c/0x14c
[ 4054.290297] handle_irq_desc+0x40/0x58
[ 4054.290307] generic_handle_domain_irq+0x1c/0x28
[ 4054.290316] gic_handle_irq+0x44/0xcc
Considering the gpio_keys_irq_isr() can run in any context, e.g. it can
be threaded, it seems there's no point in requesting the timer isr to
run in hard irq context.
Relax the hrtimer not to use the hard context.
Fixes: 019002f20cb5 ("Input: gpio-keys - use hrtimer for release timer")
Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Link: https://lore.kernel.org/r/20250528-gpio_keys_preempt_rt-v2-1-3fc55a9c3619@foss.st.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[ adjusted context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/keyboard/gpio_keys.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/input/keyboard/gpio_keys.c
+++ b/drivers/input/keyboard/gpio_keys.c
@@ -493,7 +493,7 @@ static irqreturn_t gpio_keys_irq_isr(int
if (bdata->release_delay)
hrtimer_start(&bdata->release_timer,
ms_to_ktime(bdata->release_delay),
- HRTIMER_MODE_REL_HARD);
+ HRTIMER_MODE_REL);
out:
spin_unlock_irqrestore(&bdata->lock, flags);
return IRQ_HANDLED;
@@ -633,7 +633,7 @@ static int gpio_keys_setup_key(struct pl
bdata->release_delay = button->debounce_interval;
hrtimer_init(&bdata->release_timer,
- CLOCK_REALTIME, HRTIMER_MODE_REL_HARD);
+ CLOCK_REALTIME, HRTIMER_MODE_REL);
bdata->release_timer.function = gpio_keys_irq_timer;
isr = gpio_keys_irq_isr;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 077/644] regulator: core: fix NULL dereference on unbind due to stale coupling data
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 076/644] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 078/644] RDMA/core: Rate limit GID cache warning messages Greg Kroah-Hartman
` (572 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alessandro Carminati, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alessandro Carminati <acarmina@redhat.com>
[ Upstream commit ca46946a482238b0cdea459fb82fc837fb36260e ]
Failing to reset coupling_desc.n_coupled after freeing coupled_rdevs can
lead to NULL pointer dereference when regulators are accessed post-unbind.
This can happen during runtime PM or other regulator operations that rely
on coupling metadata.
For example, on ridesx4, unbinding the 'reg-dummy' platform device triggers
a panic in regulator_lock_recursive() due to stale coupling state.
Ensure n_coupled is set to 0 to prevent access to invalid pointers.
Signed-off-by: Alessandro Carminati <acarmina@redhat.com>
Link: https://patch.msgid.link/20250626083809.314842-1-acarmina@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 18f13b9601b5b..ed5d58baa1f75 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -5359,6 +5359,7 @@ static void regulator_remove_coupling(struct regulator_dev *rdev)
ERR_PTR(err));
}
+ rdev->coupling_desc.n_coupled = 0;
kfree(rdev->coupling_desc.coupled_rdevs);
rdev->coupling_desc.coupled_rdevs = NULL;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 078/644] RDMA/core: Rate limit GID cache warning messages
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 077/644] regulator: core: fix NULL dereference on unbind due to stale coupling data Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 079/644] interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node Greg Kroah-Hartman
` (571 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maor Gottlieb, Leon Romanovsky,
Jason Gunthorpe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maor Gottlieb <maorg@nvidia.com>
[ Upstream commit 333e4d79316c9ed5877d7aac8b8ed22efc74e96d ]
The GID cache warning messages can flood the kernel log when there are
multiple failed attempts to add GIDs. This can happen when creating many
virtual interfaces without having enough space for their GIDs in the GID
table.
Change pr_warn to pr_warn_ratelimited to prevent log flooding while still
maintaining visibility of the issue.
Link: https://patch.msgid.link/r/fd45ed4a1078e743f498b234c3ae816610ba1b18.1750062357.git.leon@kernel.org
Signed-off-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/cache.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index b534ef03168c6..91ee3e823a9fe 100644
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -582,8 +582,8 @@ static int __ib_cache_gid_add(struct ib_device *ib_dev, u32 port,
out_unlock:
mutex_unlock(&table->lock);
if (ret)
- pr_warn("%s: unable to add gid %pI6 error=%d\n",
- __func__, gid->raw, ret);
+ pr_warn_ratelimited("%s: unable to add gid %pI6 error=%d\n",
+ __func__, gid->raw, ret);
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 079/644] interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 078/644] RDMA/core: Rate limit GID cache warning messages Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 080/644] regmap: fix potential memory leak of regmap_bus Greg Kroah-Hartman
` (570 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xilin Wu, Dmitry Baryshkov,
Georgi Djakov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xilin Wu <sophon@radxa.com>
[ Upstream commit 886a94f008dd1a1702ee66dd035c266f70fd9e90 ]
This allows adding interconnect paths for PCIe 1 in device tree later.
Fixes: 46bdcac533cc ("interconnect: qcom: Add SC7280 interconnect provider driver")
Signed-off-by: Xilin Wu <sophon@radxa.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250613-sc7280-icc-pcie1-fix-v1-1-0b09813e3b09@radxa.com
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/interconnect/qcom/sc7280.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/interconnect/qcom/sc7280.c b/drivers/interconnect/qcom/sc7280.c
index f8b34f6cbb0d1..cd5efeb764044 100644
--- a/drivers/interconnect/qcom/sc7280.c
+++ b/drivers/interconnect/qcom/sc7280.c
@@ -164,6 +164,7 @@ static struct qcom_icc_node xm_pcie3_1 = {
.id = SC7280_MASTER_PCIE_1,
.channels = 1,
.buswidth = 8,
+ .num_links = 1,
.links = { SC7280_SLAVE_ANOC_PCIE_GEM_NOC },
};
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 080/644] regmap: fix potential memory leak of regmap_bus
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 079/644] interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 081/644] i40e: Add rx_missed_errors for buffer exhaustion Greg Kroah-Hartman
` (569 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <abdun.nihaal@gmail.com>
[ Upstream commit c871c199accb39d0f4cb941ad0dccabfc21e9214 ]
When __regmap_init() is called from __regmap_init_i2c() and
__regmap_init_spi() (and their devm versions), the bus argument
obtained from regmap_get_i2c_bus() and regmap_get_spi_bus(), may be
allocated using kmemdup() to support quirks. In those cases, the
bus->free_on_exit field is set to true.
However, inside __regmap_init(), buf is not freed on any error path.
This could lead to a memory leak of regmap_bus when __regmap_init()
fails. Fix that by freeing bus on error path when free_on_exit is set.
Fixes: ea030ca68819 ("regmap-i2c: Set regmap max raw r/w from quirks")
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Link: https://patch.msgid.link/20250626172823.18725-1-abdun.nihaal@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/regmap/regmap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index 6d94ad8bf1eb7..ebddc69bc969c 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -1264,6 +1264,8 @@ struct regmap *__regmap_init(struct device *dev,
err_map:
kfree(map);
err:
+ if (bus && bus->free_on_exit)
+ kfree(bus);
return ERR_PTR(ret);
}
EXPORT_SYMBOL_GPL(__regmap_init);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 081/644] i40e: Add rx_missed_errors for buffer exhaustion
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 080/644] regmap: fix potential memory leak of regmap_bus Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 082/644] i40e: report VF tx_dropped with tx_errors instead of tx_discards Greg Kroah-Hartman
` (568 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yajun Deng, Tony Nguyen, Sasha Levin,
Arpana Arland
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yajun Deng <yajun.deng@linux.dev>
[ Upstream commit 5337d294973331660e84e41836a54014de22e5b0 ]
As the comment in struct rtnl_link_stats64, rx_dropped should not
include packets dropped by the device due to buffer exhaustion.
They are counted in rx_missed_errors, procfs folds those two counters
together.
Add rx_missed_errors for buffer exhaustion, rx_missed_errors corresponds
to rx_discards, rx_dropped corresponds to rx_discards_other.
Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Stable-dep-of: 50b2af451597 ("i40e: report VF tx_dropped with tx_errors instead of tx_discards")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 ++-
drivers/net/ethernet/intel/i40e/i40e_main.c | 18 +++++++-----------
.../net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
3 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
index d0b9ee756b306..504edc8ec531c 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
@@ -247,6 +247,7 @@ static const struct i40e_stats i40e_gstrings_net_stats[] = {
I40E_NETDEV_STAT(rx_errors),
I40E_NETDEV_STAT(tx_errors),
I40E_NETDEV_STAT(rx_dropped),
+ I40E_NETDEV_STAT(rx_missed_errors),
I40E_NETDEV_STAT(tx_dropped),
I40E_NETDEV_STAT(collisions),
I40E_NETDEV_STAT(rx_length_errors),
@@ -317,7 +318,7 @@ static const struct i40e_stats i40e_gstrings_stats[] = {
I40E_PF_STAT("port.rx_broadcast", stats.eth.rx_broadcast),
I40E_PF_STAT("port.tx_broadcast", stats.eth.tx_broadcast),
I40E_PF_STAT("port.tx_errors", stats.eth.tx_errors),
- I40E_PF_STAT("port.rx_dropped", stats.eth.rx_discards),
+ I40E_PF_STAT("port.rx_discards", stats.eth.rx_discards),
I40E_PF_STAT("port.tx_dropped_link_down", stats.tx_dropped_link_down),
I40E_PF_STAT("port.rx_crc_errors", stats.crc_errors),
I40E_PF_STAT("port.illegal_bytes", stats.illegal_bytes),
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index bc5da0b8648c1..2a3b8dd72686d 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -493,6 +493,7 @@ static void i40e_get_netdev_stats_struct(struct net_device *netdev,
stats->tx_dropped = vsi_stats->tx_dropped;
stats->rx_errors = vsi_stats->rx_errors;
stats->rx_dropped = vsi_stats->rx_dropped;
+ stats->rx_missed_errors = vsi_stats->rx_missed_errors;
stats->rx_crc_errors = vsi_stats->rx_crc_errors;
stats->rx_length_errors = vsi_stats->rx_length_errors;
}
@@ -684,17 +685,13 @@ i40e_stats_update_rx_discards(struct i40e_vsi *vsi, struct i40e_hw *hw,
struct i40e_eth_stats *stat_offset,
struct i40e_eth_stats *stat)
{
- u64 rx_rdpc, rx_rxerr;
-
i40e_stat_update32(hw, I40E_GLV_RDPC(stat_idx), offset_loaded,
- &stat_offset->rx_discards, &rx_rdpc);
+ &stat_offset->rx_discards, &stat->rx_discards);
i40e_stat_update64(hw,
I40E_GL_RXERR1H(i40e_compute_pci_to_hw_id(vsi, hw)),
I40E_GL_RXERR1L(i40e_compute_pci_to_hw_id(vsi, hw)),
offset_loaded, &stat_offset->rx_discards_other,
- &rx_rxerr);
-
- stat->rx_discards = rx_rdpc + rx_rxerr;
+ &stat->rx_discards_other);
}
/**
@@ -716,9 +713,6 @@ void i40e_update_eth_stats(struct i40e_vsi *vsi)
i40e_stat_update32(hw, I40E_GLV_TEPC(stat_idx),
vsi->stat_offsets_loaded,
&oes->tx_errors, &es->tx_errors);
- i40e_stat_update32(hw, I40E_GLV_RDPC(stat_idx),
- vsi->stat_offsets_loaded,
- &oes->rx_discards, &es->rx_discards);
i40e_stat_update32(hw, I40E_GLV_RUPP(stat_idx),
vsi->stat_offsets_loaded,
&oes->rx_unknown_protocol, &es->rx_unknown_protocol);
@@ -959,8 +953,10 @@ static void i40e_update_vsi_stats(struct i40e_vsi *vsi)
ns->tx_errors = es->tx_errors;
ons->multicast = oes->rx_multicast;
ns->multicast = es->rx_multicast;
- ons->rx_dropped = oes->rx_discards;
- ns->rx_dropped = es->rx_discards;
+ ons->rx_dropped = oes->rx_discards_other;
+ ns->rx_dropped = es->rx_discards_other;
+ ons->rx_missed_errors = oes->rx_discards;
+ ns->rx_missed_errors = es->rx_discards;
ons->tx_dropped = oes->tx_discards;
ns->tx_dropped = es->tx_discards;
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index d5b8462aa3eae..cc0c775d5d057 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -4879,7 +4879,7 @@ int i40e_get_vf_stats(struct net_device *netdev, int vf_id,
vf_stats->tx_bytes = stats->tx_bytes;
vf_stats->broadcast = stats->rx_broadcast;
vf_stats->multicast = stats->rx_multicast;
- vf_stats->rx_dropped = stats->rx_discards;
+ vf_stats->rx_dropped = stats->rx_discards + stats->rx_discards_other;
vf_stats->tx_dropped = stats->tx_discards;
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 082/644] i40e: report VF tx_dropped with tx_errors instead of tx_discards
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 081/644] i40e: Add rx_missed_errors for buffer exhaustion Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 083/644] net: appletalk: Fix use-after-free in AARP proxy probe Greg Kroah-Hartman
` (567 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dennis Chen, Simon Horman,
Rafal Romanowski, Tony Nguyen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dennis Chen <dechen@redhat.com>
[ Upstream commit 50b2af451597ca6eefe9d4543f8bbf8de8aa00e7 ]
Currently the tx_dropped field in VF stats is not updated correctly
when reading stats from the PF. This is because it reads from
i40e_eth_stats.tx_discards which seems to be unused for per VSI stats,
as it is not updated by i40e_update_eth_stats() and the corresponding
register, GLV_TDPC, is not implemented[1].
Use i40e_eth_stats.tx_errors instead, which is actually updated by
i40e_update_eth_stats() by reading from GLV_TEPC.
To test, create a VF and try to send bad packets through it:
$ echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs
$ cat test.py
from scapy.all import *
vlan_pkt = Ether(dst="ff:ff:ff:ff:ff:ff") / Dot1Q(vlan=999) / IP(dst="192.168.0.1") / ICMP()
ttl_pkt = IP(dst="8.8.8.8", ttl=0) / ICMP()
print("Send packet with bad VLAN tag")
sendp(vlan_pkt, iface="enp2s0f0v0")
print("Send packet with TTL=0")
sendp(ttl_pkt, iface="enp2s0f0v0")
$ ip -s link show dev enp2s0f0
16: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 3c:ec:ef:b7:e0:ac brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped missed mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
vf 0 link/ether e2:c6:fd:c1:1e:92 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
RX: bytes packets mcast bcast dropped
0 0 0 0 0
TX: bytes packets dropped
0 0 0
$ python test.py
Send packet with bad VLAN tag
.
Sent 1 packets.
Send packet with TTL=0
.
Sent 1 packets.
$ ip -s link show dev enp2s0f0
16: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 3c:ec:ef:b7:e0:ac brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped missed mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
vf 0 link/ether e2:c6:fd:c1:1e:92 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
RX: bytes packets mcast bcast dropped
0 0 0 0 0
TX: bytes packets dropped
0 0 0
A packet with non-existent VLAN tag and a packet with TTL = 0 are sent,
but tx_dropped is not incremented.
After patch:
$ ip -s link show dev enp2s0f0
19: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 3c:ec:ef:b7:e0:ac brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped missed mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
vf 0 link/ether 4a:b7:3d:37:f7:56 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
RX: bytes packets mcast bcast dropped
0 0 0 0 0
TX: bytes packets dropped
0 0 2
Fixes: dc645daef9af5bcbd9c ("i40e: implement VF stats NDO")
Signed-off-by: Dennis Chen <dechen@redhat.com>
Link: https://www.intel.com/content/www/us/en/content-details/596333/intel-ethernet-controller-x710-tm4-at2-carlsville-datasheet.html
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index cc0c775d5d057..7673ce2be1c02 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -4880,7 +4880,7 @@ int i40e_get_vf_stats(struct net_device *netdev, int vf_id,
vf_stats->broadcast = stats->rx_broadcast;
vf_stats->multicast = stats->rx_multicast;
vf_stats->rx_dropped = stats->rx_discards + stats->rx_discards_other;
- vf_stats->tx_dropped = stats->tx_discards;
+ vf_stats->tx_dropped = stats->tx_errors;
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 083/644] net: appletalk: Fix use-after-free in AARP proxy probe
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 082/644] i40e: report VF tx_dropped with tx_errors instead of tx_discards Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 084/644] net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class Greg Kroah-Hartman
` (566 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kito Xu (veritas501), Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kito Xu (veritas501) <hxzene@gmail.com>
[ Upstream commit 6c4a92d07b0850342d3becf2e608f805e972467c ]
The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe,
releases the aarp_lock, sleeps, then re-acquires the lock. During that
window an expire timer thread (__aarp_expire_timer) can remove and
kfree() the same entry, leading to a use-after-free.
race condition:
cpu 0 | cpu 1
atalk_sendmsg() | atif_proxy_probe_device()
aarp_send_ddp() | aarp_proxy_probe_network()
mod_timer() | lock(aarp_lock) // LOCK!!
timeout around 200ms | alloc(aarp_entry)
and then call | proxies[hash] = aarp_entry
aarp_expire_timeout() | aarp_send_probe()
| unlock(aarp_lock) // UNLOCK!!
lock(aarp_lock) // LOCK!! | msleep(100);
__aarp_expire_timer(&proxies[ct]) |
free(aarp_entry) |
unlock(aarp_lock) // UNLOCK!! |
| lock(aarp_lock) // LOCK!!
| UAF aarp_entry !!
==================================================================
BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
Read of size 4 at addr ffff8880123aa360 by task repro/13278
CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc1/0x630 mm/kasan/report.c:521
kasan_report+0xca/0x100 mm/kasan/report.c:634
aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
sock_do_ioctl+0xdc/0x260 net/socket.c:1190
sock_ioctl+0x239/0x6a0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Allocated:
aarp_alloc net/appletalk/aarp.c:382 [inline]
aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468
atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
Freed:
kfree+0x148/0x4d0 mm/slub.c:4841
__aarp_expire net/appletalk/aarp.c:90 [inline]
__aarp_expire_timer net/appletalk/aarp.c:261 [inline]
aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317
The buggy address belongs to the object at ffff8880123aa300
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 96 bytes inside of
freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)
Memory state around the buggy address:
ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kito Xu (veritas501) <hxzene@gmail.com>
Link: https://patch.msgid.link/20250717012843.880423-1-hxzene@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/appletalk/aarp.c | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c
index c7236daa24152..0d7c14a496681 100644
--- a/net/appletalk/aarp.c
+++ b/net/appletalk/aarp.c
@@ -35,6 +35,7 @@
#include <linux/seq_file.h>
#include <linux/export.h>
#include <linux/etherdevice.h>
+#include <linux/refcount.h>
int sysctl_aarp_expiry_time = AARP_EXPIRY_TIME;
int sysctl_aarp_tick_time = AARP_TICK_TIME;
@@ -44,6 +45,7 @@ int sysctl_aarp_resolve_time = AARP_RESOLVE_TIME;
/* Lists of aarp entries */
/**
* struct aarp_entry - AARP entry
+ * @refcnt: Reference count
* @last_sent: Last time we xmitted the aarp request
* @packet_queue: Queue of frames wait for resolution
* @status: Used for proxy AARP
@@ -55,6 +57,7 @@ int sysctl_aarp_resolve_time = AARP_RESOLVE_TIME;
* @next: Next entry in chain
*/
struct aarp_entry {
+ refcount_t refcnt;
/* These first two are only used for unresolved entries */
unsigned long last_sent;
struct sk_buff_head packet_queue;
@@ -79,6 +82,17 @@ static DEFINE_RWLOCK(aarp_lock);
/* Used to walk the list and purge/kick entries. */
static struct timer_list aarp_timer;
+static inline void aarp_entry_get(struct aarp_entry *a)
+{
+ refcount_inc(&a->refcnt);
+}
+
+static inline void aarp_entry_put(struct aarp_entry *a)
+{
+ if (refcount_dec_and_test(&a->refcnt))
+ kfree(a);
+}
+
/*
* Delete an aarp queue
*
@@ -87,7 +101,7 @@ static struct timer_list aarp_timer;
static void __aarp_expire(struct aarp_entry *a)
{
skb_queue_purge(&a->packet_queue);
- kfree(a);
+ aarp_entry_put(a);
}
/*
@@ -380,9 +394,11 @@ static void aarp_purge(void)
static struct aarp_entry *aarp_alloc(void)
{
struct aarp_entry *a = kmalloc(sizeof(*a), GFP_ATOMIC);
+ if (!a)
+ return NULL;
- if (a)
- skb_queue_head_init(&a->packet_queue);
+ refcount_set(&a->refcnt, 1);
+ skb_queue_head_init(&a->packet_queue);
return a;
}
@@ -508,6 +524,7 @@ int aarp_proxy_probe_network(struct atalk_iface *atif, struct atalk_addr *sa)
entry->dev = atif->dev;
write_lock_bh(&aarp_lock);
+ aarp_entry_get(entry);
hash = sa->s_node % (AARP_HASH_SIZE - 1);
entry->next = proxies[hash];
@@ -533,6 +550,7 @@ int aarp_proxy_probe_network(struct atalk_iface *atif, struct atalk_addr *sa)
retval = 1;
}
+ aarp_entry_put(entry);
write_unlock_bh(&aarp_lock);
out:
return retval;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 084/644] net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 083/644] net: appletalk: Fix use-after-free in AARP proxy probe Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 085/644] net: hns3: fix concurrent setting vlan filter issue Greg Kroah-Hartman
` (565 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Xiang Mei, Cong Wang,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit cf074eca0065bc5142e6004ae236bb35a2687fdf ]
might_sleep could be trigger in the atomic context in qfq_delete_class.
qfq_destroy_class was moved into atomic context locked
by sch_tree_lock to avoid a race condition bug on
qfq_aggregate. However, might_sleep could be triggered by
qfq_destroy_class, which introduced sleeping in atomic context (path:
qfq_destroy_class->qdisc_put->__qdisc_destroy->lockdep_unregister_key
->might_sleep).
Considering the race is on the qfq_aggregate objects, keeping
qfq_rm_from_agg in the lock but moving the left part out can solve
this issue.
Fixes: 5e28d5a3f774 ("net/sched: sch_qfq: Fix race condition on qfq_aggregate")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Link: https://patch.msgid.link/4a04e0cc-a64b-44e7-9213-2880ed641d77@sabinyo.mountain
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20250717230128.159766-1-xmei5@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_qfq.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index 0ef66612a5484..a00f6a9bcf367 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -538,9 +538,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
static void qfq_destroy_class(struct Qdisc *sch, struct qfq_class *cl)
{
- struct qfq_sched *q = qdisc_priv(sch);
-
- qfq_rm_from_agg(q, cl);
gen_kill_estimator(&cl->rate_est);
qdisc_put(cl->qdisc);
kfree(cl);
@@ -559,10 +556,11 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg,
qdisc_purge_queue(cl->qdisc);
qdisc_class_hash_remove(&q->clhash, &cl->common);
- qfq_destroy_class(sch, cl);
+ qfq_rm_from_agg(q, cl);
sch_tree_unlock(sch);
+ qfq_destroy_class(sch, cl);
return 0;
}
@@ -1510,6 +1508,7 @@ static void qfq_destroy_qdisc(struct Qdisc *sch)
for (i = 0; i < q->clhash.hashsize; i++) {
hlist_for_each_entry_safe(cl, next, &q->clhash.hash[i],
common.hnode) {
+ qfq_rm_from_agg(q, cl);
qfq_destroy_class(sch, cl);
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 085/644] net: hns3: fix concurrent setting vlan filter issue
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 084/644] net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 086/644] net: hns3: disable interrupt when ptp init failed Greg Kroah-Hartman
` (564 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Simon Horman,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit 4555f8f8b6aa46940f55feb6a07704c2935b6d6e ]
The vport->req_vlan_fltr_en may be changed concurrently by function
hclge_sync_vlan_fltr_state() called in periodic work task and
function hclge_enable_vport_vlan_filter() called by user configuration.
It may cause the user configuration inoperative. Fixes it by protect
the vport->req_vlan_fltr by vport_lock.
Fixes: 2ba306627f59 ("net: hns3: add support for modify VLAN filter state")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722125423.1270673-2-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../hisilicon/hns3/hns3pf/hclge_main.c | 36 +++++++++++--------
1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index a0284a9d90e89..d228e37f8b3d9 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -9709,33 +9709,36 @@ static bool hclge_need_enable_vport_vlan_filter(struct hclge_vport *vport)
return false;
}
-int hclge_enable_vport_vlan_filter(struct hclge_vport *vport, bool request_en)
+static int __hclge_enable_vport_vlan_filter(struct hclge_vport *vport,
+ bool request_en)
{
- struct hclge_dev *hdev = vport->back;
bool need_en;
int ret;
- mutex_lock(&hdev->vport_lock);
-
- vport->req_vlan_fltr_en = request_en;
-
need_en = hclge_need_enable_vport_vlan_filter(vport);
- if (need_en == vport->cur_vlan_fltr_en) {
- mutex_unlock(&hdev->vport_lock);
+ if (need_en == vport->cur_vlan_fltr_en)
return 0;
- }
ret = hclge_set_vport_vlan_filter(vport, need_en);
- if (ret) {
- mutex_unlock(&hdev->vport_lock);
+ if (ret)
return ret;
- }
vport->cur_vlan_fltr_en = need_en;
+ return 0;
+}
+
+int hclge_enable_vport_vlan_filter(struct hclge_vport *vport, bool request_en)
+{
+ struct hclge_dev *hdev = vport->back;
+ int ret;
+
+ mutex_lock(&hdev->vport_lock);
+ vport->req_vlan_fltr_en = request_en;
+ ret = __hclge_enable_vport_vlan_filter(vport, request_en);
mutex_unlock(&hdev->vport_lock);
- return 0;
+ return ret;
}
static int hclge_enable_vlan_filter(struct hnae3_handle *handle, bool enable)
@@ -10743,16 +10746,19 @@ static void hclge_sync_vlan_fltr_state(struct hclge_dev *hdev)
&vport->state))
continue;
- ret = hclge_enable_vport_vlan_filter(vport,
- vport->req_vlan_fltr_en);
+ mutex_lock(&hdev->vport_lock);
+ ret = __hclge_enable_vport_vlan_filter(vport,
+ vport->req_vlan_fltr_en);
if (ret) {
dev_err(&hdev->pdev->dev,
"failed to sync vlan filter state for vport%u, ret = %d\n",
vport->vport_id, ret);
set_bit(HCLGE_VPORT_STATE_VLAN_FLTR_CHANGE,
&vport->state);
+ mutex_unlock(&hdev->vport_lock);
return;
}
+ mutex_unlock(&hdev->vport_lock);
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 086/644] net: hns3: disable interrupt when ptp init failed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 085/644] net: hns3: fix concurrent setting vlan filter issue Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 087/644] net: hns3: fixed vf get max channels bug Greg Kroah-Hartman
` (563 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonglong Liu, Jijie Shao,
Simon Horman, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonglong Liu <liuyonglong@huawei.com>
[ Upstream commit cde304655f25d94a996c45b0f9956e7dcc2bc4c0 ]
When ptp init failed, we'd better disable the interrupt and clear the
flag, to avoid early report interrupt at next probe.
Fixes: 0bf5eb788512 ("net: hns3: add support for PTP")
Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722125423.1270673-3-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
index b7cf9fbf97183..6d7aeac600128 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
@@ -509,14 +509,14 @@ int hclge_ptp_init(struct hclge_dev *hdev)
if (ret) {
dev_err(&hdev->pdev->dev,
"failed to init freq, ret = %d\n", ret);
- goto out;
+ goto out_clear_int;
}
ret = hclge_ptp_set_ts_mode(hdev, &hdev->ptp->ts_cfg);
if (ret) {
dev_err(&hdev->pdev->dev,
"failed to init ts mode, ret = %d\n", ret);
- goto out;
+ goto out_clear_int;
}
ktime_get_real_ts64(&ts);
@@ -524,7 +524,7 @@ int hclge_ptp_init(struct hclge_dev *hdev)
if (ret) {
dev_err(&hdev->pdev->dev,
"failed to init ts time, ret = %d\n", ret);
- goto out;
+ goto out_clear_int;
}
set_bit(HCLGE_STATE_PTP_EN, &hdev->state);
@@ -532,6 +532,9 @@ int hclge_ptp_init(struct hclge_dev *hdev)
return 0;
+out_clear_int:
+ clear_bit(HCLGE_PTP_FLAG_EN, &hdev->ptp->flags);
+ hclge_ptp_int_en(hdev, false);
out:
hclge_ptp_destroy_clock(hdev);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 087/644] net: hns3: fixed vf get max channels bug
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 086/644] net: hns3: disable interrupt when ptp init failed Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 088/644] platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots Greg Kroah-Hartman
` (562 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Hao Lan, Jijie Shao,
Simon Horman, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit b3e75c0bcc53f647311960bc1b0970b9b480ca5a ]
Currently, the queried maximum of vf channels is the maximum of channels
supported by each TC. However, the actual maximum of channels is
the maximum of channels supported by the device.
Fixes: 849e46077689 ("net: hns3: add ethtool_ops.get_channels support for VF")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Hao Lan <lanhao@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722125423.1270673-4-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
index 628d5c5ad75de..94e615177ff14 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
@@ -3571,11 +3571,7 @@ static void hclgevf_uninit_ae_dev(struct hnae3_ae_dev *ae_dev)
static u32 hclgevf_get_max_channels(struct hclgevf_dev *hdev)
{
- struct hnae3_handle *nic = &hdev->nic;
- struct hnae3_knic_private_info *kinfo = &nic->kinfo;
-
- return min_t(u32, hdev->rss_size_max,
- hdev->num_tqps / kinfo->tc_info.num_tc);
+ return min(hdev->rss_size_max, hdev->num_tqps);
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 088/644] platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 087/644] net: hns3: fixed vf get max channels bug Greg Kroah-Hartman
@ 2025-08-26 11:02 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 089/644] i2c: qup: jump out of the loop in case of timeout Greg Kroah-Hartman
` (561 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rong Zhang, Hans de Goede,
Ilpo Järvinen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rong Zhang <i@rong.moe>
commit e10981075adce203eac0be866389309eeb8ef11e upstream.
On some models supported by ideapad-laptop, the HW/FW can remember the
state of keyboard backlight among boots. However, it is always turned
off while shutting down, as a side effect of the LED class device
unregistering sequence.
This is inconvenient for users who always prefer turning on the
keyboard backlight. Thus, set LED_RETAIN_AT_SHUTDOWN on the LED class
device so that the state of keyboard backlight gets remembered, which
also aligns with the behavior of manufacturer utilities on Windows.
Fixes: 503325f84bc0 ("platform/x86: ideapad-laptop: add keyboard backlight control support")
Cc: stable@vger.kernel.org
Signed-off-by: Rong Zhang <i@rong.moe>
Reviewed-by: Hans de Goede <hansg@kernel.org>
Link: https://lore.kernel.org/r/20250707163808.155876-3-i@rong.moe
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/ideapad-laptop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/platform/x86/ideapad-laptop.c
+++ b/drivers/platform/x86/ideapad-laptop.c
@@ -1357,7 +1357,7 @@ static int ideapad_kbd_bl_init(struct id
priv->kbd_bl.led.max_brightness = 1;
priv->kbd_bl.led.brightness_get = ideapad_kbd_bl_led_cdev_brightness_get;
priv->kbd_bl.led.brightness_set_blocking = ideapad_kbd_bl_led_cdev_brightness_set;
- priv->kbd_bl.led.flags = LED_BRIGHT_HW_CHANGED;
+ priv->kbd_bl.led.flags = LED_BRIGHT_HW_CHANGED | LED_RETAIN_AT_SHUTDOWN;
err = led_classdev_register(&priv->platform_device->dev, &priv->kbd_bl.led);
if (err)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 089/644] i2c: qup: jump out of the loop in case of timeout
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2025-08-26 11:02 ` [PATCH 5.15 088/644] platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 090/644] i2c: virtio: Avoid hang by using interruptible completion wait Greg Kroah-Hartman
` (560 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Xiwen, Andi Shyti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Xiwen <forbidden405@outlook.com>
commit a7982a14b3012527a9583d12525cd0dc9f8d8934 upstream.
Original logic only sets the return value but doesn't jump out of the
loop if the bus is kept active by a client. This is not expected. A
malicious or buggy i2c client can hang the kernel in this case and
should be avoided. This is observed during a long time test with a
PCA953x GPIO extender.
Fix it by changing the logic to not only sets the return value, but also
jumps out of the loop and return to the caller with -ETIMEDOUT.
Fixes: fbfab1ab0658 ("i2c: qup: reorganization of driver code to remove polling for qup v1")
Signed-off-by: Yang Xiwen <forbidden405@outlook.com>
Cc: <stable@vger.kernel.org> # v4.17+
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20250616-qca-i2c-v1-1-2a8d37ee0a30@outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-qup.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-qup.c
+++ b/drivers/i2c/busses/i2c-qup.c
@@ -452,8 +452,10 @@ static int qup_i2c_bus_active(struct qup
if (!(status & I2C_STATUS_BUS_ACTIVE))
break;
- if (time_after(jiffies, timeout))
+ if (time_after(jiffies, timeout)) {
ret = -ETIMEDOUT;
+ break;
+ }
usleep_range(len, len * 2);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 090/644] i2c: virtio: Avoid hang by using interruptible completion wait
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 089/644] i2c: qup: jump out of the loop in case of timeout Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 091/644] bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() Greg Kroah-Hartman
` (559 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Viresh Kumar, Andi Shyti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
commit a663b3c47ab10f66130818cf94eb59c971541c3f upstream.
The current implementation uses wait_for_completion(), which can cause
the caller to hang indefinitely if the transfer never completes.
Switch to wait_for_completion_interruptible() so that the operation can
be interrupted by signals.
Fixes: 84e1d0bf1d71 ("i2c: virtio: disable timeout handling")
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Cc: <stable@vger.kernel.org> # v5.16+
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/b8944e9cab8eb959d888ae80add6f2a686159ba2.1751541962.git.viresh.kumar@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-virtio.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
--- a/drivers/i2c/busses/i2c-virtio.c
+++ b/drivers/i2c/busses/i2c-virtio.c
@@ -118,15 +118,16 @@ static int virtio_i2c_complete_reqs(stru
for (i = 0; i < num; i++) {
struct virtio_i2c_req *req = &reqs[i];
- wait_for_completion(&req->completion);
-
- if (!failed && req->in_hdr.status != VIRTIO_I2C_MSG_OK)
- failed = true;
+ if (!failed) {
+ if (wait_for_completion_interruptible(&req->completion))
+ failed = true;
+ else if (req->in_hdr.status != VIRTIO_I2C_MSG_OK)
+ failed = true;
+ else
+ j++;
+ }
i2c_put_dma_safe_msg_buf(reqs[i].buf, &msgs[i], !failed);
-
- if (!failed)
- j++;
}
return j;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 091/644] bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 090/644] i2c: virtio: Avoid hang by using interruptible completion wait Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 092/644] ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx Greg Kroah-Hartman
` (558 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Ioana Ciornei, Simon Horman,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit bddbe13d36a02d5097b99cf02354d5752ad1ac60 upstream.
The fsl_mc_get_endpoint() function may call fsl_mc_device_lookup()
twice, which would increment the device's reference count twice if
both lookups find a device. This could lead to a reference count leak.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 1ac210d128ef ("bus: fsl-mc: add the fsl_mc_get_endpoint function")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: 8567494cebe5 ("bus: fsl-mc: rescan devices if endpoint not found")
Link: https://patch.msgid.link/20250717022309.3339976-1-make24@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/fsl-mc/fsl-mc-bus.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
@@ -944,6 +944,7 @@ struct fsl_mc_device *fsl_mc_get_endpoin
struct fsl_mc_obj_desc endpoint_desc = {{ 0 }};
struct dprc_endpoint endpoint1 = {{ 0 }};
struct dprc_endpoint endpoint2 = {{ 0 }};
+ struct fsl_mc_bus *mc_bus;
int state, err;
mc_bus_dev = to_fsl_mc_device(mc_dev->dev.parent);
@@ -967,6 +968,8 @@ struct fsl_mc_device *fsl_mc_get_endpoin
strcpy(endpoint_desc.type, endpoint2.type);
endpoint_desc.id = endpoint2.id;
endpoint = fsl_mc_device_lookup(&endpoint_desc, mc_bus_dev);
+ if (endpoint)
+ return endpoint;
/*
* We know that the device has an endpoint because we verified by
@@ -974,17 +977,13 @@ struct fsl_mc_device *fsl_mc_get_endpoin
* yet discovered by the fsl-mc bus, thus the lookup returned NULL.
* Force a rescan of the devices in this container and retry the lookup.
*/
- if (!endpoint) {
- struct fsl_mc_bus *mc_bus = to_fsl_mc_bus(mc_bus_dev);
-
- if (mutex_trylock(&mc_bus->scan_mutex)) {
- err = dprc_scan_objects(mc_bus_dev, true);
- mutex_unlock(&mc_bus->scan_mutex);
- }
-
- if (err < 0)
- return ERR_PTR(err);
+ mc_bus = to_fsl_mc_bus(mc_bus_dev);
+ if (mutex_trylock(&mc_bus->scan_mutex)) {
+ err = dprc_scan_objects(mc_bus_dev, true);
+ mutex_unlock(&mc_bus->scan_mutex);
}
+ if (err < 0)
+ return ERR_PTR(err);
endpoint = fsl_mc_device_lookup(&endpoint_desc, mc_bus_dev);
/*
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 092/644] ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 091/644] bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 093/644] dpaa2-eth: Fix device reference count leak in MAC endpoint handling Greg Kroah-Hartman
` (557 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dawid Rezler, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawid Rezler <dawidrezler.patches@gmail.com>
commit 9744ede7099e8a69c04aa23fbea44c15bc390c04 upstream.
The mute LED on the HP Pavilion Laptop 15-eg0xxx,
which uses the ALC287 codec, didn't work.
This patch fixes the issue by enabling the ALC287_FIXUP_HP_GPIO_LED quirk.
Tested on a physical device, the LED now works as intended.
Signed-off-by: Dawid Rezler <dawidrezler.patches@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250720154907.80815-2-dawidrezler.patches@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9350,6 +9350,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x103c, 0x8788, "HP OMEN 15", ALC285_FIXUP_HP_MUTE_LED),
SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87cc, "HP Pavilion 15-eg0xxx", ALC287_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 093/644] dpaa2-eth: Fix device reference count leak in MAC endpoint handling
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 092/644] ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 094/644] dpaa2-switch: " Greg Kroah-Hartman
` (556 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Ioana Ciornei, Simon Horman,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit ee9f3a81ab08dfe0538dbd1746f81fd4d5147fdc upstream.
The fsl_mc_get_endpoint() function uses device_find_child() for
localization, which implicitly calls get_device() to increment the
device's reference count before returning the pointer. However, the
caller dpaa2_eth_connect_mac() fails to properly release this
reference in multiple scenarios. We should call put_device() to
decrement reference count properly.
As comment of device_find_child() says, 'NOTE: you will need to drop
the reference with put_device() after use'.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 719479230893 ("dpaa2-eth: add MAC/PHY support through phylink")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250717022309.3339976-2-make24@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
@@ -4228,12 +4228,19 @@ static int dpaa2_eth_connect_mac(struct
if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER)
return PTR_ERR(dpmac_dev);
- if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type)
+ if (IS_ERR(dpmac_dev))
return 0;
+ if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) {
+ err = 0;
+ goto out_put_device;
+ }
+
mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL);
- if (!mac)
- return -ENOMEM;
+ if (!mac) {
+ err = -ENOMEM;
+ goto out_put_device;
+ }
mac->mc_dev = dpmac_dev;
mac->mc_io = priv->mc_io;
@@ -4260,6 +4267,8 @@ err_close_mac:
priv->mac = NULL;
err_free_mac:
kfree(mac);
+out_put_device:
+ put_device(&dpmac_dev->dev);
return err;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 094/644] dpaa2-switch: Fix device reference count leak in MAC endpoint handling
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 093/644] dpaa2-eth: Fix device reference count leak in MAC endpoint handling Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 095/644] e1000e: disregard NVM checksum on tgp when valid checksum bit is not set Greg Kroah-Hartman
` (555 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Ioana Ciornei, Simon Horman,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 96e056ffba912ef18a72177f71956a5b347b5177 upstream.
The fsl_mc_get_endpoint() function uses device_find_child() for
localization, which implicitly calls get_device() to increment the
device's reference count before returning the pointer. However, the
caller dpaa2_switch_port_connect_mac() fails to properly release this
reference in multiple scenarios. We should call put_device() to
decrement reference count properly.
As comment of device_find_child() says, 'NOTE: you will need to drop
the reference with put_device() after use'.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 84cba72956fd ("dpaa2-switch: integrate the MAC endpoint support")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250717022309.3339976-3-make24@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
@@ -1435,12 +1435,19 @@ static int dpaa2_switch_port_connect_mac
if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER)
return PTR_ERR(dpmac_dev);
- if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type)
+ if (IS_ERR(dpmac_dev))
return 0;
+ if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) {
+ err = 0;
+ goto out_put_device;
+ }
+
mac = kzalloc(sizeof(*mac), GFP_KERNEL);
- if (!mac)
- return -ENOMEM;
+ if (!mac) {
+ err = -ENOMEM;
+ goto out_put_device;
+ }
mac->mc_dev = dpmac_dev;
mac->mc_io = port_priv->ethsw_data->mc_io;
@@ -1468,6 +1475,8 @@ err_close_mac:
port_priv->mac = NULL;
err_free_mac:
kfree(mac);
+out_put_device:
+ put_device(&dpmac_dev->dev);
return err;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 095/644] e1000e: disregard NVM checksum on tgp when valid checksum bit is not set
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 094/644] dpaa2-switch: " Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 096/644] e1000e: ignore uninitialized checksum word on tgp Greg Kroah-Hartman
` (554 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacek Kowalski, Simon Horman,
Vitaly Lifshits, Mor Bar-Gabay, Tony Nguyen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacek Kowalski <jacek@jacekk.info>
commit 536fd741c7ac907d63166cdae1081b1febfab613 upstream.
As described by Vitaly Lifshits:
> Starting from Tiger Lake, LAN NVM is locked for writes by SW, so the
> driver cannot perform checksum validation and correction. This means
> that all NVM images must leave the factory with correct checksum and
> checksum valid bit set. Since Tiger Lake devices were the first to have
> this lock, some systems in the field did not meet this requirement.
> Therefore, for these transitional devices we skip checksum update and
> verification, if the valid bit is not set.
Signed-off-by: Jacek Kowalski <jacek@jacekk.info>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
Fixes: 4051f68318ca9 ("e1000e: Do not take care about recovery NVM checksum")
Cc: stable@vger.kernel.org
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
+++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
@@ -4146,6 +4146,8 @@ static s32 e1000_validate_nvm_checksum_i
ret_val = e1000e_update_nvm_checksum(hw);
if (ret_val)
return ret_val;
+ } else if (hw->mac.type == e1000_pch_tgp) {
+ return 0;
}
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 096/644] e1000e: ignore uninitialized checksum word on tgp
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 095/644] e1000e: disregard NVM checksum on tgp when valid checksum bit is not set Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 097/644] gve: Fix stuck TX queue for DQ queue format Greg Kroah-Hartman
` (553 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacek Kowalski, Vlad URSU,
Simon Horman, Vitaly Lifshits, Mor Bar-Gabay, Tony Nguyen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacek Kowalski <jacek@jacekk.info>
commit 61114910a5f6a71d0b6ea3b95082dfe031b19dfe upstream.
As described by Vitaly Lifshits:
> Starting from Tiger Lake, LAN NVM is locked for writes by SW, so the
> driver cannot perform checksum validation and correction. This means
> that all NVM images must leave the factory with correct checksum and
> checksum valid bit set.
Unfortunately some systems have left the factory with an uninitialized
value of 0xFFFF at register address 0x3F (checksum word location).
So on Tiger Lake platform we ignore the computed checksum when such
condition is encountered.
Signed-off-by: Jacek Kowalski <jacek@jacekk.info>
Tested-by: Vlad URSU <vlad@ursu.me>
Fixes: 4051f68318ca9 ("e1000e: Do not take care about recovery NVM checksum")
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/e1000e/defines.h | 3 +++
drivers/net/ethernet/intel/e1000e/nvm.c | 6 ++++++
2 files changed, 9 insertions(+)
--- a/drivers/net/ethernet/intel/e1000e/defines.h
+++ b/drivers/net/ethernet/intel/e1000e/defines.h
@@ -638,6 +638,9 @@
/* For checksumming, the sum of all words in the NVM should equal 0xBABA. */
#define NVM_SUM 0xBABA
+/* Uninitialized ("empty") checksum word value */
+#define NVM_CHECKSUM_UNINITIALIZED 0xFFFF
+
/* PBA (printed board assembly) number words */
#define NVM_PBA_OFFSET_0 8
#define NVM_PBA_OFFSET_1 9
--- a/drivers/net/ethernet/intel/e1000e/nvm.c
+++ b/drivers/net/ethernet/intel/e1000e/nvm.c
@@ -558,6 +558,12 @@ s32 e1000e_validate_nvm_checksum_generic
checksum += nvm_data;
}
+ if (hw->mac.type == e1000_pch_tgp &&
+ nvm_data == NVM_CHECKSUM_UNINITIALIZED) {
+ e_dbg("Uninitialized NVM Checksum on TGP platform - ignoring\n");
+ return 0;
+ }
+
if (checksum != (u16)NVM_SUM) {
e_dbg("NVM Checksum Invalid\n");
return -E1000_ERR_NVM;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 097/644] gve: Fix stuck TX queue for DQ queue format
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 096/644] e1000e: ignore uninitialized checksum word on tgp Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 098/644] nilfs2: reject invalid file types when reading inodes Greg Kroah-Hartman
` (552 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Hostetler, Praveen Kaligineedi,
Harshitha Ramamurthy, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Praveen Kaligineedi <pkaligineedi@google.com>
commit b03f15c0192b184078206760c839054ae6eb4eaa upstream.
gve_tx_timeout was calculating missed completions in a way that is only
relevant in the GQ queue format. Additionally, it was attempting to
disable device interrupts, which is not needed in either GQ or DQ queue
formats.
As a result, TX timeouts with the DQ queue format likely would have
triggered early resets without kicking the queue at all.
This patch drops the check for pending work altogether and always kicks
the queue after validating the queue has not seen a TX timeout too
recently.
Cc: stable@vger.kernel.org
Fixes: 87a7f321bb6a ("gve: Recover from queue stall due to missed IRQ")
Co-developed-by: Tim Hostetler <thostet@google.com>
Signed-off-by: Tim Hostetler <thostet@google.com>
Signed-off-by: Praveen Kaligineedi <pkaligineedi@google.com>
Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
Link: https://patch.msgid.link/20250717192024.1820931-1-hramamurthy@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/google/gve/gve_main.c | 71 +++++++++++++++--------------
1 file changed, 39 insertions(+), 32 deletions(-)
--- a/drivers/net/ethernet/google/gve/gve_main.c
+++ b/drivers/net/ethernet/google/gve/gve_main.c
@@ -1111,49 +1111,56 @@ static void gve_turnup(struct gve_priv *
gve_set_napi_enabled(priv);
}
-static void gve_tx_timeout(struct net_device *dev, unsigned int txqueue)
+static struct gve_notify_block *gve_get_tx_notify_block(struct gve_priv *priv,
+ unsigned int txqueue)
{
- struct gve_notify_block *block;
- struct gve_tx_ring *tx = NULL;
- struct gve_priv *priv;
- u32 last_nic_done;
- u32 current_time;
u32 ntfy_idx;
- netdev_info(dev, "Timeout on tx queue, %d", txqueue);
- priv = netdev_priv(dev);
if (txqueue > priv->tx_cfg.num_queues)
- goto reset;
+ return NULL;
ntfy_idx = gve_tx_idx_to_ntfy(priv, txqueue);
if (ntfy_idx >= priv->num_ntfy_blks)
- goto reset;
+ return NULL;
+
+ return &priv->ntfy_blocks[ntfy_idx];
+}
+
+static bool gve_tx_timeout_try_q_kick(struct gve_priv *priv,
+ unsigned int txqueue)
+{
+ struct gve_notify_block *block;
+ u32 current_time;
- block = &priv->ntfy_blocks[ntfy_idx];
- tx = block->tx;
+ block = gve_get_tx_notify_block(priv, txqueue);
+
+ if (!block)
+ return false;
current_time = jiffies_to_msecs(jiffies);
- if (tx->last_kick_msec + MIN_TX_TIMEOUT_GAP > current_time)
- goto reset;
+ if (block->tx->last_kick_msec + MIN_TX_TIMEOUT_GAP > current_time)
+ return false;
+
+ netdev_info(priv->dev, "Kicking queue %d", txqueue);
+ napi_schedule(&block->napi);
+ block->tx->last_kick_msec = current_time;
+ return true;
+}
+
+static void gve_tx_timeout(struct net_device *dev, unsigned int txqueue)
+{
+ struct gve_notify_block *block;
+ struct gve_priv *priv;
+
+ netdev_info(dev, "Timeout on tx queue, %d", txqueue);
+ priv = netdev_priv(dev);
+
+ if (!gve_tx_timeout_try_q_kick(priv, txqueue))
+ gve_schedule_reset(priv);
- /* Check to see if there are missed completions, which will allow us to
- * kick the queue.
- */
- last_nic_done = gve_tx_load_event_counter(priv, tx);
- if (last_nic_done - tx->done) {
- netdev_info(dev, "Kicking queue %d", txqueue);
- iowrite32be(GVE_IRQ_MASK, gve_irq_doorbell(priv, block));
- napi_schedule(&block->napi);
- tx->last_kick_msec = current_time;
- goto out;
- } // Else reset.
-
-reset:
- gve_schedule_reset(priv);
-
-out:
- if (tx)
- tx->queue_timeout++;
+ block = gve_get_tx_notify_block(priv, txqueue);
+ if (block)
+ block->tx->queue_timeout++;
priv->tx_timeo_cnt++;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 098/644] nilfs2: reject invalid file types when reading inodes
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 097/644] gve: Fix stuck TX queue for DQ queue format Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 099/644] mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n Greg Kroah-Hartman
` (551 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi,
syzbot+895c23f6917da440ed0d, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit 4aead50caf67e01020c8be1945c3201e8a972a27 upstream.
To prevent inodes with invalid file types from tripping through the vfs
and causing malfunctions or assertion failures, add a missing sanity check
when reading an inode from a block device. If the file type is not valid,
treat it as a filesystem error.
Link: https://lkml.kernel.org/r/20250710134952.29862-1-konishi.ryusuke@gmail.com
Fixes: 05fe58fdc10d ("nilfs2: inode operations")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/inode.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -517,11 +517,18 @@ static int __nilfs_read_inode(struct sup
inode->i_op = &nilfs_symlink_inode_operations;
inode_nohighmem(inode);
inode->i_mapping->a_ops = &nilfs_aops;
- } else {
+ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) ||
+ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
inode->i_op = &nilfs_special_inode_operations;
init_special_inode(
inode, inode->i_mode,
huge_decode_dev(le64_to_cpu(raw_inode->i_device_code)));
+ } else {
+ nilfs_error(sb,
+ "invalid file type bits in mode 0%o for inode %lu",
+ inode->i_mode, ino);
+ err = -EIO;
+ goto failed_unmap;
}
nilfs_ifile_unmap_inode(root->ifile, ino, bh);
brelse(bh);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 099/644] mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 098/644] nilfs2: reject invalid file types when reading inodes Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 100/644] usb: typec: tcpm: allow to use sink in accessory mode Greg Kroah-Hartman
` (550 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harry Yoo, David Hildenbrand,
Sergey Senozhatsky, Minchan Kim, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harry Yoo <harry.yoo@oracle.com>
commit 694d6b99923eb05a8fd188be44e26077d19f0e21 upstream.
Commit 48b4800a1c6a ("zsmalloc: page migration support") added support for
migrating zsmalloc pages using the movable_operations migration framework.
However, the commit did not take into account that zsmalloc supports
migration only when CONFIG_COMPACTION is enabled. Tracing shows that
zsmalloc was still passing the __GFP_MOVABLE flag even when compaction is
not supported.
This can result in unmovable pages being allocated from movable page
blocks (even without stealing page blocks), ZONE_MOVABLE and CMA area.
Possible user visible effects:
- Some ZONE_MOVABLE memory can be not actually movable
- CMA allocation can fail because of this
- Increased memory fragmentation due to ignoring the page mobility
grouping feature
I'm not really sure who uses kernels without compaction support, though :(
To fix this, clear the __GFP_MOVABLE flag when
!IS_ENABLED(CONFIG_COMPACTION).
Link: https://lkml.kernel.org/r/20250704103053.6913-1-harry.yoo@oracle.com
Fixes: 48b4800a1c6a ("zsmalloc: page migration support")
Signed-off-by: Harry Yoo <harry.yoo@oracle.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/zsmalloc.c | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1064,6 +1064,9 @@ static struct zspage *alloc_zspage(struc
if (!zspage)
return NULL;
+ if (!IS_ENABLED(CONFIG_COMPACTION))
+ gfp &= ~__GFP_MOVABLE;
+
zspage->magic = ZSPAGE_MAGIC;
migrate_lock_init(zspage);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 100/644] usb: typec: tcpm: allow to use sink in accessory mode
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 099/644] mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 101/644] usb: typec: tcpm: allow switching to mode accessory to mux properly Greg Kroah-Hartman
` (549 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Grzeschik, Heikki Krogerus,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Grzeschik <m.grzeschik@pengutronix.de>
commit 64843d0ba96d3eae297025562111d57585273366 upstream.
Since the function tcpm_acc_attach is not setting the data and role for
for the sink case we extend it to check for it first.
Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250404-ml-topic-tcpm-v1-1-b99f44badce8@pengutronix.de
Stable-dep-of: bec15191d523 ("usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -3794,12 +3794,17 @@ static void tcpm_snk_detach(struct tcpm_
static int tcpm_acc_attach(struct tcpm_port *port)
{
int ret;
+ enum typec_role role;
+ enum typec_data_role data;
if (port->attached)
return 0;
- ret = tcpm_set_roles(port, true, TYPEC_SOURCE,
- tcpm_data_role_for_source(port));
+ role = tcpm_port_is_sink(port) ? TYPEC_SINK : TYPEC_SOURCE;
+ data = tcpm_port_is_sink(port) ? tcpm_data_role_for_sink(port)
+ : tcpm_data_role_for_source(port);
+
+ ret = tcpm_set_roles(port, true, role, data);
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 101/644] usb: typec: tcpm: allow switching to mode accessory to mux properly
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 100/644] usb: typec: tcpm: allow to use sink in accessory mode Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 102/644] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach Greg Kroah-Hartman
` (548 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Grzeschik, Heikki Krogerus,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Grzeschik <m.grzeschik@pengutronix.de>
commit 8a50da849151e7e12b43c1d8fe7ad302223aef6b upstream.
The funciton tcpm_acc_attach is not setting the proper state when
calling tcpm_set_role. The function tcpm_set_role is currently only
handling TYPEC_STATE_USB. For the tcpm_acc_attach to switch into other
modal states tcpm_set_role needs to be extended by an extra state
parameter. This patch is handling the proper state change when calling
tcpm_acc_attach.
Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250404-ml-topic-tcpm-v1-3-b99f44badce8@pengutronix.de
Stable-dep-of: bec15191d523 ("usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1024,7 +1024,7 @@ static int tcpm_set_attached_state(struc
port->data_role);
}
-static int tcpm_set_roles(struct tcpm_port *port, bool attached,
+static int tcpm_set_roles(struct tcpm_port *port, bool attached, int state,
enum typec_role role, enum typec_data_role data)
{
enum typec_orientation orientation;
@@ -1061,7 +1061,7 @@ static int tcpm_set_roles(struct tcpm_po
}
}
- ret = tcpm_mux_set(port, TYPEC_STATE_USB, usb_role, orientation);
+ ret = tcpm_mux_set(port, state, usb_role, orientation);
if (ret < 0)
return ret;
@@ -3622,7 +3622,8 @@ static int tcpm_src_attach(struct tcpm_p
tcpm_enable_auto_vbus_discharge(port, true);
- ret = tcpm_set_roles(port, true, TYPEC_SOURCE, tcpm_data_role_for_source(port));
+ ret = tcpm_set_roles(port, true, TYPEC_STATE_USB,
+ TYPEC_SOURCE, tcpm_data_role_for_source(port));
if (ret < 0)
return ret;
@@ -3772,7 +3773,8 @@ static int tcpm_snk_attach(struct tcpm_p
tcpm_enable_auto_vbus_discharge(port, true);
- ret = tcpm_set_roles(port, true, TYPEC_SINK, tcpm_data_role_for_sink(port));
+ ret = tcpm_set_roles(port, true, TYPEC_STATE_USB,
+ TYPEC_SINK, tcpm_data_role_for_sink(port));
if (ret < 0)
return ret;
@@ -3796,6 +3798,7 @@ static int tcpm_acc_attach(struct tcpm_p
int ret;
enum typec_role role;
enum typec_data_role data;
+ int state = TYPEC_STATE_USB;
if (port->attached)
return 0;
@@ -3804,7 +3807,13 @@ static int tcpm_acc_attach(struct tcpm_p
data = tcpm_port_is_sink(port) ? tcpm_data_role_for_sink(port)
: tcpm_data_role_for_source(port);
- ret = tcpm_set_roles(port, true, role, data);
+ if (tcpm_port_is_audio(port))
+ state = TYPEC_MODE_AUDIO;
+
+ if (tcpm_port_is_debug(port))
+ state = TYPEC_MODE_DEBUG;
+
+ ret = tcpm_set_roles(port, true, state, role, data);
if (ret < 0)
return ret;
@@ -4484,7 +4493,7 @@ static void run_state_machine(struct tcp
*/
tcpm_set_vconn(port, false);
tcpm_set_vbus(port, false);
- tcpm_set_roles(port, port->self_powered, TYPEC_SOURCE,
+ tcpm_set_roles(port, port->self_powered, TYPEC_STATE_USB, TYPEC_SOURCE,
tcpm_data_role_for_source(port));
/*
* If tcpc fails to notify vbus off, TCPM will wait for PD_T_SAFE_0V +
@@ -4516,7 +4525,7 @@ static void run_state_machine(struct tcp
tcpm_set_vconn(port, false);
if (port->pd_capable)
tcpm_set_charge(port, false);
- tcpm_set_roles(port, port->self_powered, TYPEC_SINK,
+ tcpm_set_roles(port, port->self_powered, TYPEC_STATE_USB, TYPEC_SINK,
tcpm_data_role_for_sink(port));
/*
* VBUS may or may not toggle, depending on the adapter.
@@ -4615,10 +4624,10 @@ static void run_state_machine(struct tcp
case DR_SWAP_CHANGE_DR:
tcpm_unregister_altmodes(port);
if (port->data_role == TYPEC_HOST)
- tcpm_set_roles(port, true, port->pwr_role,
+ tcpm_set_roles(port, true, TYPEC_STATE_USB, port->pwr_role,
TYPEC_DEVICE);
else
- tcpm_set_roles(port, true, port->pwr_role,
+ tcpm_set_roles(port, true, TYPEC_STATE_USB, port->pwr_role,
TYPEC_HOST);
tcpm_ams_finish(port);
tcpm_set_state(port, ready_state(port), 0);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 102/644] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 101/644] usb: typec: tcpm: allow switching to mode accessory to mux properly Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 103/644] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode() Greg Kroah-Hartman
` (547 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, RD Babiera,
Badhri Jagan Sridharan, Heikki Krogerus, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: RD Babiera <rdbabiera@google.com>
commit bec15191d52300defa282e3fd83820f69e447116 upstream.
This patch fixes Type-C compliance test TD 4.7.6 - Try.SNK DRP Connect
SNKAS.
tVbusON has a limit of 275ms when entering SRC_ATTACHED. Compliance
testers can interpret the TryWait.Src to Attached.Src transition after
Try.Snk as being in Attached.Src the entire time, so ~170ms is lost
to the debounce timer.
Setting the data role can be a costly operation in host mode, and when
completed after 100ms can cause Type-C compliance test check TD 4.7.5.V.4
to fail.
Turn VBUS on before tcpm_set_roles to meet timing requirement.
Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
Cc: stable <stable@kernel.org>
Signed-off-by: RD Babiera <rdbabiera@google.com>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250618230606.3272497-2-rdbabiera@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -3622,17 +3622,6 @@ static int tcpm_src_attach(struct tcpm_p
tcpm_enable_auto_vbus_discharge(port, true);
- ret = tcpm_set_roles(port, true, TYPEC_STATE_USB,
- TYPEC_SOURCE, tcpm_data_role_for_source(port));
- if (ret < 0)
- return ret;
-
- if (port->pd_supported) {
- ret = port->tcpc->set_pd_rx(port->tcpc, true);
- if (ret < 0)
- goto out_disable_mux;
- }
-
/*
* USB Type-C specification, version 1.2,
* chapter 4.5.2.2.8.1 (Attached.SRC Requirements)
@@ -3642,13 +3631,24 @@ static int tcpm_src_attach(struct tcpm_p
(polarity == TYPEC_POLARITY_CC2 && port->cc1 == TYPEC_CC_RA)) {
ret = tcpm_set_vconn(port, true);
if (ret < 0)
- goto out_disable_pd;
+ return ret;
}
ret = tcpm_set_vbus(port, true);
if (ret < 0)
goto out_disable_vconn;
+ ret = tcpm_set_roles(port, true, TYPEC_STATE_USB, TYPEC_SOURCE,
+ tcpm_data_role_for_source(port));
+ if (ret < 0)
+ goto out_disable_vbus;
+
+ if (port->pd_supported) {
+ ret = port->tcpc->set_pd_rx(port->tcpc, true);
+ if (ret < 0)
+ goto out_disable_mux;
+ }
+
port->pd_capable = false;
port->partner = NULL;
@@ -3658,14 +3658,14 @@ static int tcpm_src_attach(struct tcpm_p
return 0;
-out_disable_vconn:
- tcpm_set_vconn(port, false);
-out_disable_pd:
- if (port->pd_supported)
- port->tcpc->set_pd_rx(port->tcpc, false);
out_disable_mux:
tcpm_mux_set(port, TYPEC_STATE_SAFE, USB_ROLE_NONE,
TYPEC_ORIENTATION_NONE);
+out_disable_vbus:
+ tcpm_set_vbus(port, false);
+out_disable_vconn:
+ tcpm_set_vconn(port, false);
+
return ret;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 103/644] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 102/644] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 104/644] jfs: reject on-disk inodes of an unsupported type Greg Kroah-Hartman
` (546 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Zhivich
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Zhivich <mzhivich@akamai.com>
For kernels compiled with CONFIG_INIT_STACK_NONE=y, the value of __reserved
field in zen_patch_rev union on the stack may be garbage. If so, it will
prevent correct microcode check when consulting p.ucode_rev, resulting in
incorrect mitigation selection.
This is a stable-only fix.
Cc: <stable@vger.kernel.org>
Signed-off-by: Michael Zhivich <mzhivich@akamai.com>
Fixes: f2b75f1368af ("x86/bugs: Add a Transient Scheduler Attacks mitigation")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/amd.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -592,6 +592,8 @@ static bool amd_check_tsa_microcode(void
p.model = c->x86_model;
p.ext_model = c->x86_model >> 4;
p.stepping = c->x86_stepping;
+ /* reserved bits are expected to be 0 in test below */
+ p.__reserved = 0;
if (c->x86 == 0x19) {
switch (p.ucode_rev >> 8) {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 104/644] jfs: reject on-disk inodes of an unsupported type
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 103/644] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode() Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 105/644] comedi: comedi_test: Fix possible deletion of uninitialized timers Greg Kroah-Hartman
` (545 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ac2116e48989e84a2893,
Dmitry Antipov, Dave Kleikamp, Aditya Dutt
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
commit 8c3f9a70d2d4dd6c640afe294b05c6a0a45434d9 upstream.
Syzbot has reported the following BUG:
kernel BUG at fs/inode.c:668!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 3 UID: 0 PID: 139 Comm: jfsCommit Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
RIP: 0010:clear_inode+0x168/0x190
Code: 4c 89 f7 e8 ba fe e5 ff e9 61 ff ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 7c c1 4c 89 f7 e8 90 ff e5 ff eb b7
0b e8 01 5d 7f ff 90 0f 0b e8 f9 5c 7f ff 90 0f 0b e8 f1 5c 7f
RSP: 0018:ffffc900027dfae8 EFLAGS: 00010093
RAX: ffffffff82157a87 RBX: 0000000000000001 RCX: ffff888104d4b980
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc900027dfc90 R08: ffffffff82157977 R09: fffff520004fbf38
R10: dffffc0000000000 R11: fffff520004fbf38 R12: dffffc0000000000
R13: ffff88811315bc00 R14: ffff88811315bda8 R15: ffff88811315bb80
FS: 0000000000000000(0000) GS:ffff888135f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005565222e0578 CR3: 0000000026ef0000 CR4: 00000000000006f0
Call Trace:
<TASK>
? __die_body+0x5f/0xb0
? die+0x9e/0xc0
? do_trap+0x15a/0x3a0
? clear_inode+0x168/0x190
? do_error_trap+0x1dc/0x2c0
? clear_inode+0x168/0x190
? __pfx_do_error_trap+0x10/0x10
? report_bug+0x3cd/0x500
? handle_invalid_op+0x34/0x40
? clear_inode+0x168/0x190
? exc_invalid_op+0x38/0x50
? asm_exc_invalid_op+0x1a/0x20
? clear_inode+0x57/0x190
? clear_inode+0x167/0x190
? clear_inode+0x168/0x190
? clear_inode+0x167/0x190
jfs_evict_inode+0xb5/0x440
? __pfx_jfs_evict_inode+0x10/0x10
evict+0x4ea/0x9b0
? __pfx_evict+0x10/0x10
? iput+0x713/0xa50
txUpdateMap+0x931/0xb10
? __pfx_txUpdateMap+0x10/0x10
jfs_lazycommit+0x49a/0xb80
? _raw_spin_unlock_irqrestore+0x8f/0x140
? lockdep_hardirqs_on+0x99/0x150
? __pfx_jfs_lazycommit+0x10/0x10
? __pfx_default_wake_function+0x10/0x10
? __kthread_parkme+0x169/0x1d0
? __pfx_jfs_lazycommit+0x10/0x10
kthread+0x2f2/0x390
? __pfx_jfs_lazycommit+0x10/0x10
? __pfx_kthread+0x10/0x10
ret_from_fork+0x4d/0x80
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
This happens when 'clear_inode()' makes an attempt to finalize an underlying
JFS inode of unknown type. According to JFS layout description from
https://jfs.sourceforge.net/project/pub/jfslayout.pdf, inode types from 5 to
15 are reserved for future extensions and should not be encountered on a valid
filesystem. So add an extra check for valid inode type in 'copy_from_dinode()'.
Reported-by: syzbot+ac2116e48989e84a2893@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ac2116e48989e84a2893
Fixes: 79ac5a46c5c1 ("jfs_lookup(): don't bother with . or ..")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Aditya Dutt <duttaditya18@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jfs/jfs_imap.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -3029,14 +3029,23 @@ static void duplicateIXtree(struct super
*
* RETURN VALUES:
* 0 - success
- * -ENOMEM - insufficient memory
+ * -EINVAL - unexpected inode type
*/
static int copy_from_dinode(struct dinode * dip, struct inode *ip)
{
struct jfs_inode_info *jfs_ip = JFS_IP(ip);
struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb);
+ int fileset = le32_to_cpu(dip->di_fileset);
- jfs_ip->fileset = le32_to_cpu(dip->di_fileset);
+ switch (fileset) {
+ case AGGR_RESERVED_I: case AGGREGATE_I: case BMAP_I:
+ case LOG_I: case BADBLOCK_I: case FILESYSTEM_I:
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ jfs_ip->fileset = fileset;
jfs_ip->mode2 = le32_to_cpu(dip->di_mode);
jfs_set_inode_flags(ip);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 105/644] comedi: comedi_test: Fix possible deletion of uninitialized timers
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 104/644] jfs: reject on-disk inodes of an unsupported type Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 106/644] ALSA: hda: Add missing NVIDIA HDA codec IDs Greg Kroah-Hartman
` (544 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 1b98304c09a0192598d0767f1eb8c83d7e793091 upstream.
In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and
`&devpriv->ao_timer` are initialized after the allocation of the device
private data by `comedi_alloc_devpriv()` and the subdevices by
`comedi_alloc_subdevices()`. The function may return with an error
between those function calls. In that case, `waveform_detach()` will be
called by the Comedi core to clean up. The check that
`waveform_detach()` uses to decide whether to delete the timers is
incorrect. It only checks that the device private data was allocated,
but that does not guarantee that the timers were initialized. It also
needs to check that the subdevices were allocated. Fix it.
Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up")
Cc: stable@vger.kernel.org # 6.15+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk
[ changed timer_delete_sync() to del_timer_sync() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/comedi_test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/comedi/drivers/comedi_test.c
+++ b/drivers/comedi/drivers/comedi_test.c
@@ -790,7 +790,7 @@ static void waveform_detach(struct comed
{
struct waveform_private *devpriv = dev->private;
- if (devpriv) {
+ if (devpriv && dev->n_subdevices) {
del_timer_sync(&devpriv->ai_timer);
del_timer_sync(&devpriv->ao_timer);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 106/644] ALSA: hda: Add missing NVIDIA HDA codec IDs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 105/644] comedi: comedi_test: Fix possible deletion of uninitialized timers Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 107/644] usb: chipidea: add USB PHY event Greg Kroah-Hartman
` (543 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Daniel Dadap, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Dadap <ddadap@nvidia.com>
commit e0a911ac86857a73182edde9e50d9b4b949b7f01 upstream.
Add codec IDs for several NVIDIA products with HDA controllers to the
snd_hda_id_hdmi[] patch table.
Signed-off-by: Daniel Dadap <ddadap@nvidia.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/aF24rqwMKFWoHu12@ddadap-lakeline.nvidia.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ change patch_tegra234_hdmi function calls to patch_tegra_hdmi ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_hdmi.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -4364,6 +4364,8 @@ HDA_CODEC_ENTRY(0x10de002d, "Tegra186 HD
HDA_CODEC_ENTRY(0x10de002e, "Tegra186 HDMI/DP1", patch_tegra_hdmi),
HDA_CODEC_ENTRY(0x10de002f, "Tegra194 HDMI/DP2", patch_tegra_hdmi),
HDA_CODEC_ENTRY(0x10de0030, "Tegra194 HDMI/DP3", patch_tegra_hdmi),
+HDA_CODEC_ENTRY(0x10de0033, "SoC 33 HDMI/DP", patch_tegra_hdmi),
+HDA_CODEC_ENTRY(0x10de0035, "SoC 35 HDMI/DP", patch_tegra_hdmi),
HDA_CODEC_ENTRY(0x10de0040, "GPU 40 HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de0041, "GPU 41 HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de0042, "GPU 42 HDMI/DP", patch_nvhdmi),
@@ -4402,15 +4404,32 @@ HDA_CODEC_ENTRY(0x10de0097, "GPU 97 HDMI
HDA_CODEC_ENTRY(0x10de0098, "GPU 98 HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de0099, "GPU 99 HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de009a, "GPU 9a HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de009b, "GPU 9b HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de009c, "GPU 9c HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00a1, "GPU a1 HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00a8, "GPU a8 HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00a9, "GPU a9 HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00aa, "GPU aa HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00ab, "GPU ab HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00ad, "GPU ad HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00ae, "GPU ae HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00af, "GPU af HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00b0, "GPU b0 HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00b1, "GPU b1 HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00c0, "GPU c0 HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00c1, "GPU c1 HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00c3, "GPU c3 HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00c4, "GPU c4 HDMI/DP", patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00c5, "GPU c5 HDMI/DP", patch_nvhdmi),
HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI", patch_nvhdmi_2ch),
HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI", patch_nvhdmi_2ch),
HDA_CODEC_ENTRY(0x67663d82, "Arise 82 HDMI/DP", patch_gf_hdmi),
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 107/644] usb: chipidea: add USB PHY event
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 106/644] ALSA: hda: Add missing NVIDIA HDA codec IDs Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 108/644] usb: phy: mxs: disconnect line when USB charger is attached Greg Kroah-Hartman
` (542 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Yang, Peter Chen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
[ Upstream commit b7a62611fab72e585c729a7fcf666aa9c4144214 ]
Add USB PHY event for below situation:
- usb role changed
- vbus connect
- vbus disconnect
- gadget driver is enumerated
USB PHY driver can get the last event after above situation occurs
and deal with different situations.
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/20230627110353.1879477-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/chipidea/ci.h | 18 ++++++++++++++++--
drivers/usb/chipidea/udc.c | 10 ++++++++++
2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/chipidea/ci.h b/drivers/usb/chipidea/ci.h
index 50e37846f037..2615afd76561 100644
--- a/drivers/usb/chipidea/ci.h
+++ b/drivers/usb/chipidea/ci.h
@@ -276,8 +276,19 @@ static inline int ci_role_start(struct ci_hdrc *ci, enum ci_role role)
return -ENXIO;
ret = ci->roles[role]->start(ci);
- if (!ret)
- ci->role = role;
+ if (ret)
+ return ret;
+
+ ci->role = role;
+
+ if (ci->usb_phy) {
+ if (role == CI_ROLE_HOST)
+ usb_phy_set_event(ci->usb_phy, USB_EVENT_ID);
+ else
+ /* in device mode but vbus is invalid*/
+ usb_phy_set_event(ci->usb_phy, USB_EVENT_NONE);
+ }
+
return ret;
}
@@ -291,6 +302,9 @@ static inline void ci_role_stop(struct ci_hdrc *ci)
ci->role = CI_ROLE_END;
ci->roles[role]->stop(ci);
+
+ if (ci->usb_phy)
+ usb_phy_set_event(ci->usb_phy, USB_EVENT_NONE);
}
static inline enum usb_role ci_role_to_usb_role(struct ci_hdrc *ci)
diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
index 187c13af4b35..386019484ede 100644
--- a/drivers/usb/chipidea/udc.c
+++ b/drivers/usb/chipidea/udc.c
@@ -1703,6 +1703,13 @@ static int ci_udc_vbus_session(struct usb_gadget *_gadget, int is_active)
ret = ci->platdata->notify_event(ci,
CI_HDRC_CONTROLLER_VBUS_EVENT);
+ if (ci->usb_phy) {
+ if (is_active)
+ usb_phy_set_event(ci->usb_phy, USB_EVENT_VBUS);
+ else
+ usb_phy_set_event(ci->usb_phy, USB_EVENT_NONE);
+ }
+
if (ci->driver)
ci_hdrc_gadget_connect(_gadget, is_active);
@@ -2018,6 +2025,9 @@ static irqreturn_t udc_irq(struct ci_hdrc *ci)
if (USBi_PCI & intr) {
ci->gadget.speed = hw_port_is_high_speed(ci) ?
USB_SPEED_HIGH : USB_SPEED_FULL;
+ if (ci->usb_phy)
+ usb_phy_set_event(ci->usb_phy,
+ USB_EVENT_ENUMERATED);
if (ci->suspended) {
if (ci->driver->resume) {
spin_unlock(&ci->lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 108/644] usb: phy: mxs: disconnect line when USB charger is attached
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 107/644] usb: chipidea: add USB PHY event Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 109/644] ethernet: intel: fix building with large NR_CPUS Greg Kroah-Hartman
` (541 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Yang, Peter Chen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
[ Upstream commit 87ed257acb0934e08644568df6495988631afd4c ]
For mxs PHY, if there is a vbus but the bus is not enumerated, we need
to force the dp/dm as SE0 from the controller side. If not, there is
possible USB wakeup due to unstable dp/dm, since there is possible no
pull on dp/dm, such as there is a USB charger on the port.
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/20230627110353.1879477-3-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/phy/phy-mxs-usb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/phy/phy-mxs-usb.c b/drivers/usb/phy/phy-mxs-usb.c
index 19b54c1cb779..404da4615611 100644
--- a/drivers/usb/phy/phy-mxs-usb.c
+++ b/drivers/usb/phy/phy-mxs-usb.c
@@ -394,6 +394,7 @@ static bool mxs_phy_is_otg_host(struct mxs_phy *mxs_phy)
static void mxs_phy_disconnect_line(struct mxs_phy *mxs_phy, bool on)
{
bool vbus_is_on = false;
+ enum usb_phy_events last_event = mxs_phy->phy.last_event;
/* If the SoCs don't need to disconnect line without vbus, quit */
if (!(mxs_phy->data->flags & MXS_PHY_DISCONNECT_LINE_WITHOUT_VBUS))
@@ -405,7 +406,8 @@ static void mxs_phy_disconnect_line(struct mxs_phy *mxs_phy, bool on)
vbus_is_on = mxs_phy_get_vbus_status(mxs_phy);
- if (on && !vbus_is_on && !mxs_phy_is_otg_host(mxs_phy))
+ if (on && ((!vbus_is_on && !mxs_phy_is_otg_host(mxs_phy))
+ || (last_event == USB_EVENT_VBUS)))
__mxs_phy_disconnect_line(mxs_phy, true);
else
__mxs_phy_disconnect_line(mxs_phy, false);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 109/644] ethernet: intel: fix building with large NR_CPUS
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 108/644] usb: phy: mxs: disconnect line when USB charger is attached Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 110/644] ASoC: Intel: fix SND_SOC_SOF dependencies Greg Kroah-Hartman
` (540 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, David S. Miller,
Aleksandr Loktionov, Alexander Lobakin, Tony Nguyen, Sasha Levin,
Sunitha Mekala
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 24171a5a4a952c26568ff0d2a0bc8c4708a95e1d ]
With large values of CONFIG_NR_CPUS, three Intel ethernet drivers fail to
compile like:
In function ‘i40e_free_q_vector’,
inlined from ‘i40e_vsi_alloc_q_vectors’ at drivers/net/ethernet/intel/i40e/i40e_main.c:12112:3:
571 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
include/linux/rcupdate.h:1084:17: note: in expansion of macro ‘BUILD_BUG_ON’
1084 | BUILD_BUG_ON(offsetof(typeof(*(ptr)), rhf) >= 4096); \
drivers/net/ethernet/intel/i40e/i40e_main.c:5113:9: note: in expansion of macro ‘kfree_rcu’
5113 | kfree_rcu(q_vector, rcu);
| ^~~~~~~~~
The problem is that the 'rcu' member in 'q_vector' is too far from the start
of the structure. Move this member before the CPU mask instead, in all three
drivers.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: David S. Miller <davem@davemloft.net>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Tested-by: Sunitha Mekala <sunithax.d.mekala@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/fm10k/fm10k.h | 3 ++-
drivers/net/ethernet/intel/i40e/i40e.h | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe.h | 3 ++-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/fm10k/fm10k.h b/drivers/net/ethernet/intel/fm10k/fm10k.h
index 6119a4108838..65a2816142d9 100644
--- a/drivers/net/ethernet/intel/fm10k/fm10k.h
+++ b/drivers/net/ethernet/intel/fm10k/fm10k.h
@@ -189,13 +189,14 @@ struct fm10k_q_vector {
struct fm10k_ring_container rx, tx;
struct napi_struct napi;
+ struct rcu_head rcu; /* to avoid race with update stats on free */
+
cpumask_t affinity_mask;
char name[IFNAMSIZ + 9];
#ifdef CONFIG_DEBUG_FS
struct dentry *dbg_q_vector;
#endif /* CONFIG_DEBUG_FS */
- struct rcu_head rcu; /* to avoid race with update stats on free */
/* for dynamic allocation of rings associated with this q_vector */
struct fm10k_ring ring[] ____cacheline_internodealigned_in_smp;
diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
index a143440f3db6..223d5831a5bb 100644
--- a/drivers/net/ethernet/intel/i40e/i40e.h
+++ b/drivers/net/ethernet/intel/i40e/i40e.h
@@ -961,6 +961,7 @@ struct i40e_q_vector {
u16 reg_idx; /* register index of the interrupt */
struct napi_struct napi;
+ struct rcu_head rcu; /* to avoid race with update stats on free */
struct i40e_ring_container rx;
struct i40e_ring_container tx;
@@ -971,7 +972,6 @@ struct i40e_q_vector {
cpumask_t affinity_mask;
struct irq_affinity_notify affinity_notify;
- struct rcu_head rcu; /* to avoid race with update stats on free */
char name[I40E_INT_NAME_STR_LEN];
bool arm_wb_state;
bool in_busy_poll;
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe.h b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
index 737590a0d849..09f7a3787f27 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe.h
@@ -458,9 +458,10 @@ struct ixgbe_q_vector {
struct ixgbe_ring_container rx, tx;
struct napi_struct napi;
+ struct rcu_head rcu; /* to avoid race with update stats on free */
+
cpumask_t affinity_mask;
int numa_node;
- struct rcu_head rcu; /* to avoid race with update stats on free */
char name[IFNAMSIZ + 9];
/* for dynamic allocation of rings associated with this q_vector */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 110/644] ASoC: Intel: fix SND_SOC_SOF dependencies
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 109/644] ethernet: intel: fix building with large NR_CPUS Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 111/644] fs_context: fix parameter name in infofc() macro Greg Kroah-Hartman
` (539 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit e837b59f8b411b5baf5e3de7a5aea10b1c545a63 ]
It is currently possible to configure a kernel with all Intel SoC
configs as loadable modules, but the board config as built-in. This
causes a link failure in the reference to the snd_soc_sof.ko module:
x86_64-linux-ld: sound/soc/intel/boards/sof_rt5682.o: in function `sof_rt5682_hw_params':
sof_rt5682.c:(.text+0x1f9): undefined reference to `sof_dai_get_mclk'
x86_64-linux-ld: sof_rt5682.c:(.text+0x234): undefined reference to `sof_dai_get_bclk'
x86_64-linux-ld: sound/soc/intel/boards/sof_rt5682.o: in function `sof_rt5682_codec_init':
sof_rt5682.c:(.text+0x3e0): undefined reference to `sof_dai_get_mclk'
x86_64-linux-ld: sound/soc/intel/boards/sof_cs42l42.o: in function `sof_cs42l42_hw_params':
sof_cs42l42.c:(.text+0x2a): undefined reference to `sof_dai_get_bclk'
x86_64-linux-ld: sound/soc/intel/boards/sof_nau8825.o: in function `sof_nau8825_hw_params':
sof_nau8825.c:(.text+0x7f): undefined reference to `sof_dai_get_bclk'
x86_64-linux-ld: sound/soc/intel/boards/sof_da7219.o: in function `da7219_codec_init':
sof_da7219.c:(.text+0xbf): undefined reference to `sof_dai_get_mclk'
x86_64-linux-ld: sound/soc/intel/boards/sof_maxim_common.o: in function `max_98373_hw_params':
sof_maxim_common.c:(.text+0x6f9): undefined reference to `sof_dai_get_tdm_slots'
x86_64-linux-ld: sound/soc/intel/boards/sof_realtek_common.o: in function `rt1015_hw_params':
sof_realtek_common.c:(.text+0x54c): undefined reference to `sof_dai_get_bclk'
x86_64-linux-ld: sound/soc/intel/boards/sof_realtek_common.o: in function `rt1308_hw_params':
sof_realtek_common.c:(.text+0x702): undefined reference to `sof_dai_get_mclk'
x86_64-linux-ld: sound/soc/intel/boards/sof_cirrus_common.o: in function `cs35l41_hw_params':
sof_cirrus_common.c:(.text+0x2f): undefined reference to `sof_dai_get_bclk'
Add an optional dependency on SND_SOC_SOF_INTEL_COMMON, to ensure that whenever
the SOF support is in a loadable module, none of the board code can be built-in.
This may be be a little heavy-handed, but I also don't see a reason why one would
want the boards to be built-in but not the SoC, so it shouldn't actually cause
any usability problems.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20250709145626.64125-1-arnd@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/boards/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/intel/boards/Kconfig b/sound/soc/intel/boards/Kconfig
index 61b71d6c44cf..960a1bd79489 100644
--- a/sound/soc/intel/boards/Kconfig
+++ b/sound/soc/intel/boards/Kconfig
@@ -11,7 +11,7 @@ menuconfig SND_SOC_INTEL_MACH
kernel: saying N will just cause the configurator to skip all
the questions about Intel ASoC machine drivers.
-if SND_SOC_INTEL_MACH
+if SND_SOC_INTEL_MACH && (SND_SOC_SOF_INTEL_COMMON || !SND_SOC_SOF_INTEL_COMMON)
config SND_SOC_INTEL_USER_FRIENDLY_LONG_NAMES
bool "Use more user friendly long card names"
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 111/644] fs_context: fix parameter name in infofc() macro
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 110/644] ASoC: Intel: fix SND_SOC_SOF dependencies Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 112/644] hfsplus: remove mutex_lock check in hfsplus_free_extents Greg Kroah-Hartman
` (538 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, RubenKelevra, Christian Brauner,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: RubenKelevra <rubenkelevra@gmail.com>
[ Upstream commit ffaf1bf3737f706e4e9be876de4bc3c8fc578091 ]
The macro takes a parameter called "p" but references "fc" internally.
This happens to compile as long as callers pass a variable named fc,
but breaks otherwise. Rename the first parameter to “fc” to match the
usage and to be consistent with warnfc() / errorfc().
Fixes: a3ff937b33d9 ("prefix-handling analogues of errorf() and friends")
Signed-off-by: RubenKelevra <rubenkelevra@gmail.com>
Link: https://lore.kernel.org/20250617230927.1790401-1-rubenkelevra@gmail.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/fs_context.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h
index 13fa6f3df8e4..c861b2c894ba 100644
--- a/include/linux/fs_context.h
+++ b/include/linux/fs_context.h
@@ -209,7 +209,7 @@ void logfc(struct fc_log *log, const char *prefix, char level, const char *fmt,
*/
#define infof(fc, fmt, ...) __logfc(fc, 'i', fmt, ## __VA_ARGS__)
#define info_plog(p, fmt, ...) __plog(p, 'i', fmt, ## __VA_ARGS__)
-#define infofc(p, fmt, ...) __plog((&(fc)->log), 'i', fmt, ## __VA_ARGS__)
+#define infofc(fc, fmt, ...) __plog((&(fc)->log), 'i', fmt, ## __VA_ARGS__)
/**
* warnf - Store supplementary warning message
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 112/644] hfsplus: remove mutex_lock check in hfsplus_free_extents
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 111/644] fs_context: fix parameter name in infofc() macro Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 113/644] Revert "fs/ntfs3: Replace inode_trylock with inode_lock" Greg Kroah-Hartman
` (537 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8c0bc9f818702ff75b76,
Yangtao Li, Viacheslav Dubeyko, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yangtao Li <frank.li@vivo.com>
[ Upstream commit fcb96956c921f1aae7e7b477f2435c56f77a31b4 ]
Syzbot reported an issue in hfsplus filesystem:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346
hfsplus_free_extents+0x700/0xad0
Call Trace:
<TASK>
hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606
hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56
cont_expand_zero fs/buffer.c:2383 [inline]
cont_write_begin+0x2cf/0x860 fs/buffer.c:2446
hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52
generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347
hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263
notify_change+0xe38/0x10f0 fs/attr.c:420
do_truncate+0x1fb/0x2e0 fs/open.c:65
do_sys_ftruncate+0x2eb/0x380 fs/open.c:193
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock
on file truncation") unlock extree before hfsplus_free_extents(),
and add check wheather extree is locked in hfsplus_free_extents().
However, when operations such as hfsplus_file_release,
hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed
concurrently in different files, it is very likely to trigger the
WARN_ON, which will lead syzbot and xfstest to consider it as an
abnormality.
The comment above this warning also describes one of the easy
triggering situations, which can easily trigger and cause
xfstest&syzbot to report errors.
[task A] [task B]
->hfsplus_file_release
->hfsplus_file_truncate
->hfs_find_init
->mutex_lock
->mutex_unlock
->hfsplus_write_begin
->hfsplus_get_block
->hfsplus_file_extend
->hfsplus_ext_read_extent
->hfs_find_init
->mutex_lock
->hfsplus_free_extents
WARN_ON(mutex_is_locked) !!!
Several threads could try to lock the shared extents tree.
And warning can be triggered in one thread when another thread
has locked the tree. This is the wrong behavior of the code and
we need to remove the warning.
Fixes: 31651c607151f ("hfsplus: avoid deadlock on file truncation")
Reported-by: syzbot+8c0bc9f818702ff75b76@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/00000000000057fa4605ef101c4c@google.com/
Signed-off-by: Yangtao Li <frank.li@vivo.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250529061807.2213498-1-frank.li@vivo.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/extents.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c
index c95a2f0ed4a7..fad1c250f150 100644
--- a/fs/hfsplus/extents.c
+++ b/fs/hfsplus/extents.c
@@ -342,9 +342,6 @@ static int hfsplus_free_extents(struct super_block *sb,
int i;
int err = 0;
- /* Mapping the allocation file may lock the extent tree */
- WARN_ON(mutex_is_locked(&HFSPLUS_SB(sb)->ext_tree->tree_lock));
-
hfsplus_dump_extent(extent);
for (i = 0; i < 8; extent++, i++) {
count = be32_to_cpu(extent->block_count);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 113/644] Revert "fs/ntfs3: Replace inode_trylock with inode_lock"
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 112/644] hfsplus: remove mutex_lock check in hfsplus_free_extents Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 114/644] ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() Greg Kroah-Hartman
` (536 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a91fcdbd2698f99db8f4,
Lorenzo Stoakes, Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
[ Upstream commit a49f0abd8959048af18c6c690b065eb0d65b2d21 ]
This reverts commit 69505fe98f198ee813898cbcaf6770949636430b.
Initially, conditional lock acquisition was removed to fix an xfstest bug
that was observed during internal testing. The deadlock reported by syzbot
is resolved by reintroducing conditional acquisition. The xfstest bug no
longer occurs on kernel version 6.16-rc1 during internal testing. I
assume that changes in other modules may have contributed to this.
Fixes: 69505fe98f19 ("fs/ntfs3: Replace inode_trylock with inode_lock")
Reported-by: syzbot+a91fcdbd2698f99db8f4@syzkaller.appspotmail.com
Suggested-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/file.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
index 74cf9c51e322..ffb31420085f 100644
--- a/fs/ntfs3/file.c
+++ b/fs/ntfs3/file.c
@@ -398,7 +398,10 @@ static int ntfs_file_mmap(struct file *file, struct vm_area_struct *vma)
}
if (ni->i_valid < to) {
- inode_lock(inode);
+ if (!inode_trylock(inode)) {
+ err = -EAGAIN;
+ goto out;
+ }
err = ntfs_extend_initialized_size(file, ni,
ni->i_valid, to);
inode_unlock(inode);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 114/644] ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 113/644] Revert "fs/ntfs3: Replace inode_trylock with inode_lock" Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 115/644] ASoC: ops: dynamically allocate struct snd_ctl_elem_value Greg Kroah-Hartman
` (535 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Giedrius Trainavičius,
Kuninori Morimoto, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit f4c77d5af0a9cd0ee22617baa8b49d0e151fbda7 ]
commit 7f1186a8d738661 ("ASoC: soc-dai: check return value at
snd_soc_dai_set_tdm_slot()") checks return value of
xlate_tdm_slot_mask() (A1)(A2).
/*
* ...
(Y) * TDM mode can be disabled by passing 0 for @slots. In this case @tx_mask,
* @rx_mask and @slot_width will be ignored.
* ...
*/
int snd_soc_dai_set_tdm_slot(...)
{
...
if (...)
(A1) ret = dai->driver->ops->xlate_tdm_slot_mask(...);
else
(A2) ret = snd_soc_xlate_tdm_slot_mask(...);
if (ret)
goto err;
...
}
snd_soc_xlate_tdm_slot_mask() (A2) will return -EINVAL if slots was 0 (X),
but snd_soc_dai_set_tdm_slot() allow to use it (Y).
(A) static int snd_soc_xlate_tdm_slot_mask(...)
{
...
if (!slots)
(X) return -EINVAL;
...
}
Call xlate_tdm_slot_mask() only if slots was non zero.
Reported-by: Giedrius Trainavičius <giedrius@blokas.io>
Closes: https://lore.kernel.org/r/CAMONXLtSL7iKyvH6w=CzPTxQdBECf++hn8RKL6Y4=M_ou2YHow@mail.gmail.com
Fixes: 7f1186a8d738661 ("ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot()")
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/8734cdfx59.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-dai.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/sound/soc/soc-dai.c b/sound/soc/soc-dai.c
index 05a9404544de..8165f5537043 100644
--- a/sound/soc/soc-dai.c
+++ b/sound/soc/soc-dai.c
@@ -269,13 +269,15 @@ int snd_soc_dai_set_tdm_slot(struct snd_soc_dai *dai,
{
int ret = -ENOTSUPP;
- if (dai->driver->ops &&
- dai->driver->ops->xlate_tdm_slot_mask)
- ret = dai->driver->ops->xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
- else
- ret = snd_soc_xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
- if (ret)
- goto err;
+ if (slots) {
+ if (dai->driver->ops &&
+ dai->driver->ops->xlate_tdm_slot_mask)
+ ret = dai->driver->ops->xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
+ else
+ ret = snd_soc_xlate_tdm_slot_mask(slots, &tx_mask, &rx_mask);
+ if (ret)
+ goto err;
+ }
dai->tx_mask = tx_mask;
dai->rx_mask = rx_mask;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 115/644] ASoC: ops: dynamically allocate struct snd_ctl_elem_value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 114/644] ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 116/644] selftests: Fix errno checking in syscall_user_dispatch test Greg Kroah-Hartman
` (534 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 7e10d7242ea8a5947878880b912ffa5806520705 ]
This structure is really too larget to be allocated on the stack:
sound/soc/soc-ops.c:435:5: error: stack frame size (1296) exceeds limit (1280) in 'snd_soc_limit_volume' [-Werror,-Wframe-larger-than]
Change the function to dynamically allocate it instead.
There is probably a better way to do it since only two integer fields
inside of that structure are actually used, but this is the simplest
rework for the moment.
Fixes: 783db6851c18 ("ASoC: ops: Enforce platform maximum on initial value")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20250610093057.2643233-1-arnd@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-ops.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
index 9eb4181c6697..7cb3a3f9d3ae 100644
--- a/sound/soc/soc-ops.c
+++ b/sound/soc/soc-ops.c
@@ -624,28 +624,32 @@ EXPORT_SYMBOL_GPL(snd_soc_get_volsw_range);
static int snd_soc_clip_to_platform_max(struct snd_kcontrol *kctl)
{
struct soc_mixer_control *mc = (struct soc_mixer_control *)kctl->private_value;
- struct snd_ctl_elem_value uctl;
+ struct snd_ctl_elem_value *uctl;
int ret;
if (!mc->platform_max)
return 0;
- ret = kctl->get(kctl, &uctl);
+ uctl = kzalloc(sizeof(*uctl), GFP_KERNEL);
+ if (!uctl)
+ return -ENOMEM;
+
+ ret = kctl->get(kctl, uctl);
if (ret < 0)
- return ret;
+ goto out;
- if (uctl.value.integer.value[0] > mc->platform_max)
- uctl.value.integer.value[0] = mc->platform_max;
+ if (uctl->value.integer.value[0] > mc->platform_max)
+ uctl->value.integer.value[0] = mc->platform_max;
if (snd_soc_volsw_is_stereo(mc) &&
- uctl.value.integer.value[1] > mc->platform_max)
- uctl.value.integer.value[1] = mc->platform_max;
+ uctl->value.integer.value[1] > mc->platform_max)
+ uctl->value.integer.value[1] = mc->platform_max;
- ret = kctl->put(kctl, &uctl);
- if (ret < 0)
- return ret;
+ ret = kctl->put(kctl, uctl);
- return 0;
+out:
+ kfree(uctl);
+ return ret;
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 116/644] selftests: Fix errno checking in syscall_user_dispatch test
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 115/644] ASoC: ops: dynamically allocate struct snd_ctl_elem_value Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 117/644] ARM: dts: vfxxx: Correctly use two tuples for timer address Greg Kroah-Hartman
` (533 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Vyukov, Thomas Gleixner,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Vyukov <dvyukov@google.com>
[ Upstream commit b89732c8c8357487185f260a723a060b3476144e ]
Successful syscalls don't change errno, so checking errno is wrong
to ensure that a syscall has failed. For example for the following
sequence:
prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0xff, 0);
EXPECT_EQ(EINVAL, errno);
prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, &sel);
EXPECT_EQ(EINVAL, errno);
only the first syscall may fail and set errno, but the second may succeed
and keep errno intact, and the check will falsely pass.
Or if errno happened to be EINVAL before, even the first check may falsely
pass.
Also use EXPECT/ASSERT consistently. Currently there is an inconsistent mix
without obvious reasons for usage of one or another.
Fixes: 179ef035992e ("selftests: Add kselftest for syscall user dispatch")
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/af6a04dbfef9af8570f5bab43e3ef1416b62699a.1747839857.git.dvyukov@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../syscall_user_dispatch/sud_test.c | 50 +++++++++----------
1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/tools/testing/selftests/syscall_user_dispatch/sud_test.c b/tools/testing/selftests/syscall_user_dispatch/sud_test.c
index d975a6767329..48cf01aeec3e 100644
--- a/tools/testing/selftests/syscall_user_dispatch/sud_test.c
+++ b/tools/testing/selftests/syscall_user_dispatch/sud_test.c
@@ -79,6 +79,21 @@ TEST_SIGNAL(dispatch_trigger_sigsys, SIGSYS)
}
}
+static void prctl_valid(struct __test_metadata *_metadata,
+ unsigned long op, unsigned long off,
+ unsigned long size, void *sel)
+{
+ EXPECT_EQ(0, prctl(PR_SET_SYSCALL_USER_DISPATCH, op, off, size, sel));
+}
+
+static void prctl_invalid(struct __test_metadata *_metadata,
+ unsigned long op, unsigned long off,
+ unsigned long size, void *sel, int err)
+{
+ EXPECT_EQ(-1, prctl(PR_SET_SYSCALL_USER_DISPATCH, op, off, size, sel));
+ EXPECT_EQ(err, errno);
+}
+
TEST(bad_prctl_param)
{
char sel = SYSCALL_DISPATCH_FILTER_ALLOW;
@@ -86,57 +101,42 @@ TEST(bad_prctl_param)
/* Invalid op */
op = -1;
- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0, 0, &sel);
- ASSERT_EQ(EINVAL, errno);
+ prctl_invalid(_metadata, op, 0, 0, &sel, EINVAL);
/* PR_SYS_DISPATCH_OFF */
op = PR_SYS_DISPATCH_OFF;
/* offset != 0 */
- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x1, 0x0, 0);
- EXPECT_EQ(EINVAL, errno);
+ prctl_invalid(_metadata, op, 0x1, 0x0, 0, EINVAL);
/* len != 0 */
- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0xff, 0);
- EXPECT_EQ(EINVAL, errno);
+ prctl_invalid(_metadata, op, 0x0, 0xff, 0, EINVAL);
/* sel != NULL */
- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, &sel);
- EXPECT_EQ(EINVAL, errno);
+ prctl_invalid(_metadata, op, 0x0, 0x0, &sel, EINVAL);
/* Valid parameter */
- errno = 0;
- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x0, 0x0);
- EXPECT_EQ(0, errno);
+ prctl_valid(_metadata, op, 0x0, 0x0, 0x0);
/* PR_SYS_DISPATCH_ON */
op = PR_SYS_DISPATCH_ON;
/* Dispatcher region is bad (offset > 0 && len == 0) */
- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x1, 0x0, &sel);
- EXPECT_EQ(EINVAL, errno);
- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, -1L, 0x0, &sel);
- EXPECT_EQ(EINVAL, errno);
+ prctl_invalid(_metadata, op, 0x1, 0x0, &sel, EINVAL);
+ prctl_invalid(_metadata, op, -1L, 0x0, &sel, EINVAL);
/* Invalid selector */
- prctl(PR_SET_SYSCALL_USER_DISPATCH, op, 0x0, 0x1, (void *) -1);
- ASSERT_EQ(EFAULT, errno);
+ prctl_invalid(_metadata, op, 0x0, 0x1, (void *) -1, EFAULT);
/*
* Dispatcher range overflows unsigned long
*/
- prctl(PR_SET_SYSCALL_USER_DISPATCH, PR_SYS_DISPATCH_ON, 1, -1L, &sel);
- ASSERT_EQ(EINVAL, errno) {
- TH_LOG("Should reject bad syscall range");
- }
+ prctl_invalid(_metadata, PR_SYS_DISPATCH_ON, 1, -1L, &sel, EINVAL);
/*
* Allowed range overflows usigned long
*/
- prctl(PR_SET_SYSCALL_USER_DISPATCH, PR_SYS_DISPATCH_ON, -1L, 0x1, &sel);
- ASSERT_EQ(EINVAL, errno) {
- TH_LOG("Should reject bad syscall range");
- }
+ prctl_invalid(_metadata, PR_SYS_DISPATCH_ON, -1L, 0x1, &sel, EINVAL);
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 117/644] ARM: dts: vfxxx: Correctly use two tuples for timer address
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 116/644] selftests: Fix errno checking in syscall_user_dispatch test Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 118/644] usb: misc: apple-mfi-fastcharge: Make power supply names unique Greg Kroah-Hartman
` (532 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Shawn Guo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit f3440dcf8b994197c968fbafe047ce27eed226e8 ]
Address and size-cells are 1 and the ftm timer node takes two address
spaces in "reg" property, so this should be in two <> tuples. Change
has no functional impact, but original code is confusing/less readable.
Fixes: 07513e1330a9 ("ARM: dts: vf610: Add Freescale FlexTimer Module timer node.")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/vfxxx.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/vfxxx.dtsi b/arch/arm/boot/dts/vfxxx.dtsi
index d53f9c9db8bf..eb7973fb4713 100644
--- a/arch/arm/boot/dts/vfxxx.dtsi
+++ b/arch/arm/boot/dts/vfxxx.dtsi
@@ -617,7 +617,7 @@ usbmisc1: usb@400b4800 {
ftm: ftm@400b8000 {
compatible = "fsl,ftm-timer";
- reg = <0x400b8000 0x1000 0x400b9000 0x1000>;
+ reg = <0x400b8000 0x1000>, <0x400b9000 0x1000>;
interrupts = <44 IRQ_TYPE_LEVEL_HIGH>;
clock-names = "ftm-evt", "ftm-src",
"ftm-evt-counter-en", "ftm-src-counter-en";
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 118/644] usb: misc: apple-mfi-fastcharge: Make power supply names unique
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 117/644] ARM: dts: vfxxx: Correctly use two tuples for timer address Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 119/644] staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() Greg Kroah-Hartman
` (531 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Charalampos Mitrodimas, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charalampos Mitrodimas <charmitro@posteo.net>
[ Upstream commit 43007b89fb2de746443fbbb84aedd1089afdf582 ]
When multiple Apple devices are connected concurrently, the
apple-mfi-fastcharge driver fails to probe the subsequent devices with
the following error:
sysfs: cannot create duplicate filename '/class/power_supply/apple_mfi_fastcharge'
apple-mfi-fastcharge 5-2.4.3.3: probe of 5-2.4.3.3 failed with error -17
This happens because the driver uses a fixed power supply name
("apple_mfi_fastcharge") for all devices, causing a sysfs name
conflict when a second device is connected.
Fix this by generating unique names using the USB bus and device
number (e.g., "apple_mfi_fastcharge_5-12"). This ensures each
connected device gets a unique power supply entry in sysfs.
The change requires storing a copy of the power_supply_desc structure
in the per-device mfi_device struct, since the name pointer needs to
remain valid for the lifetime of the power supply registration.
Fixes: 249fa8217b84 ("USB: Add driver to control USB fast charge for iOS devices")
Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
Link: https://lore.kernel.org/r/20250602-apple-mfi-fastcharge-duplicate-sysfs-v1-1-5d84de34fac6@posteo.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/misc/apple-mfi-fastcharge.c | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/misc/apple-mfi-fastcharge.c b/drivers/usb/misc/apple-mfi-fastcharge.c
index ac8695195c13..8e852f4b8262 100644
--- a/drivers/usb/misc/apple-mfi-fastcharge.c
+++ b/drivers/usb/misc/apple-mfi-fastcharge.c
@@ -44,6 +44,7 @@ MODULE_DEVICE_TABLE(usb, mfi_fc_id_table);
struct mfi_device {
struct usb_device *udev;
struct power_supply *battery;
+ struct power_supply_desc battery_desc;
int charge_type;
};
@@ -178,6 +179,7 @@ static int mfi_fc_probe(struct usb_device *udev)
{
struct power_supply_config battery_cfg = {};
struct mfi_device *mfi = NULL;
+ char *battery_name;
int err;
if (!mfi_fc_match(udev))
@@ -187,23 +189,38 @@ static int mfi_fc_probe(struct usb_device *udev)
if (!mfi)
return -ENOMEM;
+ battery_name = kasprintf(GFP_KERNEL, "apple_mfi_fastcharge_%d-%d",
+ udev->bus->busnum, udev->devnum);
+ if (!battery_name) {
+ err = -ENOMEM;
+ goto err_free_mfi;
+ }
+
+ mfi->battery_desc = apple_mfi_fc_desc;
+ mfi->battery_desc.name = battery_name;
+
battery_cfg.drv_data = mfi;
mfi->charge_type = POWER_SUPPLY_CHARGE_TYPE_TRICKLE;
mfi->battery = power_supply_register(&udev->dev,
- &apple_mfi_fc_desc,
+ &mfi->battery_desc,
&battery_cfg);
if (IS_ERR(mfi->battery)) {
dev_err(&udev->dev, "Can't register battery\n");
err = PTR_ERR(mfi->battery);
- kfree(mfi);
- return err;
+ goto err_free_name;
}
mfi->udev = usb_get_dev(udev);
dev_set_drvdata(&udev->dev, mfi);
return 0;
+
+err_free_name:
+ kfree(battery_name);
+err_free_mfi:
+ kfree(mfi);
+ return err;
}
static void mfi_fc_disconnect(struct usb_device *udev)
@@ -213,6 +230,7 @@ static void mfi_fc_disconnect(struct usb_device *udev)
mfi = dev_get_drvdata(&udev->dev);
if (mfi->battery)
power_supply_unregister(mfi->battery);
+ kfree(mfi->battery_desc.name);
dev_set_drvdata(&udev->dev, NULL);
usb_put_dev(mfi->udev);
kfree(mfi);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 119/644] staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 118/644] usb: misc: apple-mfi-fastcharge: Make power supply names unique Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 120/644] vmci: Prevent the dispatching of uninitialized payloads Greg Kroah-Hartman
` (530 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Dan Carpenter,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <abdun.nihaal@gmail.com>
[ Upstream commit eb2cb7dab60f9be0b435ac4a674255429a36d72c ]
In the error paths after fb_info structure is successfully allocated,
the memory allocated in fb_deferred_io_init() for info->pagerefs is not
freed. Fix that by adding the cleanup function on the error path.
Fixes: c296d5f9957c ("staging: fbtft: core support")
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20250626172412.18355-1-abdun.nihaal@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/fbtft/fbtft-core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
index 810ed1fca10b..54620ae6919b 100644
--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -747,6 +747,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display,
return info;
release_framebuf:
+ fb_deferred_io_cleanup(info);
framebuffer_release(info);
alloc_fail:
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 120/644] vmci: Prevent the dispatching of uninitialized payloads
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 119/644] staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 121/644] pps: fix poll support Greg Kroah-Hartman
` (529 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9b9124ae9b12d5af5d95,
Lizhi Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
[ Upstream commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031 ]
The reproducer executes the host's unlocked_ioctl call in two different
tasks. When init_context fails, the struct vmci_event_ctx is not fully
initialized when executing vmci_datagram_dispatch() to send events to all
vm contexts. This affects the datagram taken from the datagram queue of
its context by another task, because the datagram payload is not initialized
according to the size payload_size, which causes the kernel data to leak
to the user space.
Before dispatching the datagram, and before setting the payload content,
explicitly set the payload content to 0 to avoid data leakage caused by
incomplete payload initialization.
Fixes: 28d6692cd8fb ("VMCI: context implementation.")
Reported-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9b9124ae9b12d5af5d95
Tested-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Link: https://lore.kernel.org/r/20250627055214.2967129-1-lizhi.xu@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/vmw_vmci/vmci_context.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c
index c0b5e339d5a1..a8df60b9301c 100644
--- a/drivers/misc/vmw_vmci/vmci_context.c
+++ b/drivers/misc/vmw_vmci/vmci_context.c
@@ -251,6 +251,8 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags)
ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID,
VMCI_CONTEXT_RESOURCE_ID);
ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr);
+ memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0,
+ ev.msg.hdr.payload_size);
ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED;
ev.payload.context_id = context_id;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 121/644] pps: fix poll support
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 120/644] vmci: Prevent the dispatching of uninitialized payloads Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 122/644] Revert "vmci: Prevent the dispatching of uninitialized payloads" Greg Kroah-Hartman
` (528 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis OSTERLAND-HEIM,
Rodolfo Giometti, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis OSTERLAND-HEIM <denis.osterland@diehl.com>
[ Upstream commit 12c409aa1ec2592280a2ddcc66ff8f3c7f7bb171 ]
Because pps_cdev_poll() returns unconditionally EPOLLIN,
a user space program that calls select/poll get always an immediate data
ready-to-read response. As a result the intended use to wait until next
data becomes ready does not work.
User space snippet:
struct pollfd pollfd = {
.fd = open("/dev/pps0", O_RDONLY),
.events = POLLIN|POLLERR,
.revents = 0 };
while(1) {
poll(&pollfd, 1, 2000/*ms*/); // returns immediate, but should wait
if(revents & EPOLLIN) { // always true
struct pps_fdata fdata;
memset(&fdata, 0, sizeof(memdata));
ioctl(PPS_FETCH, &fdata); // currently fetches data at max speed
}
}
Lets remember the last fetch event counter and compare this value
in pps_cdev_poll() with most recent event counter
and return 0 if they are equal.
Signed-off-by: Denis OSTERLAND-HEIM <denis.osterland@diehl.com>
Co-developed-by: Rodolfo Giometti <giometti@enneenne.com>
Signed-off-by: Rodolfo Giometti <giometti@enneenne.com>
Fixes: eae9d2ba0cfc ("LinuxPPS: core support")
Link: https://lore.kernel.org/all/f6bed779-6d59-4f0f-8a59-b6312bd83b4e@enneenne.com/
Acked-by: Rodolfo Giometti <giometti@enneenne.com>
Link: https://lore.kernel.org/r/c3c50ad1eb19ef553eca8a57c17f4c006413ab70.camel@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pps/pps.c | 11 +++++++++--
include/linux/pps_kernel.h | 1 +
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c
index 2d008e0d116a..ea966fc67d28 100644
--- a/drivers/pps/pps.c
+++ b/drivers/pps/pps.c
@@ -41,6 +41,9 @@ static __poll_t pps_cdev_poll(struct file *file, poll_table *wait)
poll_wait(file, &pps->queue, wait);
+ if (pps->last_fetched_ev == pps->last_ev)
+ return 0;
+
return EPOLLIN | EPOLLRDNORM;
}
@@ -186,9 +189,11 @@ static long pps_cdev_ioctl(struct file *file,
if (err)
return err;
- /* Return the fetched timestamp */
+ /* Return the fetched timestamp and save last fetched event */
spin_lock_irq(&pps->lock);
+ pps->last_fetched_ev = pps->last_ev;
+
fdata.info.assert_sequence = pps->assert_sequence;
fdata.info.clear_sequence = pps->clear_sequence;
fdata.info.assert_tu = pps->assert_tu;
@@ -272,9 +277,11 @@ static long pps_cdev_compat_ioctl(struct file *file,
if (err)
return err;
- /* Return the fetched timestamp */
+ /* Return the fetched timestamp and save last fetched event */
spin_lock_irq(&pps->lock);
+ pps->last_fetched_ev = pps->last_ev;
+
compat.info.assert_sequence = pps->assert_sequence;
compat.info.clear_sequence = pps->clear_sequence;
compat.info.current_mode = pps->current_mode;
diff --git a/include/linux/pps_kernel.h b/include/linux/pps_kernel.h
index c7abce28ed29..aab0aebb529e 100644
--- a/include/linux/pps_kernel.h
+++ b/include/linux/pps_kernel.h
@@ -52,6 +52,7 @@ struct pps_device {
int current_mode; /* PPS mode at event time */
unsigned int last_ev; /* last PPS event id */
+ unsigned int last_fetched_ev; /* last fetched PPS event id */
wait_queue_head_t queue; /* PPS event queue */
unsigned int id; /* PPS source unique ID */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 122/644] Revert "vmci: Prevent the dispatching of uninitialized payloads"
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 121/644] pps: fix poll support Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 123/644] usb: early: xhci-dbc: Fix early_ioremap leak Greg Kroah-Hartman
` (527 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stephen Rothwell, Lizhi Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 8f5d9bed6122b8d96508436e5ad2498bb797eb6b ]
This reverts commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031.
While the code "looks" correct, the compiler has no way to know that
doing "fun" pointer math like this really isn't a write off the end of
the structure as there is no hint anywhere that the structure has data
at the end of it.
This causes the following build warning:
In function 'fortify_memset_chk',
inlined from 'ctx_fire_notification.isra' at drivers/misc/vmw_vmci/vmci_context.c:254:3:
include/linux/fortify-string.h:480:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
480 | __write_overflow_field(p_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So revert it for now and it can come back in the future in a "sane" way
that either correctly makes the structure know that there is trailing
data, OR just the payload structure is properly referenced and zeroed
out.
Fixes: bfb4cf9fb97e ("vmci: Prevent the dispatching of uninitialized payloads")
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Lizhi Xu <lizhi.xu@windriver.com>
Link: https://lore.kernel.org/r/20250703171021.0aee1482@canb.auug.org.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/vmw_vmci/vmci_context.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c
index a8df60b9301c..c0b5e339d5a1 100644
--- a/drivers/misc/vmw_vmci/vmci_context.c
+++ b/drivers/misc/vmw_vmci/vmci_context.c
@@ -251,8 +251,6 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags)
ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID,
VMCI_CONTEXT_RESOURCE_ID);
ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr);
- memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0,
- ev.msg.hdr.payload_size);
ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED;
ev.payload.context_id = context_id;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 123/644] usb: early: xhci-dbc: Fix early_ioremap leak
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 122/644] Revert "vmci: Prevent the dispatching of uninitialized payloads" Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 124/644] arm: dts: ti: omap: Fixup pinheader typo Greg Kroah-Hartman
` (526 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lucas De Marchi, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lucas De Marchi <lucas.demarchi@intel.com>
[ Upstream commit 2b7eec2ec3015f52fc74cf45d0408925e984ecd1 ]
Using the kernel param earlyprintk=xdbc,keep without proper hardware
setup leads to this:
[ ] xhci_dbc:early_xdbc_parse_parameter: dbgp_num: 0
...
[ ] xhci_dbc:early_xdbc_setup_hardware: failed to setup the connection to host
...
[ ] calling kmemleak_late_init+0x0/0xa0 @ 1
[ ] kmemleak: Kernel memory leak detector initialized (mem pool available: 14919)
[ ] kmemleak: Automatic memory scanning thread started
[ ] initcall kmemleak_late_init+0x0/0xa0 returned 0 after 417 usecs
[ ] calling check_early_ioremap_leak+0x0/0x70 @ 1
[ ] ------------[ cut here ]------------
[ ] Debug warning: early ioremap leak of 1 areas detected.
please boot with early_ioremap_debug and report the dmesg.
[ ] WARNING: CPU: 11 PID: 1 at mm/early_ioremap.c:90 check_early_ioremap_leak+0x4e/0x70
When early_xdbc_setup_hardware() fails, make sure to call
early_iounmap() since xdbc_init() won't handle it.
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Fixes: aeb9dd1de98c ("usb/early: Add driver for xhci debug capability")
Link: https://lore.kernel.org/r/20250627-xdbc-v1-1-43cc8c317b1b@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/early/xhci-dbc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c
index b0c4071f0b16..8963d2b8d8f7 100644
--- a/drivers/usb/early/xhci-dbc.c
+++ b/drivers/usb/early/xhci-dbc.c
@@ -679,6 +679,10 @@ int __init early_xdbc_setup_hardware(void)
xdbc.table_base = NULL;
xdbc.out_buf = NULL;
+
+ early_iounmap(xdbc.xhci_base, xdbc.xhci_length);
+ xdbc.xhci_base = NULL;
+ xdbc.xhci_length = 0;
}
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 124/644] arm: dts: ti: omap: Fixup pinheader typo
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 123/644] usb: early: xhci-dbc: Fix early_ioremap leak Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 125/644] ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface Greg Kroah-Hartman
` (525 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Albin Törnqvist, Kevin Hilman,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Albin Törnqvist <albin.tornqvist@codiax.se>
[ Upstream commit a3a4be32b69c99fc20a66e0de83b91f8c882bf4c ]
This commit fixes a typo introduced in commit
ee368a10d0df ("ARM: dts: am335x-boneblack.dts: unique gpio-line-names").
gpio0_7 is located on the P9 header on the BBB.
This was verified with a BeagleBone Black by toggling the pin and
checking with a multimeter that it corresponds to pin 42 on the P9
header.
Signed-off-by: Albin Törnqvist <albin.tornqvist@codiax.se>
Link: https://lore.kernel.org/r/20250624114839.1465115-2-albin.tornqvist@codiax.se
Fixes: ee368a10d0df ("ARM: dts: am335x-boneblack.dts: unique gpio-line-names")
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/am335x-boneblack.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts
index 9312197316f0..db1bf9452e57 100644
--- a/arch/arm/boot/dts/am335x-boneblack.dts
+++ b/arch/arm/boot/dts/am335x-boneblack.dts
@@ -34,7 +34,7 @@ &gpio0 {
"P9_18 [spi0_d1]",
"P9_17 [spi0_cs0]",
"[mmc0_cd]",
- "P8_42A [ecappwm0]",
+ "P9_42A [ecappwm0]",
"P8_35 [lcd d12]",
"P8_33 [lcd d13]",
"P8_31 [lcd d14]",
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 125/644] ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 124/644] arm: dts: ti: omap: Fixup pinheader typo Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 126/644] arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed Greg Kroah-Hartman
` (524 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Annette Kobou, Frieder Schrempf,
Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Annette Kobou <annette.kobou@kontron.de>
[ Upstream commit 47ef5256124fb939d8157b13ca048c902435cf23 ]
The polarity of the DE signal of the transceiver is active-high for
sending. Therefore rs485-rts-active-low is wrong and needs to be
removed to make RS485 transmissions work.
Signed-off-by: Annette Kobou <annette.kobou@kontron.de>
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Fixes: 1ea4b76cdfde ("ARM: dts: imx6ul-kontron-n6310: Add Kontron i.MX6UL N6310 SoM and boards")
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi b/arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi
index 770f59b23102..44477206ba0f 100644
--- a/arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi
+++ b/arch/arm/boot/dts/imx6ul-kontron-n6x1x-s.dtsi
@@ -170,7 +170,6 @@ &uart2 {
pinctrl-0 = <&pinctrl_uart2>;
linux,rs485-enabled-at-boot-time;
rs485-rx-during-tx;
- rs485-rts-active-low;
uart-has-rtscts;
status = "okay";
};
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 126/644] arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 125/644] ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 127/644] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
` (523 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adam Ford, Fabio Estevam, Shawn Guo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Ford <aford173@gmail.com>
[ Upstream commit f83f69097a302ed2a2775975ddcf12e6a5ac6ec3 ]
The reference manual for the i.MX8MM states the clock rate in
MMC mode is 1/2 of the input clock, therefore to properly run
at HS400 rates, the input clock must be 400MHz to operate at
200MHz. Currently the clock is set to 200MHz which is half the
rate it should be, so the throughput is half of what it should be
for HS400 operation.
Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit")
Signed-off-by: Adam Ford <aford173@gmail.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
index 7ed267bf9b8f..c4b97cbb55d6 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
@@ -285,6 +285,8 @@ &usdhc3 {
pinctrl-0 = <&pinctrl_usdhc3>;
pinctrl-1 = <&pinctrl_usdhc3_100mhz>;
pinctrl-2 = <&pinctrl_usdhc3_200mhz>;
+ assigned-clocks = <&clk IMX8MM_CLK_USDHC3>;
+ assigned-clock-rates = <400000000>;
bus-width = <8>;
non-removable;
status = "okay";
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 127/644] arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 126/644] arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 128/644] PM / devfreq: Check governor before using governor->name Greg Kroah-Hartman
` (522 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adam Ford, Fabio Estevam, Shawn Guo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Ford <aford173@gmail.com>
[ Upstream commit e16ad6c79906bba5e2ac499492b6a5b29ab19d6c ]
The reference manual for the i.MX8MN states the clock rate in
MMC mode is 1/2 of the input clock, therefore to properly run
at HS400 rates, the input clock must be 400MHz to operate at
200MHz. Currently the clock is set to 200MHz which is half the
rate it should be, so the throughput is half of what it should be
for HS400 operation.
Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit")
Signed-off-by: Adam Ford <aford173@gmail.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
index 4c339b06c87e..d197319e3b58 100644
--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
@@ -296,6 +296,8 @@ &usdhc3 {
pinctrl-0 = <&pinctrl_usdhc3>;
pinctrl-1 = <&pinctrl_usdhc3_100mhz>;
pinctrl-2 = <&pinctrl_usdhc3_200mhz>;
+ assigned-clocks = <&clk IMX8MN_CLK_USDHC3>;
+ assigned-clock-rates = <400000000>;
bus-width = <8>;
non-removable;
status = "okay";
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 128/644] PM / devfreq: Check governor before using governor->name
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 127/644] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 129/644] cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode Greg Kroah-Hartman
` (521 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lifeng Zheng, Chanwoo Choi,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lifeng Zheng <zhenglifeng1@huawei.com>
[ Upstream commit bab7834c03820eb11269bc48f07c3800192460d2 ]
Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from
struct devfreq") removes governor_name and uses governor->name to replace
it. But devfreq->governor may be NULL and directly using
devfreq->governor->name may cause null pointer exception. Move the check of
governor to before using governor->name.
Fixes: 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from struct devfreq")
Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
Link: https://lore.kernel.org/lkml/20250421030020.3108405-5-zhenglifeng1@huawei.com/
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/devfreq/devfreq.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
index 237362316edb..02f86879a5be 100644
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -1347,15 +1347,11 @@ int devfreq_remove_governor(struct devfreq_governor *governor)
int ret;
struct device *dev = devfreq->dev.parent;
+ if (!devfreq->governor)
+ continue;
+
if (!strncmp(devfreq->governor->name, governor->name,
DEVFREQ_NAME_LEN)) {
- /* we should have a devfreq governor! */
- if (!devfreq->governor) {
- dev_warn(dev, "%s: Governor %s NOT present\n",
- __func__, governor->name);
- continue;
- /* Fall through */
- }
ret = devfreq->governor->event_handler(devfreq,
DEVFREQ_GOV_STOP, NULL);
if (ret) {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 129/644] cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 128/644] PM / devfreq: Check governor before using governor->name Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 130/644] cpufreq: Initialize cpufreq-based frequency-invariance later Greg Kroah-Hartman
` (520 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Shashank Balaji,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 1cefe495cacba5fb0417da3a75a1a76e3546d176 ]
In the passive mode, intel_cpufreq_update_pstate() sets HWP_MIN_PERF in
accordance with the target frequency to ensure delivering adequate
performance, but it sets HWP_DESIRED_PERF to 0, so the processor has no
indication that the desired performance level is actually equal to the
floor one. This may cause it to choose a performance point way above
the desired level.
Moreover, this is inconsistent with intel_cpufreq_adjust_perf() which
actually sets HWP_DESIRED_PERF in accordance with the target performance
value.
Address this by adjusting intel_cpufreq_update_pstate() to pass
target_pstate as both the minimum and the desired performance levels
to intel_cpufreq_hwp_update().
Fixes: a365ab6b9dfb ("cpufreq: intel_pstate: Implement the ->adjust_perf() callback")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Tested-by: Shashank Balaji <shashank.mahadasyam@sony.com>
Link: https://patch.msgid.link/6173276.lOV4Wx5bFT@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/intel_pstate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
index 4de71e772f51..9d7a4ef21077 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -2703,8 +2703,8 @@ static int intel_cpufreq_update_pstate(struct cpufreq_policy *policy,
int max_pstate = policy->strict_target ?
target_pstate : cpu->max_perf_ratio;
- intel_cpufreq_hwp_update(cpu, target_pstate, max_pstate, 0,
- fast_switch);
+ intel_cpufreq_hwp_update(cpu, target_pstate, max_pstate,
+ target_pstate, fast_switch);
} else if (target_pstate != old_pstate) {
intel_cpufreq_perf_ctl_update(cpu, target_pstate, fast_switch);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 130/644] cpufreq: Initialize cpufreq-based frequency-invariance later
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 129/644] cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 131/644] cpufreq: Init policy->rwsem before it may be possibly used Greg Kroah-Hartman
` (519 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lifeng Zheng, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lifeng Zheng <zhenglifeng1@huawei.com>
[ Upstream commit 2a6c727387062a2ea79eb6cf5004820cb1b0afe2 ]
The cpufreq-based invariance is enabled in cpufreq_register_driver(),
but never disabled after registration fails. Move the invariance
initialization to where all other initializations have been successfully
done to solve this problem.
Fixes: 874f63531064 ("cpufreq: report whether cpufreq supports Frequency Invariance (FI)")
Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
Link: https://patch.msgid.link/20250709104145.2348017-2-zhenglifeng1@huawei.com
[ rjw: New subject ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/cpufreq.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index bbb0cbb2eb8c..7d7158fa70c5 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -2841,15 +2841,6 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
cpufreq_driver = driver_data;
write_unlock_irqrestore(&cpufreq_driver_lock, flags);
- /*
- * Mark support for the scheduler's frequency invariance engine for
- * drivers that implement target(), target_index() or fast_switch().
- */
- if (!cpufreq_driver->setpolicy) {
- static_branch_enable_cpuslocked(&cpufreq_freq_invariance);
- pr_debug("supports frequency invariance");
- }
-
if (driver_data->setpolicy)
driver_data->flags |= CPUFREQ_CONST_LOOPS;
@@ -2880,6 +2871,15 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
hp_online = ret;
ret = 0;
+ /*
+ * Mark support for the scheduler's frequency invariance engine for
+ * drivers that implement target(), target_index() or fast_switch().
+ */
+ if (!cpufreq_driver->setpolicy) {
+ static_branch_enable_cpuslocked(&cpufreq_freq_invariance);
+ pr_debug("supports frequency invariance");
+ }
+
pr_debug("driver %s up and running\n", driver_data->name);
goto out;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 131/644] cpufreq: Init policy->rwsem before it may be possibly used
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 130/644] cpufreq: Initialize cpufreq-based frequency-invariance later Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 132/644] samples: mei: Fix building on musl libc Greg Kroah-Hartman
` (518 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lifeng Zheng, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lifeng Zheng <zhenglifeng1@huawei.com>
[ Upstream commit d1378d1d7edb3a4c4935a44fe834ae135be03564 ]
In cpufreq_policy_put_kobj(), policy->rwsem is used. But in
cpufreq_policy_alloc(), if freq_qos_add_notifier() returns an error, error
path via err_kobj_remove or err_min_qos_notifier will be reached and
cpufreq_policy_put_kobj() will be called before policy->rwsem is
initialized. Thus, the calling of init_rwsem() should be moved to where
before these two error paths can be reached.
Fixes: 67d874c3b2c6 ("cpufreq: Register notifiers with the PM QoS framework")
Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
Link: https://patch.msgid.link/20250709104145.2348017-3-zhenglifeng1@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/cpufreq.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index 7d7158fa70c5..33c080e08623 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -1228,6 +1228,8 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu)
goto err_free_real_cpus;
}
+ init_rwsem(&policy->rwsem);
+
freq_constraints_init(&policy->constraints);
policy->nb_min.notifier_call = cpufreq_notifier_min;
@@ -1250,7 +1252,6 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu)
}
INIT_LIST_HEAD(&policy->policy_list);
- init_rwsem(&policy->rwsem);
spin_lock_init(&policy->transition_lock);
init_waitqueue_head(&policy->transition_wait);
INIT_WORK(&policy->update, handle_update);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 132/644] samples: mei: Fix building on musl libc
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 131/644] cpufreq: Init policy->rwsem before it may be possibly used Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 133/644] staging: nvec: Fix incorrect null termination of battery manufacturer Greg Kroah-Hartman
` (517 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Brahmajit Das, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brahmajit Das <listout@listout.xyz>
[ Upstream commit 239df3e4b4752524e7c0fb3417c218d8063654b4 ]
The header bits/wordsize.h is glibc specific and on building on musl
with allyesconfig results in
samples/mei/mei-amt-version.c:77:10: fatal error: bits/wordsize.h: No such file or directory
77 | #include <bits/wordsize.h>
| ^~~~~~~~~~~~~~~~~
mei-amt-version.c build file without bits/wordsize.h on musl and glibc.
However on musl we get the follwing error without sys/time.h
samples/mei/mei-amt-version.c: In function 'mei_recv_msg':
samples/mei/mei-amt-version.c:159:24: error: storage size of 'tv' isn't known
159 | struct timeval tv;
| ^~
samples/mei/mei-amt-version.c:160:9: error: unknown type name 'fd_set'
160 | fd_set set;
| ^~~~~~
samples/mei/mei-amt-version.c:168:9: error: implicit declaration of function 'FD_ZERO' [-Wimplicit-function-declaration]
168 | FD_ZERO(&set);
| ^~~~~~~
samples/mei/mei-amt-version.c:169:9: error: implicit declaration of function 'FD_SET'; did you mean 'L_SET'? [-Wimplicit-function-declaration]
169 | FD_SET(me->fd, &set);
| ^~~~~~
| L_SET
samples/mei/mei-amt-version.c:170:14: error: implicit declaration of function 'select' [-Wimplicit-function-declaration]
170 | rc = select(me->fd + 1, &set, NULL, NULL, &tv);
| ^~~~~~
samples/mei/mei-amt-version.c:171:23: error: implicit declaration of function 'FD_ISSET' [-Wimplicit-function-declaration]
171 | if (rc > 0 && FD_ISSET(me->fd, &set)) {
| ^~~~~~~~
samples/mei/mei-amt-version.c:159:24: warning: unused variable 'tv' [-Wunused-variable]
159 | struct timeval tv;
| ^~
Hence the the file has been included.
Fixes: c52827cc4ddf ("staging/mei: add mei user space example")
Signed-off-by: Brahmajit Das <listout@listout.xyz>
Link: https://lore.kernel.org/r/20250702135955.24955-1-listout@listout.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
samples/mei/mei-amt-version.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/samples/mei/mei-amt-version.c b/samples/mei/mei-amt-version.c
index 867debd3b912..1d7254bcb44c 100644
--- a/samples/mei/mei-amt-version.c
+++ b/samples/mei/mei-amt-version.c
@@ -69,11 +69,11 @@
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
+#include <sys/time.h>
#include <unistd.h>
#include <errno.h>
#include <stdint.h>
#include <stdbool.h>
-#include <bits/wordsize.h>
#include <linux/mei.h>
/*****************************************************************************
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 133/644] staging: nvec: Fix incorrect null termination of battery manufacturer
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 132/644] samples: mei: Fix building on musl libc Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 134/644] selftests/tracing: Fix false failure of subsystem event test Greg Kroah-Hartman
` (516 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Dan Carpenter,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit a8934352ba01081c51d2df428e9d540aae0e88b5 ]
The battery manufacturer string was incorrectly null terminated using
bat_model instead of bat_manu. This could result in an unintended
write to the wrong field and potentially incorrect behavior.
fixe the issue by correctly null terminating the bat_manu string.
Fixes: 32890b983086 ("Staging: initial version of the nvec driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20250719080755.3954373-1-alok.a.tiwari@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/nvec/nvec_power.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/nvec/nvec_power.c b/drivers/staging/nvec/nvec_power.c
index b1ef196e1cfe..622d99ea9555 100644
--- a/drivers/staging/nvec/nvec_power.c
+++ b/drivers/staging/nvec/nvec_power.c
@@ -194,7 +194,7 @@ static int nvec_power_bat_notifier(struct notifier_block *nb,
break;
case MANUFACTURER:
memcpy(power->bat_manu, &res->plc, res->length - 2);
- power->bat_model[res->length - 2] = '\0';
+ power->bat_manu[res->length - 2] = '\0';
break;
case MODEL:
memcpy(power->bat_model, &res->plc, res->length - 2);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 134/644] selftests/tracing: Fix false failure of subsystem event test
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 133/644] staging: nvec: Fix incorrect null termination of battery manufacturer Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 135/644] drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed Greg Kroah-Hartman
` (515 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tengda Wu, Steven Rostedt (Google),
Shuah Khan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit 213879061a9c60200ba971330dbefec6df3b4a30 ]
The subsystem event test enables all "sched" events and makes sure there's
at least 3 different events in the output. It used to cat the entire trace
file to | wc -l, but on slow machines, that could last a very long time.
To solve that, it was changed to just read the first 100 lines of the
trace file. This can cause false failures as some events repeat so often,
that the 100 lines that are examined could possibly be of only one event.
Instead, create an awk script that looks for 3 different events and will
exit out after it finds them. This will find the 3 events the test looks
for (eventually if it works), and still exit out after the test is
satisfied and not cause slower machines to run forever.
Link: https://lore.kernel.org/r/20250721134212.53c3e140@batman.local.home
Reported-by: Tengda Wu <wutengda@huaweicloud.com>
Closes: https://lore.kernel.org/all/20250710130134.591066-1-wutengda@huaweicloud.com/
Fixes: 1a4ea83a6e67 ("selftests/ftrace: Limit length in subsystem-enable tests")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ftrace/test.d/event/subsystem-enable.tc | 28 +++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc
index b7c8f29c09a9..65916bb55dfb 100644
--- a/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc
+++ b/tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc
@@ -14,11 +14,35 @@ fail() { #msg
exit_fail
}
+# As reading trace can last forever, simply look for 3 different
+# events then exit out of reading the file. If there's not 3 different
+# events, then the test has failed.
+check_unique() {
+ cat trace | grep -v '^#' | awk '
+ BEGIN { cnt = 0; }
+ {
+ for (i = 0; i < cnt; i++) {
+ if (event[i] == $5) {
+ break;
+ }
+ }
+ if (i == cnt) {
+ event[cnt++] = $5;
+ if (cnt > 2) {
+ exit;
+ }
+ }
+ }
+ END {
+ printf "%d", cnt;
+ }'
+}
+
echo 'sched:*' > set_event
yield
-count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l`
+count=`check_unique`
if [ $count -lt 3 ]; then
fail "at least fork, exec and exit events should be recorded"
fi
@@ -29,7 +53,7 @@ echo 1 > events/sched/enable
yield
-count=`head -n 100 trace | grep -v ^# | awk '{ print $5 }' | sort -u | wc -l`
+count=`check_unique`
if [ $count -lt 3 ]; then
fail "at least fork, exec and exit events should be recorded"
fi
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 135/644] drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 134/644] selftests/tracing: Fix false failure of subsystem event test Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 136/644] bpf, sockmap: Fix psock incorrectly pointing to sk Greg Kroah-Hartman
` (514 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Yan, Heiko Stuebner,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Yan <andy.yan@rock-chips.com>
[ Upstream commit 099593a28138b48feea5be8ce700e5bc4565e31d ]
In the function drm_gem_fb_init_with_funcs, the framebuffer (fb)
and its corresponding object ID have already been registered.
So we need to cleanup the drm framebuffer if the subsequent
execution of drm_gem_fb_afbc_init fails.
Directly call drm_framebuffer_put to ensure that all fb related
resources are cleanup.
Fixes: 7707f7227f09 ("drm/rockchip: Add support for afbc")
Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://lore.kernel.org/r/20250509031607.2542187-1-andyshrk@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rockchip/rockchip_drm_fb.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_fb.c b/drivers/gpu/drm/rockchip/rockchip_drm_fb.c
index 3aa37e177667..b386c17e8668 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_fb.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_fb.c
@@ -81,16 +81,9 @@ rockchip_fb_create(struct drm_device *dev, struct drm_file *file,
}
if (drm_is_afbc(mode_cmd->modifier[0])) {
- int ret, i;
-
ret = drm_gem_fb_afbc_init(dev, mode_cmd, afbc_fb);
if (ret) {
- struct drm_gem_object **obj = afbc_fb->base.obj;
-
- for (i = 0; i < info->num_planes; ++i)
- drm_gem_object_put(obj[i]);
-
- kfree(afbc_fb);
+ drm_framebuffer_put(&afbc_fb->base);
return ERR_PTR(ret);
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 136/644] bpf, sockmap: Fix psock incorrectly pointing to sk
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 135/644] drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 137/644] bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls Greg Kroah-Hartman
` (513 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Daniel Borkmann,
John Fastabend, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 76be5fae32febb1fdb848ba09f78c4b2c76cb337 ]
We observed an issue from the latest selftest: sockmap_redir where
sk_psock(psock->sk) != psock in the backlog. The root cause is the special
behavior in sockmap_redir - it frequently performs map_update() and
map_delete() on the same socket. During map_update(), we create a new
psock and during map_delete(), we eventually free the psock via rcu_work
in sk_psock_drop(). However, pending workqueues might still exist and not
be processed yet. If users immediately perform another map_update(), a new
psock will be allocated for the same sk, resulting in two psocks pointing
to the same sk.
When the pending workqueue is later triggered, it uses the old psock to
access sk for I/O operations, which is incorrect.
Timing Diagram:
cpu0 cpu1
map_update(sk):
sk->psock = psock1
psock1->sk = sk
map_delete(sk):
rcu_work_free(psock1)
map_update(sk):
sk->psock = psock2
psock2->sk = sk
workqueue:
wakeup with psock1, but the sk of psock1
doesn't belong to psock1
rcu_handler:
clean psock1
free(psock1)
Previously, we used reference counting to address the concurrency issue
between backlog and sock_map_close(). This logic remains necessary as it
prevents the sk from being freed while processing the backlog. But this
patch prevents pending backlogs from using a psock after it has been
stopped.
Note: We cannot call cancel_delayed_work_sync() in map_delete() since this
might be invoked in BPF context by BPF helper, and the function may sleep.
Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20250609025908.79331-1-jiayuan.chen@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skmsg.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 1d7cf920bf4e..68e5fd7aa128 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -648,6 +648,13 @@ static void sk_psock_backlog(struct work_struct *work)
bool ingress;
int ret;
+ /* If sk is quickly removed from the map and then added back, the old
+ * psock should not be scheduled, because there are now two psocks
+ * pointing to the same sk.
+ */
+ if (!sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED))
+ return;
+
/* Increment the psock refcnt to synchronize with close(fd) path in
* sock_map_close(), ensuring we wait for backlog thread completion
* before sk_socket freed. If refcnt increment fails, it indicates
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 137/644] bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 136/644] bpf, sockmap: Fix psock incorrectly pointing to sk Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 138/644] bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure Greg Kroah-Hartman
` (512 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Wang, Jiayuan Chen,
Daniel Borkmann, John Fastabend, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 178f6a5c8cb3b6be1602de0964cd440243f493c9 ]
When sending plaintext data, we initially calculated the corresponding
ciphertext length. However, if we later reduced the plaintext data length
via socket policy, we failed to recalculate the ciphertext length.
This results in transmitting buffers containing uninitialized data during
ciphertext transmission.
This causes uninitialized bytes to be appended after a complete
"Application Data" packet, leading to errors on the receiving end when
parsing TLS record.
Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/bpf/20250609020910.397930-2-jiayuan.chen@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 6648008f5da7..6b0fd0e5fc88 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -857,6 +857,19 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
delta = msg->sg.size;
psock->eval = sk_psock_msg_verdict(sk, psock, msg);
delta -= msg->sg.size;
+
+ if ((s32)delta > 0) {
+ /* It indicates that we executed bpf_msg_pop_data(),
+ * causing the plaintext data size to decrease.
+ * Therefore the encrypted data size also needs to
+ * correspondingly decrease. We only need to subtract
+ * delta to calculate the new ciphertext length since
+ * ktls does not support block encryption.
+ */
+ struct sk_msg *enc = &ctx->open_rec->msg_encrypted;
+
+ sk_msg_trim(sk, enc, enc->sg.size - delta);
+ }
}
if (msg->cork_bytes && msg->cork_bytes > msg->sg.size &&
!enospc && !full_record) {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 138/644] bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 137/644] bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 139/644] caif: reduce stack size, again Greg Kroah-Hartman
` (511 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Chen, Quentin Monnet,
Alexei Starovoitov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan Chen <chenyuan@kylinos.cn>
[ Upstream commit 99fe8af069a9fa5b09140518b1364e35713a642e ]
In function dump_xx_nlmsg(), when realloc() fails to allocate memory,
the original pointer to the buffer is overwritten with NULL. This causes
a memory leak because the previously allocated buffer becomes unreachable
without being freed.
Fixes: 7900efc19214 ("tools/bpf: bpftool: improve output format for bpftool net")
Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
Reviewed-by: Quentin Monnet <qmo@kernel.org>
Link: https://lore.kernel.org/r/20250620012133.14819-1-chenyuan_fl@163.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/bpf/bpftool/net.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
index 649053704bd7..18e5e5faa2aa 100644
--- a/tools/bpf/bpftool/net.c
+++ b/tools/bpf/bpftool/net.c
@@ -353,17 +353,18 @@ static int dump_link_nlmsg(void *cookie, void *msg, struct nlattr **tb)
{
struct bpf_netdev_t *netinfo = cookie;
struct ifinfomsg *ifinfo = msg;
+ struct ip_devname_ifindex *tmp;
if (netinfo->filter_idx > 0 && netinfo->filter_idx != ifinfo->ifi_index)
return 0;
if (netinfo->used_len == netinfo->array_len) {
- netinfo->devices = realloc(netinfo->devices,
- (netinfo->array_len + 16) *
- sizeof(struct ip_devname_ifindex));
- if (!netinfo->devices)
+ tmp = realloc(netinfo->devices,
+ (netinfo->array_len + 16) * sizeof(struct ip_devname_ifindex));
+ if (!tmp)
return -ENOMEM;
+ netinfo->devices = tmp;
netinfo->array_len += 16;
}
netinfo->devices[netinfo->used_len].ifindex = ifinfo->ifi_index;
@@ -382,6 +383,7 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb)
{
struct bpf_tcinfo_t *tcinfo = cookie;
struct tcmsg *info = msg;
+ struct tc_kind_handle *tmp;
if (tcinfo->is_qdisc) {
/* skip clsact qdisc */
@@ -393,11 +395,12 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb)
}
if (tcinfo->used_len == tcinfo->array_len) {
- tcinfo->handle_array = realloc(tcinfo->handle_array,
+ tmp = realloc(tcinfo->handle_array,
(tcinfo->array_len + 16) * sizeof(struct tc_kind_handle));
- if (!tcinfo->handle_array)
+ if (!tmp)
return -ENOMEM;
+ tcinfo->handle_array = tmp;
tcinfo->array_len += 16;
}
tcinfo->handle_array[tcinfo->used_len].handle = info->tcm_handle;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 139/644] caif: reduce stack size, again
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 138/644] bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 140/644] wifi: rtl818x: Kill URBs before clearing tx status queue Greg Kroah-Hartman
` (510 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit b630c781bcf6ff87657146661816d0d30a902139 ]
I tried to fix the stack usage in this function a couple of years ago,
but there is still a problem with the latest gcc versions in some
configurations:
net/caif/cfctrl.c:553:1: error: the frame size of 1296 bytes is larger than 1280 bytes [-Werror=frame-larger-than=]
Reduce this once again, with a separate cfctrl_link_setup() function that
holds the bulk of all the local variables. It also turns out that the
param[] array that takes up a large portion of the stack is write-only
and can be left out here.
Fixes: ce6289661b14 ("caif: reduce stack size with KASAN")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20250620112244.3425554-1-arnd@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/caif/cfctrl.c | 294 +++++++++++++++++++++++-----------------------
1 file changed, 144 insertions(+), 150 deletions(-)
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index d8cb4b2a076b..3eec293ab22f 100644
--- a/net/caif/cfctrl.c
+++ b/net/caif/cfctrl.c
@@ -351,17 +351,154 @@ int cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer)
return found;
}
+static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp)
+{
+ u8 len;
+ u8 linkid = 0;
+ enum cfctrl_srv serv;
+ enum cfctrl_srv servtype;
+ u8 endpoint;
+ u8 physlinkid;
+ u8 prio;
+ u8 tmp;
+ u8 *cp;
+ int i;
+ struct cfctrl_link_param linkparam;
+ struct cfctrl_request_info rsp, *req;
+
+ memset(&linkparam, 0, sizeof(linkparam));
+
+ tmp = cfpkt_extr_head_u8(pkt);
+
+ serv = tmp & CFCTRL_SRV_MASK;
+ linkparam.linktype = serv;
+
+ servtype = tmp >> 4;
+ linkparam.chtype = servtype;
+
+ tmp = cfpkt_extr_head_u8(pkt);
+ physlinkid = tmp & 0x07;
+ prio = tmp >> 3;
+
+ linkparam.priority = prio;
+ linkparam.phyid = physlinkid;
+ endpoint = cfpkt_extr_head_u8(pkt);
+ linkparam.endpoint = endpoint & 0x03;
+
+ switch (serv) {
+ case CFCTRL_SRV_VEI:
+ case CFCTRL_SRV_DBG:
+ if (CFCTRL_ERR_BIT & cmdrsp)
+ break;
+ /* Link ID */
+ linkid = cfpkt_extr_head_u8(pkt);
+ break;
+ case CFCTRL_SRV_VIDEO:
+ tmp = cfpkt_extr_head_u8(pkt);
+ linkparam.u.video.connid = tmp;
+ if (CFCTRL_ERR_BIT & cmdrsp)
+ break;
+ /* Link ID */
+ linkid = cfpkt_extr_head_u8(pkt);
+ break;
+
+ case CFCTRL_SRV_DATAGRAM:
+ linkparam.u.datagram.connid = cfpkt_extr_head_u32(pkt);
+ if (CFCTRL_ERR_BIT & cmdrsp)
+ break;
+ /* Link ID */
+ linkid = cfpkt_extr_head_u8(pkt);
+ break;
+ case CFCTRL_SRV_RFM:
+ /* Construct a frame, convert
+ * DatagramConnectionID
+ * to network format long and copy it out...
+ */
+ linkparam.u.rfm.connid = cfpkt_extr_head_u32(pkt);
+ cp = (u8 *) linkparam.u.rfm.volume;
+ for (tmp = cfpkt_extr_head_u8(pkt);
+ cfpkt_more(pkt) && tmp != '\0';
+ tmp = cfpkt_extr_head_u8(pkt))
+ *cp++ = tmp;
+ *cp = '\0';
+
+ if (CFCTRL_ERR_BIT & cmdrsp)
+ break;
+ /* Link ID */
+ linkid = cfpkt_extr_head_u8(pkt);
+
+ break;
+ case CFCTRL_SRV_UTIL:
+ /* Construct a frame, convert
+ * DatagramConnectionID
+ * to network format long and copy it out...
+ */
+ /* Fifosize KB */
+ linkparam.u.utility.fifosize_kb = cfpkt_extr_head_u16(pkt);
+ /* Fifosize bufs */
+ linkparam.u.utility.fifosize_bufs = cfpkt_extr_head_u16(pkt);
+ /* name */
+ cp = (u8 *) linkparam.u.utility.name;
+ caif_assert(sizeof(linkparam.u.utility.name)
+ >= UTILITY_NAME_LENGTH);
+ for (i = 0; i < UTILITY_NAME_LENGTH && cfpkt_more(pkt); i++) {
+ tmp = cfpkt_extr_head_u8(pkt);
+ *cp++ = tmp;
+ }
+ /* Length */
+ len = cfpkt_extr_head_u8(pkt);
+ linkparam.u.utility.paramlen = len;
+ /* Param Data */
+ cp = linkparam.u.utility.params;
+ while (cfpkt_more(pkt) && len--) {
+ tmp = cfpkt_extr_head_u8(pkt);
+ *cp++ = tmp;
+ }
+ if (CFCTRL_ERR_BIT & cmdrsp)
+ break;
+ /* Link ID */
+ linkid = cfpkt_extr_head_u8(pkt);
+ /* Length */
+ len = cfpkt_extr_head_u8(pkt);
+ /* Param Data */
+ cfpkt_extr_head(pkt, NULL, len);
+ break;
+ default:
+ pr_warn("Request setup, invalid type (%d)\n", serv);
+ return -1;
+ }
+
+ rsp.cmd = CFCTRL_CMD_LINK_SETUP;
+ rsp.param = linkparam;
+ spin_lock_bh(&cfctrl->info_list_lock);
+ req = cfctrl_remove_req(cfctrl, &rsp);
+
+ if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
+ cfpkt_erroneous(pkt)) {
+ pr_err("Invalid O/E bit or parse error "
+ "on CAIF control channel\n");
+ cfctrl->res.reject_rsp(cfctrl->serv.layer.up, 0,
+ req ? req->client_layer : NULL);
+ } else {
+ cfctrl->res.linksetup_rsp(cfctrl->serv.layer.up, linkid,
+ serv, physlinkid,
+ req ? req->client_layer : NULL);
+ }
+
+ kfree(req);
+
+ spin_unlock_bh(&cfctrl->info_list_lock);
+
+ return 0;
+}
+
static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
{
u8 cmdrsp;
u8 cmd;
- int ret = -1;
- u8 len;
- u8 param[255];
+ int ret = 0;
u8 linkid = 0;
struct cfctrl *cfctrl = container_obj(layer);
- struct cfctrl_request_info rsp, *req;
-
cmdrsp = cfpkt_extr_head_u8(pkt);
cmd = cmdrsp & CFCTRL_CMD_MASK;
@@ -374,150 +511,7 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
switch (cmd) {
case CFCTRL_CMD_LINK_SETUP:
- {
- enum cfctrl_srv serv;
- enum cfctrl_srv servtype;
- u8 endpoint;
- u8 physlinkid;
- u8 prio;
- u8 tmp;
- u8 *cp;
- int i;
- struct cfctrl_link_param linkparam;
- memset(&linkparam, 0, sizeof(linkparam));
-
- tmp = cfpkt_extr_head_u8(pkt);
-
- serv = tmp & CFCTRL_SRV_MASK;
- linkparam.linktype = serv;
-
- servtype = tmp >> 4;
- linkparam.chtype = servtype;
-
- tmp = cfpkt_extr_head_u8(pkt);
- physlinkid = tmp & 0x07;
- prio = tmp >> 3;
-
- linkparam.priority = prio;
- linkparam.phyid = physlinkid;
- endpoint = cfpkt_extr_head_u8(pkt);
- linkparam.endpoint = endpoint & 0x03;
-
- switch (serv) {
- case CFCTRL_SRV_VEI:
- case CFCTRL_SRV_DBG:
- if (CFCTRL_ERR_BIT & cmdrsp)
- break;
- /* Link ID */
- linkid = cfpkt_extr_head_u8(pkt);
- break;
- case CFCTRL_SRV_VIDEO:
- tmp = cfpkt_extr_head_u8(pkt);
- linkparam.u.video.connid = tmp;
- if (CFCTRL_ERR_BIT & cmdrsp)
- break;
- /* Link ID */
- linkid = cfpkt_extr_head_u8(pkt);
- break;
-
- case CFCTRL_SRV_DATAGRAM:
- linkparam.u.datagram.connid =
- cfpkt_extr_head_u32(pkt);
- if (CFCTRL_ERR_BIT & cmdrsp)
- break;
- /* Link ID */
- linkid = cfpkt_extr_head_u8(pkt);
- break;
- case CFCTRL_SRV_RFM:
- /* Construct a frame, convert
- * DatagramConnectionID
- * to network format long and copy it out...
- */
- linkparam.u.rfm.connid =
- cfpkt_extr_head_u32(pkt);
- cp = (u8 *) linkparam.u.rfm.volume;
- for (tmp = cfpkt_extr_head_u8(pkt);
- cfpkt_more(pkt) && tmp != '\0';
- tmp = cfpkt_extr_head_u8(pkt))
- *cp++ = tmp;
- *cp = '\0';
-
- if (CFCTRL_ERR_BIT & cmdrsp)
- break;
- /* Link ID */
- linkid = cfpkt_extr_head_u8(pkt);
-
- break;
- case CFCTRL_SRV_UTIL:
- /* Construct a frame, convert
- * DatagramConnectionID
- * to network format long and copy it out...
- */
- /* Fifosize KB */
- linkparam.u.utility.fifosize_kb =
- cfpkt_extr_head_u16(pkt);
- /* Fifosize bufs */
- linkparam.u.utility.fifosize_bufs =
- cfpkt_extr_head_u16(pkt);
- /* name */
- cp = (u8 *) linkparam.u.utility.name;
- caif_assert(sizeof(linkparam.u.utility.name)
- >= UTILITY_NAME_LENGTH);
- for (i = 0;
- i < UTILITY_NAME_LENGTH
- && cfpkt_more(pkt); i++) {
- tmp = cfpkt_extr_head_u8(pkt);
- *cp++ = tmp;
- }
- /* Length */
- len = cfpkt_extr_head_u8(pkt);
- linkparam.u.utility.paramlen = len;
- /* Param Data */
- cp = linkparam.u.utility.params;
- while (cfpkt_more(pkt) && len--) {
- tmp = cfpkt_extr_head_u8(pkt);
- *cp++ = tmp;
- }
- if (CFCTRL_ERR_BIT & cmdrsp)
- break;
- /* Link ID */
- linkid = cfpkt_extr_head_u8(pkt);
- /* Length */
- len = cfpkt_extr_head_u8(pkt);
- /* Param Data */
- cfpkt_extr_head(pkt, ¶m, len);
- break;
- default:
- pr_warn("Request setup, invalid type (%d)\n",
- serv);
- goto error;
- }
-
- rsp.cmd = cmd;
- rsp.param = linkparam;
- spin_lock_bh(&cfctrl->info_list_lock);
- req = cfctrl_remove_req(cfctrl, &rsp);
-
- if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
- cfpkt_erroneous(pkt)) {
- pr_err("Invalid O/E bit or parse error "
- "on CAIF control channel\n");
- cfctrl->res.reject_rsp(cfctrl->serv.layer.up,
- 0,
- req ? req->client_layer
- : NULL);
- } else {
- cfctrl->res.linksetup_rsp(cfctrl->serv.
- layer.up, linkid,
- serv, physlinkid,
- req ? req->
- client_layer : NULL);
- }
-
- kfree(req);
-
- spin_unlock_bh(&cfctrl->info_list_lock);
- }
+ ret = cfctrl_link_setup(cfctrl, pkt, cmdrsp);
break;
case CFCTRL_CMD_LINK_DESTROY:
linkid = cfpkt_extr_head_u8(pkt);
@@ -544,9 +538,9 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
break;
default:
pr_err("Unrecognized Control Frame\n");
+ ret = -1;
goto error;
}
- ret = 0;
error:
cfpkt_destroy(pkt);
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 140/644] wifi: rtl818x: Kill URBs before clearing tx status queue
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 139/644] caif: reduce stack size, again Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 141/644] wifi: iwlwifi: Fix memory leak in iwl_mvm_init() Greg Kroah-Hartman
` (509 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Daniil Dulov, Ping-Ke Shih,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniil Dulov <d.dulov@aladdin.ru>
[ Upstream commit 16d8fd74dbfca0ea58645cd2fca13be10cae3cdd ]
In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing
b_tx_status.queue. This change prevents callbacks from using already freed
skb due to anchor was not killed before freeing such skb.
BUG: kernel NULL pointer dereference, address: 0000000000000080
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]
Call Trace:
<IRQ>
rtl8187_tx_cb+0x116/0x150 [rtl8187]
__usb_hcd_giveback_urb+0x9d/0x120
usb_giveback_urb_bh+0xbb/0x140
process_one_work+0x19b/0x3c0
bh_worker+0x1a7/0x210
tasklet_action+0x10/0x30
handle_softirqs+0xf0/0x340
__irq_exit_rcu+0xcd/0xf0
common_interrupt+0x85/0xa0
</IRQ>
Tested on RTL8187BvE device.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c1db52b9d27e ("rtl8187: Use usb anchor facilities to manage urbs")
Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250617135634.21760-1-d.dulov@aladdin.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
index eb68b2d3caa1..c9df185dc3f4 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
@@ -1041,10 +1041,11 @@ static void rtl8187_stop(struct ieee80211_hw *dev)
rtl818x_iowrite8(priv, &priv->map->CONFIG4, reg | RTL818X_CONFIG4_VCOOFF);
rtl818x_iowrite8(priv, &priv->map->EEPROM_CMD, RTL818X_EEPROM_CMD_NORMAL);
+ usb_kill_anchored_urbs(&priv->anchored);
+
while ((skb = skb_dequeue(&priv->b_tx_status.queue)))
dev_kfree_skb_any(skb);
- usb_kill_anchored_urbs(&priv->anchored);
mutex_unlock(&priv->conf_mutex);
if (!priv->is_rtl8187b)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 141/644] wifi: iwlwifi: Fix memory leak in iwl_mvm_init()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 140/644] wifi: rtl818x: Kill URBs before clearing tx status queue Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 142/644] iwlwifi: Add missing check for alloc_ordered_workqueue Greg Kroah-Hartman
` (508 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Miri Korenblit,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit ed2e916c890944633d6826dce267579334f63ea5 ]
When iwl_opmode_register() fails, it does not unregster rate control,
which will cause a memory leak issue, this patch fixes it.
Fixes: 9f66a397c877 ("iwlwifi: mvm: rs: add ops for the new rate scaling in the FW")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Link: https://patch.msgid.link/20221109035213.570-1-xiujianfeng@huawei.com
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
index e2c244ceaf70..05e1a6de8c2e 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
@@ -61,8 +61,10 @@ static int __init iwl_mvm_init(void)
}
ret = iwl_opmode_register("iwlmvm", &iwl_mvm_ops);
- if (ret)
+ if (ret) {
pr_err("Unable to register MVM op_mode: %d\n", ret);
+ iwl_mvm_rate_control_unregister();
+ }
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 142/644] iwlwifi: Add missing check for alloc_ordered_workqueue
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 141/644] wifi: iwlwifi: Fix memory leak in iwl_mvm_init() Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 143/644] wifi: ath11k: clear initialized flag for deinit-ed srng lists Greg Kroah-Hartman
` (507 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Miri Korenblit,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
[ Upstream commit 90a0d9f339960448a3acc1437a46730f975efd6a ]
Add check for the return value of alloc_ordered_workqueue since it may
return NULL pointer.
Fixes: b481de9ca074 ("[IWLWIFI]: add iwlwifi wireless drivers")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Link: https://patch.msgid.link/20230110014848.28226-1-jiasheng@iscas.ac.cn
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/dvm/main.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
index 69d1aae96bbb..0ff9b0a1bd18 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
@@ -1053,9 +1053,11 @@ static void iwl_bg_restart(struct work_struct *data)
*
*****************************************************************************/
-static void iwl_setup_deferred_work(struct iwl_priv *priv)
+static int iwl_setup_deferred_work(struct iwl_priv *priv)
{
priv->workqueue = alloc_ordered_workqueue(DRV_NAME, 0);
+ if (!priv->workqueue)
+ return -ENOMEM;
INIT_WORK(&priv->restart, iwl_bg_restart);
INIT_WORK(&priv->beacon_update, iwl_bg_beacon_update);
@@ -1072,6 +1074,8 @@ static void iwl_setup_deferred_work(struct iwl_priv *priv)
timer_setup(&priv->statistics_periodic, iwl_bg_statistics_periodic, 0);
timer_setup(&priv->ucode_trace, iwl_bg_ucode_trace, 0);
+
+ return 0;
}
void iwl_cancel_deferred_work(struct iwl_priv *priv)
@@ -1461,7 +1465,9 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
/********************
* 6. Setup services
********************/
- iwl_setup_deferred_work(priv);
+ if (iwl_setup_deferred_work(priv))
+ goto out_uninit_drv;
+
iwl_setup_rx_handlers(priv);
iwl_power_initialize(priv);
@@ -1499,6 +1505,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
iwl_cancel_deferred_work(priv);
destroy_workqueue(priv->workqueue);
priv->workqueue = NULL;
+out_uninit_drv:
iwl_uninit_drv(priv);
out_free_eeprom_blob:
kfree(priv->eeprom_blob);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 143/644] wifi: ath11k: clear initialized flag for deinit-ed srng lists
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 142/644] iwlwifi: Add missing check for alloc_ordered_workqueue Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 144/644] tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range Greg Kroah-Hartman
` (506 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Senozhatsky, Baochen Qiang,
Jeff Johnson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Senozhatsky <senozhatsky@chromium.org>
[ Upstream commit a5b46aa7cf5f05c213316a018e49a8e086efd98e ]
In a number of cases we see kernel panics on resume due
to ath11k kernel page fault, which happens under the
following circumstances:
1) First ath11k_hal_dump_srng_stats() call
Last interrupt received for each group:
ath11k_pci 0000:01:00.0: group_id 0 22511ms before
ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
[..]
ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
ath11k_pci 0000:01:00.0: Service connect timeout
ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
ath11k_pci 0000:01:00.0: failed to start core: -110
ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
ath11k_pci 0000:01:00.0: already resetting count 2
ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
[..]
2) At this point reconfiguration fails (we have 2 resets) and
ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()
which destroys srng lists. However, it does not reset per-list
->initialized flag.
3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized
flag and attempts to dump srng stats:
Last interrupt received for each group:
ath11k_pci 0000:01:00.0: group_id 0 66785ms before
ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
ath11k_pci 0000:01:00.0: group_id 7 66814ms before
ath11k_pci 0000:01:00.0: group_id 8 68997ms before
ath11k_pci 0000:01:00.0: group_id 9 67588ms before
ath11k_pci 0000:01:00.0: group_id 10 69511ms before
BUG: unable to handle page fault for address: ffffa007404eb010
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
Call Trace:
<TASK>
? __die_body+0xae/0xb0
? page_fault_oops+0x381/0x3e0
? exc_page_fault+0x69/0xa0
? asm_exc_page_fault+0x22/0x30
? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
worker_thread+0x389/0x930
kthread+0x149/0x170
Clear per-list ->initialized flag in ath11k_hal_srng_deinit().
Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
Fixes: 5118935b1bc2 ("ath11k: dump SRNG stats during FW assert")
Link: https://patch.msgid.link/20250612084551.702803-1-senozhatsky@chromium.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/hal.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c
index 5dbf5596c9e8..ee68f67d8ab8 100644
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -1286,6 +1286,10 @@ EXPORT_SYMBOL(ath11k_hal_srng_init);
void ath11k_hal_srng_deinit(struct ath11k_base *ab)
{
struct ath11k_hal *hal = &ab->hal;
+ int i;
+
+ for (i = 0; i < HAL_SRNG_RING_ID_MAX; i++)
+ ab->hal.srng_list[i].initialized = 0;
ath11k_hal_unregister_srng_key(ab);
ath11k_hal_free_cont_rdp(ab);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 144/644] tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 143/644] wifi: ath11k: clear initialized flag for deinit-ed srng lists Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 145/644] net/mlx5: Check device memory pointer before usage Greg Kroah-Hartman
` (505 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, xin.guo, Eric Dumazet,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: xin.guo <guoxin0309@gmail.com>
[ Upstream commit a041f70e573e185d5d5fdbba53f0db2fbe7257ad ]
If the new coming segment covers more than one skbs in the ofo queue,
and which seq is equal to rcv_nxt, then the sequence range
that is duplicated will be sent as DUP SACK, the detail as below,
in step6, the {501,2001} range is clearly including too much
DUP SACK range, in violation of RFC 2883 rules.
1. client > server: Flags [.], seq 501:1001, ack 1325288529, win 20000, length 500
2. server > client: Flags [.], ack 1, [nop,nop,sack 1 {501:1001}], length 0
3. client > server: Flags [.], seq 1501:2001, ack 1325288529, win 20000, length 500
4. server > client: Flags [.], ack 1, [nop,nop,sack 2 {1501:2001} {501:1001}], length 0
5. client > server: Flags [.], seq 1:2001, ack 1325288529, win 20000, length 2000
6. server > client: Flags [.], ack 2001, [nop,nop,sack 1 {501:2001}], length 0
After this fix, the final ACK is as below:
6. server > client: Flags [.], ack 2001, options [nop,nop,sack 1 {501:1001}], length 0
[edumazet] added a new packetdrill test in the following patch.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: xin.guo <guoxin0309@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250626123420.1933835-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_input.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 10f39b2762a7..fea019cc92d3 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4826,8 +4826,9 @@ static void tcp_ofo_queue(struct sock *sk)
if (before(TCP_SKB_CB(skb)->seq, dsack_high)) {
__u32 dsack = dsack_high;
+
if (before(TCP_SKB_CB(skb)->end_seq, dsack_high))
- dsack_high = TCP_SKB_CB(skb)->end_seq;
+ dsack = TCP_SKB_CB(skb)->end_seq;
tcp_dsack_extend(sk, TCP_SKB_CB(skb)->seq, dsack);
}
p = rb_next(p);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 145/644] net/mlx5: Check device memory pointer before usage
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 144/644] tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 146/644] m68k: Dont unregister boot console needlessly Greg Kroah-Hartman
` (504 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stav Aviram, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stav Aviram <saviram@nvidia.com>
[ Upstream commit 70f238c902b8c0461ae6fbb8d1a0bbddc4350eea ]
Add a NULL check before accessing device memory to prevent a crash if
dev->dm allocation in mlx5_init_once() fails.
Fixes: c9b9dcb430b3 ("net/mlx5: Move device memory management to mlx5_core")
Signed-off-by: Stav Aviram <saviram@nvidia.com>
Link: https://patch.msgid.link/c88711327f4d74d5cebc730dc629607e989ca187.1751370035.git.leon@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/mlx5/dm.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 ++--
drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 ---
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/dm.c b/drivers/infiniband/hw/mlx5/dm.c
index 001d766cf291..a85f9f08877e 100644
--- a/drivers/infiniband/hw/mlx5/dm.c
+++ b/drivers/infiniband/hw/mlx5/dm.c
@@ -282,7 +282,7 @@ static struct ib_dm *handle_alloc_dm_memic(struct ib_ucontext *ctx,
int err;
u64 address;
- if (!MLX5_CAP_DEV_MEM(dm_db->dev, memic))
+ if (!dm_db || !MLX5_CAP_DEV_MEM(dm_db->dev, memic))
return ERR_PTR(-EOPNOTSUPP);
dm = kzalloc(sizeof(*dm), GFP_KERNEL);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c
index 3d5e57ff558c..15ee84a2a470 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c
@@ -25,7 +25,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev)
dm = kzalloc(sizeof(*dm), GFP_KERNEL);
if (!dm)
- return ERR_PTR(-ENOMEM);
+ return NULL;
spin_lock_init(&dm->lock);
@@ -61,7 +61,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev)
err_steering:
kfree(dm);
- return ERR_PTR(-ENOMEM);
+ return NULL;
}
void mlx5_dm_cleanup(struct mlx5_core_dev *dev)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
index 13eceb601634..b3627163a292 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -901,9 +901,6 @@ static int mlx5_init_once(struct mlx5_core_dev *dev)
}
dev->dm = mlx5_dm_create(dev);
- if (IS_ERR(dev->dm))
- mlx5_core_warn(dev, "Failed to init device memory %ld\n", PTR_ERR(dev->dm));
-
dev->tracer = mlx5_fw_tracer_create(dev);
dev->hv_vhca = mlx5_hv_vhca_create(dev);
dev->rsc_dump = mlx5_rsc_dump_create(dev);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 146/644] m68k: Dont unregister boot console needlessly
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 145/644] net/mlx5: Check device memory pointer before usage Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 147/644] drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value Greg Kroah-Hartman
` (503 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Palmer, Finn Thain,
Geert Uytterhoeven, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Finn Thain <fthain@linux-m68k.org>
[ Upstream commit 83f672a7f69ec38b1bbb27221e342937f68c11c7 ]
When MACH_IS_MVME147, the boot console calls mvme147_scc_write() to
generate console output. That will continue to work even after
debug_cons_nputs() becomes unavailable so there's no need to
unregister the boot console.
Take the opportunity to remove a repeated MACH_IS_* test. Use the
actual .write method (instead of a wrapper) and test that pointer
instead. This means adding an unused parameter to debug_cons_nputs() for
consistency with the struct console API.
early_printk.c is only built when CONFIG_EARLY_PRINTK=y. As of late,
head.S is only built when CONFIG_MMU_MOTOROLA=y. So let the former symbol
depend on the latter, to obviate some ifdef conditionals.
Cc: Daniel Palmer <daniel@0x0f.com>
Fixes: 077b33b9e283 ("m68k: mvme147: Reinstate early console")
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/d1d4328e5aa9a87bd8352529ce62b767731c0530.1743467205.git.fthain@linux-m68k.org
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/m68k/Kconfig.debug | 2 +-
arch/m68k/kernel/early_printk.c | 42 +++++++++++----------------------
arch/m68k/kernel/head.S | 8 +++----
3 files changed, 19 insertions(+), 33 deletions(-)
diff --git a/arch/m68k/Kconfig.debug b/arch/m68k/Kconfig.debug
index 11b306bdd788..5a3713170a61 100644
--- a/arch/m68k/Kconfig.debug
+++ b/arch/m68k/Kconfig.debug
@@ -10,7 +10,7 @@ config BOOTPARAM_STRING
config EARLY_PRINTK
bool "Early printk"
- depends on !(SUN3 || M68000 || COLDFIRE)
+ depends on MMU_MOTOROLA
help
Write kernel log output directly to a serial port.
Where implemented, output goes to the framebuffer as well.
diff --git a/arch/m68k/kernel/early_printk.c b/arch/m68k/kernel/early_printk.c
index f11ef9f1f56f..521cbb8a150c 100644
--- a/arch/m68k/kernel/early_printk.c
+++ b/arch/m68k/kernel/early_printk.c
@@ -16,25 +16,10 @@
#include "../mvme147/mvme147.h"
#include "../mvme16x/mvme16x.h"
-asmlinkage void __init debug_cons_nputs(const char *s, unsigned n);
-
-static void __ref debug_cons_write(struct console *c,
- const char *s, unsigned n)
-{
-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \
- defined(CONFIG_COLDFIRE))
- if (MACH_IS_MVME147)
- mvme147_scc_write(c, s, n);
- else if (MACH_IS_MVME16x)
- mvme16x_cons_write(c, s, n);
- else
- debug_cons_nputs(s, n);
-#endif
-}
+asmlinkage void __init debug_cons_nputs(struct console *c, const char *s, unsigned int n);
static struct console early_console_instance = {
.name = "debug",
- .write = debug_cons_write,
.flags = CON_PRINTBUFFER | CON_BOOT,
.index = -1
};
@@ -44,6 +29,12 @@ static int __init setup_early_printk(char *buf)
if (early_console || buf)
return 0;
+ if (MACH_IS_MVME147)
+ early_console_instance.write = mvme147_scc_write;
+ else if (MACH_IS_MVME16x)
+ early_console_instance.write = mvme16x_cons_write;
+ else
+ early_console_instance.write = debug_cons_nputs;
early_console = &early_console_instance;
register_console(early_console);
@@ -51,20 +42,15 @@ static int __init setup_early_printk(char *buf)
}
early_param("earlyprintk", setup_early_printk);
-/*
- * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be called
- * after init sections are discarded (for platforms that use it).
- */
-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \
- defined(CONFIG_COLDFIRE))
-
static int __init unregister_early_console(void)
{
- if (!early_console || MACH_IS_MVME16x)
- return 0;
+ /*
+ * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be
+ * called after init sections are discarded (for platforms that use it).
+ */
+ if (early_console && early_console->write == debug_cons_nputs)
+ return unregister_console(early_console);
- return unregister_console(early_console);
+ return 0;
}
late_initcall(unregister_early_console);
-
-#endif
diff --git a/arch/m68k/kernel/head.S b/arch/m68k/kernel/head.S
index 493c95db0e51..2d40e0f34de5 100644
--- a/arch/m68k/kernel/head.S
+++ b/arch/m68k/kernel/head.S
@@ -3242,8 +3242,8 @@ func_return putn
* turns around and calls the internal routines. This routine
* is used by the boot console.
*
- * The calling parameters are:
- * void debug_cons_nputs(const char *str, unsigned length)
+ * The function signature is -
+ * void debug_cons_nputs(struct console *c, const char *s, unsigned int n)
*
* This routine does NOT understand variable arguments only
* simple strings!
@@ -3252,8 +3252,8 @@ ENTRY(debug_cons_nputs)
moveml %d0/%d1/%a0,%sp@-
movew %sr,%sp@-
ori #0x0700,%sr
- movel %sp@(18),%a0 /* fetch parameter */
- movel %sp@(22),%d1 /* fetch parameter */
+ movel %sp@(22),%a0 /* char *s */
+ movel %sp@(26),%d1 /* unsigned int n */
jra 2f
1:
#ifdef CONSOLE_DEBUG
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 147/644] drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 146/644] m68k: Dont unregister boot console needlessly Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 148/644] netfilter: nf_tables: adjust lockdep assertions handling Greg Kroah-Hartman
` (502 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Alex Deucher,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit a54e4639c4ef37a0241bac7d2a77f2e6ffb57099 ]
There is a small typo in phm_wait_on_indirect_register().
Swap mask and value arguments provided to phm_wait_on_register() so that
they satisfy the function signature and actual usage scheme.
Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
In practice this doesn't fix any issues because the only place this
function is used uses the same value for the value and mask.
Fixes: 3bace3591493 ("drm/amd/powerplay: add hardware manager sub-component")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c
index bfe80ac0ad8c..fa2a91d16615 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c
@@ -149,7 +149,7 @@ int phm_wait_on_indirect_register(struct pp_hwmgr *hwmgr,
}
cgs_write_register(hwmgr->device, indirect_port, index);
- return phm_wait_on_register(hwmgr, indirect_port + 1, mask, value);
+ return phm_wait_on_register(hwmgr, indirect_port + 1, value, mask);
}
int phm_wait_for_register_unequal(struct pp_hwmgr *hwmgr,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 148/644] netfilter: nf_tables: adjust lockdep assertions handling
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 147/644] drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value Greg Kroah-Hartman
@ 2025-08-26 11:03 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 149/644] arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX Greg Kroah-Hartman
` (501 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Khoroshilov, Fedor Pchelkin,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit 8df1b40de76979bb8e975201d07b71103d5de820 ]
It's needed to check the return value of lockdep_commit_lock_is_held(),
otherwise there's no point in this assertion as it doesn't print any
debug information on itself.
Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
Fixes: b04df3da1b5c ("netfilter: nf_tables: do not defer rule destruction via call_rcu")
Reported-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a1f60f275814..33d03340d9fc 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3443,7 +3443,7 @@ void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
/* can only be used if rule is no longer visible to dumps */
static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
{
- lockdep_commit_lock_is_held(ctx->net);
+ WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
nf_tables_rule_destroy(ctx, rule);
@@ -5180,7 +5180,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
struct nft_set_binding *binding,
enum nft_trans_phase phase)
{
- lockdep_commit_lock_is_held(ctx->net);
+ WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
switch (phase) {
case NFT_TRANS_PREPARE_ERROR:
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 149/644] arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2025-08-26 11:03 ` [PATCH 5.15 148/644] netfilter: nf_tables: adjust lockdep assertions handling Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 150/644] um: rtc: Avoid shadowing err in uml_rtc_start() Greg Kroah-Hartman
` (500 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Korsnes, Christophe Leroy,
Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Korsnes <johan.korsnes@gmail.com>
[ Upstream commit 75cd37c5f28b85979fd5a65174013010f6b78f27 ]
This option was removed from the Kconfig in commit
8c710f75256b ("net/sched: Retire tcindex classifier") but it was not
removed from the defconfigs.
Fixes: 8c710f75256b ("net/sched: Retire tcindex classifier")
Signed-off-by: Johan Korsnes <johan.korsnes@gmail.com>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250323191116.113482-1-johan.korsnes@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/configs/ppc6xx_defconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/powerpc/configs/ppc6xx_defconfig b/arch/powerpc/configs/ppc6xx_defconfig
index 7f7e7add44e7..cdaf8469d484 100644
--- a/arch/powerpc/configs/ppc6xx_defconfig
+++ b/arch/powerpc/configs/ppc6xx_defconfig
@@ -263,7 +263,6 @@ CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_CLS_BASIC=m
-CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 150/644] um: rtc: Avoid shadowing err in uml_rtc_start()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 149/644] arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 151/644] net/sched: Restrict conditions for adding duplicating netems to qdisc tree Greg Kroah-Hartman
` (499 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tiwei Bie, Johannes Berg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tiwei Bie <tiwei.btw@antgroup.com>
[ Upstream commit 4c916e3b224a02019b3cc3983a15f32bfd9a22df ]
Remove the declaration of 'err' inside the 'if (timetravel)' block,
as it would otherwise be unavailable outside that block, potentially
leading to uml_rtc_start() returning an uninitialized value.
Fixes: dde8b58d5127 ("um: add a pseudo RTC")
Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
Link: https://patch.msgid.link/20250708090403.1067440-5-tiwei.bie@linux.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/um/drivers/rtc_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/um/drivers/rtc_user.c b/arch/um/drivers/rtc_user.c
index 7c3cec4c68cf..006a5a164ea9 100644
--- a/arch/um/drivers/rtc_user.c
+++ b/arch/um/drivers/rtc_user.c
@@ -28,7 +28,7 @@ int uml_rtc_start(bool timetravel)
int err;
if (timetravel) {
- int err = os_pipe(uml_rtc_irq_fds, 1, 1);
+ err = os_pipe(uml_rtc_irq_fds, 1, 1);
if (err)
goto fail;
} else {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 151/644] net/sched: Restrict conditions for adding duplicating netems to qdisc tree
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 150/644] um: rtc: Avoid shadowing err in uml_rtc_start() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 152/644] net_sched: act_ctinfo: use atomic64_t for three counters Greg Kroah-Hartman
` (498 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William Liu, Savino Dicanosa,
Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: William Liu <will@willsroot.io>
[ Upstream commit ec8e0e3d7adef940cdf9475e2352c0680189d14e ]
netem_enqueue's duplication prevention logic breaks when a netem
resides in a qdisc tree with other netems - this can lead to a
soft lockup and OOM loop in netem_dequeue, as seen in [1].
Ensure that a duplicating netem cannot exist in a tree with other
netems.
Previous approaches suggested in discussions in chronological order:
1) Track duplication status or ttl in the sk_buff struct. Considered
too specific a use case to extend such a struct, though this would
be a resilient fix and address other previous and potential future
DOS bugs like the one described in loopy fun [2].
2) Restrict netem_enqueue recursion depth like in act_mirred with a
per cpu variable. However, netem_dequeue can call enqueue on its
child, and the depth restriction could be bypassed if the child is a
netem.
3) Use the same approach as in 2, but add metadata in netem_skb_cb
to handle the netem_dequeue case and track a packet's involvement
in duplication. This is an overly complex approach, and Jamal
notes that the skb cb can be overwritten to circumvent this
safeguard.
4) Prevent the addition of a netem to a qdisc tree if its ancestral
path contains a netem. However, filters and actions can cause a
packet to change paths when re-enqueued to the root from netem
duplication, leading us to the current solution: prevent a
duplicating netem from inhabiting the same tree as other netems.
[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/
[2] https://lwn.net/Articles/719297/
Fixes: 0afb51e72855 ("[PKT_SCHED]: netem: reinsert for duplication")
Reported-by: William Liu <will@willsroot.io>
Reported-by: Savino Dicanosa <savy@syst3mfailure.io>
Signed-off-by: William Liu <will@willsroot.io>
Signed-off-by: Savino Dicanosa <savy@syst3mfailure.io>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20250708164141.875402-1-will@willsroot.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_netem.c | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 22f5d9421f6a..951156d7e548 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -962,6 +962,41 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla,
return 0;
}
+static const struct Qdisc_class_ops netem_class_ops;
+
+static int check_netem_in_tree(struct Qdisc *sch, bool duplicates,
+ struct netlink_ext_ack *extack)
+{
+ struct Qdisc *root, *q;
+ unsigned int i;
+
+ root = qdisc_root_sleeping(sch);
+
+ if (sch != root && root->ops->cl_ops == &netem_class_ops) {
+ if (duplicates ||
+ ((struct netem_sched_data *)qdisc_priv(root))->duplicate)
+ goto err;
+ }
+
+ if (!qdisc_dev(root))
+ return 0;
+
+ hash_for_each(qdisc_dev(root)->qdisc_hash, i, q, hash) {
+ if (sch != q && q->ops->cl_ops == &netem_class_ops) {
+ if (duplicates ||
+ ((struct netem_sched_data *)qdisc_priv(q))->duplicate)
+ goto err;
+ }
+ }
+
+ return 0;
+
+err:
+ NL_SET_ERR_MSG(extack,
+ "netem: cannot mix duplicating netems with other netems in tree");
+ return -EINVAL;
+}
+
/* Parse netlink message to set options */
static int netem_change(struct Qdisc *sch, struct nlattr *opt,
struct netlink_ext_ack *extack)
@@ -1023,6 +1058,11 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
q->gap = qopt->gap;
q->counter = 0;
q->loss = qopt->loss;
+
+ ret = check_netem_in_tree(sch, qopt->duplicate, extack);
+ if (ret)
+ goto unlock;
+
q->duplicate = qopt->duplicate;
/* for compatibility with earlier versions.
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 152/644] net_sched: act_ctinfo: use atomic64_t for three counters
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 151/644] net/sched: Restrict conditions for adding duplicating netems to qdisc tree Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 153/644] xen/gntdev: remove struct gntdev_copy_batch from stack Greg Kroah-Hartman
` (497 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Pedro Tammela,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d300335b4e18672913dd792ff9f49e6cccf41d26 ]
Commit 21c167aa0ba9 ("net/sched: act_ctinfo: use percpu stats")
missed that stats_dscp_set, stats_dscp_error and stats_cpmark_set
might be written (and read) locklessly.
Use atomic64_t for these three fields, I doubt act_ctinfo is used
heavily on big SMP hosts anyway.
Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pedro Tammela <pctammela@mojatatu.com>
Link: https://patch.msgid.link/20250709090204.797558-6-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/tc_act/tc_ctinfo.h | 6 +++---
net/sched/act_ctinfo.c | 19 +++++++++++--------
2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/include/net/tc_act/tc_ctinfo.h b/include/net/tc_act/tc_ctinfo.h
index f071c1d70a25..a04bcac7adf4 100644
--- a/include/net/tc_act/tc_ctinfo.h
+++ b/include/net/tc_act/tc_ctinfo.h
@@ -18,9 +18,9 @@ struct tcf_ctinfo_params {
struct tcf_ctinfo {
struct tc_action common;
struct tcf_ctinfo_params __rcu *params;
- u64 stats_dscp_set;
- u64 stats_dscp_error;
- u64 stats_cpmark_set;
+ atomic64_t stats_dscp_set;
+ atomic64_t stats_dscp_error;
+ atomic64_t stats_cpmark_set;
};
enum {
diff --git a/net/sched/act_ctinfo.c b/net/sched/act_ctinfo.c
index 56e0a5eb6494..ddacd4fa442c 100644
--- a/net/sched/act_ctinfo.c
+++ b/net/sched/act_ctinfo.c
@@ -44,9 +44,9 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
ipv4_change_dsfield(ip_hdr(skb),
INET_ECN_MASK,
newdscp);
- ca->stats_dscp_set++;
+ atomic64_inc(&ca->stats_dscp_set);
} else {
- ca->stats_dscp_error++;
+ atomic64_inc(&ca->stats_dscp_error);
}
}
break;
@@ -57,9 +57,9 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
ipv6_change_dsfield(ipv6_hdr(skb),
INET_ECN_MASK,
newdscp);
- ca->stats_dscp_set++;
+ atomic64_inc(&ca->stats_dscp_set);
} else {
- ca->stats_dscp_error++;
+ atomic64_inc(&ca->stats_dscp_error);
}
}
break;
@@ -72,7 +72,7 @@ static void tcf_ctinfo_cpmark_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
struct tcf_ctinfo_params *cp,
struct sk_buff *skb)
{
- ca->stats_cpmark_set++;
+ atomic64_inc(&ca->stats_cpmark_set);
skb->mark = READ_ONCE(ct->mark) & cp->cpmarkmask;
}
@@ -322,15 +322,18 @@ static int tcf_ctinfo_dump(struct sk_buff *skb, struct tc_action *a,
}
if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_DSCP_SET,
- ci->stats_dscp_set, TCA_CTINFO_PAD))
+ atomic64_read(&ci->stats_dscp_set),
+ TCA_CTINFO_PAD))
goto nla_put_failure;
if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_DSCP_ERROR,
- ci->stats_dscp_error, TCA_CTINFO_PAD))
+ atomic64_read(&ci->stats_dscp_error),
+ TCA_CTINFO_PAD))
goto nla_put_failure;
if (nla_put_u64_64bit(skb, TCA_CTINFO_STATS_CPMARK_SET,
- ci->stats_cpmark_set, TCA_CTINFO_PAD))
+ atomic64_read(&ci->stats_cpmark_set),
+ TCA_CTINFO_PAD))
goto nla_put_failure;
spin_unlock_bh(&ci->tcf_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 153/644] xen/gntdev: remove struct gntdev_copy_batch from stack
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 152/644] net_sched: act_ctinfo: use atomic64_t for three counters Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 154/644] wifi: rtl8xxxu: Fix RX skb size for aggregation disabled Greg Kroah-Hartman
` (496 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abinash Singh, Stefano Stabellini,
Juergen Gross, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
[ Upstream commit 70045cf6593cbf0740956ea9b7b4269142c6ee38 ]
When compiling the kernel with LLVM, the following warning was issued:
drivers/xen/gntdev.c:991: warning: stack frame size (1160) exceeds
limit (1024) in function 'gntdev_ioctl'
The main reason is struct gntdev_copy_batch which is located on the
stack and has a size of nearly 1kb.
For performance reasons it shouldn't by just dynamically allocated
instead, so allocate a new instance when needed and instead of freeing
it put it into a list of free structs anchored in struct gntdev_priv.
Fixes: a4cdb556cae0 ("xen/gntdev: add ioctl for grant copy")
Reported-by: Abinash Singh <abinashsinghlalotra@gmail.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250703073259.17356-1-jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/xen/gntdev-common.h | 4 +++
drivers/xen/gntdev.c | 71 ++++++++++++++++++++++++++-----------
2 files changed, 54 insertions(+), 21 deletions(-)
diff --git a/drivers/xen/gntdev-common.h b/drivers/xen/gntdev-common.h
index 9c286b2a1900..ac8ce3179ba2 100644
--- a/drivers/xen/gntdev-common.h
+++ b/drivers/xen/gntdev-common.h
@@ -26,6 +26,10 @@ struct gntdev_priv {
/* lock protects maps and freeable_maps. */
struct mutex lock;
+ /* Free instances of struct gntdev_copy_batch. */
+ struct gntdev_copy_batch *batch;
+ struct mutex batch_lock;
+
#ifdef CONFIG_XEN_GRANT_DMA_ALLOC
/* Device for which DMA memory is allocated. */
struct device *dma_dev;
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index 4d9a3050de6a..de8a36502aa2 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -56,6 +56,18 @@ MODULE_AUTHOR("Derek G. Murray <Derek.Murray@cl.cam.ac.uk>, "
"Gerd Hoffmann <kraxel@redhat.com>");
MODULE_DESCRIPTION("User-space granted page access driver");
+#define GNTDEV_COPY_BATCH 16
+
+struct gntdev_copy_batch {
+ struct gnttab_copy ops[GNTDEV_COPY_BATCH];
+ struct page *pages[GNTDEV_COPY_BATCH];
+ s16 __user *status[GNTDEV_COPY_BATCH];
+ unsigned int nr_ops;
+ unsigned int nr_pages;
+ bool writeable;
+ struct gntdev_copy_batch *next;
+};
+
static unsigned int limit = 64*1024;
module_param(limit, uint, 0644);
MODULE_PARM_DESC(limit,
@@ -584,6 +596,8 @@ static int gntdev_open(struct inode *inode, struct file *flip)
INIT_LIST_HEAD(&priv->maps);
mutex_init(&priv->lock);
+ mutex_init(&priv->batch_lock);
+
#ifdef CONFIG_XEN_GNTDEV_DMABUF
priv->dmabuf_priv = gntdev_dmabuf_init(flip);
if (IS_ERR(priv->dmabuf_priv)) {
@@ -608,6 +622,7 @@ static int gntdev_release(struct inode *inode, struct file *flip)
{
struct gntdev_priv *priv = flip->private_data;
struct gntdev_grant_map *map;
+ struct gntdev_copy_batch *batch;
pr_debug("priv %p\n", priv);
@@ -620,6 +635,14 @@ static int gntdev_release(struct inode *inode, struct file *flip)
}
mutex_unlock(&priv->lock);
+ mutex_lock(&priv->batch_lock);
+ while (priv->batch) {
+ batch = priv->batch;
+ priv->batch = batch->next;
+ kfree(batch);
+ }
+ mutex_unlock(&priv->batch_lock);
+
#ifdef CONFIG_XEN_GNTDEV_DMABUF
gntdev_dmabuf_fini(priv->dmabuf_priv);
#endif
@@ -785,17 +808,6 @@ static long gntdev_ioctl_notify(struct gntdev_priv *priv, void __user *u)
return rc;
}
-#define GNTDEV_COPY_BATCH 16
-
-struct gntdev_copy_batch {
- struct gnttab_copy ops[GNTDEV_COPY_BATCH];
- struct page *pages[GNTDEV_COPY_BATCH];
- s16 __user *status[GNTDEV_COPY_BATCH];
- unsigned int nr_ops;
- unsigned int nr_pages;
- bool writeable;
-};
-
static int gntdev_get_page(struct gntdev_copy_batch *batch, void __user *virt,
unsigned long *gfn)
{
@@ -953,36 +965,53 @@ static int gntdev_grant_copy_seg(struct gntdev_copy_batch *batch,
static long gntdev_ioctl_grant_copy(struct gntdev_priv *priv, void __user *u)
{
struct ioctl_gntdev_grant_copy copy;
- struct gntdev_copy_batch batch;
+ struct gntdev_copy_batch *batch;
unsigned int i;
int ret = 0;
if (copy_from_user(©, u, sizeof(copy)))
return -EFAULT;
- batch.nr_ops = 0;
- batch.nr_pages = 0;
+ mutex_lock(&priv->batch_lock);
+ if (!priv->batch) {
+ batch = kmalloc(sizeof(*batch), GFP_KERNEL);
+ } else {
+ batch = priv->batch;
+ priv->batch = batch->next;
+ }
+ mutex_unlock(&priv->batch_lock);
+ if (!batch)
+ return -ENOMEM;
+
+ batch->nr_ops = 0;
+ batch->nr_pages = 0;
for (i = 0; i < copy.count; i++) {
struct gntdev_grant_copy_segment seg;
if (copy_from_user(&seg, ©.segments[i], sizeof(seg))) {
ret = -EFAULT;
+ gntdev_put_pages(batch);
goto out;
}
- ret = gntdev_grant_copy_seg(&batch, &seg, ©.segments[i].status);
- if (ret < 0)
+ ret = gntdev_grant_copy_seg(batch, &seg, ©.segments[i].status);
+ if (ret < 0) {
+ gntdev_put_pages(batch);
goto out;
+ }
cond_resched();
}
- if (batch.nr_ops)
- ret = gntdev_copy(&batch);
- return ret;
+ if (batch->nr_ops)
+ ret = gntdev_copy(batch);
+
+ out:
+ mutex_lock(&priv->batch_lock);
+ batch->next = priv->batch;
+ priv->batch = batch;
+ mutex_unlock(&priv->batch_lock);
- out:
- gntdev_put_pages(&batch);
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 154/644] wifi: rtl8xxxu: Fix RX skb size for aggregation disabled
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 153/644] xen/gntdev: remove struct gntdev_copy_batch from stack Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 155/644] mwl8k: Add missing check after DMA map Greg Kroah-Hartman
` (495 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Kaistra, Ping-Ke Shih,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Kaistra <martin.kaistra@linutronix.de>
[ Upstream commit d76a1abcf57734d2bcd4a7ec051617edd4513d7f ]
Commit 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for
phystats") increased the skb size when aggregation is enabled but decreased
it for the aggregation disabled case.
As a result, if a frame near the maximum size is received,
rtl8xxxu_rx_complete() is called with status -EOVERFLOW and then the
driver starts to malfunction and no further communication is possible.
Restore the skb size in the aggregation disabled case.
Fixes: 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for phystats")
Signed-off-by: Martin Kaistra <martin.kaistra@linutronix.de>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250709121522.1992366-1-martin.kaistra@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index b042dff4ac93..9bcc137da20f 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -5795,7 +5795,7 @@ static int rtl8xxxu_submit_rx_urb(struct rtl8xxxu_priv *priv,
skb_size = fops->rx_agg_buf_size;
skb_size += (rx_desc_sz + sizeof(struct rtl8723au_phy_stats));
} else {
- skb_size = IEEE80211_MAX_FRAME_LEN;
+ skb_size = IEEE80211_MAX_FRAME_LEN + rx_desc_sz;
}
skb = __netdev_alloc_skb(NULL, skb_size, GFP_KERNEL);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 155/644] mwl8k: Add missing check after DMA map
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 154/644] wifi: rtl8xxxu: Fix RX skb size for aggregation disabled Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 156/644] wifi: mac80211: Dont call fq_flow_idx() for management frames Greg Kroah-Hartman
` (494 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Johannes Berg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 50459501b9a212dbe7a673727589ee105a8a9954 ]
The DMA map functions can fail and should be tested for errors.
If the mapping fails, unmap and return an error.
Fixes: 788838ebe8a4 ("mwl8k: use pci_unmap_addr{,set}() to keep track of unmap addresses on rx")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20250709111339.25360-2-fourier.thomas@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwl8k.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
index ad9678186c58..6cef5a0d6a6e 100644
--- a/drivers/net/wireless/marvell/mwl8k.c
+++ b/drivers/net/wireless/marvell/mwl8k.c
@@ -1222,6 +1222,10 @@ static int rxq_refill(struct ieee80211_hw *hw, int index, int limit)
addr = dma_map_single(&priv->pdev->dev, skb->data,
MWL8K_RX_MAXSZ, DMA_FROM_DEVICE);
+ if (dma_mapping_error(&priv->pdev->dev, addr)) {
+ kfree_skb(skb);
+ break;
+ }
rxq->rxd_count++;
rx = rxq->tail++;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 156/644] wifi: mac80211: Dont call fq_flow_idx() for management frames
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 155/644] mwl8k: Add missing check after DMA map Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 157/644] wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() Greg Kroah-Hartman
` (493 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Wetzel, Johannes Berg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Wetzel <Alexander@wetzel-home.de>
[ Upstream commit cb3bb3d88dfcd177a1050c0a009a3ee147b2e5b9 ]
skb_get_hash() can only be used when the skb is linked to a netdev
device.
Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
Fixes: 73bc9e0af594 ("mac80211: don't apply flow control on management frames")
Link: https://patch.msgid.link/20250717162547.94582-3-Alexander@wetzel-home.de
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/tx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index c4e6fbe4343e..4f2183f23117 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1417,7 +1417,7 @@ static void ieee80211_txq_enqueue(struct ieee80211_local *local,
{
struct fq *fq = &local->fq;
struct fq_tin *tin = &txqi->tin;
- u32 flow_idx = fq_flow_idx(fq, skb);
+ u32 flow_idx;
ieee80211_set_skb_enqueue_time(skb);
@@ -1433,6 +1433,7 @@ static void ieee80211_txq_enqueue(struct ieee80211_local *local,
IEEE80211_TX_INTCFL_NEED_TXPROCESSING;
__skb_queue_tail(&txqi->frags, skb);
} else {
+ flow_idx = fq_flow_idx(fq, skb);
fq_tin_enqueue(fq, tin, flow_idx, skb,
fq_skb_free_func);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 157/644] wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 156/644] wifi: mac80211: Dont call fq_flow_idx() for management frames Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 158/644] Reapply "wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()" Greg Kroah-Hartman
` (492 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bert Karwatzki, Remi Pommarel,
Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Remi Pommarel <repk@triplefau.lt>
[ Upstream commit 4037c468d1b3c508d69e6df0ef47fdee3d440e39 ]
With 802.11 encapsulation offloading, ieee80211_tx_h_select_key() is
called on 802.3 frames. In that case do not try to use skb data as
valid 802.11 headers.
Reported-by: Bert Karwatzki <spasswolf@web.de>
Closes: https://lore.kernel.org/linux-wireless/20250410215527.3001-1-spasswolf@web.de
Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Link: https://patch.msgid.link/1af4b5b903a5fca5ebe67333d5854f93b2be5abe.1752765971.git.repk@triplefau.lt
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/tx.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 4f2183f23117..4ab891c8416d 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -608,6 +608,12 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
else
tx->key = NULL;
+ if (info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) {
+ if (tx->key && tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)
+ info->control.hw_key = &tx->key->conf;
+ return TX_CONTINUE;
+ }
+
if (tx->key) {
bool skip_hw = false;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 158/644] Reapply "wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()"
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 157/644] wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 159/644] wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE Greg Kroah-Hartman
` (491 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Remi Pommarel, Johannes Berg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Remi Pommarel <repk@triplefau.lt>
[ Upstream commit 754fe848b3b297fc85ec24cd959bad22b6df8cb8 ]
This reverts commit 0937cb5f345c ("Revert "wifi: mac80211: Update
skb's control block key in ieee80211_tx_dequeue()"").
This commit broke TX with 802.11 encapsulation HW offloading, now that
this is fixed, reapply it.
Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Link: https://patch.msgid.link/66b8fc39fb0194fa06c9ca7eeb6ffe0118dcb3ec.1752765971.git.repk@triplefau.lt
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/tx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 4ab891c8416d..a5be5fe5c6b4 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3711,6 +3711,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
* The key can be removed while the packet was queued, so need to call
* this here to get the current key.
*/
+ info->control.hw_key = NULL;
r = ieee80211_tx_h_select_key(&tx);
if (r != TX_CONTINUE) {
ieee80211_free_txskb(&local->hw, skb);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 159/644] wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 158/644] Reapply "wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()" Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 160/644] can: kvaser_pciefd: Store device channel index Greg Kroah-Hartman
` (490 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gokul Sivakumar, Arend van Spriel,
Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
[ Upstream commit 579bf8037b70b644a674c126a32bbb2212cf5c21 ]
After commit bd99a3013bdc ("brcmfmac: move configuration of probe request
IEs"), the probe request MGMT IE addition operation brcmf_vif_set_mgmt_ie()
got moved from the brcmf_p2p_scan_prep() to the brcmf_cfg80211_scan().
Because of this, as part of the scan request handler for the P2P Discovery,
vif struct used for adding the Probe Request P2P IE in firmware got changed
from the P2PAPI_BSSCFG_DEVICE vif to P2PAPI_BSSCFG_PRIMARY vif incorrectly.
So the firmware stopped adding P2P IE to the outgoing P2P Discovery probe
requests frames and the other P2P peers were unable to discover this device
causing a regression on the P2P feature.
To fix this, while setting the P2P IE in firmware, properly use the vif of
the P2P discovery wdev on which the driver received the P2P scan request.
This is done by not changing the vif pointer, until brcmf_vif_set_mgmt_ie()
is completed.
Fixes: bd99a3013bdc ("brcmfmac: move configuration of probe request IEs")
Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20250626050706.7271-1-gokulkumar.sivakumar@infineon.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 1c95e8f75916..ebd2db226488 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -1199,10 +1199,6 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request)
return -EAGAIN;
}
- /* If scan req comes for p2p0, send it over primary I/F */
- if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif)
- vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif;
-
brcmf_dbg(SCAN, "START ESCAN\n");
cfg->scan_request = request;
@@ -1218,6 +1214,10 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request)
if (err)
goto scan_out;
+ /* If scan req comes for p2p0, send it over primary I/F */
+ if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif)
+ vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif;
+
err = brcmf_do_escan(vif->ifp, request);
if (err)
goto scan_out;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 160/644] can: kvaser_pciefd: Store device channel index
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 159/644] wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 161/644] can: kvaser_usb: Assign netdev.dev_port based on " Greg Kroah-Hartman
` (489 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Mailhol, Jimmy Assarsson,
Marc Kleine-Budde, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jimmy Assarsson <extja@kvaser.com>
[ Upstream commit d54b16b40ddadb7d0a77fff48af7b319a0cd6aae ]
Store device channel index in netdev.dev_port.
Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://patch.msgid.link/20250725123230.8-6-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/kvaser_pciefd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c
index 26bc8c7ad75b..23c6632319a1 100644
--- a/drivers/net/can/kvaser_pciefd.c
+++ b/drivers/net/can/kvaser_pciefd.c
@@ -955,6 +955,7 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie)
can->err_rep_cnt = 0;
can->bec.txerr = 0;
can->bec.rxerr = 0;
+ can->can.dev->dev_port = i;
init_completion(&can->start_comp);
init_completion(&can->flush_comp);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 161/644] can: kvaser_usb: Assign netdev.dev_port based on device channel index
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 160/644] can: kvaser_pciefd: Store device channel index Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 162/644] netfilter: xt_nfacct: dont assume acct name is null-terminated Greg Kroah-Hartman
` (488 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Mailhol, Jimmy Assarsson,
Marc Kleine-Budde, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jimmy Assarsson <extja@kvaser.com>
[ Upstream commit c151b06a087a61c7a1790b75ee2f1d6edb6a8a45 ]
Assign netdev.dev_port based on the device channel index, to indicate the
port number of the network device.
While this driver already uses netdev.dev_id for that purpose, dev_port is
more appropriate. However, retain dev_id to avoid potential regressions.
Fixes: 3e66d0138c05 ("can: populate netdev::dev_id for udev discrimination")
Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://patch.msgid.link/20250725123452.41-4-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
index f6cb5ba61ac9..d5f119f607ef 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
@@ -838,6 +838,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
SET_NETDEV_DEV(netdev, &dev->intf->dev);
netdev->dev_id = channel;
+ netdev->dev_port = channel;
dev->nets[channel] = priv;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 162/644] netfilter: xt_nfacct: dont assume acct name is null-terminated
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 161/644] can: kvaser_usb: Assign netdev.dev_port based on " Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 163/644] selftests: rtnetlink.sh: remove esp4_offload after test Greg Kroah-Hartman
` (487 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4ff165b9251e4d295690,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit bf58e667af7d96c8eb9411f926a0a0955f41ce21 ]
BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721
Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851
[..]
string+0x231/0x2b0 lib/vsprintf.c:721
vsnprintf+0x739/0xf00 lib/vsprintf.c:2874
[..]
nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41
xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523
nfnl_acct_find_get() handles non-null input, but the error
printk relied on its presence.
Reported-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4ff165b9251e4d295690
Tested-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com
Fixes: ceb98d03eac5 ("netfilter: xtables: add nfacct match to support extended accounting")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/xt_nfacct.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
index 7c6bf1c16813..0ca1cdfc4095 100644
--- a/net/netfilter/xt_nfacct.c
+++ b/net/netfilter/xt_nfacct.c
@@ -38,8 +38,8 @@ nfacct_mt_checkentry(const struct xt_mtchk_param *par)
nfacct = nfnl_acct_find_get(par->net, info->name);
if (nfacct == NULL) {
- pr_info_ratelimited("accounting object `%s' does not exists\n",
- info->name);
+ pr_info_ratelimited("accounting object `%.*s' does not exist\n",
+ NFACCT_NAME_MAX, info->name);
return -ENOENT;
}
info->nfacct = nfacct;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 163/644] selftests: rtnetlink.sh: remove esp4_offload after test
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 162/644] netfilter: xt_nfacct: dont assume acct name is null-terminated Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 164/644] vrf: Drop existing dst reference in vrf_ip6_input_dst Greg Kroah-Hartman
` (486 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiumei Mu, Shannon Nelson,
Hangbin Liu, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiumei Mu <xmu@redhat.com>
[ Upstream commit 5b32321fdaf3fd1a92ec726af18765e225b0ee2b ]
The esp4_offload module, loaded during IPsec offload tests, should
be reset to its default settings after testing.
Otherwise, leaving it enabled could unintentionally affect subsequence
test cases by keeping offload active.
Without this fix:
$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload;
PASS: ipsec_offload
esp4_offload 12288 0
esp4 32768 1 esp4_offload
With this fix:
$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload;
PASS: ipsec_offload
Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test")
Signed-off-by: Xiumei Mu <xmu@redhat.com>
Reviewed-by: Shannon Nelson <sln@onemain.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/6d3a1d777c4de4eb0ca94ced9e77be8d48c5b12f.1753415428.git.xmu@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/rtnetlink.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
index a3597b3e579f..0a6212a96415 100755
--- a/tools/testing/selftests/net/rtnetlink.sh
+++ b/tools/testing/selftests/net/rtnetlink.sh
@@ -746,6 +746,11 @@ kci_test_ipsec_offload()
sysfsf=$sysfsd/ipsec
sysfsnet=/sys/bus/netdevsim/devices/netdevsim0/net/
probed=false
+ esp4_offload_probed_default=false
+
+ if lsmod | grep -q esp4_offload; then
+ esp4_offload_probed_default=true
+ fi
# setup netdevsim since dummydev doesn't have offload support
if [ ! -w /sys/bus/netdevsim/new_device ] ; then
@@ -835,6 +840,7 @@ EOF
fi
# clean up any leftovers
+ ! "$esp4_offload_probed_default" && lsmod | grep -q esp4_offload && rmmod esp4_offload
echo 0 > /sys/bus/netdevsim/del_device
$probed && rmmod netdevsim
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 164/644] vrf: Drop existing dst reference in vrf_ip6_input_dst
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 163/644] selftests: rtnetlink.sh: remove esp4_offload after test Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 165/644] PCI: rockchip-host: Fix "Unexpected Completion" log message Greg Kroah-Hartman
` (485 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Ahern, Ido Schimmel,
Stanislav Fomichev, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislav Fomichev <sdf@fomichev.me>
[ Upstream commit f388f807eca1de9e6e70f9ffb1a573c3811c4215 ]
Commit ff3fbcdd4724 ("selftests: tc: Add generic erspan_opts matching support
for tc-flower") started triggering the following kmemleak warning:
unreferenced object 0xffff888015fb0e00 (size 512):
comm "softirq", pid 0, jiffies 4294679065
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 40 d2 85 9e ff ff ff ff ........@.......
41 69 59 9d ff ff ff ff 00 00 00 00 00 00 00 00 AiY.............
backtrace (crc 30b71e8b):
__kmalloc_noprof+0x359/0x460
metadata_dst_alloc+0x28/0x490
erspan_rcv+0x4f1/0x1160 [ip_gre]
gre_rcv+0x217/0x240 [ip_gre]
gre_rcv+0x1b8/0x400 [gre]
ip_protocol_deliver_rcu+0x31d/0x3a0
ip_local_deliver_finish+0x37d/0x620
ip_local_deliver+0x174/0x460
ip_rcv+0x52b/0x6b0
__netif_receive_skb_one_core+0x149/0x1a0
process_backlog+0x3c8/0x1390
__napi_poll.constprop.0+0xa1/0x390
net_rx_action+0x59b/0xe00
handle_softirqs+0x22b/0x630
do_softirq+0xb1/0xf0
__local_bh_enable_ip+0x115/0x150
vrf_ip6_input_dst unconditionally sets skb dst entry, add a call to
skb_dst_drop to drop any existing entry.
Cc: David Ahern <dsahern@kernel.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Fixes: 9ff74384600a ("net: vrf: Handle ipv6 multicast and link-local addresses")
Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://patch.msgid.link/20250725160043.350725-1-sdf@fomichev.me
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vrf.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index 27ab443ffa65..6c719d6da5b8 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -1364,6 +1364,8 @@ static void vrf_ip6_input_dst(struct sk_buff *skb, struct net_device *vrf_dev,
struct net *net = dev_net(vrf_dev);
struct rt6_info *rt6;
+ skb_dst_drop(skb);
+
rt6 = vrf_ip6_route_lookup(net, vrf_dev, &fl6, ifindex, skb,
RT6_LOOKUP_F_HAS_SADDR | RT6_LOOKUP_F_IFACE);
if (unlikely(!rt6))
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 165/644] PCI: rockchip-host: Fix "Unexpected Completion" log message
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 164/644] vrf: Drop existing dst reference in vrf_ip6_input_dst Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 166/644] crypto: marvell/cesa - Fix engine load inaccuracy Greg Kroah-Hartman
` (484 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Zhang, Manivannan Sadhasivam,
Shawn Lin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Zhang <18255117159@163.com>
[ Upstream commit fcc5f586c4edbcc10de23fb9b8c0972a84e945cd ]
Fix the debug message for the PCIE_CORE_INT_UCR interrupt to clearly
indicate "Unexpected Completion" instead of a duplicate "malformed TLP"
message.
Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support")
Signed-off-by: Hans Zhang <18255117159@163.com>
[mani: added fixes tag]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
Link: https://patch.msgid.link/20250607160201.807043-2-18255117159@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pcie-rockchip-host.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/controller/pcie-rockchip-host.c b/drivers/pci/controller/pcie-rockchip-host.c
index c52316d0bfd2..9e9e90e7c0fe 100644
--- a/drivers/pci/controller/pcie-rockchip-host.c
+++ b/drivers/pci/controller/pcie-rockchip-host.c
@@ -441,7 +441,7 @@ static irqreturn_t rockchip_pcie_subsys_irq_handler(int irq, void *arg)
dev_dbg(dev, "malformed TLP received from the link\n");
if (sub_reg & PCIE_CORE_INT_UCR)
- dev_dbg(dev, "malformed TLP received from the link\n");
+ dev_dbg(dev, "Unexpected Completion received from the link\n");
if (sub_reg & PCIE_CORE_INT_FCE)
dev_dbg(dev, "an error was observed in the flow control advertisements from the other side\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 166/644] crypto: marvell/cesa - Fix engine load inaccuracy
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 165/644] PCI: rockchip-host: Fix "Unexpected Completion" log message Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 167/644] mtd: fix possible integer overflow in erase_xfer() Greg Kroah-Hartman
` (483 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 442134ab30e75b7229c4bfc1ac5641d245cffe27 ]
If an error occurs during queueing the engine load will never be
decremented. Fix this by moving the engine load adjustment into
the cleanup function.
Fixes: bf8f91e71192 ("crypto: marvell - Add load balancing between engines")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/marvell/cesa/cipher.c | 4 +++-
drivers/crypto/marvell/cesa/hash.c | 5 +++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c
index 3876e3ce822f..eabed9d977df 100644
--- a/drivers/crypto/marvell/cesa/cipher.c
+++ b/drivers/crypto/marvell/cesa/cipher.c
@@ -75,9 +75,12 @@ mv_cesa_skcipher_dma_cleanup(struct skcipher_request *req)
static inline void mv_cesa_skcipher_cleanup(struct skcipher_request *req)
{
struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req);
+ struct mv_cesa_engine *engine = creq->base.engine;
if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ)
mv_cesa_skcipher_dma_cleanup(req);
+
+ atomic_sub(req->cryptlen, &engine->load);
}
static void mv_cesa_skcipher_std_step(struct skcipher_request *req)
@@ -212,7 +215,6 @@ mv_cesa_skcipher_complete(struct crypto_async_request *req)
struct mv_cesa_engine *engine = creq->base.engine;
unsigned int ivsize;
- atomic_sub(skreq->cryptlen, &engine->load);
ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(skreq));
if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ) {
diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c
index 72b0f863dee0..66ebe26e59cb 100644
--- a/drivers/crypto/marvell/cesa/hash.c
+++ b/drivers/crypto/marvell/cesa/hash.c
@@ -110,9 +110,12 @@ static inline void mv_cesa_ahash_dma_cleanup(struct ahash_request *req)
static inline void mv_cesa_ahash_cleanup(struct ahash_request *req)
{
struct mv_cesa_ahash_req *creq = ahash_request_ctx(req);
+ struct mv_cesa_engine *engine = creq->base.engine;
if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ)
mv_cesa_ahash_dma_cleanup(req);
+
+ atomic_sub(req->nbytes, &engine->load);
}
static void mv_cesa_ahash_last_cleanup(struct ahash_request *req)
@@ -395,8 +398,6 @@ static void mv_cesa_ahash_complete(struct crypto_async_request *req)
}
}
}
-
- atomic_sub(ahashreq->nbytes, &engine->load);
}
static void mv_cesa_ahash_prepare(struct crypto_async_request *req,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 167/644] mtd: fix possible integer overflow in erase_xfer()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 166/644] crypto: marvell/cesa - Fix engine load inaccuracy Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 168/644] clk: davinci: Add NULL check in davinci_lpsc_clk_register() Greg Kroah-Hartman
` (482 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Stepchenko, Miquel Raynal,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Stepchenko <sid@itb.spb.ru>
[ Upstream commit 9358bdb9f9f54d94ceafc650deffefd737d19fdd ]
The expression '1 << EraseUnitSize' is evaluated in int, which causes
a negative result when shifting by 31 - the upper bound of the valid
range [10, 31], enforced by scan_header(). This leads to incorrect
extension when storing the result in 'erase->len' (uint64_t), producing
a large unexpected value.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/ftl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/ftl.c b/drivers/mtd/ftl.c
index f655d2905270..243d7faa128a 100644
--- a/drivers/mtd/ftl.c
+++ b/drivers/mtd/ftl.c
@@ -344,7 +344,7 @@ static int erase_xfer(partition_t *part,
return -ENOMEM;
erase->addr = xfer->Offset;
- erase->len = 1 << part->header.EraseUnitSize;
+ erase->len = 1ULL << part->header.EraseUnitSize;
ret = mtd_erase(part->mbd.mtd, erase);
if (!ret) {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 168/644] clk: davinci: Add NULL check in davinci_lpsc_clk_register()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 167/644] mtd: fix possible integer overflow in erase_xfer() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 169/644] media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check Greg Kroah-Hartman
` (481 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Henry Martin, David Lechner,
Stephen Boyd, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Henry Martin <bsdhenrymartin@gmail.com>
[ Upstream commit 13de464f445d42738fe18c9a28bab056ba3a290a ]
devm_kasprintf() returns NULL when memory allocation fails. Currently,
davinci_lpsc_clk_register() does not check for this case, which results
in a NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent this issue and ensuring
no resources are left allocated.
Fixes: c6ed4d734bc7 ("clk: davinci: New driver for davinci PSC clocks")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Link: https://lore.kernel.org/r/20250401131341.26800-1-bsdhenrymartin@gmail.com
Reviewed-by: David Lechner <david@lechnology.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/davinci/psc.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/clk/davinci/psc.c b/drivers/clk/davinci/psc.c
index 7387e7f6276e..4e1abfc1e564 100644
--- a/drivers/clk/davinci/psc.c
+++ b/drivers/clk/davinci/psc.c
@@ -278,6 +278,11 @@ davinci_lpsc_clk_register(struct device *dev, const char *name,
lpsc->pm_domain.name = devm_kasprintf(dev, GFP_KERNEL, "%s: %s",
best_dev_name(dev), name);
+ if (!lpsc->pm_domain.name) {
+ clk_hw_unregister(&lpsc->hw);
+ kfree(lpsc);
+ return ERR_PTR(-ENOMEM);
+ }
lpsc->pm_domain.attach_dev = davinci_psc_genpd_attach_dev;
lpsc->pm_domain.detach_dev = davinci_psc_genpd_detach_dev;
lpsc->pm_domain.flags = GENPD_FLAG_PM_CLK;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 169/644] media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 168/644] clk: davinci: Add NULL check in davinci_lpsc_clk_register() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 170/644] clk: xilinx: vcu: unregister pll_post only if registered correctly Greg Kroah-Hartman
` (480 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, James Cowgill, Nicolas Dufresne,
Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Cowgill <james.cowgill@blaize.com>
[ Upstream commit 803b9eabc649c778986449eb0596e5ffeb7a8aed ]
The `separate_colour_plane_flag` element is only present in the SPS if
`chroma_format_idc == 3`, so the corresponding flag should be disabled
whenever that is not the case and not just on profiles where
`chroma_format_idc` is not present.
Fixes: b32e48503df0 ("media: controls: Validate H264 stateless controls")
Signed-off-by: James Cowgill <james.cowgill@blaize.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/v4l2-core/v4l2-ctrls-core.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-core/v4l2-ctrls-core.c
index 3798a57bbbd4..19e769420b9b 100644
--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
@@ -431,12 +431,12 @@ static int std_validate_compound(const struct v4l2_ctrl *ctrl, u32 idx,
p_h264_sps->flags &=
~V4L2_H264_SPS_FLAG_QPPRIME_Y_ZERO_TRANSFORM_BYPASS;
-
- if (p_h264_sps->chroma_format_idc < 3)
- p_h264_sps->flags &=
- ~V4L2_H264_SPS_FLAG_SEPARATE_COLOUR_PLANE;
}
+ if (p_h264_sps->chroma_format_idc < 3)
+ p_h264_sps->flags &=
+ ~V4L2_H264_SPS_FLAG_SEPARATE_COLOUR_PLANE;
+
if (p_h264_sps->flags & V4L2_H264_SPS_FLAG_FRAME_MBS_ONLY)
p_h264_sps->flags &=
~V4L2_H264_SPS_FLAG_MB_ADAPTIVE_FRAME_FIELD;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 170/644] clk: xilinx: vcu: unregister pll_post only if registered correctly
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 169/644] media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 171/644] power: supply: cpcap-charger: Fix null check for power_supply_get_by_name Greg Kroah-Hartman
` (479 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rohit Visavalia, Stephen Boyd,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rohit Visavalia <rohit.visavalia@amd.com>
[ Upstream commit 3b0abc443ac22f7d4f61ddbbbbc5dbb06c87139d ]
If registration of pll_post is failed, it will be set to NULL or ERR,
unregistering same will fail with following call trace:
Unable to handle kernel NULL pointer dereference at virtual address 008
pc : clk_hw_unregister+0xc/0x20
lr : clk_hw_unregister_fixed_factor+0x18/0x30
sp : ffff800011923850
...
Call trace:
clk_hw_unregister+0xc/0x20
clk_hw_unregister_fixed_factor+0x18/0x30
xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu]
xvcu_probe+0x2bc/0x53c [xlnx_vcu]
Fixes: 4472e1849db7 ("soc: xilinx: vcu: make pll post divider explicit")
Signed-off-by: Rohit Visavalia <rohit.visavalia@amd.com>
Link: https://lore.kernel.org/r/20250210113614.4149050-2-rohit.visavalia@amd.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/xilinx/xlnx_vcu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/xilinx/xlnx_vcu.c b/drivers/clk/xilinx/xlnx_vcu.c
index d66b1315114e..292d50ba0112 100644
--- a/drivers/clk/xilinx/xlnx_vcu.c
+++ b/drivers/clk/xilinx/xlnx_vcu.c
@@ -587,8 +587,8 @@ static void xvcu_unregister_clock_provider(struct xvcu_device *xvcu)
xvcu_clk_hw_unregister_leaf(hws[CLK_XVCU_ENC_MCU]);
if (!IS_ERR_OR_NULL(hws[CLK_XVCU_ENC_CORE]))
xvcu_clk_hw_unregister_leaf(hws[CLK_XVCU_ENC_CORE]);
-
- clk_hw_unregister_fixed_factor(xvcu->pll_post);
+ if (!IS_ERR_OR_NULL(xvcu->pll_post))
+ clk_hw_unregister_fixed_factor(xvcu->pll_post);
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 171/644] power: supply: cpcap-charger: Fix null check for power_supply_get_by_name
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 170/644] clk: xilinx: vcu: unregister pll_post only if registered correctly Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 172/644] power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set Greg Kroah-Hartman
` (478 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Charles Han, Sebastian Reichel,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Han <hanchunchao@inspur.com>
[ Upstream commit d9fa3aae08f99493e67fb79413c0e95d30fca5e9 ]
In the cpcap_usb_detect() function, the power_supply_get_by_name()
function may return `NULL` instead of an error pointer.
To prevent potential null pointer dereferences, Added a null check.
Fixes: eab4e6d953c1 ("power: supply: cpcap-charger: get the battery inserted infomation from cpcap-battery")
Signed-off-by: Charles Han <hanchunchao@inspur.com>
Link: https://lore.kernel.org/r/20250519024741.5846-1-hanchunchao@inspur.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/cpcap-charger.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/power/supply/cpcap-charger.c b/drivers/power/supply/cpcap-charger.c
index 60e0ce105a29..5c9e3784ed47 100644
--- a/drivers/power/supply/cpcap-charger.c
+++ b/drivers/power/supply/cpcap-charger.c
@@ -689,9 +689,8 @@ static void cpcap_usb_detect(struct work_struct *work)
struct power_supply *battery;
battery = power_supply_get_by_name("battery");
- if (IS_ERR_OR_NULL(battery)) {
- dev_err(ddata->dev, "battery power_supply not available %li\n",
- PTR_ERR(battery));
+ if (!battery) {
+ dev_err(ddata->dev, "battery power_supply not available\n");
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 172/644] power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 171/644] power: supply: cpcap-charger: Fix null check for power_supply_get_by_name Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 173/644] PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails Greg Kroah-Hartman
` (477 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Charles Han, Krzysztof Kozlowski,
Sebastian Reichel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charles Han <hanchunchao@inspur.com>
[ Upstream commit 2937f5d2e24eefef8cb126244caec7fe3307f724 ]
When the kernel is not configured CONFIG_OF, the max14577_charger_dt_init
function returns NULL. Fix the max14577_charger_probe functionby returning
-ENODATA instead of potentially passing a NULL pointer to PTR_ERR.
This fixes the below smatch warning:
max14577_charger_probe() warn: passing zero to 'PTR_ERR'
Fixes: e30110e9c96f ("charger: max14577: Configure battery-dependent settings from DTS and sysfs")
Signed-off-by: Charles Han <hanchunchao@inspur.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20250519061601.8755-1-hanchunchao@inspur.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/max14577_charger.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/power/supply/max14577_charger.c b/drivers/power/supply/max14577_charger.c
index f244cd902eb9..e4461caecea3 100644
--- a/drivers/power/supply/max14577_charger.c
+++ b/drivers/power/supply/max14577_charger.c
@@ -501,7 +501,7 @@ static struct max14577_charger_platform_data *max14577_charger_dt_init(
static struct max14577_charger_platform_data *max14577_charger_dt_init(
struct platform_device *pdev)
{
- return NULL;
+ return ERR_PTR(-ENODATA);
}
#endif /* CONFIG_OF */
@@ -572,7 +572,7 @@ static int max14577_charger_probe(struct platform_device *pdev)
chg->max14577 = max14577;
chg->pdata = max14577_charger_dt_init(pdev);
- if (IS_ERR_OR_NULL(chg->pdata))
+ if (IS_ERR(chg->pdata))
return PTR_ERR(chg->pdata);
ret = max14577_charger_reg_init(chg);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 173/644] PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 172/644] power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 174/644] pinctrl: sunxi: Fix memory leak on krealloc failure Greg Kroah-Hartman
` (476 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jerome Brunet, Manivannan Sadhasivam,
Frank Li, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerome Brunet <jbrunet@baylibre.com>
[ Upstream commit 7ea488cce73263231662e426639dd3e836537068 ]
According the function documentation of epf_ntb_init_epc_bar(), the
function should return an error code on error. However, it returns -1 when
no BAR is available i.e., when pci_epc_get_next_free_bar() fails.
Return -ENOENT instead.
Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
[mani: changed err code to -ENOENT]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20250603-pci-vntb-bar-mapping-v2-1-fc685a22ad28@baylibre.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
index fb926b300c95..5cc0d2014ed8 100644
--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
+++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
@@ -686,7 +686,7 @@ static int epf_ntb_init_epc_bar(struct epf_ntb *ntb)
barno = pci_epc_get_next_free_bar(epc_features, barno);
if (barno < 0) {
dev_err(dev, "Fail to get NTB function BAR\n");
- return barno;
+ return -ENOENT;
}
ntb->epf_ntb_bar[bar] = barno;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 174/644] pinctrl: sunxi: Fix memory leak on krealloc failure
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 173/644] PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 175/644] clk: clk-axi-clkgen: fix fpfd_max frequency for zynq Greg Kroah-Hartman
` (475 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Chen, Linus Walleij,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuan Chen <chenyuan@kylinos.cn>
[ Upstream commit e3507c56cbb208d4f160942748c527ef6a528ba1 ]
In sunxi_pctrl_dt_node_to_map(), when krealloc() fails to resize
the pinctrl_map array, the function returns -ENOMEM directly
without freeing the previously allocated *map buffer. This results
in a memory leak of the original kmalloc_array allocation.
Fixes: e11dee2e98f8 ("pinctrl: sunxi: Deal with configless pins")
Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
Link: https://lore.kernel.org/20250620012708.16709-1-chenyuan_fl@163.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/pinctrl/sunxi/pinctrl-sunxi.c b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
index 30ca0fe5c31a..afe41ea0ff1e 100644
--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
@@ -335,6 +335,7 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
const char *function, *pin_prop;
const char *group;
int ret, npins, nmaps, configlen = 0, i = 0;
+ struct pinctrl_map *new_map;
*map = NULL;
*num_maps = 0;
@@ -409,9 +410,13 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
* We know have the number of maps we need, we can resize our
* map array
*/
- *map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL);
- if (!*map)
- return -ENOMEM;
+ new_map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL);
+ if (!new_map) {
+ ret = -ENOMEM;
+ goto err_free_map;
+ }
+
+ *map = new_map;
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 175/644] clk: clk-axi-clkgen: fix fpfd_max frequency for zynq
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 174/644] pinctrl: sunxi: Fix memory leak on krealloc failure Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 176/644] perf sched: Fix memory leaks for evsel->priv in timehist Greg Kroah-Hartman
` (474 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sá, David Lechner,
Stephen Boyd, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sá <nuno.sa@analog.com>
[ Upstream commit ce8a9096699500e2c5bca09dde27b16edda5f636 ]
The fpfd_max frequency should be set to 450 MHz instead of 300 MHz.
Well, it actually depends on the platform speed grade but we are being
conservative for ultrascale so let's be consistent. In a following
change we will set these limits at runtime.
Fixes: 0e646c52cf0e ("clk: Add axi-clkgen driver")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20250519-dev-axi-clkgen-limits-v6-1-bc4b3b61d1d4@analog.com
Reviewed-by: David Lechner <dlechner@baylibre.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/clk-axi-clkgen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/clk-axi-clkgen.c b/drivers/clk/clk-axi-clkgen.c
index bb5cd9d38993..df9a4c778351 100644
--- a/drivers/clk/clk-axi-clkgen.c
+++ b/drivers/clk/clk-axi-clkgen.c
@@ -118,7 +118,7 @@ static const struct axi_clkgen_limits axi_clkgen_zynqmp_default_limits = {
static const struct axi_clkgen_limits axi_clkgen_zynq_default_limits = {
.fpfd_min = 10000,
- .fpfd_max = 300000,
+ .fpfd_max = 450000,
.fvco_min = 600000,
.fvco_max = 1200000,
};
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 176/644] perf sched: Fix memory leaks for evsel->priv in timehist
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 175/644] clk: clk-axi-clkgen: fix fpfd_max frequency for zynq Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 177/644] crypto: inside-secure - Fix `dma_unmap_sg()` nents value Greg Kroah-Hartman
` (473 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namhyung Kim <namhyung@kernel.org>
[ Upstream commit 117e5c33b1c44037af016d77ce6c0b086d55535f ]
It uses evsel->priv to save per-cpu timing information. It should be
freed when the evsel is released.
Add the priv destructor for evsel same as thread to handle that.
Fixes: 49394a2a24c78ce0 ("perf sched timehist: Introduce timehist command")
Reviewed-by: Ian Rogers <irogers@google.com>
Tested-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20250703014942.1369397-6-namhyung@kernel.org
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-sched.c | 12 ++++++++++++
tools/perf/util/evsel.c | 11 +++++++++++
tools/perf/util/evsel.h | 2 ++
3 files changed, 25 insertions(+)
diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
index 19e96141e7b4..95a549fdabe0 100644
--- a/tools/perf/builtin-sched.c
+++ b/tools/perf/builtin-sched.c
@@ -1902,6 +1902,16 @@ static u64 evsel__get_time(struct evsel *evsel, u32 cpu)
return r->last_time[cpu];
}
+static void timehist__evsel_priv_destructor(void *priv)
+{
+ struct evsel_runtime *r = priv;
+
+ if (r) {
+ free(r->last_time);
+ free(r);
+ }
+}
+
static int comm_width = 30;
static char *timehist_get_commstr(struct thread *thread)
@@ -3039,6 +3049,8 @@ static int perf_sched__timehist(struct perf_sched *sched)
setup_pager();
+ evsel__set_priv_destructor(timehist__evsel_priv_destructor);
+
/* prefer sched_waking if it is captured */
if (evlist__find_tracepoint_by_name(session->evlist, "sched:sched_waking"))
handlers[1].handler = timehist_sched_wakeup_ignore;
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index c19a583ca9f6..f14c83e6829a 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -1416,6 +1416,15 @@ static void evsel__free_config_terms(struct evsel *evsel)
free_config_terms(&evsel->config_terms);
}
+static void (*evsel__priv_destructor)(void *priv);
+
+void evsel__set_priv_destructor(void (*destructor)(void *priv))
+{
+ assert(evsel__priv_destructor == NULL);
+
+ evsel__priv_destructor = destructor;
+}
+
void evsel__exit(struct evsel *evsel)
{
assert(list_empty(&evsel->core.node));
@@ -1436,6 +1445,8 @@ void evsel__exit(struct evsel *evsel)
hashmap__free(evsel->per_pkg_mask);
evsel->per_pkg_mask = NULL;
zfree(&evsel->metric_events);
+ if (evsel__priv_destructor)
+ evsel__priv_destructor(evsel->priv);
perf_evsel__object.fini(evsel);
}
diff --git a/tools/perf/util/evsel.h b/tools/perf/util/evsel.h
index 0492cafac443..d39d8aab3769 100644
--- a/tools/perf/util/evsel.h
+++ b/tools/perf/util/evsel.h
@@ -231,6 +231,8 @@ void evsel__init(struct evsel *evsel, struct perf_event_attr *attr, int idx);
void evsel__exit(struct evsel *evsel);
void evsel__delete(struct evsel *evsel);
+void evsel__set_priv_destructor(void (*destructor)(void *priv));
+
struct callchain_param;
void evsel__config(struct evsel *evsel, struct record_opts *opts,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 177/644] crypto: inside-secure - Fix `dma_unmap_sg()` nents value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 176/644] perf sched: Fix memory leaks for evsel->priv in timehist Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 178/644] crypto: ccp - Fix crash when rebind ccp device for ccp.ko Greg Kroah-Hartman
` (472 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Antoine Tenart,
Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit cb7fa6b6fc71e0c801e271aa498e2f19e6df2931 ]
The `dma_unmap_sg()` functions should be called with the same nents as the
`dma_map_sg()`, not the value the map function returned.
Fixes: c957f8b3e2e5 ("crypto: inside-secure - avoid unmapping DMA memory that was not mapped")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Antoine Tenart <atenart@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/inside-secure/safexcel_hash.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/inside-secure/safexcel_hash.c b/drivers/crypto/inside-secure/safexcel_hash.c
index 2124416742f8..de0a093d8f50 100644
--- a/drivers/crypto/inside-secure/safexcel_hash.c
+++ b/drivers/crypto/inside-secure/safexcel_hash.c
@@ -249,7 +249,9 @@ static int safexcel_handle_req_result(struct safexcel_crypto_priv *priv,
safexcel_complete(priv, ring);
if (sreq->nents) {
- dma_unmap_sg(priv->dev, areq->src, sreq->nents, DMA_TO_DEVICE);
+ dma_unmap_sg(priv->dev, areq->src,
+ sg_nents_for_len(areq->src, areq->nbytes),
+ DMA_TO_DEVICE);
sreq->nents = 0;
}
@@ -497,7 +499,9 @@ static int safexcel_ahash_send_req(struct crypto_async_request *async, int ring,
DMA_FROM_DEVICE);
unmap_sg:
if (req->nents) {
- dma_unmap_sg(priv->dev, areq->src, req->nents, DMA_TO_DEVICE);
+ dma_unmap_sg(priv->dev, areq->src,
+ sg_nents_for_len(areq->src, areq->nbytes),
+ DMA_TO_DEVICE);
req->nents = 0;
}
cdesc_rollback:
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 178/644] crypto: ccp - Fix crash when rebind ccp device for ccp.ko
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 177/644] crypto: inside-secure - Fix `dma_unmap_sg()` nents value Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 179/644] RDMA/hns: Fix -Wframe-larger-than issue Greg Kroah-Hartman
` (471 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mengbiao Xiong, Tom Lendacky,
Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mengbiao Xiong <xisme1998@gmail.com>
[ Upstream commit 181698af38d3f93381229ad89c09b5bd0496661a ]
When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding
the ccp device causes the following crash:
$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind
$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind
[ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098
[ 204.978026] #PF: supervisor write access in kernel mode
[ 204.979126] #PF: error_code(0x0002) - not-present page
[ 204.980226] PGD 0 P4D 0
[ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI
...
[ 204.997852] Call Trace:
[ 204.999074] <TASK>
[ 205.000297] start_creating+0x9f/0x1c0
[ 205.001533] debugfs_create_dir+0x1f/0x170
[ 205.002769] ? srso_return_thunk+0x5/0x5f
[ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp]
[ 205.005241] ccp5_init+0x8b2/0x960 [ccp]
[ 205.006469] ccp_dev_init+0xd4/0x150 [ccp]
[ 205.007709] sp_init+0x5f/0x80 [ccp]
[ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp]
[ 205.010165] ? srso_return_thunk+0x5/0x5f
[ 205.011376] local_pci_probe+0x4f/0xb0
[ 205.012584] pci_device_probe+0xdb/0x230
[ 205.013810] really_probe+0xed/0x380
[ 205.015024] __driver_probe_device+0x7e/0x160
[ 205.016240] device_driver_attach+0x2f/0x60
[ 205.017457] bind_store+0x7c/0xb0
[ 205.018663] drv_attr_store+0x28/0x40
[ 205.019868] sysfs_kf_write+0x5f/0x70
[ 205.021065] kernfs_fop_write_iter+0x145/0x1d0
[ 205.022267] vfs_write+0x308/0x440
[ 205.023453] ksys_write+0x6d/0xe0
[ 205.024616] __x64_sys_write+0x1e/0x30
[ 205.025778] x64_sys_call+0x16ba/0x2150
[ 205.026942] do_syscall_64+0x56/0x1e0
[ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 205.029276] RIP: 0033:0x7fbc36f10104
[ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5
This patch sets ccp_debugfs_dir to NULL after destroying it in
ccp5_debugfs_destroy, allowing the directory dentry to be
recreated when rebinding the ccp device.
Tested on AMD Ryzen 7 1700X.
Fixes: 3cdbe346ed3f ("crypto: ccp - Add debugfs entries for CCP information")
Signed-off-by: Mengbiao Xiong <xisme1998@gmail.com>
Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccp/ccp-debugfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/crypto/ccp/ccp-debugfs.c b/drivers/crypto/ccp/ccp-debugfs.c
index a1055554b47a..dc26bc22c91d 100644
--- a/drivers/crypto/ccp/ccp-debugfs.c
+++ b/drivers/crypto/ccp/ccp-debugfs.c
@@ -319,5 +319,8 @@ void ccp5_debugfs_setup(struct ccp_device *ccp)
void ccp5_debugfs_destroy(void)
{
+ mutex_lock(&ccp_debugfs_lock);
debugfs_remove_recursive(ccp_debugfs_dir);
+ ccp_debugfs_dir = NULL;
+ mutex_unlock(&ccp_debugfs_lock);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 179/644] RDMA/hns: Fix -Wframe-larger-than issue
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 178/644] crypto: ccp - Fix crash when rebind ccp device for ccp.ko Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 180/644] kernel: trace: preemptirq_delay_test: use offstack cpu mask Greg Kroah-Hartman
` (470 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Junxian Huang,
Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxian Huang <huangjunxian6@hisilicon.com>
[ Upstream commit 79d56805c5068f2bc81518043e043c3dedd1c82a ]
Fix -Wframe-larger-than issue by allocating memory for qpc struct
with kzalloc() instead of using stack memory.
Fixes: 606bf89e98ef ("RDMA/hns: Refactor for hns_roce_v2_modify_qp function")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506240032.CSgIyFct-lkp@intel.com/
Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
Link: https://patch.msgid.link/20250703113905.3597124-7-huangjunxian6@hisilicon.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index e10fe47d45c1..74f48e201031 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -5008,11 +5008,10 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp,
{
struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device);
struct hns_roce_qp *hr_qp = to_hr_qp(ibqp);
- struct hns_roce_v2_qp_context ctx[2];
- struct hns_roce_v2_qp_context *context = ctx;
- struct hns_roce_v2_qp_context *qpc_mask = ctx + 1;
+ struct hns_roce_v2_qp_context *context;
+ struct hns_roce_v2_qp_context *qpc_mask;
struct ib_device *ibdev = &hr_dev->ib_dev;
- int ret;
+ int ret = -ENOMEM;
if (attr_mask & ~IB_QP_ATTR_STANDARD_BITS)
return -EOPNOTSUPP;
@@ -5023,7 +5022,11 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp,
* we should set all bits of the relevant fields in context mask to
* 0 at the same time, else set them to 0x1.
*/
- memset(context, 0, hr_dev->caps.qpc_sz);
+ context = kvzalloc(sizeof(*context), GFP_KERNEL);
+ qpc_mask = kvzalloc(sizeof(*qpc_mask), GFP_KERNEL);
+ if (!context || !qpc_mask)
+ goto out;
+
memset(qpc_mask, 0xff, hr_dev->caps.qpc_sz);
ret = hns_roce_v2_set_abs_fields(ibqp, attr, attr_mask, cur_state,
@@ -5065,6 +5068,8 @@ static int hns_roce_v2_modify_qp(struct ib_qp *ibqp,
clear_qp(hr_qp);
out:
+ kvfree(qpc_mask);
+ kvfree(context);
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 180/644] kernel: trace: preemptirq_delay_test: use offstack cpu mask
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 179/644] RDMA/hns: Fix -Wframe-larger-than issue Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 181/644] perf tests bp_account: Fix leaked file descriptor Greg Kroah-Hartman
` (469 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Song Chen,
Mathieu Desnoyers, Arnd Bergmann, Steven Rostedt (Google),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit adc353c0bfb243ebfd29b6222fa3bf149169a6de ]
A CPU mask on the stack is broken for large values of CONFIG_NR_CPUS:
kernel/trace/preemptirq_delay_test.c: In function ‘preemptirq_delay_run’:
kernel/trace/preemptirq_delay_test.c:143:1: error: the frame size of 8512 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]
Fall back to dynamic allocation here.
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Song Chen <chensong_2000@189.cn>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lore.kernel.org/20250620111215.3365305-1-arnd@kernel.org
Fixes: 4b9091e1c194 ("kernel: trace: preemptirq_delay_test: add cpu affinity")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/preemptirq_delay_test.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/preemptirq_delay_test.c b/kernel/trace/preemptirq_delay_test.c
index cb0871fbdb07..8af92dbe98f0 100644
--- a/kernel/trace/preemptirq_delay_test.c
+++ b/kernel/trace/preemptirq_delay_test.c
@@ -119,12 +119,15 @@ static int preemptirq_delay_run(void *data)
{
int i;
int s = MIN(burst_size, NR_TEST_FUNCS);
- struct cpumask cpu_mask;
+ cpumask_var_t cpu_mask;
+
+ if (!alloc_cpumask_var(&cpu_mask, GFP_KERNEL))
+ return -ENOMEM;
if (cpu_affinity > -1) {
- cpumask_clear(&cpu_mask);
- cpumask_set_cpu(cpu_affinity, &cpu_mask);
- if (set_cpus_allowed_ptr(current, &cpu_mask))
+ cpumask_clear(cpu_mask);
+ cpumask_set_cpu(cpu_affinity, cpu_mask);
+ if (set_cpus_allowed_ptr(current, cpu_mask))
pr_err("cpu_affinity:%d, failed\n", cpu_affinity);
}
@@ -141,6 +144,8 @@ static int preemptirq_delay_run(void *data)
__set_current_state(TASK_RUNNING);
+ free_cpumask_var(cpu_mask);
+
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 181/644] perf tests bp_account: Fix leaked file descriptor
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 180/644] kernel: trace: preemptirq_delay_test: use offstack cpu mask Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 182/644] clk: sunxi-ng: v3s: Fix de clock definition Greg Kroah-Hartman
` (468 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aishwarya TCV, Leo Yan, Ian Rogers,
Namhyung Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 4a6cdecaa1497f1fbbd1d5307a225b6ca5a62a90 ]
Since the commit e9846f5ead26 ("perf test: In forked mode add check that
fds aren't leaked"), the test "Breakpoint accounting" reports the error:
# perf test -vvv "Breakpoint accounting"
20: Breakpoint accounting:
--- start ---
test child forked, pid 373
failed opening event 0
failed opening event 0
watchpoints count 4, breakpoints count 6, has_ioctl 1, share 0
wp 0 created
wp 1 created
wp 2 created
wp 3 created
wp 0 modified to bp
wp max created
---- end(0) ----
Leak of file descriptor 7 that opened: 'anon_inode:[perf_event]'
A watchpoint's file descriptor was not properly released. This patch
fixes the leak.
Fixes: 032db28e5fa3 ("perf tests: Add breakpoint accounting/modify test")
Reported-by: Aishwarya TCV <aishwarya.tcv@arm.com>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Link: https://lore.kernel.org/r/20250711-perf_fix_breakpoint_accounting-v1-1-b314393023f9@arm.com
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/tests/bp_account.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/perf/tests/bp_account.c b/tools/perf/tests/bp_account.c
index 489b50604cf2..ac39f4947fd8 100644
--- a/tools/perf/tests/bp_account.c
+++ b/tools/perf/tests/bp_account.c
@@ -89,6 +89,7 @@ static int bp_accounting(int wp_cnt, int share)
fd_wp = wp_event((void *)&the_var, &attr_new);
TEST_ASSERT_VAL("failed to create max wp\n", fd_wp != -1);
pr_debug("wp max created\n");
+ close(fd_wp);
}
for (i = 0; i < wp_cnt; i++)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 182/644] clk: sunxi-ng: v3s: Fix de clock definition
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 181/644] perf tests bp_account: Fix leaked file descriptor Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 183/644] scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value Greg Kroah-Hartman
` (467 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Kocialkowski, Chen-Yu Tsai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Kocialkowski <paulk@sys-base.io>
[ Upstream commit e8ab346f9907a1a3aa2f0e5decf849925c06ae2e ]
The de clock is marked with CLK_SET_RATE_PARENT, which is really not
necessary (as confirmed from experimentation) and significantly
restricts flexibility for other clocks using the same parent.
In addition the source selection (parent) field is marked as using
2 bits, when it the documentation reports that it uses 3.
Fix both issues in the de clock definition.
Fixes: d0f11d14b0bc ("clk: sunxi-ng: add support for V3s CCU")
Signed-off-by: Paul Kocialkowski <paulk@sys-base.io>
Link: https://patch.msgid.link/20250704154008.3463257-1-paulk@sys-base.io
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
index ce150f83ab54..2501de774874 100644
--- a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
+++ b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
@@ -345,8 +345,7 @@ static SUNXI_CCU_GATE(dram_ohci_clk, "dram-ohci", "dram",
static const char * const de_parents[] = { "pll-video", "pll-periph0" };
static SUNXI_CCU_M_WITH_MUX_GATE(de_clk, "de", de_parents,
- 0x104, 0, 4, 24, 2, BIT(31),
- CLK_SET_RATE_PARENT);
+ 0x104, 0, 4, 24, 3, BIT(31), 0);
static const char * const tcon_parents[] = { "pll-video" };
static SUNXI_CCU_M_WITH_MUX_GATE(tcon_clk, "tcon", tcon_parents,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 183/644] scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 182/644] clk: sunxi-ng: v3s: Fix de clock definition Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 184/644] scsi: mvsas: " Greg Kroah-Hartman
` (466 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 023a293b9cd0bb86a9b50cd7688a3d9d266826db ]
The dma_unmap_sg() functions should be called with the same nents as the
dma_map_sg(), not the value the map function returned.
Fixes: 88a678bbc34c ("ibmvscsis: Initial commit of IBM VSCSI Tgt Driver")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://lore.kernel.org/r/20250630111803.94389-2-fourier.thomas@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/ibmvscsi_tgt/libsrp.c b/drivers/scsi/ibmvscsi_tgt/libsrp.c
index 8a0e28aec928..0ecad398ed3d 100644
--- a/drivers/scsi/ibmvscsi_tgt/libsrp.c
+++ b/drivers/scsi/ibmvscsi_tgt/libsrp.c
@@ -184,7 +184,8 @@ static int srp_direct_data(struct ibmvscsis_cmd *cmd, struct srp_direct_buf *md,
err = rdma_io(cmd, sg, nsg, md, 1, dir, len);
if (dma_map)
- dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL);
+ dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents,
+ DMA_BIDIRECTIONAL);
return err;
}
@@ -256,7 +257,8 @@ static int srp_indirect_data(struct ibmvscsis_cmd *cmd, struct srp_cmd *srp_cmd,
err = rdma_io(cmd, sg, nsg, md, nmd, dir, len);
if (dma_map)
- dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL);
+ dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents,
+ DMA_BIDIRECTIONAL);
free_mem:
if (token && dma_map) {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 184/644] scsi: mvsas: Fix dma_unmap_sg() nents value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 183/644] scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 185/644] scsi: isci: " Greg Kroah-Hartman
` (465 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 0141618727bc929fe868153d21797f10ce5bef3f ]
The dma_unmap_sg() functions should be called with the same nents as the
dma_map_sg(), not the value the map function returned.
Fixes: b5762948263d ("[SCSI] mvsas: Add Marvell 6440 SAS/SATA driver")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://lore.kernel.org/r/20250627134822.234813-2-fourier.thomas@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mvsas/mv_sas.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
index 04d3710c683f..efd11fabff93 100644
--- a/drivers/scsi/mvsas/mv_sas.c
+++ b/drivers/scsi/mvsas/mv_sas.c
@@ -829,7 +829,7 @@ static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf
dev_printk(KERN_ERR, mvi->dev, "mvsas prep failed[%d]!\n", rc);
if (!sas_protocol_ata(task->task_proto))
if (n_elem)
- dma_unmap_sg(mvi->dev, task->scatter, n_elem,
+ dma_unmap_sg(mvi->dev, task->scatter, task->num_scatter,
task->data_dir);
prep_out:
return rc;
@@ -880,7 +880,7 @@ static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task,
if (!sas_protocol_ata(task->task_proto))
if (slot->n_elem)
dma_unmap_sg(mvi->dev, task->scatter,
- slot->n_elem, task->data_dir);
+ task->num_scatter, task->data_dir);
switch (task->task_proto) {
case SAS_PROTOCOL_SMP:
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 185/644] scsi: isci: Fix dma_unmap_sg() nents value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 184/644] scsi: mvsas: " Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 186/644] watchdog: ziirave_wdt: check record length in ziirave_firm_verify() Greg Kroah-Hartman
` (464 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 063bec4444d54e5f35d11949c5c90eaa1ff84c11 ]
The dma_unmap_sg() functions should be called with the same nents as the
dma_map_sg(), not the value the map function returned.
Fixes: ddcc7e347a89 ("isci: fix dma_unmap_sg usage")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://lore.kernel.org/r/20250627142451.241713-2-fourier.thomas@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/isci/request.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c
index 6ef40993906a..b37ab6fa3d0e 100644
--- a/drivers/scsi/isci/request.c
+++ b/drivers/scsi/isci/request.c
@@ -2906,7 +2906,7 @@ static void isci_request_io_request_complete(struct isci_host *ihost,
task->total_xfer_len, task->data_dir);
else /* unmap the sgl dma addresses */
dma_unmap_sg(&ihost->pdev->dev, task->scatter,
- request->num_sg_entries, task->data_dir);
+ task->num_scatter, task->data_dir);
break;
case SAS_PROTOCOL_SMP: {
struct scatterlist *sg = &task->smp_task.smp_req;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 186/644] watchdog: ziirave_wdt: check record length in ziirave_firm_verify()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 185/644] scsi: isci: " Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 187/644] hwrng: mtk - handle devm_pm_runtime_enable errors Greg Kroah-Hartman
` (463 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 8b61d8ca751bc15875b50e0ff6ac3ba0cf95a529 ]
The "rec->len" value comes from the firmware. We generally do
trust firmware, but it's always better to double check. If
the length value is too large it would lead to memory corruption
when we set "data[i] = ret;"
Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/ziirave_wdt.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c
index c5a9b820d43a..48c68c66e530 100644
--- a/drivers/watchdog/ziirave_wdt.c
+++ b/drivers/watchdog/ziirave_wdt.c
@@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd,
const u16 len = be16_to_cpu(rec->len);
const u32 addr = be32_to_cpu(rec->addr);
+ if (len > sizeof(data))
+ return -EINVAL;
+
if (ziirave_firm_addr_readonly(addr))
continue;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 187/644] hwrng: mtk - handle devm_pm_runtime_enable errors
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 186/644] watchdog: ziirave_wdt: check record length in ziirave_firm_verify() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 188/644] crypto: keembay - Fix dma_unmap_sg() nents value Greg Kroah-Hartman
` (462 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ovidiu Panait, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
[ Upstream commit 522a242a18adc5c63a24836715dbeec4dc3faee1 ]
Although unlikely, devm_pm_runtime_enable() call might fail, so handle
the return value.
Fixes: 78cb66caa6ab ("hwrng: mtk - Use devm_pm_runtime_enable")
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/hw_random/mtk-rng.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/char/hw_random/mtk-rng.c b/drivers/char/hw_random/mtk-rng.c
index 3e00506543b6..72269d0f2a4e 100644
--- a/drivers/char/hw_random/mtk-rng.c
+++ b/drivers/char/hw_random/mtk-rng.c
@@ -142,7 +142,9 @@ static int mtk_rng_probe(struct platform_device *pdev)
dev_set_drvdata(&pdev->dev, priv);
pm_runtime_set_autosuspend_delay(&pdev->dev, RNG_AUTOSUSPEND_TIMEOUT);
pm_runtime_use_autosuspend(&pdev->dev);
- devm_pm_runtime_enable(&pdev->dev);
+ ret = devm_pm_runtime_enable(&pdev->dev);
+ if (ret)
+ return ret;
dev_info(&pdev->dev, "registered RNG driver\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 188/644] crypto: keembay - Fix dma_unmap_sg() nents value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 187/644] hwrng: mtk - handle devm_pm_runtime_enable errors Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 189/644] crypto: img-hash " Greg Kroah-Hartman
` (461 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 01951a7dc5ac1a37e5fb7d86ea7eb2dfbf96e8b6 ]
The dma_unmap_sg() functions should be called with the same nents as the
dma_map_sg(), not the value the map function returned.
Fixes: 472b04444cd3 ("crypto: keembay - Add Keem Bay OCS HCU driver")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/keembay/keembay-ocs-hcu-core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/keembay/keembay-ocs-hcu-core.c b/drivers/crypto/keembay/keembay-ocs-hcu-core.c
index 0379dbf32a4c..6b46c37f00ae 100644
--- a/drivers/crypto/keembay/keembay-ocs-hcu-core.c
+++ b/drivers/crypto/keembay/keembay-ocs-hcu-core.c
@@ -68,6 +68,7 @@ struct ocs_hcu_ctx {
* @sg_data_total: Total data in the SG list at any time.
* @sg_data_offset: Offset into the data of the current individual SG node.
* @sg_dma_nents: Number of sg entries mapped in dma_list.
+ * @nents: Number of entries in the scatterlist.
*/
struct ocs_hcu_rctx {
struct ocs_hcu_dev *hcu_dev;
@@ -91,6 +92,7 @@ struct ocs_hcu_rctx {
unsigned int sg_data_total;
unsigned int sg_data_offset;
unsigned int sg_dma_nents;
+ unsigned int nents;
};
/**
@@ -199,7 +201,7 @@ static void kmb_ocs_hcu_dma_cleanup(struct ahash_request *req,
/* Unmap req->src (if mapped). */
if (rctx->sg_dma_nents) {
- dma_unmap_sg(dev, req->src, rctx->sg_dma_nents, DMA_TO_DEVICE);
+ dma_unmap_sg(dev, req->src, rctx->nents, DMA_TO_DEVICE);
rctx->sg_dma_nents = 0;
}
@@ -260,6 +262,10 @@ static int kmb_ocs_dma_prepare(struct ahash_request *req)
rc = -ENOMEM;
goto cleanup;
}
+
+ /* Save the value of nents to pass to dma_unmap_sg. */
+ rctx->nents = nents;
+
/*
* The value returned by dma_map_sg() can be < nents; so update
* nents accordingly.
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 189/644] crypto: img-hash - Fix dma_unmap_sg() nents value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 188/644] crypto: keembay - Fix dma_unmap_sg() nents value Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 190/644] soundwire: stream: restore params when prepare ports fail Greg Kroah-Hartman
` (460 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 34b283636181ce02c52633551f594fec9876bec7 ]
The dma_unmap_sg() functions should be called with the same nents as the
dma_map_sg(), not the value the map function returned.
Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/img-hash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c
index 34b41cbcfa8d..28b75632d1d1 100644
--- a/drivers/crypto/img-hash.c
+++ b/drivers/crypto/img-hash.c
@@ -436,7 +436,7 @@ static int img_hash_write_via_dma_stop(struct img_hash_dev *hdev)
struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req);
if (ctx->flags & DRIVER_FLAGS_SG)
- dma_unmap_sg(hdev->dev, ctx->sg, ctx->dma_ct, DMA_TO_DEVICE);
+ dma_unmap_sg(hdev->dev, ctx->sg, 1, DMA_TO_DEVICE);
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 190/644] soundwire: stream: restore params when prepare ports fail
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 189/644] crypto: img-hash " Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 191/644] PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute Greg Kroah-Hartman
` (459 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bard Liao, Péter Ujfalusi,
Ranjani Sridharan, Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bard Liao <yung-chuan.liao@linux.intel.com>
[ Upstream commit dba7d9dbfdc4389361ff3a910e767d3cfca22587 ]
The bus->params should be restored if the stream is failed to prepare.
The issue exists since beginning. The Fixes tag just indicates the
first commit that the commit can be applied to.
Fixes: 17ed5bef49f4 ("soundwire: add missing newlines in dynamic debug logs")
Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Link: https://lore.kernel.org/r/20250626060952.405996-1-yung-chuan.liao@linux.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soundwire/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
index 8f9f4ee7860c..1b62cdadb089 100644
--- a/drivers/soundwire/stream.c
+++ b/drivers/soundwire/stream.c
@@ -1575,7 +1575,7 @@ static int _sdw_prepare_stream(struct sdw_stream_runtime *stream,
if (ret < 0) {
dev_err(bus->dev, "Prepare port(s) failed ret = %d\n",
ret);
- return ret;
+ goto restore_params;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 191/644] PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 190/644] soundwire: stream: restore params when prepare ports fail Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 192/644] fs/orangefs: Allow 2 more characters in do_c_string() Greg Kroah-Hartman
` (458 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam, Frank Li,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <mani@kernel.org>
[ Upstream commit 61ae7f8694fb4b57a8c02a1a8d2b601806afc999 ]
__iomem attribute is supposed to be used only with variables holding the
MMIO pointer. But here, 'mw_addr' variable is just holding a 'void *'
returned by pci_epf_alloc_space(). So annotating it with __iomem is clearly
wrong. Hence, drop the attribute.
This also fixes the below sparse warning:
drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: warning: incorrect type in assignment (different address spaces)
drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: expected void [noderef] __iomem *mw_addr
drivers/pci/endpoint/functions/pci-epf-vntb.c:524:17: got void *
drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: warning: incorrect type in assignment (different address spaces)
drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: expected unsigned int [usertype] *epf_db
drivers/pci/endpoint/functions/pci-epf-vntb.c:530:21: got void [noderef] __iomem *mw_addr
drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: warning: incorrect type in argument 2 (different address spaces)
drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: expected void *addr
drivers/pci/endpoint/functions/pci-epf-vntb.c:542:38: got void [noderef] __iomem *mw_addr
Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20250709125022.22524-1-mani@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/endpoint/functions/pci-epf-vntb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/endpoint/functions/pci-epf-vntb.c b/drivers/pci/endpoint/functions/pci-epf-vntb.c
index 5cc0d2014ed8..45530bca50fb 100644
--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
+++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
@@ -520,7 +520,7 @@ static int epf_ntb_db_bar_init(struct epf_ntb *ntb)
struct device *dev = &ntb->epf->dev;
int ret;
struct pci_epf_bar *epf_bar;
- void __iomem *mw_addr;
+ void *mw_addr;
enum pci_barno barno;
size_t size = 4 * ntb->db_count;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 192/644] fs/orangefs: Allow 2 more characters in do_c_string()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 191/644] PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 193/644] dmaengine: mv_xor: Fix missing check after DMA map and missing unmap Greg Kroah-Hartman
` (457 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Mike Marshall,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 2138e89cb066b40386b1d9ddd61253347d356474 ]
The do_k_string() and do_c_string() functions do essentially the same
thing which is they add a string and a comma onto the end of an existing
string. At the end, the caller will overwrite the last comma with a
newline. Later, in orangefs_kernel_debug_init(), we add a newline to
the string.
The change to do_k_string() is just cosmetic. I moved the "- 1" to
the other side of the comparison and made it "+ 1". This has no
effect on runtime, I just wanted the functions to match each other
and the rest of the file.
However in do_c_string(), I removed the "- 2" which allows us to print
two extra characters. I noticed this issue while reviewing the code
and I doubt affects anything in real life. My guess is that this was
double counting the comma and the newline. The "+ 1" accounts for
the newline, and the caller will delete the final comma which ensures
there is enough space for the newline.
Removing the "- 2" lets us print 2 more characters, but mainly it makes
the code more consistent and understandable for reviewers.
Fixes: 44f4641073f1 ("orangefs: clean up debugfs globals")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/orangefs/orangefs-debugfs.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index fa41db088488..b57140ebfad0 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -728,8 +728,8 @@ static void do_k_string(void *k_mask, int index)
if (*mask & s_kmod_keyword_mask_map[index].mask_val) {
if ((strlen(kernel_debug_string) +
- strlen(s_kmod_keyword_mask_map[index].keyword))
- < ORANGEFS_MAX_DEBUG_STRING_LEN - 1) {
+ strlen(s_kmod_keyword_mask_map[index].keyword) + 1)
+ < ORANGEFS_MAX_DEBUG_STRING_LEN) {
strcat(kernel_debug_string,
s_kmod_keyword_mask_map[index].keyword);
strcat(kernel_debug_string, ",");
@@ -756,7 +756,7 @@ static void do_c_string(void *c_mask, int index)
(mask->mask2 & cdm_array[index].mask2)) {
if ((strlen(client_debug_string) +
strlen(cdm_array[index].keyword) + 1)
- < ORANGEFS_MAX_DEBUG_STRING_LEN - 2) {
+ < ORANGEFS_MAX_DEBUG_STRING_LEN) {
strcat(client_debug_string,
cdm_array[index].keyword);
strcat(client_debug_string, ",");
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 193/644] dmaengine: mv_xor: Fix missing check after DMA map and missing unmap
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 192/644] fs/orangefs: Allow 2 more characters in do_c_string() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 194/644] dmaengine: nbpfaxi: Add missing check after DMA map Greg Kroah-Hartman
` (456 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Vinod Koul,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 60095aca6b471b7b7a79c80b7395f7e4e414b479 ]
The DMA map functions can fail and should be tested for errors.
In case of error, unmap the already mapped regions.
Fixes: 22843545b200 ("dma: mv_xor: Add support for DMA_INTERRUPT")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://lore.kernel.org/r/20250701123753.46935-2-fourier.thomas@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/mv_xor.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c
index ea48661e87ea..ca0ba1d46283 100644
--- a/drivers/dma/mv_xor.c
+++ b/drivers/dma/mv_xor.c
@@ -1061,8 +1061,16 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
*/
mv_chan->dummy_src_addr = dma_map_single(dma_dev->dev,
mv_chan->dummy_src, MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE);
+ if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_src_addr))
+ return ERR_PTR(-ENOMEM);
+
mv_chan->dummy_dst_addr = dma_map_single(dma_dev->dev,
mv_chan->dummy_dst, MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE);
+ if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_dst_addr)) {
+ ret = -ENOMEM;
+ goto err_unmap_src;
+ }
+
/* allocate coherent memory for hardware descriptors
* note: writecombine gives slightly better performance, but
@@ -1071,8 +1079,10 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
mv_chan->dma_desc_pool_virt =
dma_alloc_wc(&pdev->dev, MV_XOR_POOL_SIZE, &mv_chan->dma_desc_pool,
GFP_KERNEL);
- if (!mv_chan->dma_desc_pool_virt)
- return ERR_PTR(-ENOMEM);
+ if (!mv_chan->dma_desc_pool_virt) {
+ ret = -ENOMEM;
+ goto err_unmap_dst;
+ }
/* discover transaction capabilites from the platform data */
dma_dev->cap_mask = cap_mask;
@@ -1155,6 +1165,13 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
err_free_dma:
dma_free_coherent(&pdev->dev, MV_XOR_POOL_SIZE,
mv_chan->dma_desc_pool_virt, mv_chan->dma_desc_pool);
+err_unmap_dst:
+ dma_unmap_single(dma_dev->dev, mv_chan->dummy_dst_addr,
+ MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE);
+err_unmap_src:
+ dma_unmap_single(dma_dev->dev, mv_chan->dummy_src_addr,
+ MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE);
+
return ERR_PTR(ret);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 194/644] dmaengine: nbpfaxi: Add missing check after DMA map
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 193/644] dmaengine: mv_xor: Fix missing check after DMA map and missing unmap Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 195/644] sh: Do not use hyphen in exported variable name Greg Kroah-Hartman
` (455 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Vinod Koul,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit c6ee78fc8f3e653bec427cfd06fec7877ee782bd ]
The DMA map functions can fail and should be tested for errors.
If the mapping fails, unmap and return an error.
Fixes: b45b262cefd5 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://lore.kernel.org/r/20250707075752.28674-2-fourier.thomas@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/nbpfaxi.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/dma/nbpfaxi.c b/drivers/dma/nbpfaxi.c
index bbedf57e3612..94e7e3290691 100644
--- a/drivers/dma/nbpfaxi.c
+++ b/drivers/dma/nbpfaxi.c
@@ -712,6 +712,9 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan)
list_add_tail(&ldesc->node, &lhead);
ldesc->hwdesc_dma_addr = dma_map_single(dchan->device->dev,
hwdesc, sizeof(*hwdesc), DMA_TO_DEVICE);
+ if (dma_mapping_error(dchan->device->dev,
+ ldesc->hwdesc_dma_addr))
+ goto unmap_error;
dev_dbg(dev, "%s(): mapped 0x%p to %pad\n", __func__,
hwdesc, &ldesc->hwdesc_dma_addr);
@@ -738,6 +741,16 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan)
spin_unlock_irq(&chan->lock);
return ARRAY_SIZE(dpage->desc);
+
+unmap_error:
+ while (i--) {
+ ldesc--; hwdesc--;
+
+ dma_unmap_single(dchan->device->dev, ldesc->hwdesc_dma_addr,
+ sizeof(hwdesc), DMA_TO_DEVICE);
+ }
+
+ return -ENOMEM;
}
static void nbpf_desc_put(struct nbpf_desc *desc)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 195/644] sh: Do not use hyphen in exported variable name
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 194/644] dmaengine: nbpfaxi: Add missing check after DMA map Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 196/644] crypto: qat - fix seq_file position update in adf_ring_next() Greg Kroah-Hartman
` (454 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Hutchings,
John Paul Adrian Glaubitz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <benh@debian.org>
[ Upstream commit c32969d0362a790fbc6117e0b6a737a7e510b843 ]
arch/sh/Makefile defines and exports ld-bfd to be used by
arch/sh/boot/compressed/Makefile and arch/sh/boot/romimage/Makefile.
However some shells, including dash, will not pass through environment
variables whose name includes a hyphen. Usually GNU make does not use
a shell to recurse, but if e.g. $(srctree) contains '~' it will use a
shell here.
Other instances of this problem were previously fixed by commits
2bfbe7881ee0 "kbuild: Do not use hyphen in exported variable name"
and 82977af93a0d "sh: rename suffix-y to suffix_y".
Rename the variable to ld_bfd.
References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sh4&ver=4.13%7Erc5-1%7Eexp1&stamp=1502943967&raw=0
Fixes: 7b022d07a0fd ("sh: Tidy up the ldscript output format specifier.")
Signed-off-by: Ben Hutchings <benh@debian.org>
Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/sh/Makefile | 10 +++++-----
arch/sh/boot/compressed/Makefile | 4 ++--
arch/sh/boot/romimage/Makefile | 4 ++--
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/arch/sh/Makefile b/arch/sh/Makefile
index 88ddb6f1c75b..ab9b78125544 100644
--- a/arch/sh/Makefile
+++ b/arch/sh/Makefile
@@ -103,16 +103,16 @@ UTS_MACHINE := sh
LDFLAGS_vmlinux += -e _stext
ifdef CONFIG_CPU_LITTLE_ENDIAN
-ld-bfd := elf32-sh-linux
-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld-bfd)
+ld_bfd := elf32-sh-linux
+LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld_bfd)
KBUILD_LDFLAGS += -EL
else
-ld-bfd := elf32-shbig-linux
-LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld-bfd)
+ld_bfd := elf32-shbig-linux
+LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld_bfd)
KBUILD_LDFLAGS += -EB
endif
-export ld-bfd
+export ld_bfd
head-y := arch/sh/kernel/head_32.o
diff --git a/arch/sh/boot/compressed/Makefile b/arch/sh/boot/compressed/Makefile
index 589d2d8a573d..d4baaaace17f 100644
--- a/arch/sh/boot/compressed/Makefile
+++ b/arch/sh/boot/compressed/Makefile
@@ -30,7 +30,7 @@ endif
ccflags-remove-$(CONFIG_MCOUNT) += -pg
-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(IMAGE_OFFSET) -e startup \
+LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(IMAGE_OFFSET) -e startup \
-T $(obj)/../../kernel/vmlinux.lds
#
@@ -68,7 +68,7 @@ $(obj)/vmlinux.bin.lzo: $(vmlinux.bin.all-y) FORCE
OBJCOPYFLAGS += -R .empty_zero_page
-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
+LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix-y) FORCE
$(call if_changed,ld)
diff --git a/arch/sh/boot/romimage/Makefile b/arch/sh/boot/romimage/Makefile
index c7c8be58400c..17b03df0a8de 100644
--- a/arch/sh/boot/romimage/Makefile
+++ b/arch/sh/boot/romimage/Makefile
@@ -13,7 +13,7 @@ mmcif-obj-$(CONFIG_CPU_SUBTYPE_SH7724) := $(obj)/mmcif-sh7724.o
load-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-load-y)
obj-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-obj-y)
-LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(load-y) -e romstart \
+LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(load-y) -e romstart \
-T $(obj)/../../kernel/vmlinux.lds
$(obj)/vmlinux: $(obj)/head.o $(obj-y) $(obj)/piggy.o FORCE
@@ -24,7 +24,7 @@ OBJCOPYFLAGS += -j .empty_zero_page
$(obj)/zeropage.bin: vmlinux FORCE
$(call if_changed,objcopy)
-LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T
+LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T
$(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/zeropage.bin arch/sh/boot/zImage FORCE
$(call if_changed,ld)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 196/644] crypto: qat - fix seq_file position update in adf_ring_next()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 195/644] sh: Do not use hyphen in exported variable name Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 197/644] fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref Greg Kroah-Hartman
` (453 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Giovanni Cabiddu, Ahsan Atta,
Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
[ Upstream commit 6908c5f4f066a0412c3d9a6f543a09fa7d87824b ]
The `adf_ring_next()` function in the QAT debug transport interface
fails to correctly update the position index when reaching the end of
the ring elements. This triggers the following kernel warning when
reading ring files, such as
/sys/kernel/debug/qat_c6xx_<D:B:D:F>/transport/bank_00/ring_00:
[27725.022965] seq_file: buggy .next function adf_ring_next [intel_qat] did not update position index
Ensure that the `*pos` index is incremented before returning NULL when
after the last element in the ring is found, satisfying the seq_file API
requirements and preventing the warning.
Fixes: a672a9dc872e ("crypto: qat - Intel(R) QAT transport code")
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/qat/qat_common/adf_transport_debug.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/qat/qat_common/adf_transport_debug.c b/drivers/crypto/qat/qat_common/adf_transport_debug.c
index 006867f410bd..494ddab81df7 100644
--- a/drivers/crypto/qat/qat_common/adf_transport_debug.c
+++ b/drivers/crypto/qat/qat_common/adf_transport_debug.c
@@ -31,8 +31,10 @@ static void *adf_ring_next(struct seq_file *sfile, void *v, loff_t *pos)
struct adf_etr_ring_data *ring = sfile->private;
if (*pos >= (ADF_SIZE_TO_RING_SIZE_IN_BYTES(ring->ring_size) /
- ADF_MSG_SIZE_TO_BYTES(ring->msg_size)))
+ ADF_MSG_SIZE_TO_BYTES(ring->msg_size))) {
+ (*pos)++;
return NULL;
+ }
return ring->base_addr +
(ADF_MSG_SIZE_TO_BYTES(ring->msg_size) * (*pos)++);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 197/644] fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 196/644] crypto: qat - fix seq_file position update in adf_ring_next() Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 198/644] jfs: fix metapage reference count leak in dbAllocCtl Greg Kroah-Hartman
` (452 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Helge Deller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7 ]
fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot
allocate a struct fb_modelist. If that happens, the modelist stays empty but
the driver continues to register. Add a check for its return value to prevent
poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev:
Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var").
Fixes: 1b6c79361ba5 ("video: imxfb: Add DT support")
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/imxfb.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
index cd376a9bfe1b..f9af2b1a91ab 100644
--- a/drivers/video/fbdev/imxfb.c
+++ b/drivers/video/fbdev/imxfb.c
@@ -1007,8 +1007,13 @@ static int imxfb_probe(struct platform_device *pdev)
INIT_LIST_HEAD(&info->modelist);
- for (i = 0; i < fbi->num_modes; i++)
- fb_add_videomode(&fbi->mode[i].mode, &info->modelist);
+ for (i = 0; i < fbi->num_modes; i++) {
+ ret = fb_add_videomode(&fbi->mode[i].mode, &info->modelist);
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to add videomode\n");
+ goto failed_cmap;
+ }
+ }
/*
* This makes sure that our colour bitfield
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 198/644] jfs: fix metapage reference count leak in dbAllocCtl
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 197/644] fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 199/644] mtd: rawnand: atmel: Fix dma_mapping_error() address Greg Kroah-Hartman
` (451 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zheng Yu, Dave Kleikamp, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Yu <zheng.yu@northwestern.edu>
[ Upstream commit 856db37592021e9155384094e331e2d4589f28b1 ]
In dbAllocCtl(), read_metapage() increases the reference count of the
metapage. However, when dp->tree.budmin < 0, the function returns -EIO
without calling release_metapage() to decrease the reference count,
leading to a memory leak.
Add release_metapage(mp) before the error return to properly manage
the metapage reference count and prevent the leak.
Fixes: a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d ("jfs: fix shift-out-of-bounds in dbSplit")
Signed-off-by: Zheng Yu <zheng.yu@northwestern.edu>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cfb81bf5881e..c2d4349cd959 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1877,8 +1877,10 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results)
return -EIO;
dp = (struct dmap *) mp->data;
- if (dp->tree.budmin < 0)
+ if (dp->tree.budmin < 0) {
+ release_metapage(mp);
return -EIO;
+ }
/* try to allocate the blocks.
*/
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 199/644] mtd: rawnand: atmel: Fix dma_mapping_error() address
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 198/644] jfs: fix metapage reference count leak in dbAllocCtl Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 200/644] mtd: rawnand: rockchip: Add missing check after DMA map Greg Kroah-Hartman
` (450 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Miquel Raynal,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit e1e6b933c56b1e9fda93caa0b8bae39f3f421e5c ]
It seems like what was intended is to test if the dma_map of the
previous line failed but the wrong dma address was passed.
Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Rule: add
Link: https://lore.kernel.org/stable/20250702064515.18145-2-fourier.thomas%40gmail.com
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c
index 73956a9f5449..060e2c11b8e0 100644
--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
+++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
@@ -373,7 +373,7 @@ static int atmel_nand_dma_transfer(struct atmel_nand_controller *nc,
dma_cookie_t cookie;
buf_dma = dma_map_single(nc->dev, buf, len, dir);
- if (dma_mapping_error(nc->dev, dev_dma)) {
+ if (dma_mapping_error(nc->dev, buf_dma)) {
dev_err(nc->dev,
"Failed to prepare a buffer for DMA access\n");
goto err;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 200/644] mtd: rawnand: rockchip: Add missing check after DMA map
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 199/644] mtd: rawnand: atmel: Fix dma_mapping_error() address Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 201/644] mtd: rawnand: atmel: set pmecc data setup time Greg Kroah-Hartman
` (449 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Miquel Raynal,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 3b36f86dc47261828f96f826077131a35dd825fd ]
The DMA map functions can fail and should be tested for errors.
Fixes: 058e0e847d54 ("mtd: rawnand: rockchip: NFC driver for RK3308, RK2928 and others")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/rockchip-nand-controller.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/mtd/nand/raw/rockchip-nand-controller.c b/drivers/mtd/nand/raw/rockchip-nand-controller.c
index f45c85a1a5a3..76721a3b3e33 100644
--- a/drivers/mtd/nand/raw/rockchip-nand-controller.c
+++ b/drivers/mtd/nand/raw/rockchip-nand-controller.c
@@ -657,9 +657,16 @@ static int rk_nfc_write_page_hwecc(struct nand_chip *chip, const u8 *buf,
dma_data = dma_map_single(nfc->dev, (void *)nfc->page_buf,
mtd->writesize, DMA_TO_DEVICE);
+ if (dma_mapping_error(nfc->dev, dma_data))
+ return -ENOMEM;
+
dma_oob = dma_map_single(nfc->dev, nfc->oob_buf,
ecc->steps * oob_step,
DMA_TO_DEVICE);
+ if (dma_mapping_error(nfc->dev, dma_oob)) {
+ dma_unmap_single(nfc->dev, dma_data, mtd->writesize, DMA_TO_DEVICE);
+ return -ENOMEM;
+ }
reinit_completion(&nfc->done);
writel(INT_DMA, nfc->regs + nfc->cfg->int_en_off);
@@ -773,9 +780,17 @@ static int rk_nfc_read_page_hwecc(struct nand_chip *chip, u8 *buf, int oob_on,
dma_data = dma_map_single(nfc->dev, nfc->page_buf,
mtd->writesize,
DMA_FROM_DEVICE);
+ if (dma_mapping_error(nfc->dev, dma_data))
+ return -ENOMEM;
+
dma_oob = dma_map_single(nfc->dev, nfc->oob_buf,
ecc->steps * oob_step,
DMA_FROM_DEVICE);
+ if (dma_mapping_error(nfc->dev, dma_oob)) {
+ dma_unmap_single(nfc->dev, dma_data, mtd->writesize,
+ DMA_FROM_DEVICE);
+ return -ENOMEM;
+ }
/*
* The first blocks (4, 8 or 16 depending on the device)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 201/644] mtd: rawnand: atmel: set pmecc data setup time
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 200/644] mtd: rawnand: rockchip: Add missing check after DMA map Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 202/644] vhost-scsi: Fix log flooding with target does not exist errors Greg Kroah-Hartman
` (448 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zixun LI, Ada Couprie Diaz,
Balamanikandan Gunasundar, Miquel Raynal, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Balamanikandan Gunasundar <balamanikandan.gunasundar@microchip.com>
[ Upstream commit f552a7c7e0a14215cb8a6fd89e60fa3932a74786 ]
Setup the pmecc data setup time as 3 clock cycles for 133MHz as recommended
by the datasheet.
Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
Reported-by: Zixun LI <admin@hifiphile.com>
Closes: https://lore.kernel.org/all/c015bb20-6a57-4f63-8102-34b3d83e0f5b@microchip.com
Suggested-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Signed-off-by: Balamanikandan Gunasundar <balamanikandan.gunasundar@microchip.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/atmel/pmecc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/mtd/nand/raw/atmel/pmecc.c b/drivers/mtd/nand/raw/atmel/pmecc.c
index d1ed5878b3b1..28ed65dd3d43 100644
--- a/drivers/mtd/nand/raw/atmel/pmecc.c
+++ b/drivers/mtd/nand/raw/atmel/pmecc.c
@@ -143,6 +143,7 @@ struct atmel_pmecc_caps {
int nstrengths;
int el_offset;
bool correct_erased_chunks;
+ bool clk_ctrl;
};
struct atmel_pmecc {
@@ -846,6 +847,10 @@ static struct atmel_pmecc *atmel_pmecc_create(struct platform_device *pdev,
if (IS_ERR(pmecc->regs.errloc))
return ERR_CAST(pmecc->regs.errloc);
+ /* pmecc data setup time */
+ if (caps->clk_ctrl)
+ writel(PMECC_CLK_133MHZ, pmecc->regs.base + ATMEL_PMECC_CLK);
+
/* Disable all interrupts before registering the PMECC handler. */
writel(0xffffffff, pmecc->regs.base + ATMEL_PMECC_IDR);
atmel_pmecc_reset(pmecc);
@@ -899,6 +904,7 @@ static struct atmel_pmecc_caps at91sam9g45_caps = {
.strengths = atmel_pmecc_strengths,
.nstrengths = 5,
.el_offset = 0x8c,
+ .clk_ctrl = true,
};
static struct atmel_pmecc_caps sama5d4_caps = {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 202/644] vhost-scsi: Fix log flooding with target does not exist errors
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 201/644] mtd: rawnand: atmel: set pmecc data setup time Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 203/644] bpf: Check flow_dissector ctx accesses are aligned Greg Kroah-Hartman
` (447 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Christie, Stefan Hajnoczi,
Stefano Garzarella, Michael S. Tsirkin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Christie <michael.christie@oracle.com>
[ Upstream commit 69cd720a8a5e9ef0f05ce5dd8c9ea6e018245c82 ]
As part of the normal initiator side scanning the guest's scsi layer
will loop over all possible targets and send an inquiry. Since the
max number of targets for virtio-scsi is 256, this can result in 255
error messages about targets not existing if you only have a single
target. When there's more than 1 vhost-scsi device each with a single
target, then you get N * 255 log messages.
It looks like the log message was added by accident in:
commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from
control queue handler")
when we added common helpers. Then in:
commit 09d7583294aa ("vhost/scsi: Use common handling code in request
queue handler")
we converted the scsi command processing path to use the new
helpers so we started to see the extra log messages during scanning.
The patches were just making some code common but added the vq_err
call and I'm guessing the patch author forgot to enable the vq_err
call (vq_err is implemented by pr_debug which defaults to off). So
this patch removes the call since it's expected to hit this path
during device discovery.
Fixes: 09d7583294aa ("vhost/scsi: Use common handling code in request queue handler")
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20250611210113.10912-1-michael.christie@oracle.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/scsi.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/vhost/scsi.c b/drivers/vhost/scsi.c
index 2c19fa02141d..dff93612fcfd 100644
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -907,10 +907,8 @@ vhost_scsi_get_req(struct vhost_virtqueue *vq, struct vhost_scsi_ctx *vc,
/* validated at handler entry */
vs_tpg = vhost_vq_get_backend(vq);
tpg = READ_ONCE(vs_tpg[*vc->target]);
- if (unlikely(!tpg)) {
- vq_err(vq, "Target 0x%x does not exist\n", *vc->target);
+ if (unlikely(!tpg))
goto out;
- }
}
if (tpgp)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 203/644] bpf: Check flow_dissector ctx accesses are aligned
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 202/644] vhost-scsi: Fix log flooding with target does not exist errors Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 204/644] apparmor: ensure WB_HISTORY_SIZE value is a power of 2 Greg Kroah-Hartman
` (446 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ccac90e482b2a81d74aa,
Paul Chaignon, Yonghong Song, Eduard Zingerman,
Alexei Starovoitov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Chaignon <paul.chaignon@gmail.com>
[ Upstream commit ead3d7b2b6afa5ee7958620c4329982a7d9c2b78 ]
flow_dissector_is_valid_access doesn't check that the context access is
aligned. As a consequence, an unaligned access within one of the exposed
field is considered valid and later rejected by
flow_dissector_convert_ctx_access when we try to convert it.
The later rejection is problematic because it's reported as a verifier
bug with a kernel warning and doesn't point to the right instruction in
verifier logs.
Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
Reported-by: syzbot+ccac90e482b2a81d74aa@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ccac90e482b2a81d74aa
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/cc1b036be484c99be45eddf48bd78cc6f72839b1.1754039605.git.paul.chaignon@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 169d9ba4e7a0..f346f19cf468 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -8764,6 +8764,9 @@ static bool flow_dissector_is_valid_access(int off, int size,
if (off < 0 || off >= sizeof(struct __sk_buff))
return false;
+ if (off % size != 0)
+ return false;
+
if (type == BPF_WRITE)
return false;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 204/644] apparmor: ensure WB_HISTORY_SIZE value is a power of 2
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 203/644] bpf: Check flow_dissector ctx accesses are aligned Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 205/644] module: Restore the moduleparam prefix length check Greg Kroah-Hartman
` (445 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ryan Lee, John Johansen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Lee <ryan.lee@canonical.com>
[ Upstream commit 6c055e62560b958354625604293652753d82bcae ]
WB_HISTORY_SIZE was defined to be a value not a power of 2, despite a
comment in the declaration of struct match_workbuf stating it is and a
modular arithmetic usage in the inc_wb_pos macro assuming that it is. Bump
WB_HISTORY_SIZE's value up to 32 and add a BUILD_BUG_ON_NOT_POWER_OF_2
line to ensure that any future changes to the value of WB_HISTORY_SIZE
respect this requirement.
Fixes: 136db994852a ("apparmor: increase left match history buffer size")
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/apparmor/include/match.h | 3 ++-
security/apparmor/match.c | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 884489590588..29306ec87fd1 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -141,7 +141,8 @@ unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
void aa_dfa_free_kref(struct kref *kref);
-#define WB_HISTORY_SIZE 24
+/* This needs to be a power of 2 */
+#define WB_HISTORY_SIZE 32
struct match_workbuf {
unsigned int count;
unsigned int pos;
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 3e9e1eaf990e..0e683ee323e3 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -672,6 +672,7 @@ unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
#define inc_wb_pos(wb) \
do { \
+ BUILD_BUG_ON_NOT_POWER_OF_2(WB_HISTORY_SIZE); \
wb->pos = (wb->pos + 1) & (WB_HISTORY_SIZE - 1); \
wb->len = (wb->len + 1) & (WB_HISTORY_SIZE - 1); \
} while (0)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 205/644] module: Restore the moduleparam prefix length check
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 204/644] apparmor: ensure WB_HISTORY_SIZE value is a power of 2 Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 206/644] ucount: fix atomic_long_inc_below() argument type Greg Kroah-Hartman
` (444 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Petr Pavlu, Daniel Gomez,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Pavlu <petr.pavlu@suse.com>
[ Upstream commit bdc877ba6b7ff1b6d2ebeff11e63da4a50a54854 ]
The moduleparam code allows modules to provide their own definition of
MODULE_PARAM_PREFIX, instead of using the default KBUILD_MODNAME ".".
Commit 730b69d22525 ("module: check kernel param length at compile time,
not runtime") added a check to ensure the prefix doesn't exceed
MODULE_NAME_LEN, as this is what param_sysfs_builtin() expects.
Later, commit 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking
for sysfs perms.") removed this check, but there is no indication this was
intentional.
Since the check is still useful for param_sysfs_builtin() to function
properly, reintroduce it in __module_param_call(), but in a modernized form
using static_assert().
While here, clean up the __module_param_call() comments. In particular,
remove the comment "Default value instead of permissions?", which comes
from commit 9774a1f54f17 ("[PATCH] Compile-time check re world-writeable
module params"). This comment was related to the test variable
__param_perm_check_##name, which was removed in the previously mentioned
commit 58f86cc89c33.
Fixes: 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking for sysfs perms.")
Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
Link: https://lore.kernel.org/r/20250630143535.267745-4-petr.pavlu@suse.com
Signed-off-by: Daniel Gomez <da.gomez@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/moduleparam.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
index 962cd41a2cb5..061e19c94a6b 100644
--- a/include/linux/moduleparam.h
+++ b/include/linux/moduleparam.h
@@ -282,10 +282,9 @@ struct kparam_array
#define __moduleparam_const const
#endif
-/* This is the fundamental function for registering boot/module
- parameters. */
+/* This is the fundamental function for registering boot/module parameters. */
#define __module_param_call(prefix, name, ops, arg, perm, level, flags) \
- /* Default value instead of permissions? */ \
+ static_assert(sizeof(""prefix) - 1 <= MAX_PARAM_PREFIX_LEN); \
static const char __param_str_##name[] = prefix #name; \
static struct kernel_param __moduleparam_const __param_##name \
__used __section("__param") \
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 206/644] ucount: fix atomic_long_inc_below() argument type
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 205/644] module: Restore the moduleparam prefix length check Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 207/644] rtc: ds1307: fix incorrect maximum clock rate handling Greg Kroah-Hartman
` (443 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uros Bizjak, Eric W. Biederman,
Sebastian Andrzej Siewior, Paul E. McKenney, Alexey Gladkov,
Roman Gushchin, MengEn Sun, Thomas Weißschuh, Mark Rutland,
Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uros Bizjak <ubizjak@gmail.com>
[ Upstream commit f8cd9193b62e92ad25def5370ca8ea2bc7585381 ]
The type of u argument of atomic_long_inc_below() should be long to avoid
unwanted truncation to int.
The patch fixes the wrong argument type of an internal function to
prevent unwanted argument truncation. It fixes an internal locking
primitive; it should not have any direct effect on userspace.
Mark said
: AFAICT there's no problem in practice because atomic_long_inc_below()
: is only used by inc_ucount(), and it looks like the value is
: constrained between 0 and INT_MAX.
:
: In inc_ucount() the limit value is taken from
: user_namespace::ucount_max[], and AFAICT that's only written by
: sysctls, to the table setup by setup_userns_sysctls(), where
: UCOUNT_ENTRY() limits the value between 0 and INT_MAX.
:
: This is certainly a cleanup, but there might be no functional issue in
: practice as above.
Link: https://lkml.kernel.org/r/20250721174610.28361-1-ubizjak@gmail.com
Fixes: f9c82a4ea89c ("Increase size of ucounts to atomic_long_t")
Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Alexey Gladkov <legion@kernel.org>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: MengEn Sun <mengensun@tencent.com>
Cc: "Thomas Weißschuh" <linux@weissschuh.net>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/ucount.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/ucount.c b/kernel/ucount.c
index 85d7c19b0b80..8c21398f7b4f 100644
--- a/kernel/ucount.c
+++ b/kernel/ucount.c
@@ -210,7 +210,7 @@ void put_ucounts(struct ucounts *ucounts)
}
}
-static inline bool atomic_long_inc_below(atomic_long_t *v, int u)
+static inline bool atomic_long_inc_below(atomic_long_t *v, long u)
{
long c, old;
c = atomic_long_read(v);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 207/644] rtc: ds1307: fix incorrect maximum clock rate handling
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 206/644] ucount: fix atomic_long_inc_below() argument type Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 208/644] rtc: hym8563: " Greg Kroah-Hartman
` (442 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Alexandre Belloni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit cf6eb547a24af7ad7bbd2abe9c5327f956bbeae8 ]
When ds3231_clk_sqw_round_rate() is called with a requested rate higher
than the highest supported rate, it currently returns 0, which disables
the clock. According to the clk API, round_rate() should instead return
the highest supported rate. Update the function to return the maximum
supported rate in this case.
Fixes: 6c6ff145b3346 ("rtc: ds1307: add clock provider support for DS3231")
Signed-off-by: Brian Masney <bmasney@redhat.com>
Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-1-33140bb2278e@redhat.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-ds1307.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
index d5a7a377e4a6..1e621080f666 100644
--- a/drivers/rtc/rtc-ds1307.c
+++ b/drivers/rtc/rtc-ds1307.c
@@ -1461,7 +1461,7 @@ static long ds3231_clk_sqw_round_rate(struct clk_hw *hw, unsigned long rate,
return ds3231_clk_sqw_rates[i];
}
- return 0;
+ return ds3231_clk_sqw_rates[ARRAY_SIZE(ds3231_clk_sqw_rates) - 1];
}
static int ds3231_clk_sqw_set_rate(struct clk_hw *hw, unsigned long rate,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 208/644] rtc: hym8563: fix incorrect maximum clock rate handling
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 207/644] rtc: ds1307: fix incorrect maximum clock rate handling Greg Kroah-Hartman
@ 2025-08-26 11:04 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 209/644] rtc: pcf85063: " Greg Kroah-Hartman
` (441 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Alexandre Belloni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit d0a518eb0a692a2ab8357e844970660c5ea37720 ]
When hym8563_clkout_round_rate() is called with a requested rate higher
than the highest supported rate, it currently returns 0, which disables
the clock. According to the clk API, round_rate() should instead return
the highest supported rate. Update the function to return the maximum
supported rate in this case.
Fixes: dcaf038493525 ("rtc: add hym8563 rtc-driver")
Signed-off-by: Brian Masney <bmasney@redhat.com>
Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-2-33140bb2278e@redhat.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-hym8563.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rtc/rtc-hym8563.c b/drivers/rtc/rtc-hym8563.c
index 0751cae27285..93fd182d440b 100644
--- a/drivers/rtc/rtc-hym8563.c
+++ b/drivers/rtc/rtc-hym8563.c
@@ -312,7 +312,7 @@ static long hym8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
if (clkout_rates[i] <= rate)
return clkout_rates[i];
- return 0;
+ return clkout_rates[0];
}
static int hym8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 209/644] rtc: pcf85063: fix incorrect maximum clock rate handling
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2025-08-26 11:04 ` [PATCH 5.15 208/644] rtc: hym8563: " Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 210/644] rtc: pcf8563: " Greg Kroah-Hartman
` (440 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Alexandre Belloni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit 186ae1869880e58bb3f142d222abdb35ecb4df0f ]
When pcf85063_clkout_round_rate() is called with a requested rate higher
than the highest supported rate, it currently returns 0, which disables
the clock. According to the clk API, round_rate() should instead return
the highest supported rate. Update the function to return the maximum
supported rate in this case.
Fixes: 8c229ab6048b7 ("rtc: pcf85063: Add pcf85063 clkout control to common clock framework")
Signed-off-by: Brian Masney <bmasney@redhat.com>
Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-4-33140bb2278e@redhat.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-pcf85063.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
index 89e080798e03..b286e3078025 100644
--- a/drivers/rtc/rtc-pcf85063.c
+++ b/drivers/rtc/rtc-pcf85063.c
@@ -407,7 +407,7 @@ static long pcf85063_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
if (clkout_rates[i] <= rate)
return clkout_rates[i];
- return 0;
+ return clkout_rates[0];
}
static int pcf85063_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 210/644] rtc: pcf8563: fix incorrect maximum clock rate handling
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 209/644] rtc: pcf85063: " Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 211/644] rtc: rv3028: " Greg Kroah-Hartman
` (439 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Alexandre Belloni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit 906726a5efeefe0ef0103ccff5312a09080c04ae ]
When pcf8563_clkout_round_rate() is called with a requested rate higher
than the highest supported rate, it currently returns 0, which disables
the clock. According to the clk API, round_rate() should instead return
the highest supported rate. Update the function to return the maximum
supported rate in this case.
Fixes: a39a6405d5f94 ("rtc: pcf8563: add CLKOUT to common clock framework")
Signed-off-by: Brian Masney <bmasney@redhat.com>
Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-5-33140bb2278e@redhat.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-pcf8563.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rtc/rtc-pcf8563.c b/drivers/rtc/rtc-pcf8563.c
index c8bddfb94129..7d47d1f4802a 100644
--- a/drivers/rtc/rtc-pcf8563.c
+++ b/drivers/rtc/rtc-pcf8563.c
@@ -399,7 +399,7 @@ static long pcf8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
if (clkout_rates[i] <= rate)
return clkout_rates[i];
- return 0;
+ return clkout_rates[0];
}
static int pcf8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 211/644] rtc: rv3028: fix incorrect maximum clock rate handling
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 210/644] rtc: pcf8563: " Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 212/644] f2fs: fix KMSAN uninit-value in extent_info usage Greg Kroah-Hartman
` (438 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Alexandre Belloni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Masney <bmasney@redhat.com>
[ Upstream commit b574acb3cf7591d2513a9f29f8c2021ad55fb881 ]
When rv3028_clkout_round_rate() is called with a requested rate higher
than the highest supported rate, it currently returns 0, which disables
the clock. According to the clk API, round_rate() should instead return
the highest supported rate. Update the function to return the maximum
supported rate in this case.
Fixes: f583c341a515f ("rtc: rv3028: add clkout support")
Signed-off-by: Brian Masney <bmasney@redhat.com>
Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-6-33140bb2278e@redhat.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-rv3028.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rtc/rtc-rv3028.c b/drivers/rtc/rtc-rv3028.c
index 12c807306893..fdcca4bf1ce2 100644
--- a/drivers/rtc/rtc-rv3028.c
+++ b/drivers/rtc/rtc-rv3028.c
@@ -669,7 +669,7 @@ static long rv3028_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
if (clkout_rates[i] <= rate)
return clkout_rates[i];
- return 0;
+ return clkout_rates[0];
}
static int rv3028_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 212/644] f2fs: fix KMSAN uninit-value in extent_info usage
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 211/644] rtc: rv3028: " Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 213/644] f2fs: doc: fix wrong quota mount option description Greg Kroah-Hartman
` (437 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b8c1d60e95df65e827d4, Chao Yu,
Abinash Singh, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abinash Singh <abinashlalotra@gmail.com>
[ Upstream commit 154467f4ad033473e5c903a03e7b9bca7df9a0fa ]
KMSAN reported a use of uninitialized value in `__is_extent_mergeable()`
and `__is_back_mergeable()` via the read extent tree path.
The root cause is that `get_read_extent_info()` only initializes three
fields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the
remaining fields uninitialized. This leads to undefined behavior
when those fields are accessed later, especially during
extent merging.
Fix it by zero-initializing the `extent_info` struct before population.
Reported-by: syzbot+b8c1d60e95df65e827d4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b8c1d60e95df65e827d4
Fixes: 94afd6d6e525 ("f2fs: extent cache: support unaligned extent")
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Abinash Singh <abinashsinghlalotra@gmail.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/extent_cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
index 30b8924d1493..5808791efd98 100644
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -365,7 +365,7 @@ static void __f2fs_init_extent_tree(struct inode *inode, struct page *ipage)
struct f2fs_extent *i_ext = ipage ? &F2FS_INODE(ipage)->i_ext : NULL;
struct extent_tree *et;
struct extent_node *en;
- struct extent_info ei;
+ struct extent_info ei = {0};
if (!f2fs_may_extent_tree(inode)) {
/* drop largest extent */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 213/644] f2fs: doc: fix wrong quota mount option description
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 212/644] f2fs: fix KMSAN uninit-value in extent_info usage Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 214/644] f2fs: fix to avoid UAF in f2fs_sync_inode_meta() Greg Kroah-Hartman
` (436 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 81b6ecca2f15922e8d653dc037df5871e754be6e ]
We should use "{usr,grp,prj}jquota=" to disable journaled quota,
rather than using off{usr,grp,prj}jquota.
Fixes: 4b2414d04e99 ("f2fs: support journalled quota")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/filesystems/f2fs.rst | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Documentation/filesystems/f2fs.rst b/Documentation/filesystems/f2fs.rst
index 7fe50b0bccde..f3e9ba8d6892 100644
--- a/Documentation/filesystems/f2fs.rst
+++ b/Documentation/filesystems/f2fs.rst
@@ -211,9 +211,9 @@ usrjquota=<file> Appoint specified file and type during mount, so that quota
grpjquota=<file> information can be properly updated during recovery flow,
prjjquota=<file> <quota file>: must be in root directory;
jqfmt=<quota type> <quota type>: [vfsold,vfsv0,vfsv1].
-offusrjquota Turn off user journalled quota.
-offgrpjquota Turn off group journalled quota.
-offprjjquota Turn off project journalled quota.
+usrjquota= Turn off user journalled quota.
+grpjquota= Turn off group journalled quota.
+prjjquota= Turn off project journalled quota.
quota Enable plain user disk quota accounting.
noquota Disable all plain disk quota option.
whint_mode=%s Control which write hints are passed down to block
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 214/644] f2fs: fix to avoid UAF in f2fs_sync_inode_meta()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 213/644] f2fs: doc: fix wrong quota mount option description Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 215/644] f2fs: fix to avoid panic in f2fs_evict_inode Greg Kroah-Hartman
` (435 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 7c30d79930132466f5be7d0b57add14d1a016bda ]
syzbot reported an UAF issue as below: [1] [2]
[1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8
CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x158/0x4e0 mm/kasan/report.c:427
kasan_report+0x13c/0x170 mm/kasan/report.c:531
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
__list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
__list_del_entry include/linux/list.h:134 [inline]
list_del_init include/linux/list.h:206 [inline]
f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553
f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588
f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706
f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734
write_inode fs/fs-writeback.c:1460 [inline]
__writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677
writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903
__writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974
wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081
wb_check_background_flush fs/fs-writeback.c:2151 [inline]
wb_do_writeback fs/fs-writeback.c:2239 [inline]
wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266
process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299
worker_thread+0xa60/0x1260 kernel/workqueue.c:2446
kthread+0x26d/0x300 kernel/kthread.c:386
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
Allocated by task 298:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333
kasan_slab_alloc include/linux/kasan.h:202 [inline]
slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768
slab_alloc_node mm/slub.c:3421 [inline]
slab_alloc mm/slub.c:3431 [inline]
__kmem_cache_alloc_lru mm/slub.c:3438 [inline]
kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454
alloc_inode_sb include/linux/fs.h:3255 [inline]
f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
alloc_inode fs/inode.c:261 [inline]
iget_locked+0x18c/0x7e0 fs/inode.c:1373
f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484
__lookup_slow+0x2b9/0x3e0 fs/namei.c:1689
lookup_slow+0x5a/0x80 fs/namei.c:1706
walk_component+0x2e7/0x410 fs/namei.c:1997
lookup_last fs/namei.c:2454 [inline]
path_lookupat+0x16d/0x450 fs/namei.c:2478
filename_lookup+0x251/0x600 fs/namei.c:2507
vfs_statx+0x107/0x4b0 fs/stat.c:229
vfs_fstatat fs/stat.c:267 [inline]
vfs_lstat include/linux/fs.h:3434 [inline]
__do_sys_newlstat fs/stat.c:423 [inline]
__se_sys_newlstat+0xda/0x7c0 fs/stat.c:417
__x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Freed by task 0:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
kasan_slab_free include/linux/kasan.h:178 [inline]
slab_free_hook mm/slub.c:1745 [inline]
slab_free_freelist_hook mm/slub.c:1771 [inline]
slab_free mm/slub.c:3686 [inline]
kmem_cache_free+0x291/0x560 mm/slub.c:3711
f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1584
i_callback+0x4b/0x70 fs/inode.c:250
rcu_do_batch+0x552/0xbe0 kernel/rcu/tree.c:2297
rcu_core+0x502/0xf40 kernel/rcu/tree.c:2557
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
handle_softirqs+0x1db/0x650 kernel/softirq.c:624
__do_softirq kernel/softirq.c:662 [inline]
invoke_softirq kernel/softirq.c:479 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711
irq_exit_rcu+0x9/0x10 kernel/softirq.c:723
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
Last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb4/0xc0 mm/kasan/generic.c:486
kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
__call_rcu_common kernel/rcu/tree.c:2807 [inline]
call_rcu+0xdc/0x10f0 kernel/rcu/tree.c:2926
destroy_inode fs/inode.c:316 [inline]
evict+0x87d/0x930 fs/inode.c:720
iput_final fs/inode.c:1834 [inline]
iput+0x616/0x690 fs/inode.c:1860
do_unlinkat+0x4e1/0x920 fs/namei.c:4396
__do_sys_unlink fs/namei.c:4437 [inline]
__se_sys_unlink fs/namei.c:4435 [inline]
__x64_sys_unlink+0x49/0x50 fs/namei.c:4435
x64_sys_call+0x289/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff888100567a10
which belongs to the cache f2fs_inode_cache of size 1360
The buggy address is located 952 bytes inside of
1360-byte region [ffff888100567a10, ffff888100567f60)
The buggy address belongs to the physical page:
page:ffffea0004015800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100560
head:ffffea0004015800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881002c4d80
raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 298, tgid 298 (syz-executor330), ts 26489303743, free_ts 0
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x213/0x220 mm/page_alloc.c:2637
prep_new_page+0x1b/0x110 mm/page_alloc.c:2644
get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539
__alloc_pages+0x234/0x610 mm/page_alloc.c:5837
alloc_slab_page+0x6c/0xf0 include/linux/gfp.h:-1
allocate_slab mm/slub.c:1962 [inline]
new_slab+0x90/0x3e0 mm/slub.c:2015
___slab_alloc+0x6f9/0xb80 mm/slub.c:3203
__slab_alloc+0x5d/0xa0 mm/slub.c:3302
slab_alloc_node mm/slub.c:3387 [inline]
slab_alloc mm/slub.c:3431 [inline]
__kmem_cache_alloc_lru mm/slub.c:3438 [inline]
kmem_cache_alloc_lru+0x149/0x270 mm/slub.c:3454
alloc_inode_sb include/linux/fs.h:3255 [inline]
f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
alloc_inode fs/inode.c:261 [inline]
iget_locked+0x18c/0x7e0 fs/inode.c:1373
f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
f2fs_fill_super+0x5360/0x6dc0 fs/f2fs/super.c:4488
mount_bdev+0x282/0x3b0 fs/super.c:1445
f2fs_mount+0x34/0x40 fs/f2fs/super.c:4743
legacy_get_tree+0xf1/0x190 fs/fs_context.c:632
page_owner free stack trace missing
Memory state around the buggy address:
ffff888100567c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888100567d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888100567d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888100567e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888100567e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[2] https://syzkaller.appspot.com/text?tag=CrashLog&x=13654c60580000
[ 24.675720][ T28] audit: type=1400 audit(1745327318.732:72): avc: denied { write } for pid=298 comm="syz-executor399" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 24.705426][ T296] ------------[ cut here ]------------
[ 24.706608][ T28] audit: type=1400 audit(1745327318.732:73): avc: denied { remove_name } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 24.711550][ T296] WARNING: CPU: 0 PID: 296 at fs/f2fs/inode.c:847 f2fs_evict_inode+0x1262/0x1540
[ 24.734141][ T28] audit: type=1400 audit(1745327318.732:74): avc: denied { rename } for pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 24.742969][ T296] Modules linked in:
[ 24.765201][ T28] audit: type=1400 audit(1745327318.732:75): avc: denied { add_name } for pid=298 comm="syz-executor399" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
[ 24.768847][ T296] CPU: 0 PID: 296 Comm: syz-executor399 Not tainted 6.1.129-syzkaller-00017-g642656a36791 #0
[ 24.799506][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 24.809401][ T296] RIP: 0010:f2fs_evict_inode+0x1262/0x1540
[ 24.815018][ T296] Code: 34 70 4a ff eb 0d e8 2d 70 4a ff 4d 89 e5 4c 8b 64 24 18 48 8b 5c 24 28 4c 89 e7 e8 78 38 03 00 e9 84 fc ff ff e8 0e 70 4a ff <0f> 0b 4c 89 f7 be 08 00 00 00 e8 7f 21 92 ff f0 41 80 0e 04 e9 61
[ 24.834584][ T296] RSP: 0018:ffffc90000db7a40 EFLAGS: 00010293
[ 24.840465][ T296] RAX: ffffffff822aca42 RBX: 0000000000000002 RCX: ffff888110948000
[ 24.848291][ T296] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
[ 24.856064][ T296] RBP: ffffc90000db7bb0 R08: ffffffff822ac6a8 R09: ffffed10200b005d
[ 24.864073][ T296] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888100580000
[ 24.871812][ T296] R13: dffffc0000000000 R14: ffff88810fef4078 R15: 1ffff920001b6f5c
The root cause is w/ a fuzzed image, f2fs may missed to clear FI_DIRTY_INODE
flag for target inode, after f2fs_evict_inode(), the inode is still linked in
sbi->inode_list[DIRTY_META] global list, once it triggers checkpoint,
f2fs_sync_inode_meta() may access the released inode.
In f2fs_evict_inode(), let's always call f2fs_inode_synced() to clear
FI_DIRTY_INODE flag and drop inode from global dirty list to avoid this
UAF issue.
Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing")
Closes: https://syzkaller.appspot.com/bug?extid=849174b2efaf0d8be6ba
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/inode.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 558f478d037d..35760080803f 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -842,8 +842,12 @@ void f2fs_evict_inode(struct inode *inode)
if (likely(!f2fs_cp_error(sbi) &&
!is_sbi_flag_set(sbi, SBI_CP_DISABLED)))
f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE));
- else
- f2fs_inode_synced(inode);
+
+ /*
+ * anyway, it needs to remove the inode from sbi->inode_list[DIRTY_META]
+ * list to avoid UAF in f2fs_sync_inode_meta() during checkpoint.
+ */
+ f2fs_inode_synced(inode);
/* for the case f2fs_new_inode() was failed, .i_ino is zero, skip it */
if (inode->i_ino)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 215/644] f2fs: fix to avoid panic in f2fs_evict_inode
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 214/644] f2fs: fix to avoid UAF in f2fs_sync_inode_meta() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 216/644] f2fs: fix to avoid out-of-boundary access in devs.path Greg Kroah-Hartman
` (434 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit a509a55f8eecc8970b3980c6f06886bbff0e2f68 ]
As syzbot [1] reported as below:
R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450
R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520
</TASK>
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
Read of size 8 at addr ffff88812d962278 by task syz-executor/564
CPU: 1 PID: 564 Comm: syz-executor Tainted: G W 6.1.129-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
<TASK>
__dump_stack+0x21/0x24 lib/dump_stack.c:88
dump_stack_lvl+0xee/0x158 lib/dump_stack.c:106
print_address_description+0x71/0x210 mm/kasan/report.c:316
print_report+0x4a/0x60 mm/kasan/report.c:427
kasan_report+0x122/0x150 mm/kasan/report.c:531
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
__list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
__list_del_entry include/linux/list.h:134 [inline]
list_del_init include/linux/list.h:206 [inline]
f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1531
f2fs_update_inode+0x74/0x1c40 fs/f2fs/inode.c:585
f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:703
f2fs_write_inode+0x4ec/0x770 fs/f2fs/inode.c:731
write_inode fs/fs-writeback.c:1460 [inline]
__writeback_single_inode+0x4a0/0xab0 fs/fs-writeback.c:1677
writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733
sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2789
f2fs_sync_inode_meta+0x16d/0x2a0 fs/f2fs/checkpoint.c:1159
block_operations fs/f2fs/checkpoint.c:1269 [inline]
f2fs_write_checkpoint+0xca3/0x2100 fs/f2fs/checkpoint.c:1658
kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4668
deactivate_locked_super+0x98/0x100 fs/super.c:332
deactivate_super+0xaf/0xe0 fs/super.c:363
cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x1c6/0x230 kernel/task_work.c:203
exit_task_work include/linux/task_work.h:39 [inline]
do_exit+0x9fb/0x2410 kernel/exit.c:871
do_group_exit+0x210/0x2d0 kernel/exit.c:1021
__do_sys_exit_group kernel/exit.c:1032 [inline]
__se_sys_exit_group kernel/exit.c:1030 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030
x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f28b1b8e169
Code: Unable to access opcode bytes at 0x7f28b1b8e13f.
RSP: 002b:00007ffe174710a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f28b1c10879 RCX: 00007f28b1b8e169
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000002 R08: 00007ffe1746ee47 R09: 00007ffe17472360
R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe17472360
R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520
</TASK>
Allocated by task 569:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x4f/0x2c0 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc_lru+0x104/0x220 mm/slub.c:3429
alloc_inode_sb include/linux/fs.h:3245 [inline]
f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419
alloc_inode fs/inode.c:261 [inline]
iget_locked+0x186/0x880 fs/inode.c:1373
f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483
f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:487
__lookup_slow+0x2a3/0x3d0 fs/namei.c:1690
lookup_slow+0x57/0x70 fs/namei.c:1707
walk_component+0x2e6/0x410 fs/namei.c:1998
lookup_last fs/namei.c:2455 [inline]
path_lookupat+0x180/0x490 fs/namei.c:2479
filename_lookup+0x1f0/0x500 fs/namei.c:2508
vfs_statx+0x10b/0x660 fs/stat.c:229
vfs_fstatat fs/stat.c:267 [inline]
vfs_lstat include/linux/fs.h:3424 [inline]
__do_sys_newlstat fs/stat.c:423 [inline]
__se_sys_newlstat+0xd5/0x350 fs/stat.c:417
__x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
x64_sys_call+0x393/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Freed by task 13:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
____kasan_slab_free+0x132/0x180 mm/kasan/common.c:236
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0x12d/0x2a0 mm/slub.c:3683
f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1562
i_callback+0x4c/0x70 fs/inode.c:250
rcu_do_batch+0x503/0xb80 kernel/rcu/tree.c:2297
rcu_core+0x5a2/0xe70 kernel/rcu/tree.c:2557
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
handle_softirqs+0x178/0x500 kernel/softirq.c:578
run_ksoftirqd+0x28/0x30 kernel/softirq.c:945
smpboot_thread_fn+0x45a/0x8c0 kernel/smpboot.c:164
kthread+0x270/0x310 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Last potentially related work creation:
kasan_save_stack+0x3a/0x60 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb6/0xc0 mm/kasan/generic.c:486
kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
call_rcu+0xd4/0xf70 kernel/rcu/tree.c:2845
destroy_inode fs/inode.c:316 [inline]
evict+0x7da/0x870 fs/inode.c:720
iput_final fs/inode.c:1834 [inline]
iput+0x62b/0x830 fs/inode.c:1860
do_unlinkat+0x356/0x540 fs/namei.c:4397
__do_sys_unlink fs/namei.c:4438 [inline]
__se_sys_unlink fs/namei.c:4436 [inline]
__x64_sys_unlink+0x49/0x50 fs/namei.c:4436
x64_sys_call+0x958/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
The buggy address belongs to the object at ffff88812d961f20
which belongs to the cache f2fs_inode_cache of size 1200
The buggy address is located 856 bytes inside of
1200-byte region [ffff88812d961f20, ffff88812d9623d0)
The buggy address belongs to the physical page:
page:ffffea0004b65800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d960
head:ffffea0004b65800 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff88810a94c500
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 569, tgid 568 (syz.2.16), ts 55943246141, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1d0/0x1f0 mm/page_alloc.c:2532
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x2e63/0x2ef0 mm/page_alloc.c:4328
__alloc_pages+0x235/0x4b0 mm/page_alloc.c:5605
alloc_slab_page include/linux/gfp.h:-1 [inline]
allocate_slab mm/slub.c:1939 [inline]
new_slab+0xec/0x4b0 mm/slub.c:1992
___slab_alloc+0x6f6/0xb50 mm/slub.c:3180
__slab_alloc+0x5e/0xa0 mm/slub.c:3279
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc_lru+0x13f/0x220 mm/slub.c:3429
alloc_inode_sb include/linux/fs.h:3245 [inline]
f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419
alloc_inode fs/inode.c:261 [inline]
iget_locked+0x186/0x880 fs/inode.c:1373
f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483
f2fs_fill_super+0x3ad7/0x6bb0 fs/f2fs/super.c:4293
mount_bdev+0x2ae/0x3e0 fs/super.c:1443
f2fs_mount+0x34/0x40 fs/f2fs/super.c:4642
legacy_get_tree+0xea/0x190 fs/fs_context.c:632
vfs_get_tree+0x89/0x260 fs/super.c:1573
do_new_mount+0x25a/0xa20 fs/namespace.c:3056
page_owner free stack trace missing
Memory state around the buggy address:
ffff88812d962100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88812d962180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88812d962200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88812d962280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88812d962300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[1] https://syzkaller.appspot.com/x/report.txt?x=13448368580000
This bug can be reproduced w/ the reproducer [2], once we enable
CONFIG_F2FS_CHECK_FS config, the reproducer will trigger panic as below,
so the direct reason of this bug is the same as the one below patch [3]
fixed.
kernel BUG at fs/f2fs/inode.c:857!
RIP: 0010:f2fs_evict_inode+0x1204/0x1a20
Call Trace:
<TASK>
evict+0x32a/0x7a0
do_unlinkat+0x37b/0x5b0
__x64_sys_unlink+0xad/0x100
do_syscall_64+0x5a/0xb0
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0010:f2fs_evict_inode+0x1204/0x1a20
[2] https://syzkaller.appspot.com/x/repro.c?x=17495ccc580000
[3] https://lore.kernel.org/linux-f2fs-devel/20250702120321.1080759-1-chao@kernel.org
Tracepoints before panic:
f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file1
f2fs_unlink_exit: dev = (7,0), ino = 7, ret = 0
f2fs_evict_inode: dev = (7,0), ino = 7, pino = 3, i_mode = 0x81ed, i_size = 10, i_nlink = 0, i_blocks = 0, i_advise = 0x0
f2fs_truncate_node: dev = (7,0), ino = 7, nid = 8, block_address = 0x3c05
f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file3
f2fs_unlink_exit: dev = (7,0), ino = 8, ret = 0
f2fs_evict_inode: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 9000, i_nlink = 0, i_blocks = 24, i_advise = 0x4
f2fs_truncate: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 0, i_nlink = 0, i_blocks = 24, i_advise = 0x4
f2fs_truncate_blocks_enter: dev = (7,0), ino = 8, i_size = 0, i_blocks = 24, start file offset = 0
f2fs_truncate_blocks_exit: dev = (7,0), ino = 8, ret = -2
The root cause is: in the fuzzed image, dnode #8 belongs to inode #7,
after inode #7 eviction, dnode #8 was dropped.
However there is dirent that has ino #8, so, once we unlink file3, in
f2fs_evict_inode(), both f2fs_truncate() and f2fs_update_inode_page()
will fail due to we can not load node #8, result in we missed to call
f2fs_inode_synced() to clear inode dirty status.
Let's fix this by calling f2fs_inode_synced() in error path of
f2fs_evict_inode().
PS: As I verified, the reproducer [2] can trigger this bug in v6.1.129,
but it failed in v6.16-rc4, this is because the testcase will stop due to
other corruption has been detected by f2fs:
F2FS-fs (loop0): inconsistent node block, node_type:2, nid:8, node_footer[nid:8,ino:8,ofs:0,cpver:5013063228981249506,blkaddr:15366]
F2FS-fs (loop0): f2fs_lookup: inode (ino=9) has zero i_nlink
Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing")
Closes: https://syzkaller.appspot.com/x/report.txt?x=13448368580000
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/inode.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 35760080803f..dc34a999996e 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -826,6 +826,19 @@ void f2fs_evict_inode(struct inode *inode)
f2fs_update_inode_page(inode);
if (dquot_initialize_needed(inode))
set_sbi_flag(sbi, SBI_QUOTA_NEED_REPAIR);
+
+ /*
+ * If both f2fs_truncate() and f2fs_update_inode_page() failed
+ * due to fuzzed corrupted inode, call f2fs_inode_synced() to
+ * avoid triggering later f2fs_bug_on().
+ */
+ if (is_inode_flag_set(inode, FI_DIRTY_INODE)) {
+ f2fs_warn(sbi,
+ "f2fs_evict_inode: inode is dirty, ino:%lu",
+ inode->i_ino);
+ f2fs_inode_synced(inode);
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ }
}
if (!is_sbi_flag_set(sbi, SBI_IS_FREEZING))
sb_end_intwrite(inode->i_sb);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 216/644] f2fs: fix to avoid out-of-boundary access in devs.path
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 215/644] f2fs: fix to avoid panic in f2fs_evict_inode Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 217/644] scsi: mpt3sas: Fix a fw_event memory leak Greg Kroah-Hartman
` (433 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 5661998536af52848cc4d52a377e90368196edea ]
- touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123
- truncate -s $((1024*1024*1024)) \
/mnt/f2fs/012345678901234567890123456789012345678901234567890123
- touch /mnt/f2fs/file
- truncate -s $((1024*1024*1024)) /mnt/f2fs/file
- mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \
-c /mnt/f2fs/file
- mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \
/mnt/f2fs/loop
[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff
[16937.192268] F2FS-fs (loop0): Failed to find devices
If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may
not end up w/ null character due to path array is fully filled, So
accidently, fields locate after path[] may be treated as part of
device path, result in parsing wrong device path.
struct f2fs_dev_info {
...
char path[MAX_PATH_LEN];
...
};
Let's add one byte space for sbi->devs.path[] to store null
character of device path string.
Fixes: 3c62be17d4f5 ("f2fs: support multiple devices")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/f2fs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index 28db323dd400..5475d017ad1e 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1209,7 +1209,7 @@ struct f2fs_bio_info {
#define RDEV(i) (raw_super->devs[i])
struct f2fs_dev_info {
struct block_device *bdev;
- char path[MAX_PATH_LEN];
+ char path[MAX_PATH_LEN + 1];
unsigned int total_segments;
block_t start_blk;
block_t end_blk;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 217/644] scsi: mpt3sas: Fix a fw_event memory leak
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 216/644] f2fs: fix to avoid out-of-boundary access in devs.path Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 218/644] scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume Greg Kroah-Hartman
` (432 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomas Henzl,
Sathya Prakash Veerichetty, Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomas Henzl <thenzl@redhat.com>
[ Upstream commit 3e90b38781e3bdd651edaf789585687611638862 ]
In _mpt3sas_fw_work() the fw_event reference is removed, it should also
be freed in all cases.
Fixes: 4318c7347847 ("scsi: mpt3sas: Handle NVMe PCIe device related events generated from firmware.")
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Link: https://lore.kernel.org/r/20250723153018.50518-1-thenzl@redhat.com
Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index bbef78608a67..055929021818 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -10806,8 +10806,7 @@ _mpt3sas_fw_work(struct MPT3SAS_ADAPTER *ioc, struct fw_event_work *fw_event)
break;
case MPI2_EVENT_PCIE_TOPOLOGY_CHANGE_LIST:
_scsih_pcie_topology_change_event(ioc, fw_event);
- ioc->current_event = NULL;
- return;
+ break;
}
out:
fw_event_work_put(fw_event);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 218/644] scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 217/644] scsi: mpt3sas: Fix a fw_event memory leak Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 219/644] kconfig: qconf: fix ConfigList::updateListAllforAll() Greg Kroah-Hartman
` (431 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Seunghui Lee, Bean Huo,
Bart Van Assche, Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seunghui Lee <sh043.lee@samsung.com>
[ Upstream commit 35dabf4503b94a697bababe94678a8bc989c3223 ]
If the h8 exit fails during runtime resume process, the runtime thread
enters runtime suspend immediately and the error handler operates at the
same time. It becomes stuck and cannot be recovered through the error
handler. To fix this, use link recovery instead of the error handler.
Fixes: 4db7a2360597 ("scsi: ufs: Fix concurrency of error handler and other error recovery paths")
Signed-off-by: Seunghui Lee <sh043.lee@samsung.com>
Link: https://lore.kernel.org/r/20250717081213.6811-1-sh043.lee@samsung.com
Reviewed-by: Bean Huo <beanhuo@micron.com>
Acked-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ufs/ufshcd.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 2b78cc96ccef..3d2b6ee50e2c 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -4013,7 +4013,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
hba->uic_async_done = NULL;
if (reenable_intr)
ufshcd_enable_intr(hba, UIC_COMMAND_COMPL);
- if (ret) {
+ if (ret && !hba->pm_op_in_progress) {
ufshcd_set_link_broken(hba);
ufshcd_schedule_eh_work(hba);
}
@@ -4021,6 +4021,14 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
spin_unlock_irqrestore(hba->host->host_lock, flags);
mutex_unlock(&hba->uic_cmd_mutex);
+ /*
+ * If the h8 exit fails during the runtime resume process, it becomes
+ * stuck and cannot be recovered through the error handler. To fix
+ * this, use link recovery instead of the error handler.
+ */
+ if (ret && hba->pm_op_in_progress)
+ ret = ufshcd_link_recovery(hba);
+
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 219/644] kconfig: qconf: fix ConfigList::updateListAllforAll()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 218/644] scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 220/644] PCI: pnv_php: Clean up allocated IRQs on unplug Greg Kroah-Hartman
` (430 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit 721bfe583c52ba1ea74b3736a31a9dcfe6dd6d95 ]
ConfigList::updateListForAll() and ConfigList::updateListAllforAll()
are identical.
Commit f9b918fae678 ("kconfig: qconf: move ConfigView::updateList(All)
to ConfigList class") was a misconversion.
Fixes: f9b918fae678 ("kconfig: qconf: move ConfigView::updateList(All) to ConfigList class")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/qconf.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
index 61b679f6c2f2..c31dead186cc 100644
--- a/scripts/kconfig/qconf.cc
+++ b/scripts/kconfig/qconf.cc
@@ -478,7 +478,7 @@ void ConfigList::updateListAllForAll()
while (it.hasNext()) {
ConfigList *list = it.next();
- list->updateList();
+ list->updateListAll();
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 220/644] PCI: pnv_php: Clean up allocated IRQs on unplug
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 219/644] kconfig: qconf: fix ConfigList::updateListAllforAll() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 221/644] PCI: pnv_php: Work around switches with broken presence detection Greg Kroah-Hartman
` (429 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Anastasio, Timothy Pearson,
Bjorn Helgaas, Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timothy Pearson <tpearson@raptorengineering.com>
[ Upstream commit 4668619092554e1b95c9a5ac2941ca47ba6d548a ]
When the root of a nested PCIe bridge configuration is unplugged, the
pnv_php driver leaked the allocated IRQ resources for the child bridges'
hotplug event notifications, resulting in a panic.
Fix this by walking all child buses and deallocating all its IRQ resources
before calling pci_hp_remove_devices().
Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so
that it is only destroyed in pnv_php_free_slot(), instead of
pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will
now be called by workers triggered by hot unplug interrupts, so the
workqueue needs to stay allocated.
The abridged kernel panic that occurs without this patch is as follows:
WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c
CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2
Call Trace:
msi_device_data_release+0x34/0x9c (unreliable)
release_nodes+0x64/0x13c
devres_release_all+0xc0/0x140
device_del+0x2d4/0x46c
pci_destroy_dev+0x5c/0x194
pci_hp_remove_devices+0x90/0x128
pci_hp_remove_devices+0x44/0x128
pnv_php_disable_slot+0x54/0xd4
power_write_file+0xf8/0x18c
pci_slot_attr_store+0x40/0x5c
sysfs_kf_write+0x64/0x78
kernfs_fop_write_iter+0x1b0/0x290
vfs_write+0x3bc/0x50c
ksys_write+0x84/0x140
system_call_exception+0x124/0x230
system_call_vectored_common+0x15c/0x2ec
Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
[bhelgaas: tidy comments]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/2013845045.1359852.1752615367790.JavaMail.zimbra@raptorengineeringinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/hotplug/pnv_php.c | 96 ++++++++++++++++++++++++++++-------
1 file changed, 77 insertions(+), 19 deletions(-)
diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
index e233f8402e8c..c1c1d30bd86b 100644
--- a/drivers/pci/hotplug/pnv_php.c
+++ b/drivers/pci/hotplug/pnv_php.c
@@ -3,6 +3,7 @@
* PCI Hotplug Driver for PowerPC PowerNV platform.
*
* Copyright Gavin Shan, IBM Corporation 2016.
+ * Copyright (C) 2025 Raptor Engineering, LLC
*/
#include <linux/libfdt.h>
@@ -34,8 +35,10 @@ static void pnv_php_register(struct device_node *dn);
static void pnv_php_unregister_one(struct device_node *dn);
static void pnv_php_unregister(struct device_node *dn);
+static void pnv_php_enable_irq(struct pnv_php_slot *php_slot);
+
static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
- bool disable_device)
+ bool disable_device, bool disable_msi)
{
struct pci_dev *pdev = php_slot->pdev;
u16 ctrl;
@@ -51,19 +54,15 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
php_slot->irq = 0;
}
- if (php_slot->wq) {
- destroy_workqueue(php_slot->wq);
- php_slot->wq = NULL;
- }
-
- if (disable_device) {
+ if (disable_device || disable_msi) {
if (pdev->msix_enabled)
pci_disable_msix(pdev);
else if (pdev->msi_enabled)
pci_disable_msi(pdev);
+ }
+ if (disable_device)
pci_disable_device(pdev);
- }
}
static void pnv_php_free_slot(struct kref *kref)
@@ -72,7 +71,8 @@ static void pnv_php_free_slot(struct kref *kref)
struct pnv_php_slot, kref);
WARN_ON(!list_empty(&php_slot->children));
- pnv_php_disable_irq(php_slot, false);
+ pnv_php_disable_irq(php_slot, false, false);
+ destroy_workqueue(php_slot->wq);
kfree(php_slot->name);
kfree(php_slot);
}
@@ -559,8 +559,58 @@ static int pnv_php_reset_slot(struct hotplug_slot *slot, bool probe)
static int pnv_php_enable_slot(struct hotplug_slot *slot)
{
struct pnv_php_slot *php_slot = to_pnv_php_slot(slot);
+ u32 prop32;
+ int ret;
+
+ ret = pnv_php_enable(php_slot, true);
+ if (ret)
+ return ret;
+
+ /* (Re-)enable interrupt if the slot supports surprise hotplug */
+ ret = of_property_read_u32(php_slot->dn, "ibm,slot-surprise-pluggable",
+ &prop32);
+ if (!ret && prop32)
+ pnv_php_enable_irq(php_slot);
- return pnv_php_enable(php_slot, true);
+ return 0;
+}
+
+/*
+ * Disable any hotplug interrupts for all slots on the provided bus, as well as
+ * all downstream slots in preparation for a hot unplug.
+ */
+static int pnv_php_disable_all_irqs(struct pci_bus *bus)
+{
+ struct pci_bus *child_bus;
+ struct pci_slot *slot;
+
+ /* First go down child buses */
+ list_for_each_entry(child_bus, &bus->children, node)
+ pnv_php_disable_all_irqs(child_bus);
+
+ /* Disable IRQs for all pnv_php slots on this bus */
+ list_for_each_entry(slot, &bus->slots, list) {
+ struct pnv_php_slot *php_slot = to_pnv_php_slot(slot->hotplug);
+
+ pnv_php_disable_irq(php_slot, false, true);
+ }
+
+ return 0;
+}
+
+/*
+ * Disable any hotplug interrupts for all downstream slots on the provided
+ * bus in preparation for a hot unplug.
+ */
+static int pnv_php_disable_all_downstream_irqs(struct pci_bus *bus)
+{
+ struct pci_bus *child_bus;
+
+ /* Go down child buses, recursively deactivating their IRQs */
+ list_for_each_entry(child_bus, &bus->children, node)
+ pnv_php_disable_all_irqs(child_bus);
+
+ return 0;
}
static int pnv_php_disable_slot(struct hotplug_slot *slot)
@@ -577,6 +627,13 @@ static int pnv_php_disable_slot(struct hotplug_slot *slot)
php_slot->state != PNV_PHP_STATE_REGISTERED)
return 0;
+ /*
+ * Free all IRQ resources from all child slots before remove.
+ * Note that we do not disable the root slot IRQ here as that
+ * would also deactivate the slot hot (re)plug interrupt!
+ */
+ pnv_php_disable_all_downstream_irqs(php_slot->bus);
+
/* Remove all devices behind the slot */
pci_lock_rescan_remove();
pci_hp_remove_devices(php_slot->bus);
@@ -645,6 +702,15 @@ static struct pnv_php_slot *pnv_php_alloc_slot(struct device_node *dn)
return NULL;
}
+ /* Allocate workqueue for this slot's interrupt handling */
+ php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name);
+ if (!php_slot->wq) {
+ SLOT_WARN(php_slot, "Cannot alloc workqueue\n");
+ kfree(php_slot->name);
+ kfree(php_slot);
+ return NULL;
+ }
+
if (dn->child && PCI_DN(dn->child))
php_slot->slot_no = PCI_SLOT(PCI_DN(dn->child)->devfn);
else
@@ -841,14 +907,6 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq)
u16 sts, ctrl;
int ret;
- /* Allocate workqueue */
- php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name);
- if (!php_slot->wq) {
- SLOT_WARN(php_slot, "Cannot alloc workqueue\n");
- pnv_php_disable_irq(php_slot, true);
- return;
- }
-
/* Check PDC (Presence Detection Change) is broken or not */
ret = of_property_read_u32(php_slot->dn, "ibm,slot-broken-pdc",
&broken_pdc);
@@ -867,7 +925,7 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq)
ret = request_irq(irq, pnv_php_interrupt, IRQF_SHARED,
php_slot->name, php_slot);
if (ret) {
- pnv_php_disable_irq(php_slot, true);
+ pnv_php_disable_irq(php_slot, true, true);
SLOT_WARN(php_slot, "Error %d enabling IRQ %d\n", ret, irq);
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 221/644] PCI: pnv_php: Work around switches with broken presence detection
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 220/644] PCI: pnv_php: Clean up allocated IRQs on unplug Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 222/644] powerpc/eeh: Export eeh_unfreeze_pe() Greg Kroah-Hartman
` (428 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Anastasio, Timothy Pearson,
Bjorn Helgaas, Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timothy Pearson <tpearson@raptorengineering.com>
[ Upstream commit 80f9fc2362797538ebd4fd70a1dfa838cc2c2cdb ]
The Microsemi Switchtec PM8533 PFX 48xG3 [11f8:8533] PCIe switch system
was observed to incorrectly assert the Presence Detect Set bit in its
capabilities when tested on a Raptor Computing Systems Blackbird system,
resulting in the hot insert path never attempting a rescan of the bus
and any downstream devices not being re-detected.
Work around this by additionally checking whether the PCIe data link is
active or not when performing presence detection on downstream switches'
ports, similar to the pciehp_hpc.c driver.
Signed-off-by: Shawn Anastasio <sanastasio@raptorengineering.com>
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/505981576.1359853.1752615415117.JavaMail.zimbra@raptorengineeringinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/hotplug/pnv_php.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
index c1c1d30bd86b..f99987f26ff0 100644
--- a/drivers/pci/hotplug/pnv_php.c
+++ b/drivers/pci/hotplug/pnv_php.c
@@ -389,6 +389,20 @@ static int pnv_php_get_power_state(struct hotplug_slot *slot, u8 *state)
return 0;
}
+static int pcie_check_link_active(struct pci_dev *pdev)
+{
+ u16 lnk_status;
+ int ret;
+
+ ret = pcie_capability_read_word(pdev, PCI_EXP_LNKSTA, &lnk_status);
+ if (ret == PCIBIOS_DEVICE_NOT_FOUND || PCI_POSSIBLE_ERROR(lnk_status))
+ return -ENODEV;
+
+ ret = !!(lnk_status & PCI_EXP_LNKSTA_DLLLA);
+
+ return ret;
+}
+
static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state)
{
struct pnv_php_slot *php_slot = to_pnv_php_slot(slot);
@@ -401,6 +415,19 @@ static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state)
*/
ret = pnv_pci_get_presence_state(php_slot->id, &presence);
if (ret >= 0) {
+ if (pci_pcie_type(php_slot->pdev) == PCI_EXP_TYPE_DOWNSTREAM &&
+ presence == OPAL_PCI_SLOT_EMPTY) {
+ /*
+ * Similar to pciehp_hpc, check whether the Link Active
+ * bit is set to account for broken downstream bridges
+ * that don't properly assert Presence Detect State, as
+ * was observed on the Microsemi Switchtec PM8533 PFX
+ * [11f8:8533].
+ */
+ if (pcie_check_link_active(php_slot->pdev) > 0)
+ presence = OPAL_PCI_SLOT_PRESENT;
+ }
+
*state = presence;
ret = 0;
} else {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 222/644] powerpc/eeh: Export eeh_unfreeze_pe()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 221/644] PCI: pnv_php: Work around switches with broken presence detection Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 223/644] powerpc/eeh: Rely on dev->link_active_reporting Greg Kroah-Hartman
` (427 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timothy Pearson, Bjorn Helgaas,
Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timothy Pearson <tpearson@raptorengineering.com>
[ Upstream commit e82b34eed04b0ddcff4548b62633467235672fd3 ]
The PowerNV hotplug driver needs to be able to clear any frozen PE(s)
on the PHB after suprise removal of a downstream device.
Export the eeh_unfreeze_pe() symbol to allow implementation of this
functionality in the php_nv module.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/1778535414.1359858.1752615454618.JavaMail.zimbra@raptorengineeringinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/eeh.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
index 209d1a61eb94..3f68da6c75a2 100644
--- a/arch/powerpc/kernel/eeh.c
+++ b/arch/powerpc/kernel/eeh.c
@@ -1119,6 +1119,7 @@ int eeh_unfreeze_pe(struct eeh_pe *pe)
return ret;
}
+EXPORT_SYMBOL_GPL(eeh_unfreeze_pe);
static struct pci_device_id eeh_reset_ids[] = {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 223/644] powerpc/eeh: Rely on dev->link_active_reporting
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 222/644] powerpc/eeh: Export eeh_unfreeze_pe() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 224/644] powerpc/eeh: Make EEH driver device hotplug safe Greg Kroah-Hartman
` (426 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki, Bjorn Helgaas,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej W. Rozycki <macro@orcam.me.uk>
[ Upstream commit 1541a21305ceb10fcf3f7cbb23f3e1a00bbf1789 ]
Use dev->link_active_reporting to determine whether Data Link Layer Link
Active Reporting is available rather than re-retrieving the capability.
Link: https://lore.kernel.org/r/alpine.DEB.2.21.2305310124100.59226@angie.orcam.me.uk
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/eeh_pe.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
index a856d9ba42d2..3f55e372f259 100644
--- a/arch/powerpc/kernel/eeh_pe.c
+++ b/arch/powerpc/kernel/eeh_pe.c
@@ -670,9 +670,8 @@ static void eeh_bridge_check_link(struct eeh_dev *edev)
eeh_ops->write_config(edev, cap + PCI_EXP_LNKCTL, 2, val);
/* Check link */
- eeh_ops->read_config(edev, cap + PCI_EXP_LNKCAP, 4, &val);
- if (!(val & PCI_EXP_LNKCAP_DLLLARC)) {
- eeh_edev_dbg(edev, "No link reporting capability (0x%08x) \n", val);
+ if (!edev->pdev->link_active_reporting) {
+ eeh_edev_dbg(edev, "No link reporting capability\n");
msleep(1000);
return;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 224/644] powerpc/eeh: Make EEH driver device hotplug safe
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 223/644] powerpc/eeh: Rely on dev->link_active_reporting Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 225/644] PCI: pnv_php: Fix surprise plug detection and recovery Greg Kroah-Hartman
` (425 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timothy Pearson, Bjorn Helgaas,
Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timothy Pearson <tpearson@raptorengineering.com>
[ Upstream commit 1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 ]
Multiple race conditions existed between the PCIe hotplug driver and the
EEH driver, leading to a variety of kernel oopses of the same general
nature:
<pcie device unplug>
<eeh driver trigger>
<hotplug removal trigger>
<pcie tree reconfiguration>
<eeh recovery next step>
<oops in EEH driver bus iteration loop>
A second class of oops is also seen when the underlying bus disappears
during device recovery.
Refactor the EEH module to be PCI rescan and remove safe. Also clean
up a few minor formatting / readability issues.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/1334208367.1359861.1752615503144.JavaMail.zimbra@raptorengineeringinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/eeh_driver.c | 48 +++++++++++++++++++++-----------
arch/powerpc/kernel/eeh_pe.c | 10 ++++---
2 files changed, 38 insertions(+), 20 deletions(-)
diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
index 665d847ef9b5..ed5be1bff60c 100644
--- a/arch/powerpc/kernel/eeh_driver.c
+++ b/arch/powerpc/kernel/eeh_driver.c
@@ -258,13 +258,12 @@ static void eeh_pe_report_edev(struct eeh_dev *edev, eeh_report_fn fn,
struct pci_driver *driver;
enum pci_ers_result new_result;
- pci_lock_rescan_remove();
pdev = edev->pdev;
if (pdev)
get_device(&pdev->dev);
- pci_unlock_rescan_remove();
if (!pdev) {
eeh_edev_info(edev, "no device");
+ *result = PCI_ERS_RESULT_DISCONNECT;
return;
}
device_lock(&pdev->dev);
@@ -305,8 +304,9 @@ static void eeh_pe_report(const char *name, struct eeh_pe *root,
struct eeh_dev *edev, *tmp;
pr_info("EEH: Beginning: '%s'\n", name);
- eeh_for_each_pe(root, pe) eeh_pe_for_each_dev(pe, edev, tmp)
- eeh_pe_report_edev(edev, fn, result);
+ eeh_for_each_pe(root, pe)
+ eeh_pe_for_each_dev(pe, edev, tmp)
+ eeh_pe_report_edev(edev, fn, result);
if (result)
pr_info("EEH: Finished:'%s' with aggregate recovery state:'%s'\n",
name, pci_ers_result_name(*result));
@@ -384,6 +384,8 @@ static void eeh_dev_restore_state(struct eeh_dev *edev, void *userdata)
if (!edev)
return;
+ pci_lock_rescan_remove();
+
/*
* The content in the config space isn't saved because
* the blocked config space on some adapters. We have
@@ -394,14 +396,19 @@ static void eeh_dev_restore_state(struct eeh_dev *edev, void *userdata)
if (list_is_last(&edev->entry, &edev->pe->edevs))
eeh_pe_restore_bars(edev->pe);
+ pci_unlock_rescan_remove();
return;
}
pdev = eeh_dev_to_pci_dev(edev);
- if (!pdev)
+ if (!pdev) {
+ pci_unlock_rescan_remove();
return;
+ }
pci_restore_state(pdev);
+
+ pci_unlock_rescan_remove();
}
/**
@@ -648,9 +655,7 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
if (any_passed || driver_eeh_aware || (pe->type & EEH_PE_VF)) {
eeh_pe_dev_traverse(pe, eeh_rmv_device, rmv_data);
} else {
- pci_lock_rescan_remove();
pci_hp_remove_devices(bus);
- pci_unlock_rescan_remove();
}
/*
@@ -666,8 +671,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
if (rc)
return rc;
- pci_lock_rescan_remove();
-
/* Restore PE */
eeh_ops->configure_bridge(pe);
eeh_pe_restore_bars(pe);
@@ -675,7 +678,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
/* Clear frozen state */
rc = eeh_clear_pe_frozen_state(pe, false);
if (rc) {
- pci_unlock_rescan_remove();
return rc;
}
@@ -710,7 +712,6 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
pe->tstamp = tstamp;
pe->freeze_count = cnt;
- pci_unlock_rescan_remove();
return 0;
}
@@ -844,10 +845,13 @@ void eeh_handle_normal_event(struct eeh_pe *pe)
{LIST_HEAD_INIT(rmv_data.removed_vf_list), 0};
int devices = 0;
+ pci_lock_rescan_remove();
+
bus = eeh_pe_bus_get(pe);
if (!bus) {
pr_err("%s: Cannot find PCI bus for PHB#%x-PE#%x\n",
__func__, pe->phb->global_number, pe->addr);
+ pci_unlock_rescan_remove();
return;
}
@@ -1089,10 +1093,15 @@ void eeh_handle_normal_event(struct eeh_pe *pe)
eeh_pe_state_clear(pe, EEH_PE_PRI_BUS, true);
eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED);
- pci_lock_rescan_remove();
- pci_hp_remove_devices(bus);
- pci_unlock_rescan_remove();
+ bus = eeh_pe_bus_get(pe);
+ if (bus)
+ pci_hp_remove_devices(bus);
+ else
+ pr_err("%s: PCI bus for PHB#%x-PE#%x disappeared\n",
+ __func__, pe->phb->global_number, pe->addr);
+
/* The passed PE should no longer be used */
+ pci_unlock_rescan_remove();
return;
}
@@ -1109,6 +1118,8 @@ void eeh_handle_normal_event(struct eeh_pe *pe)
eeh_clear_slot_attention(edev->pdev);
eeh_pe_state_clear(pe, EEH_PE_RECOVERING, true);
+
+ pci_unlock_rescan_remove();
}
/**
@@ -1127,6 +1138,7 @@ void eeh_handle_special_event(void)
unsigned long flags;
int rc;
+ pci_lock_rescan_remove();
do {
rc = eeh_ops->next_error(&pe);
@@ -1166,10 +1178,12 @@ void eeh_handle_special_event(void)
break;
case EEH_NEXT_ERR_NONE:
+ pci_unlock_rescan_remove();
return;
default:
pr_warn("%s: Invalid value %d from next_error()\n",
__func__, rc);
+ pci_unlock_rescan_remove();
return;
}
@@ -1181,7 +1195,9 @@ void eeh_handle_special_event(void)
if (rc == EEH_NEXT_ERR_FROZEN_PE ||
rc == EEH_NEXT_ERR_FENCED_PHB) {
eeh_pe_state_mark(pe, EEH_PE_RECOVERING);
+ pci_unlock_rescan_remove();
eeh_handle_normal_event(pe);
+ pci_lock_rescan_remove();
} else {
eeh_for_each_pe(pe, tmp_pe)
eeh_pe_for_each_dev(tmp_pe, edev, tmp_edev)
@@ -1194,7 +1210,6 @@ void eeh_handle_special_event(void)
eeh_report_failure, NULL);
eeh_set_channel_state(pe, pci_channel_io_perm_failure);
- pci_lock_rescan_remove();
list_for_each_entry(hose, &hose_list, list_node) {
phb_pe = eeh_phb_pe_get(hose);
if (!phb_pe ||
@@ -1213,7 +1228,6 @@ void eeh_handle_special_event(void)
}
pci_hp_remove_devices(bus);
}
- pci_unlock_rescan_remove();
}
/*
@@ -1223,4 +1237,6 @@ void eeh_handle_special_event(void)
if (rc == EEH_NEXT_ERR_DEAD_IOC)
break;
} while (rc != EEH_NEXT_ERR_NONE);
+
+ pci_unlock_rescan_remove();
}
diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c
index 3f55e372f259..fea58e9546f9 100644
--- a/arch/powerpc/kernel/eeh_pe.c
+++ b/arch/powerpc/kernel/eeh_pe.c
@@ -670,10 +670,12 @@ static void eeh_bridge_check_link(struct eeh_dev *edev)
eeh_ops->write_config(edev, cap + PCI_EXP_LNKCTL, 2, val);
/* Check link */
- if (!edev->pdev->link_active_reporting) {
- eeh_edev_dbg(edev, "No link reporting capability\n");
- msleep(1000);
- return;
+ if (edev->pdev) {
+ if (!edev->pdev->link_active_reporting) {
+ eeh_edev_dbg(edev, "No link reporting capability\n");
+ msleep(1000);
+ return;
+ }
}
/* Wait the link is up until timeout (5s) */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 225/644] PCI: pnv_php: Fix surprise plug detection and recovery
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 224/644] powerpc/eeh: Make EEH driver device hotplug safe Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 226/644] pNFS/flexfiles: dont attempt pnfs on fatal DS errors Greg Kroah-Hartman
` (424 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timothy Pearson, Bjorn Helgaas,
Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timothy Pearson <tpearson@raptorengineering.com>
[ Upstream commit a2a2a6fc2469524caa713036297c542746d148dc ]
The existing PowerNV hotplug code did not handle surprise plug events
correctly, leading to a complete failure of the hotplug system after device
removal and a required reboot to detect new devices.
This comes down to two issues:
1) When a device is surprise removed, often the bridge upstream
port will cause a PE freeze on the PHB. If this freeze is not
cleared, the MSI interrupts from the bridge hotplug notification
logic will not be received by the kernel, stalling all plug events
on all slots associated with the PE.
2) When a device is removed from a slot, regardless of surprise or
programmatic removal, the associated PHB/PE ls left frozen.
If this freeze is not cleared via a fundamental reset, skiboot
is unable to clear the freeze and cannot retrain / rescan the
slot. This also requires a reboot to clear the freeze and redetect
the device in the slot.
Issue the appropriate unfreeze and rescan commands on hotplug events,
and don't oops on hotplug if pci_bus_to_OF_node() returns NULL.
Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
[bhelgaas: tidy comments]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/171044224.1359864.1752615546988.JavaMail.zimbra@raptorengineeringinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/pci-hotplug.c | 3 +
drivers/pci/hotplug/pnv_php.c | 110 +++++++++++++++++++++++++++++-
2 files changed, 110 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/kernel/pci-hotplug.c b/arch/powerpc/kernel/pci-hotplug.c
index 2fc12198ec07..62de678f9f50 100644
--- a/arch/powerpc/kernel/pci-hotplug.c
+++ b/arch/powerpc/kernel/pci-hotplug.c
@@ -110,6 +110,9 @@ void pci_hp_add_devices(struct pci_bus *bus)
struct pci_controller *phb;
struct device_node *dn = pci_bus_to_OF_node(bus);
+ if (!dn)
+ return;
+
phb = pci_bus_to_host(bus);
mode = PCI_PROBE_NORMAL;
diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
index f99987f26ff0..9ff979678644 100644
--- a/drivers/pci/hotplug/pnv_php.c
+++ b/drivers/pci/hotplug/pnv_php.c
@@ -4,11 +4,13 @@
*
* Copyright Gavin Shan, IBM Corporation 2016.
* Copyright (C) 2025 Raptor Engineering, LLC
+ * Copyright (C) 2025 Raptor Computing Systems, LLC
*/
#include <linux/libfdt.h>
#include <linux/module.h>
#include <linux/pci.h>
+#include <linux/delay.h>
#include <linux/pci_hotplug.h>
#include <asm/opal.h>
@@ -467,6 +469,61 @@ static int pnv_php_set_attention_state(struct hotplug_slot *slot, u8 state)
return 0;
}
+static int pnv_php_activate_slot(struct pnv_php_slot *php_slot,
+ struct hotplug_slot *slot)
+{
+ int ret, i;
+
+ /*
+ * Issue initial slot activation command to firmware
+ *
+ * Firmware will power slot on, attempt to train the link, and
+ * discover any downstream devices. If this process fails, firmware
+ * will return an error code and an invalid device tree. Failure
+ * can be caused for multiple reasons, including a faulty
+ * downstream device, poor connection to the downstream device, or
+ * a previously latched PHB fence. On failure, issue fundamental
+ * reset up to three times before aborting.
+ */
+ ret = pnv_php_set_slot_power_state(slot, OPAL_PCI_SLOT_POWER_ON);
+ if (ret) {
+ SLOT_WARN(
+ php_slot,
+ "PCI slot activation failed with error code %d, possible frozen PHB",
+ ret);
+ SLOT_WARN(
+ php_slot,
+ "Attempting complete PHB reset before retrying slot activation\n");
+ for (i = 0; i < 3; i++) {
+ /*
+ * Slot activation failed, PHB may be fenced from a
+ * prior device failure.
+ *
+ * Use the OPAL fundamental reset call to both try a
+ * device reset and clear any potentially active PHB
+ * fence / freeze.
+ */
+ SLOT_WARN(php_slot, "Try %d...\n", i + 1);
+ pci_set_pcie_reset_state(php_slot->pdev,
+ pcie_warm_reset);
+ msleep(250);
+ pci_set_pcie_reset_state(php_slot->pdev,
+ pcie_deassert_reset);
+
+ ret = pnv_php_set_slot_power_state(
+ slot, OPAL_PCI_SLOT_POWER_ON);
+ if (!ret)
+ break;
+ }
+
+ if (i >= 3)
+ SLOT_WARN(php_slot,
+ "Failed to bring slot online, aborting!\n");
+ }
+
+ return ret;
+}
+
static int pnv_php_enable(struct pnv_php_slot *php_slot, bool rescan)
{
struct hotplug_slot *slot = &php_slot->slot;
@@ -529,7 +586,7 @@ static int pnv_php_enable(struct pnv_php_slot *php_slot, bool rescan)
goto scan;
/* Power is off, turn it on and then scan the slot */
- ret = pnv_php_set_slot_power_state(slot, OPAL_PCI_SLOT_POWER_ON);
+ ret = pnv_php_activate_slot(php_slot, slot);
if (ret)
return ret;
@@ -836,16 +893,63 @@ static int pnv_php_enable_msix(struct pnv_php_slot *php_slot)
return entry.vector;
}
+static void
+pnv_php_detect_clear_suprise_removal_freeze(struct pnv_php_slot *php_slot)
+{
+ struct pci_dev *pdev = php_slot->pdev;
+ struct eeh_dev *edev;
+ struct eeh_pe *pe;
+ int i, rc;
+
+ /*
+ * When a device is surprise removed from a downstream bridge slot,
+ * the upstream bridge port can still end up frozen due to related EEH
+ * events, which will in turn block the MSI interrupts for slot hotplug
+ * detection.
+ *
+ * Detect and thaw any frozen upstream PE after slot deactivation.
+ */
+ edev = pci_dev_to_eeh_dev(pdev);
+ pe = edev ? edev->pe : NULL;
+ rc = eeh_pe_get_state(pe);
+ if ((rc == -ENODEV) || (rc == -ENOENT)) {
+ SLOT_WARN(
+ php_slot,
+ "Upstream bridge PE state unknown, hotplug detect may fail\n");
+ } else {
+ if (pe->state & EEH_PE_ISOLATED) {
+ SLOT_WARN(
+ php_slot,
+ "Upstream bridge PE %02x frozen, thawing...\n",
+ pe->addr);
+ for (i = 0; i < 3; i++)
+ if (!eeh_unfreeze_pe(pe))
+ break;
+ if (i >= 3)
+ SLOT_WARN(
+ php_slot,
+ "Unable to thaw PE %02x, hotplug detect will fail!\n",
+ pe->addr);
+ else
+ SLOT_WARN(php_slot,
+ "PE %02x thawed successfully\n",
+ pe->addr);
+ }
+ }
+}
+
static void pnv_php_event_handler(struct work_struct *work)
{
struct pnv_php_event *event =
container_of(work, struct pnv_php_event, work);
struct pnv_php_slot *php_slot = event->php_slot;
- if (event->added)
+ if (event->added) {
pnv_php_enable_slot(&php_slot->slot);
- else
+ } else {
pnv_php_disable_slot(&php_slot->slot);
+ pnv_php_detect_clear_suprise_removal_freeze(php_slot);
+ }
kfree(event);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 226/644] pNFS/flexfiles: dont attempt pnfs on fatal DS errors
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 225/644] PCI: pnv_php: Fix surprise plug detection and recovery Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 227/644] NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() Greg Kroah-Hartman
` (423 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tigran Mkrtchyan, Trond Myklebust,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
[ Upstream commit f06bedfa62d57f7b67d44aacd6badad2e13a803f ]
When an applications get killed (SIGTERM/SIGINT) while pNFS client performs a connection
to DS, client ends in an infinite loop of connect-disconnect. This
source of the issue, it that flexfilelayoutdev#nfs4_ff_layout_prepare_ds gets an error
on nfs4_pnfs_ds_connect with status ERESTARTSYS, which is set by rpc_signal_task, but
the error is treated as transient, thus retried.
The issue is reproducible with Ctrl+C the following script(there should be ~1000 files in
a directory, client should must not have any connections to DSes):
```
echo 3 > /proc/sys/vm/drop_caches
for i in *
do
head -1 $i
done
```
The change aims to propagate the nfs4_ff_layout_prepare_ds error state
to the caller that can decide whatever this is a retryable error or not.
Signed-off-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
Link: https://lore.kernel.org/r/20250627071751.189663-1-tigran.mkrtchyan@desy.de
Fixes: 260f32adb88d ("pNFS/flexfiles: Check the result of nfs4_pnfs_ds_connect")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/flexfilelayout/flexfilelayout.c | 26 ++++++++++++++---------
fs/nfs/flexfilelayout/flexfilelayoutdev.c | 6 +++---
2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
index 7a568d2de472..14c7de8fd781 100644
--- a/fs/nfs/flexfilelayout/flexfilelayout.c
+++ b/fs/nfs/flexfilelayout/flexfilelayout.c
@@ -739,14 +739,14 @@ ff_layout_choose_ds_for_read(struct pnfs_layout_segment *lseg,
{
struct nfs4_ff_layout_segment *fls = FF_LAYOUT_LSEG(lseg);
struct nfs4_ff_layout_mirror *mirror;
- struct nfs4_pnfs_ds *ds;
+ struct nfs4_pnfs_ds *ds = ERR_PTR(-EAGAIN);
u32 idx;
/* mirrors are initially sorted by efficiency */
for (idx = start_idx; idx < fls->mirror_array_cnt; idx++) {
mirror = FF_LAYOUT_COMP(lseg, idx);
ds = nfs4_ff_layout_prepare_ds(lseg, mirror, false);
- if (!ds)
+ if (IS_ERR(ds))
continue;
if (check_device &&
@@ -754,10 +754,10 @@ ff_layout_choose_ds_for_read(struct pnfs_layout_segment *lseg,
continue;
*best_idx = idx;
- return ds;
+ break;
}
- return NULL;
+ return ds;
}
static struct nfs4_pnfs_ds *
@@ -933,7 +933,7 @@ ff_layout_pg_init_write(struct nfs_pageio_descriptor *pgio,
for (i = 0; i < pgio->pg_mirror_count; i++) {
mirror = FF_LAYOUT_COMP(pgio->pg_lseg, i);
ds = nfs4_ff_layout_prepare_ds(pgio->pg_lseg, mirror, true);
- if (!ds) {
+ if (IS_ERR(ds)) {
if (!ff_layout_no_fallback_to_mds(pgio->pg_lseg))
goto out_mds;
pnfs_generic_pg_cleanup(pgio);
@@ -1826,6 +1826,7 @@ ff_layout_read_pagelist(struct nfs_pgio_header *hdr)
u32 idx = hdr->pgio_mirror_idx;
int vers;
struct nfs_fh *fh;
+ bool ds_fatal_error = false;
dprintk("--> %s ino %lu pgbase %u req %zu@%llu\n",
__func__, hdr->inode->i_ino,
@@ -1833,8 +1834,10 @@ ff_layout_read_pagelist(struct nfs_pgio_header *hdr)
mirror = FF_LAYOUT_COMP(lseg, idx);
ds = nfs4_ff_layout_prepare_ds(lseg, mirror, false);
- if (!ds)
+ if (IS_ERR(ds)) {
+ ds_fatal_error = nfs_error_is_fatal(PTR_ERR(ds));
goto out_failed;
+ }
ds_clnt = nfs4_ff_find_or_create_ds_client(mirror, ds->ds_clp,
hdr->inode);
@@ -1875,7 +1878,7 @@ ff_layout_read_pagelist(struct nfs_pgio_header *hdr)
return PNFS_ATTEMPTED;
out_failed:
- if (ff_layout_avoid_mds_available_ds(lseg))
+ if (ff_layout_avoid_mds_available_ds(lseg) && !ds_fatal_error)
return PNFS_TRY_AGAIN;
trace_pnfs_mds_fallback_read_pagelist(hdr->inode,
hdr->args.offset, hdr->args.count,
@@ -1896,11 +1899,14 @@ ff_layout_write_pagelist(struct nfs_pgio_header *hdr, int sync)
int vers;
struct nfs_fh *fh;
u32 idx = hdr->pgio_mirror_idx;
+ bool ds_fatal_error = false;
mirror = FF_LAYOUT_COMP(lseg, idx);
ds = nfs4_ff_layout_prepare_ds(lseg, mirror, true);
- if (!ds)
+ if (IS_ERR(ds)) {
+ ds_fatal_error = nfs_error_is_fatal(PTR_ERR(ds));
goto out_failed;
+ }
ds_clnt = nfs4_ff_find_or_create_ds_client(mirror, ds->ds_clp,
hdr->inode);
@@ -1943,7 +1949,7 @@ ff_layout_write_pagelist(struct nfs_pgio_header *hdr, int sync)
return PNFS_ATTEMPTED;
out_failed:
- if (ff_layout_avoid_mds_available_ds(lseg))
+ if (ff_layout_avoid_mds_available_ds(lseg) && !ds_fatal_error)
return PNFS_TRY_AGAIN;
trace_pnfs_mds_fallback_write_pagelist(hdr->inode,
hdr->args.offset, hdr->args.count,
@@ -1985,7 +1991,7 @@ static int ff_layout_initiate_commit(struct nfs_commit_data *data, int how)
idx = calc_ds_index_from_commit(lseg, data->ds_commit_index);
mirror = FF_LAYOUT_COMP(lseg, idx);
ds = nfs4_ff_layout_prepare_ds(lseg, mirror, true);
- if (!ds)
+ if (IS_ERR(ds))
goto out_err;
ds_clnt = nfs4_ff_find_or_create_ds_client(mirror, ds->ds_clp,
diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
index 4b0cdddce6eb..11777d33a85e 100644
--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
@@ -368,11 +368,11 @@ nfs4_ff_layout_prepare_ds(struct pnfs_layout_segment *lseg,
struct nfs4_ff_layout_mirror *mirror,
bool fail_return)
{
- struct nfs4_pnfs_ds *ds = NULL;
+ struct nfs4_pnfs_ds *ds;
struct inode *ino = lseg->pls_layout->plh_inode;
struct nfs_server *s = NFS_SERVER(ino);
unsigned int max_payload;
- int status;
+ int status = -EAGAIN;
if (!ff_layout_init_mirror_ds(lseg->pls_layout, mirror))
goto noconnect;
@@ -410,7 +410,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_layout_segment *lseg,
ff_layout_send_layouterror(lseg);
if (fail_return || !ff_layout_has_available_ds(lseg))
pnfs_error_mark_layout_for_return(ino, lseg);
- ds = NULL;
+ ds = ERR_PTR(status);
out:
return ds;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 227/644] NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 226/644] pNFS/flexfiles: dont attempt pnfs on fatal DS errors Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 228/644] NFSv4.2: another fix for listxattr Greg Kroah-Hartman
` (422 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, zhangjian, Trond Myklebust,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit ef93a685e01a281b5e2a25ce4e3428cf9371a205 ]
The function needs to check the minimal filehandle length before it can
access the embedded filehandle.
Reported-by: zhangjian <zhangjian496@huawei.com>
Fixes: 20fa19027286 ("nfs: add export operations")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/export.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/export.c b/fs/nfs/export.c
index eafa9d7b0911..6bbe92a4eb0c 100644
--- a/fs/nfs/export.c
+++ b/fs/nfs/export.c
@@ -67,14 +67,21 @@ nfs_fh_to_dentry(struct super_block *sb, struct fid *fid,
struct nfs4_label *label = NULL;
struct nfs_fattr *fattr = NULL;
struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw);
- size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
+ size_t fh_size = offsetof(struct nfs_fh, data);
const struct nfs_rpc_ops *rpc_ops;
struct dentry *dentry;
struct inode *inode;
- int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
+ int len = EMBED_FH_OFF;
u32 *p = fid->raw;
int ret;
+ /* Initial check of bounds */
+ if (fh_len < len + XDR_QUADLEN(fh_size) ||
+ fh_len > XDR_QUADLEN(NFS_MAXFHSIZE))
+ return NULL;
+ /* Calculate embedded filehandle size */
+ fh_size += server_fh->size;
+ len += XDR_QUADLEN(fh_size);
/* NULL translates to ESTALE */
if (fh_len < len || fh_type != len)
return NULL;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 228/644] NFSv4.2: another fix for listxattr
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 227/644] NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 229/644] XArray: Add calls to might_alloc() Greg Kroah-Hartman
` (421 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, Trond Myklebust,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olga Kornievskaia <okorniev@redhat.com>
[ Upstream commit 9acb237deff7667b0f6b10fe6b1b70c4429ea049 ]
Currently, when the server supports NFS4.1 security labels then
security.selinux label in included twice. Instead, only add it
when the server doesn't possess security label support.
Fixes: 243fea134633 ("NFSv4.2: fix listxattr to return selinux security label")
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Link: https://lore.kernel.org/r/20250722205641.79394-1-okorniev@redhat.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs4proc.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 9d4e4146efef..528e904f5475 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -10528,7 +10528,7 @@ const struct nfs4_minor_version_ops *nfs_v4_minor_ops[] = {
static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
{
- ssize_t error, error2, error3, error4;
+ ssize_t error, error2, error3, error4 = 0;
size_t left = size;
error = generic_listxattr(dentry, list, left);
@@ -10556,9 +10556,11 @@ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
left -= error3;
}
- error4 = security_inode_listsecurity(d_inode(dentry), list, left);
- if (error4 < 0)
- return error4;
+ if (!nfs_server_capable(d_inode(dentry), NFS_CAP_SECURITY_LABEL)) {
+ error4 = security_inode_listsecurity(d_inode(dentry), list, left);
+ if (error4 < 0)
+ return error4;
+ }
error += error2 + error3 + error4;
if (size && error > size)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 229/644] XArray: Add calls to might_alloc()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 228/644] NFSv4.2: another fix for listxattr Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 230/644] NFS: Fixup allocation flags for nfsiods __GFP_NORETRY Greg Kroah-Hartman
` (420 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikolay Borisov,
Matthew Wilcox (Oracle), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
[ Upstream commit 1dd685c414a7b9fdb3d23aca3aedae84f0b998ae ]
Catch bogus GFP flags deterministically, instead of occasionally
when we actually have to allocate memory.
Reported-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Stable-dep-of: 99765233ab42 ("NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/xarray.h | 15 +++++++++++++++
tools/include/linux/sched/mm.h | 2 ++
2 files changed, 17 insertions(+)
diff --git a/include/linux/xarray.h b/include/linux/xarray.h
index a91e3d90df8a..549f222a2a6f 100644
--- a/include/linux/xarray.h
+++ b/include/linux/xarray.h
@@ -15,6 +15,7 @@
#include <linux/kconfig.h>
#include <linux/kernel.h>
#include <linux/rcupdate.h>
+#include <linux/sched/mm.h>
#include <linux/spinlock.h>
#include <linux/types.h>
@@ -585,6 +586,7 @@ static inline void *xa_store_bh(struct xarray *xa, unsigned long index,
{
void *curr;
+ might_alloc(gfp);
xa_lock_bh(xa);
curr = __xa_store(xa, index, entry, gfp);
xa_unlock_bh(xa);
@@ -611,6 +613,7 @@ static inline void *xa_store_irq(struct xarray *xa, unsigned long index,
{
void *curr;
+ might_alloc(gfp);
xa_lock_irq(xa);
curr = __xa_store(xa, index, entry, gfp);
xa_unlock_irq(xa);
@@ -686,6 +689,7 @@ static inline void *xa_cmpxchg(struct xarray *xa, unsigned long index,
{
void *curr;
+ might_alloc(gfp);
xa_lock(xa);
curr = __xa_cmpxchg(xa, index, old, entry, gfp);
xa_unlock(xa);
@@ -713,6 +717,7 @@ static inline void *xa_cmpxchg_bh(struct xarray *xa, unsigned long index,
{
void *curr;
+ might_alloc(gfp);
xa_lock_bh(xa);
curr = __xa_cmpxchg(xa, index, old, entry, gfp);
xa_unlock_bh(xa);
@@ -740,6 +745,7 @@ static inline void *xa_cmpxchg_irq(struct xarray *xa, unsigned long index,
{
void *curr;
+ might_alloc(gfp);
xa_lock_irq(xa);
curr = __xa_cmpxchg(xa, index, old, entry, gfp);
xa_unlock_irq(xa);
@@ -769,6 +775,7 @@ static inline int __must_check xa_insert(struct xarray *xa,
{
int err;
+ might_alloc(gfp);
xa_lock(xa);
err = __xa_insert(xa, index, entry, gfp);
xa_unlock(xa);
@@ -798,6 +805,7 @@ static inline int __must_check xa_insert_bh(struct xarray *xa,
{
int err;
+ might_alloc(gfp);
xa_lock_bh(xa);
err = __xa_insert(xa, index, entry, gfp);
xa_unlock_bh(xa);
@@ -827,6 +835,7 @@ static inline int __must_check xa_insert_irq(struct xarray *xa,
{
int err;
+ might_alloc(gfp);
xa_lock_irq(xa);
err = __xa_insert(xa, index, entry, gfp);
xa_unlock_irq(xa);
@@ -856,6 +865,7 @@ static inline __must_check int xa_alloc(struct xarray *xa, u32 *id,
{
int err;
+ might_alloc(gfp);
xa_lock(xa);
err = __xa_alloc(xa, id, entry, limit, gfp);
xa_unlock(xa);
@@ -885,6 +895,7 @@ static inline int __must_check xa_alloc_bh(struct xarray *xa, u32 *id,
{
int err;
+ might_alloc(gfp);
xa_lock_bh(xa);
err = __xa_alloc(xa, id, entry, limit, gfp);
xa_unlock_bh(xa);
@@ -914,6 +925,7 @@ static inline int __must_check xa_alloc_irq(struct xarray *xa, u32 *id,
{
int err;
+ might_alloc(gfp);
xa_lock_irq(xa);
err = __xa_alloc(xa, id, entry, limit, gfp);
xa_unlock_irq(xa);
@@ -947,6 +959,7 @@ static inline int xa_alloc_cyclic(struct xarray *xa, u32 *id, void *entry,
{
int err;
+ might_alloc(gfp);
xa_lock(xa);
err = __xa_alloc_cyclic(xa, id, entry, limit, next, gfp);
xa_unlock(xa);
@@ -980,6 +993,7 @@ static inline int xa_alloc_cyclic_bh(struct xarray *xa, u32 *id, void *entry,
{
int err;
+ might_alloc(gfp);
xa_lock_bh(xa);
err = __xa_alloc_cyclic(xa, id, entry, limit, next, gfp);
xa_unlock_bh(xa);
@@ -1013,6 +1027,7 @@ static inline int xa_alloc_cyclic_irq(struct xarray *xa, u32 *id, void *entry,
{
int err;
+ might_alloc(gfp);
xa_lock_irq(xa);
err = __xa_alloc_cyclic(xa, id, entry, limit, next, gfp);
xa_unlock_irq(xa);
diff --git a/tools/include/linux/sched/mm.h b/tools/include/linux/sched/mm.h
index c8d9f19c1f35..967294b8edcf 100644
--- a/tools/include/linux/sched/mm.h
+++ b/tools/include/linux/sched/mm.h
@@ -1,4 +1,6 @@
#ifndef _TOOLS_PERF_LINUX_SCHED_MM_H
#define _TOOLS_PERF_LINUX_SCHED_MM_H
+#define might_alloc(gfp) do { } while (0)
+
#endif /* _TOOLS_PERF_LINUX_SCHED_MM_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 230/644] NFS: Fixup allocation flags for nfsiods __GFP_NORETRY
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 229/644] XArray: Add calls to might_alloc() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 231/644] netpoll: prevent hanging NAPI when netcons gets enabled Greg Kroah-Hartman
` (419 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Benjamin Coddington,
Laurence Oberman, Jeff Layton, Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Coddington <bcodding@redhat.com>
[ Upstream commit 99765233ab42bf7a4950377ad7894dce8a5c0e60 ]
If the NFS client is doing writeback from a workqueue context, avoid using
__GFP_NORETRY for allocations if the task has set PF_MEMALLOC_NOIO or
PF_MEMALLOC_NOFS. The combination of these flags makes memory allocation
failures much more likely.
We've seen those allocation failures show up when the loopback driver is
doing writeback from a workqueue to a file on NFS, where memory allocation
failure results in errors or corruption within the loopback device's
filesystem.
Suggested-by: Trond Myklebust <trondmy@kernel.org>
Fixes: 0bae835b63c5 ("NFS: Avoid writeback threads getting stuck in mempool_alloc()")
Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Reviewed-by: Laurence Oberman <loberman@redhat.com>
Tested-by: Laurence Oberman <loberman@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Link: https://lore.kernel.org/r/f83ac1155a4bc670f2663959a7a068571e06afd9.1752111622.git.bcodding@redhat.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/internal.h | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
index a6d0b64dda36..76605eb93609 100644
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -581,9 +581,12 @@ nfs_write_match_verf(const struct nfs_writeverf *verf,
static inline gfp_t nfs_io_gfp_mask(void)
{
- if (current->flags & PF_WQ_WORKER)
- return GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN;
- return GFP_KERNEL;
+ gfp_t ret = current_gfp_context(GFP_KERNEL);
+
+ /* For workers __GFP_NORETRY only with __GFP_IO or __GFP_FS */
+ if ((current->flags & PF_WQ_WORKER) && ret == GFP_KERNEL)
+ ret |= __GFP_NORETRY | __GFP_NOWARN;
+ return ret;
}
/* unlink.c */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 231/644] netpoll: prevent hanging NAPI when netcons gets enabled
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 230/644] NFS: Fixup allocation flags for nfsiods __GFP_NORETRY Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 232/644] phy: mscc: Fix parsing of unicast frames Greg Kroah-Hartman
` (418 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Jason Wang, Xuan Zhuo,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 2da4def0f487f24bbb0cece3bb2bcdcb918a0b72 ]
Paolo spotted hangs in NIPA running driver tests against virtio.
The tests hang in virtnet_close() -> virtnet_napi_tx_disable().
The problem is only reproducible if running multiple of our tests
in sequence (I used TEST_PROGS="xdp.py ping.py netcons_basic.sh \
netpoll_basic.py stats.py"). Initial suspicion was that this is
a simple case of double-disable of NAPI, but instrumenting the
code reveals:
Deadlocked on NAPI ffff888007cd82c0 (virtnet_poll_tx):
state: 0x37, disabled: false, owner: 0, listed: false, weight: 64
The NAPI was not in fact disabled, owner is 0 (rather than -1),
so the NAPI "thinks" it's scheduled for CPU 0 but it's not listed
(!list_empty(&n->poll_list) => false). It seems odd that normal NAPI
processing would wedge itself like this.
Better suspicion is that netpoll gets enabled while NAPI is polling,
and also grabs the NAPI instance. This confuses napi_complete_done():
[netpoll] [normal NAPI]
napi_poll()
have = netpoll_poll_lock()
rcu_access_pointer(dev->npinfo)
return NULL # no netpoll
__napi_poll()
->poll(->weight)
poll_napi()
cmpxchg(->poll_owner, -1, cpu)
poll_one_napi()
set_bit(NAPI_STATE_NPSVC, ->state)
napi_complete_done()
if (NAPIF_STATE_NPSVC)
return false
# exit without clearing SCHED
This feels very unlikely, but perhaps virtio has some interactions
with the hypervisor in the NAPI ->poll that makes the race window
larger?
Best I could to to prove the theory was to add and trigger this
warning in napi_poll (just before netpoll_poll_unlock()):
WARN_ONCE(!have && rcu_access_pointer(n->dev->npinfo) &&
napi_is_scheduled(n) && list_empty(&n->poll_list),
"NAPI race with netpoll %px", n);
If this warning hits the next virtio_close() will hang.
This patch survived 30 test iterations without a hang (without it
the longest clean run was around 10). Credit for triggering this
goes to Breno's recent netconsole tests.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/c5a93ed1-9abe-4880-a3bb-8d1678018b1d@redhat.com
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Link: https://patch.msgid.link/20250726010846.1105875-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/netpoll.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 87f5a837410c..c900badd5325 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -800,6 +800,13 @@ int netpoll_setup(struct netpoll *np)
goto put;
rtnl_unlock();
+
+ /* Make sure all NAPI polls which started before dev->npinfo
+ * was visible have exited before we start calling NAPI poll.
+ * NAPI skips locking if dev->npinfo is NULL.
+ */
+ synchronize_rcu();
+
return 0;
put:
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 232/644] phy: mscc: Fix parsing of unicast frames
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 231/644] netpoll: prevent hanging NAPI when netcons gets enabled Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 233/644] pptp: ensure minimal skb length in pptp_xmit() Greg Kroah-Hartman
` (417 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Horatiu Vultur, Andrew Lunn,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit 6fb5ff63b35b7e849cc8510957f25753f87f63d2 ]
According to the 1588 standard, it is possible to use both unicast and
multicast frames to send the PTP information. It was noticed that if the
frames were unicast they were not processed by the analyzer meaning that
they were not timestamped. Therefore fix this to match also these
unicast frames.
Fixes: ab2bf9339357 ("net: phy: mscc: 1588 block initialization")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250726140307.3039694-1-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc_ptp.c | 1 +
drivers/net/phy/mscc/mscc_ptp.h | 1 +
2 files changed, 2 insertions(+)
diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
index 7a3a8cce02d3..92f59c964409 100644
--- a/drivers/net/phy/mscc/mscc_ptp.c
+++ b/drivers/net/phy/mscc/mscc_ptp.c
@@ -897,6 +897,7 @@ static int vsc85xx_eth1_conf(struct phy_device *phydev, enum ts_blk blk,
get_unaligned_be32(ptp_multicast));
} else {
val |= ANA_ETH1_FLOW_ADDR_MATCH2_ANY_MULTICAST;
+ val |= ANA_ETH1_FLOW_ADDR_MATCH2_ANY_UNICAST;
vsc85xx_ts_write_csr(phydev, blk,
MSCC_ANA_ETH1_FLOW_ADDR_MATCH2(0), val);
vsc85xx_ts_write_csr(phydev, blk,
diff --git a/drivers/net/phy/mscc/mscc_ptp.h b/drivers/net/phy/mscc/mscc_ptp.h
index da3465360e90..ae9ad925bfa8 100644
--- a/drivers/net/phy/mscc/mscc_ptp.h
+++ b/drivers/net/phy/mscc/mscc_ptp.h
@@ -98,6 +98,7 @@
#define MSCC_ANA_ETH1_FLOW_ADDR_MATCH2(x) (MSCC_ANA_ETH1_FLOW_ENA(x) + 3)
#define ANA_ETH1_FLOW_ADDR_MATCH2_MASK_MASK GENMASK(22, 20)
#define ANA_ETH1_FLOW_ADDR_MATCH2_ANY_MULTICAST 0x400000
+#define ANA_ETH1_FLOW_ADDR_MATCH2_ANY_UNICAST 0x200000
#define ANA_ETH1_FLOW_ADDR_MATCH2_FULL_ADDR 0x100000
#define ANA_ETH1_FLOW_ADDR_MATCH2_SRC_DEST_MASK GENMASK(17, 16)
#define ANA_ETH1_FLOW_ADDR_MATCH2_SRC_DEST 0x020000
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 233/644] pptp: ensure minimal skb length in pptp_xmit()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 232/644] phy: mscc: Fix parsing of unicast frames Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 234/644] net/mlx5: Correctly set gso_segs when LRO is used Greg Kroah-Hartman
` (416 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+afad90ffc8645324afe5,
Eric Dumazet, Dawid Osuchowski, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit de9c4861fb42f0cd72da844c3c34f692d5895b7b ]
Commit aabc6596ffb3 ("net: ppp: Add bound checking for skb data
on ppp_sync_txmung") fixed ppp_sync_txmunge()
We need a similar fix in pptp_xmit(), otherwise we might
read uninit data as reported by syzbot.
BUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193
pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193
ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline]
ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314
pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379
sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148
__release_sock+0x1d3/0x330 net/core/sock.c:3213
release_sock+0x6b/0x270 net/core/sock.c:3767
pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x330/0x3d0 net/socket.c:727
____sys_sendmsg+0x893/0xd80 net/socket.c:2566
___sys_sendmsg+0x271/0x3b0 net/socket.c:2620
__sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+afad90ffc8645324afe5@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/68887d86.a00a0220.b12ec.00cd.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Link: https://patch.msgid.link/20250729080207.1863408-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/pptp.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index 32183f24e63f..951dac268adb 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -159,9 +159,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
int len;
unsigned char *data;
__u32 seq_recv;
-
-
- struct rtable *rt;
+ struct rtable *rt = NULL;
struct net_device *tdev;
struct iphdr *iph;
int max_headroom;
@@ -179,16 +177,20 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
if (skb_headroom(skb) < max_headroom || skb_cloned(skb) || skb_shared(skb)) {
struct sk_buff *new_skb = skb_realloc_headroom(skb, max_headroom);
- if (!new_skb) {
- ip_rt_put(rt);
+
+ if (!new_skb)
goto tx_error;
- }
+
if (skb->sk)
skb_set_owner_w(new_skb, skb->sk);
consume_skb(skb);
skb = new_skb;
}
+ /* Ensure we can safely access protocol field and LCP code */
+ if (!pskb_may_pull(skb, 3))
+ goto tx_error;
+
data = skb->data;
islcp = ((data[0] << 8) + data[1]) == PPP_LCP && 1 <= data[2] && data[2] <= 7;
@@ -262,6 +264,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
return 1;
tx_error:
+ ip_rt_put(rt);
kfree_skb(skb);
return 1;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 234/644] net/mlx5: Correctly set gso_segs when LRO is used
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 233/644] pptp: ensure minimal skb length in pptp_xmit() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 235/644] ipv6: reject malicious packets in ipv6_gso_segment() Greg Kroah-Hartman
` (415 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Christoph Paasch,
Eric Dumazet, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Paasch <cpaasch@openai.com>
[ Upstream commit 77bf1c55b2acc7fa3734b14f4561e3d75aea1a90 ]
When gso_segs is left at 0, a number of assumptions will end up being
incorrect throughout the stack.
For example, in the GRO-path, we set NAPI_GRO_CB()->count to gso_segs.
So, if a non-LRO'ed packet followed by an LRO'ed packet is being
processed in GRO, the first one will have NAPI_GRO_CB()->count set to 1 and
the next one to 0 (in dev_gro_receive()).
Since commit 531d0d32de3e
("net/mlx5: Correctly set gso_size when LRO is used")
these packets will get merged (as their gso_size now matches).
So, we end up in gro_complete() with NAPI_GRO_CB()->count == 1 and thus
don't call inet_gro_complete(). Meaning, checksum-validation in
tcp_checksum_complete() will fail with a "hw csum failure".
Even before the above mentioned commit, incorrect gso_segs means that other
things like TCP's accounting of incoming packets (tp->segs_in,
data_segs_in, rcv_ooopack) will be incorrect. Which means that if one
does bytes_received/data_segs_in, the result will be bigger than the
MTU.
Fix this by initializing gso_segs correctly when LRO is used.
Fixes: e586b3b0baee ("net/mlx5: Ethernet Datapath files")
Reported-by: Gal Pressman <gal@nvidia.com>
Closes: https://lore.kernel.org/netdev/6583783f-f0fb-4fb1-a415-feec8155bc69@nvidia.com/
Signed-off-by: Christoph Paasch <cpaasch@openai.com>
Reviewed-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250729-mlx5_gso_segs-v1-1-b48c480c1c12@openai.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -1061,6 +1061,7 @@ static inline void mlx5e_build_rx_skb(st
unsigned int hdrlen = mlx5e_lro_update_hdr(skb, cqe, cqe_bcnt);
skb_shinfo(skb)->gso_size = DIV_ROUND_UP(cqe_bcnt - hdrlen, lro_num_seg);
+ skb_shinfo(skb)->gso_segs = lro_num_seg;
/* Subtract one since we already counted this as one
* "regular" packet in mlx5e_complete_rx_cqe()
*/
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 235/644] ipv6: reject malicious packets in ipv6_gso_segment()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 234/644] net/mlx5: Correctly set gso_segs when LRO is used Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 236/644] net: drop UFO packets in udp_rcv_segment() Greg Kroah-Hartman
` (414 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+af43e647fd835acc02df,
Eric Dumazet, Dawid Osuchowski, Willem de Bruijn, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d45cf1e7d7180256e17c9ce88e32e8061a7887fe ]
syzbot was able to craft a packet with very long IPv6 extension headers
leading to an overflow of skb->transport_header.
This 16bit field has a limited range.
Add skb_reset_transport_header_careful() helper and use it
from ipv6_gso_segment()
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Modules linked in:
CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]
RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151
Call Trace:
<TASK>
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110
skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53
__skb_gso_segment+0x342/0x510 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950
validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000
sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329
__dev_xmit_skb net/core/dev.c:4102 [inline]
__dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679
Fixes: d1da932ed4ec ("ipv6: Separate ipv6 offload support")
Reported-by: syzbot+af43e647fd835acc02df@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/688a1a05.050a0220.5d226.0008.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20250730131738.3385939-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/skbuff.h | 23 +++++++++++++++++++++++
net/ipv6/ip6_offload.c | 4 +++-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 7f52562fac19..9155d0d7f706 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2646,6 +2646,29 @@ static inline void skb_reset_transport_header(struct sk_buff *skb)
skb->transport_header = skb->data - skb->head;
}
+/**
+ * skb_reset_transport_header_careful - conditionally reset transport header
+ * @skb: buffer to alter
+ *
+ * Hardened version of skb_reset_transport_header().
+ *
+ * Returns: true if the operation was a success.
+ */
+static inline bool __must_check
+skb_reset_transport_header_careful(struct sk_buff *skb)
+{
+ long offset = skb->data - skb->head;
+
+ if (unlikely(offset != (typeof(skb->transport_header))offset))
+ return false;
+
+ if (unlikely(offset == (typeof(skb->transport_header))~0U))
+ return false;
+
+ skb->transport_header = offset;
+ return true;
+}
+
static inline void skb_set_transport_header(struct sk_buff *skb,
const int offset)
{
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index 30c56143d79b..0de54467ee84 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -112,7 +112,9 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
ops = rcu_dereference(inet6_offloads[proto]);
if (likely(ops && ops->callbacks.gso_segment)) {
- skb_reset_transport_header(skb);
+ if (!skb_reset_transport_header_careful(skb))
+ goto out;
+
segs = ops->callbacks.gso_segment(skb, features);
if (!segs)
skb->network_header = skb_mac_header(skb) + nhoff - skb->head;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 236/644] net: drop UFO packets in udp_rcv_segment()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 235/644] ipv6: reject malicious packets in ipv6_gso_segment() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 237/644] benet: fix BUG when creating VFs Greg Kroah-Hartman
` (413 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Willem de Bruijn, Wang Liang,
Willem de Bruijn, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Liang <wangliang74@huawei.com>
[ Upstream commit d46e51f1c78b9ab9323610feb14238d06d46d519 ]
When sending a packet with virtio_net_hdr to tun device, if the gso_type
in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr
size, below crash may happen.
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:4572!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:skb_pull_rcsum+0x8e/0xa0
Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc <0f> 0b 0f 0b 66 66 2e 0f 1f 84 00 000
RSP: 0018:ffffc900001fba38 EFLAGS: 00000297
RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948
RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062
RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001
R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000
R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900
FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0
Call Trace:
<TASK>
udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445
udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475
udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626
__udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690
ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233
ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579
ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636
ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670
__netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067
netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210
napi_complete_done+0x78/0x180 net/core/dev.c:6580
tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909
tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984
vfs_write+0x300/0x420 fs/read_write.c:593
ksys_write+0x60/0xd0 fs/read_write.c:686
do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63
</TASK>
To trigger gso segment in udp_queue_rcv_skb(), we should also set option
UDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. When the encap_rcv
hook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try
to pull udphdr, but the skb size has been segmented to gso size, which
leads to this crash.
Previous commit cf329aa42b66 ("udp: cope with UDP GRO packet misdirection")
introduces segmentation in UDP receive path only for GRO, which was never
intended to be used for UFO, so drop UFO packets in udp_rcv_segment().
Link: https://lore.kernel.org/netdev/20250724083005.3918375-1-wangliang74@huawei.com/
Link: https://lore.kernel.org/netdev/20250729123907.3318425-1-wangliang74@huawei.com/
Fixes: cf329aa42b66 ("udp: cope with UDP GRO packet misdirection")
Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20250730101458.3470788-1-wangliang74@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/udp.h | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/include/net/udp.h b/include/net/udp.h
index 10508c66e7a1..3dbfa4cfac50 100644
--- a/include/net/udp.h
+++ b/include/net/udp.h
@@ -483,6 +483,16 @@ static inline struct sk_buff *udp_rcv_segment(struct sock *sk,
{
netdev_features_t features = NETIF_F_SG;
struct sk_buff *segs;
+ int drop_count;
+
+ /*
+ * Segmentation in UDP receive path is only for UDP GRO, drop udp
+ * fragmentation offload (UFO) packets.
+ */
+ if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP) {
+ drop_count = 1;
+ goto drop;
+ }
/* Avoid csum recalculation by skb_segment unless userspace explicitly
* asks for the final checksum values
@@ -506,16 +516,18 @@ static inline struct sk_buff *udp_rcv_segment(struct sock *sk,
*/
segs = __skb_gso_segment(skb, features, false);
if (IS_ERR_OR_NULL(segs)) {
- int segs_nr = skb_shinfo(skb)->gso_segs;
-
- atomic_add(segs_nr, &sk->sk_drops);
- SNMP_ADD_STATS(__UDPX_MIB(sk, ipv4), UDP_MIB_INERRORS, segs_nr);
- kfree_skb(skb);
- return NULL;
+ drop_count = skb_shinfo(skb)->gso_segs;
+ goto drop;
}
consume_skb(skb);
return segs;
+
+drop:
+ atomic_add(drop_count, &sk->sk_drops);
+ SNMP_ADD_STATS(__UDPX_MIB(sk, ipv4), UDP_MIB_INERRORS, drop_count);
+ kfree_skb(skb);
+ return NULL;
}
static inline void udp_post_segment_fix_csum(struct sk_buff *skb)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 237/644] benet: fix BUG when creating VFs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 236/644] net: drop UFO packets in udp_rcv_segment() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 238/644] ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() Greg Kroah-Hartman
` (412 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt, Nikolay Aleksandrov,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Schmidt <mschmidt@redhat.com>
[ Upstream commit 5a40f8af2ba1b9bdf46e2db10e8c9710538fbc63 ]
benet crashes as soon as SRIOV VFs are created:
kernel BUG at mm/vmalloc.c:3457!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+ #1 PREEMPT(voluntary)
[...]
RIP: 0010:vunmap+0x5f/0x70
[...]
Call Trace:
<TASK>
__iommu_dma_free+0xe8/0x1c0
be_cmd_set_mac_list+0x3fe/0x640 [be2net]
be_cmd_set_mac+0xaf/0x110 [be2net]
be_vf_eth_addr_config+0x19f/0x330 [be2net]
be_vf_setup+0x4f7/0x990 [be2net]
be_pci_sriov_configure+0x3a1/0x470 [be2net]
sriov_numvfs_store+0x20b/0x380
kernfs_fop_write_iter+0x354/0x530
vfs_write+0x9b9/0xf60
ksys_write+0xf3/0x1d0
do_syscall_64+0x8c/0x3d0
be_cmd_set_mac_list() calls dma_free_coherent() under a spin_lock_bh.
Fix it by freeing only after the lock has been released.
Fixes: 1a82d19ca2d6 ("be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink")
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20250801101338.72502-1-mschmidt@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c
index 1cdb7ca019f5..96a8749cf34f 100644
--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
+++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
@@ -3851,8 +3851,8 @@ int be_cmd_set_mac_list(struct be_adapter *adapter, u8 *mac_array,
status = be_mcc_notify_wait(adapter);
err:
- dma_free_coherent(&adapter->pdev->dev, cmd.size, cmd.va, cmd.dma);
spin_unlock_bh(&adapter->mcc_lock);
+ dma_free_coherent(&adapter->pdev->dev, cmd.size, cmd.va, cmd.dma);
return status;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 238/644] ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 237/644] benet: fix BUG when creating VFs Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 239/644] smb: server: remove separate empty_recvmsg_queue Greg Kroah-Hartman
` (411 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 9f320dfb0ffc555aa2eac8331dee0c2c16f67633 ]
There are a couple of cases where the error is ignored or the error
code isn't propagated in ca0132_alt_select_out(). Fix those.
Fixes: def3f0a5c700 ("ALSA: hda/ca0132 - Add quirk output selection structures.")
Link: https://patch.msgid.link/20250806094423.8843-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_ca0132.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
index fab7c329acbe..a922c5079880 100644
--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -4794,7 +4794,8 @@ static int ca0132_alt_select_out(struct hda_codec *codec)
if (err < 0)
goto exit;
- if (ca0132_alt_select_out_quirk_set(codec) < 0)
+ err = ca0132_alt_select_out_quirk_set(codec);
+ if (err < 0)
goto exit;
switch (spec->cur_out_type) {
@@ -4884,6 +4885,8 @@ static int ca0132_alt_select_out(struct hda_codec *codec)
spec->bass_redirection_val);
else
err = ca0132_alt_surround_set_bass_redirection(codec, 0);
+ if (err < 0)
+ goto exit;
/* Unmute DSP now that we're done with output selection. */
err = dspio_set_uint_param(codec, 0x96,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 239/644] smb: server: remove separate empty_recvmsg_queue
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 238/644] ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 240/644] smb: server: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already Greg Kroah-Hartman
` (410 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steve French, Tom Talpey, linux-cifs,
samba-technical, Stefan Metzmacher, Namjae Jeon, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Metzmacher <metze@samba.org>
[ Upstream commit 01027a62b508c48c762096f347de925eedcbd008 ]
There's no need to maintain two lists, we can just
have a single list of receive buffers, which are free to use.
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/transport_rdma.c | 60 ++++++---------------------------------
1 file changed, 8 insertions(+), 52 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 91e663d5d5bc..2644117305c2 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -128,9 +128,6 @@ struct smb_direct_transport {
spinlock_t recvmsg_queue_lock;
struct list_head recvmsg_queue;
- spinlock_t empty_recvmsg_queue_lock;
- struct list_head empty_recvmsg_queue;
-
int send_credit_target;
atomic_t send_credits;
spinlock_t lock_new_recv_credits;
@@ -274,32 +271,6 @@ static void put_recvmsg(struct smb_direct_transport *t,
spin_unlock(&t->recvmsg_queue_lock);
}
-static struct
-smb_direct_recvmsg *get_empty_recvmsg(struct smb_direct_transport *t)
-{
- struct smb_direct_recvmsg *recvmsg = NULL;
-
- spin_lock(&t->empty_recvmsg_queue_lock);
- if (!list_empty(&t->empty_recvmsg_queue)) {
- recvmsg = list_first_entry(&t->empty_recvmsg_queue,
- struct smb_direct_recvmsg, list);
- list_del(&recvmsg->list);
- }
- spin_unlock(&t->empty_recvmsg_queue_lock);
- return recvmsg;
-}
-
-static void put_empty_recvmsg(struct smb_direct_transport *t,
- struct smb_direct_recvmsg *recvmsg)
-{
- ib_dma_unmap_single(t->cm_id->device, recvmsg->sge.addr,
- recvmsg->sge.length, DMA_FROM_DEVICE);
-
- spin_lock(&t->empty_recvmsg_queue_lock);
- list_add_tail(&recvmsg->list, &t->empty_recvmsg_queue);
- spin_unlock(&t->empty_recvmsg_queue_lock);
-}
-
static void enqueue_reassembly(struct smb_direct_transport *t,
struct smb_direct_recvmsg *recvmsg,
int data_length)
@@ -384,9 +355,6 @@ static struct smb_direct_transport *alloc_transport(struct rdma_cm_id *cm_id)
spin_lock_init(&t->recvmsg_queue_lock);
INIT_LIST_HEAD(&t->recvmsg_queue);
- spin_lock_init(&t->empty_recvmsg_queue_lock);
- INIT_LIST_HEAD(&t->empty_recvmsg_queue);
-
init_waitqueue_head(&t->wait_send_pending);
atomic_set(&t->send_pending, 0);
@@ -548,7 +516,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
wc->opcode);
smb_direct_disconnect_rdma_connection(t);
}
- put_empty_recvmsg(t, recvmsg);
+ put_recvmsg(t, recvmsg);
return;
}
@@ -562,7 +530,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
switch (recvmsg->type) {
case SMB_DIRECT_MSG_NEGOTIATE_REQ:
if (wc->byte_len < sizeof(struct smb_direct_negotiate_req)) {
- put_empty_recvmsg(t, recvmsg);
+ put_recvmsg(t, recvmsg);
return;
}
t->negotiation_requested = true;
@@ -579,7 +547,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (wc->byte_len <
offsetof(struct smb_direct_data_transfer, padding)) {
- put_empty_recvmsg(t, recvmsg);
+ put_recvmsg(t, recvmsg);
return;
}
@@ -587,7 +555,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (data_length) {
if (wc->byte_len < sizeof(struct smb_direct_data_transfer) +
(u64)data_length) {
- put_empty_recvmsg(t, recvmsg);
+ put_recvmsg(t, recvmsg);
return;
}
@@ -607,7 +575,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
avail_recvmsg_count = t->count_avail_recvmsg;
spin_unlock(&t->receive_credit_lock);
} else {
- put_empty_recvmsg(t, recvmsg);
+ put_recvmsg(t, recvmsg);
spin_lock(&t->receive_credit_lock);
receive_credits = --(t->recv_credits);
@@ -805,7 +773,6 @@ static void smb_direct_post_recv_credits(struct work_struct *work)
struct smb_direct_recvmsg *recvmsg;
int receive_credits, credits = 0;
int ret;
- int use_free = 1;
spin_lock(&t->receive_credit_lock);
receive_credits = t->recv_credits;
@@ -813,18 +780,9 @@ static void smb_direct_post_recv_credits(struct work_struct *work)
if (receive_credits < t->recv_credit_target) {
while (true) {
- if (use_free)
- recvmsg = get_free_recvmsg(t);
- else
- recvmsg = get_empty_recvmsg(t);
- if (!recvmsg) {
- if (use_free) {
- use_free = 0;
- continue;
- } else {
- break;
- }
- }
+ recvmsg = get_free_recvmsg(t);
+ if (!recvmsg)
+ break;
recvmsg->type = SMB_DIRECT_MSG_DATA_TRANSFER;
recvmsg->first_segment = false;
@@ -1800,8 +1758,6 @@ static void smb_direct_destroy_pools(struct smb_direct_transport *t)
while ((recvmsg = get_free_recvmsg(t)))
mempool_free(recvmsg, t->recvmsg_mempool);
- while ((recvmsg = get_empty_recvmsg(t)))
- mempool_free(recvmsg, t->recvmsg_mempool);
mempool_destroy(t->recvmsg_mempool);
t->recvmsg_mempool = NULL;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 240/644] smb: server: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 239/644] smb: server: remove separate empty_recvmsg_queue Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 241/644] smb: server: let recv_done() consistently call put_recvmsg/smb_direct_disconnect_rdma_connection Greg Kroah-Hartman
` (409 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
Tom Talpey, linux-cifs, samba-technical, Stefan Metzmacher,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Metzmacher <metze@samba.org>
[ Upstream commit afb4108c92898350e66b9a009692230bcdd2ac73 ]
In case of failures either ib_dma_map_single() might not be called yet
or ib_dma_unmap_single() was already called.
We should make sure put_recvmsg() only calls ib_dma_unmap_single() if needed.
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/transport_rdma.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 2644117305c2..dd37cabe8cbc 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -263,8 +263,13 @@ smb_direct_recvmsg *get_free_recvmsg(struct smb_direct_transport *t)
static void put_recvmsg(struct smb_direct_transport *t,
struct smb_direct_recvmsg *recvmsg)
{
- ib_dma_unmap_single(t->cm_id->device, recvmsg->sge.addr,
- recvmsg->sge.length, DMA_FROM_DEVICE);
+ if (likely(recvmsg->sge.length != 0)) {
+ ib_dma_unmap_single(t->cm_id->device,
+ recvmsg->sge.addr,
+ recvmsg->sge.length,
+ DMA_FROM_DEVICE);
+ recvmsg->sge.length = 0;
+ }
spin_lock(&t->recvmsg_queue_lock);
list_add(&recvmsg->list, &t->recvmsg_queue);
@@ -632,6 +637,7 @@ static int smb_direct_post_recv(struct smb_direct_transport *t,
ib_dma_unmap_single(t->cm_id->device,
recvmsg->sge.addr, recvmsg->sge.length,
DMA_FROM_DEVICE);
+ recvmsg->sge.length = 0;
smb_direct_disconnect_rdma_connection(t);
return ret;
}
@@ -1813,6 +1819,7 @@ static int smb_direct_create_pools(struct smb_direct_transport *t)
if (!recvmsg)
goto err;
recvmsg->transport = t;
+ recvmsg->sge.length = 0;
list_add(&recvmsg->list, &t->recvmsg_queue);
}
t->count_avail_recvmsg = t->recv_credit_max;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 241/644] smb: server: let recv_done() consistently call put_recvmsg/smb_direct_disconnect_rdma_connection
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 240/644] smb: server: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 242/644] smb: server: let recv_done() avoid touching data_transfer after cleanup/move Greg Kroah-Hartman
` (408 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
Tom Talpey, linux-cifs, samba-technical, Stefan Metzmacher,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Metzmacher <metze@samba.org>
[ Upstream commit cfe76fdbb9729c650f3505d9cfb2f70ddda2dbdc ]
We should call put_recvmsg() before smb_direct_disconnect_rdma_connection()
in order to call it before waking up the callers.
In all error cases we should call smb_direct_disconnect_rdma_connection()
in order to avoid stale connections.
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/transport_rdma.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index dd37cabe8cbc..07e1e6bbdd54 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -515,13 +515,13 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
t = recvmsg->transport;
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) {
+ put_recvmsg(t, recvmsg);
if (wc->status != IB_WC_WR_FLUSH_ERR) {
pr_err("Recv error. status='%s (%d)' opcode=%d\n",
ib_wc_status_msg(wc->status), wc->status,
wc->opcode);
smb_direct_disconnect_rdma_connection(t);
}
- put_recvmsg(t, recvmsg);
return;
}
@@ -536,6 +536,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
case SMB_DIRECT_MSG_NEGOTIATE_REQ:
if (wc->byte_len < sizeof(struct smb_direct_negotiate_req)) {
put_recvmsg(t, recvmsg);
+ smb_direct_disconnect_rdma_connection(t);
return;
}
t->negotiation_requested = true;
@@ -543,7 +544,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
t->status = SMB_DIRECT_CS_CONNECTED;
enqueue_reassembly(t, recvmsg, 0);
wake_up_interruptible(&t->wait_status);
- break;
+ return;
case SMB_DIRECT_MSG_DATA_TRANSFER: {
struct smb_direct_data_transfer *data_transfer =
(struct smb_direct_data_transfer *)recvmsg->packet;
@@ -553,6 +554,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (wc->byte_len <
offsetof(struct smb_direct_data_transfer, padding)) {
put_recvmsg(t, recvmsg);
+ smb_direct_disconnect_rdma_connection(t);
return;
}
@@ -561,6 +563,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (wc->byte_len < sizeof(struct smb_direct_data_transfer) +
(u64)data_length) {
put_recvmsg(t, recvmsg);
+ smb_direct_disconnect_rdma_connection(t);
return;
}
@@ -603,11 +606,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (is_receive_credit_post_required(receive_credits, avail_recvmsg_count))
mod_delayed_work(smb_direct_wq,
&t->post_recv_credits_work, 0);
- break;
+ return;
}
- default:
- break;
}
+
+ /*
+ * This is an internal error!
+ */
+ WARN_ON_ONCE(recvmsg->type != SMB_DIRECT_MSG_DATA_TRANSFER);
+ put_recvmsg(t, recvmsg);
+ smb_direct_disconnect_rdma_connection(t);
}
static int smb_direct_post_recv(struct smb_direct_transport *t,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 242/644] smb: server: let recv_done() avoid touching data_transfer after cleanup/move
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 241/644] smb: server: let recv_done() consistently call put_recvmsg/smb_direct_disconnect_rdma_connection Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 243/644] smb: client: let recv_done() cleanup before notifying the callers Greg Kroah-Hartman
` (407 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
Tom Talpey, linux-cifs, samba-technical, Stefan Metzmacher,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Metzmacher <metze@samba.org>
[ Upstream commit a6c015b7ac2d8c5233337e5793f50d04fac17669 ]
Calling enqueue_reassembly() and wake_up_interruptible(&t->wait_reassembly_queue)
or put_receive_buffer() means the recvmsg/data_transfer pointer might
get re-used by another thread, which means these should be
the last operations before calling return.
Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/transport_rdma.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/ksmbd/transport_rdma.c b/fs/ksmbd/transport_rdma.c
index 07e1e6bbdd54..2f0263290584 100644
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -575,16 +575,11 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
else
t->full_packet_received = true;
- enqueue_reassembly(t, recvmsg, (int)data_length);
- wake_up_interruptible(&t->wait_reassembly_queue);
-
spin_lock(&t->receive_credit_lock);
receive_credits = --(t->recv_credits);
avail_recvmsg_count = t->count_avail_recvmsg;
spin_unlock(&t->receive_credit_lock);
} else {
- put_recvmsg(t, recvmsg);
-
spin_lock(&t->receive_credit_lock);
receive_credits = --(t->recv_credits);
avail_recvmsg_count = ++(t->count_avail_recvmsg);
@@ -606,6 +601,13 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (is_receive_credit_post_required(receive_credits, avail_recvmsg_count))
mod_delayed_work(smb_direct_wq,
&t->post_recv_credits_work, 0);
+
+ if (data_length) {
+ enqueue_reassembly(t, recvmsg, (int)data_length);
+ wake_up_interruptible(&t->wait_reassembly_queue);
+ } else
+ put_recvmsg(t, recvmsg);
+
return;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 243/644] smb: client: let recv_done() cleanup before notifying the callers.
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 242/644] smb: server: let recv_done() avoid touching data_transfer after cleanup/move Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 244/644] pptp: fix pptp_xmit() error path Greg Kroah-Hartman
` (406 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steve French, Tom Talpey, Long Li,
linux-cifs, samba-technical, Stefan Metzmacher, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Metzmacher <metze@samba.org>
[ Upstream commit bdd7afc6dca5e0ebbb75583484aa6ea9e03fbb13 ]
We should call put_receive_buffer() before waking up the callers.
For the internal error case of response->type being unexpected,
we now also call smbd_disconnect_rdma_connection() instead
of not waking up the callers at all.
Note that the SMBD_TRANSFER_DATA case still has problems,
which will be addressed in the next commit in order to make
it easier to review this one.
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Long Li <longli@microsoft.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/smbdirect.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c
index a9a5d27b8d38..48bd879349fb 100644
--- a/fs/cifs/smbdirect.c
+++ b/fs/cifs/smbdirect.c
@@ -455,7 +455,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) {
log_rdma_recv(INFO, "wc->status=%d opcode=%d\n",
wc->status, wc->opcode);
- smbd_disconnect_rdma_connection(info);
goto error;
}
@@ -472,8 +471,9 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
info->full_packet_received = true;
info->negotiate_done =
process_negotiation_response(response, wc->byte_len);
+ put_receive_buffer(info, response);
complete(&info->negotiate_completion);
- break;
+ return;
/* SMBD data transfer packet */
case SMBD_TRANSFER_DATA:
@@ -530,14 +530,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
}
return;
-
- default:
- log_rdma_recv(ERR,
- "unexpected response type=%d\n", response->type);
}
+ /*
+ * This is an internal error!
+ */
+ log_rdma_recv(ERR, "unexpected response type=%d\n", response->type);
+ WARN_ON_ONCE(response->type != SMBD_TRANSFER_DATA);
error:
put_receive_buffer(info, response);
+ smbd_disconnect_rdma_connection(info);
}
static struct rdma_cm_id *smbd_create_id(
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 244/644] pptp: fix pptp_xmit() error path
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 243/644] smb: client: let recv_done() cleanup before notifying the callers Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 245/644] perf/core: Dont leak AUX buffer refcount on allocation failure Greg Kroah-Hartman
` (405 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+27d7cfbc93457e472e00,
Eric Dumazet, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit ae633388cae349886f1a3cfb27aa092854b24c1b ]
I accidentally added a bug in pptp_xmit() that syzbot caught for us.
Only call ip_rt_put() if a route has been allocated.
BUG: unable to handle page fault for address: ffffffffffffffdb
PGD df3b067 P4D df3b067 PUD df3d067 PMD 0
Oops: Oops: 0002 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6346 Comm: syz.0.336 Not tainted 6.16.0-next-20250804-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:85 [inline]
RIP: 0010:raw_atomic_sub_return_release include/linux/atomic/atomic-arch-fallback.h:846 [inline]
RIP: 0010:atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:327 [inline]
RIP: 0010:__rcuref_put include/linux/rcuref.h:109 [inline]
RIP: 0010:rcuref_put+0x172/0x210 include/linux/rcuref.h:173
Call Trace:
<TASK>
dst_release+0x24/0x1b0 net/core/dst.c:167
ip_rt_put include/net/route.h:285 [inline]
pptp_xmit+0x14b/0x1a90 drivers/net/ppp/pptp.c:267
__ppp_channel_push+0xf2/0x1c0 drivers/net/ppp/ppp_generic.c:2166
ppp_channel_push+0x123/0x660 drivers/net/ppp/ppp_generic.c:2198
ppp_write+0x2b0/0x400 drivers/net/ppp/ppp_generic.c:544
vfs_write+0x27b/0xb30 fs/read_write.c:684
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: de9c4861fb42 ("pptp: ensure minimal skb length in pptp_xmit()")
Reported-by: syzbot+27d7cfbc93457e472e00@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/689095a5.050a0220.1fc43d.0009.GAE@google.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250807142146.2877060-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/pptp.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index 951dac268adb..bf011bbb6105 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -159,17 +159,17 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
int len;
unsigned char *data;
__u32 seq_recv;
- struct rtable *rt = NULL;
+ struct rtable *rt;
struct net_device *tdev;
struct iphdr *iph;
int max_headroom;
if (sk_pppox(po)->sk_state & PPPOX_DEAD)
- goto tx_error;
+ goto tx_drop;
rt = pptp_route_output(po, &fl4);
if (IS_ERR(rt))
- goto tx_error;
+ goto tx_drop;
tdev = rt->dst.dev;
@@ -265,6 +265,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
tx_error:
ip_rt_put(rt);
+tx_drop:
kfree_skb(skb);
return 1;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 245/644] perf/core: Dont leak AUX buffer refcount on allocation failure
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 244/644] pptp: fix pptp_xmit() error path Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 246/644] perf/core: Exit early on perf_mmap() fail Greg Kroah-Hartman
` (404 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Lorenzo Stoakes
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 5468c0fbccbb9d156522c50832244a8b722374fb upstream.
Failure of the AUX buffer allocation leaks the reference count.
Set the reference count to 1 only when the allocation succeeds.
Fixes: 45bfb2e50471 ("perf/core: Add AUX area to ring buffer for raw data streams")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/core.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -6477,9 +6477,7 @@ static int perf_mmap(struct file *file,
goto unlock;
}
- atomic_set(&rb->aux_mmap_count, 1);
user_extra = nr_pages;
-
goto accounting;
}
@@ -6581,8 +6579,10 @@ accounting:
} else {
ret = rb_alloc_aux(rb, event, vma->vm_pgoff, nr_pages,
event->attr.aux_watermark, flags);
- if (!ret)
+ if (!ret) {
+ atomic_set(&rb->aux_mmap_count, 1);
rb->aux_mmap_locked = extra;
+ }
}
unlock:
@@ -6592,6 +6592,7 @@ unlock:
atomic_inc(&event->mmap_count);
} else if (rb) {
+ /* AUX allocation failed */
atomic_dec(&rb->mmap_count);
}
aux_unlock:
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 246/644] perf/core: Exit early on perf_mmap() fail
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 245/644] perf/core: Dont leak AUX buffer refcount on allocation failure Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 247/644] perf/core: Prevent VMA split of buffer mappings Greg Kroah-Hartman
` (403 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Lorenzo Stoakes
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 07091aade394f690e7b655578140ef84d0e8d7b0 upstream.
When perf_mmap() fails to allocate a buffer, it still invokes the
event_mapped() callback of the related event. On X86 this might increase
the perf_rdpmc_allowed reference counter. But nothing undoes this as
perf_mmap_close() is never called in this case, which causes another
reference count leak.
Return early on failure to prevent that.
Fixes: 1e0fb9ec679c ("perf/core: Add pmu callbacks to track event mapping and unmapping")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -6600,6 +6600,9 @@ aux_unlock:
mutex_unlock(aux_mutex);
mutex_unlock(&event->mmap_mutex);
+ if (ret)
+ return ret;
+
/*
* Since pinned accounting is per vm we cannot allow fork() to copy our
* vma.
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 247/644] perf/core: Prevent VMA split of buffer mappings
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 246/644] perf/core: Exit early on perf_mmap() fail Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 248/644] selftests/perf_events: Add a mmap() correctness test Greg Kroah-Hartman
` (402 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Lorenzo Stoakes,
Arnaldo Carvalho de Melo, Vlastimil Babka, zdi-disclosures
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit b024d7b56c77191cde544f838debb7f8451cd0d6 upstream.
The perf mmap code is careful about mmap()'ing the user page with the
ringbuffer and additionally the auxiliary buffer, when the event supports
it. Once the first mapping is established, subsequent mapping have to use
the same offset and the same size in both cases. The reference counting for
the ringbuffer and the auxiliary buffer depends on this being correct.
Though perf does not prevent that a related mapping is split via mmap(2),
munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls,
which take reference counts, but then the subsequent perf_mmap_close()
calls are not longer fulfilling the offset and size checks. This leads to
reference count leaks.
As perf already has the requirement for subsequent mappings to match the
initial mapping, the obvious consequence is that VMA splits, caused by
resizing of a mapping or partial unmapping, have to be prevented.
Implement the vm_operations_struct::may_split() callback and return
unconditionally -EINVAL.
That ensures that the mapping offsets and sizes cannot be changed after the
fact. Remapping to a different fixed address with the same size is still
possible as it takes the references for the new mapping and drops those of
the old mapping.
Fixes: 45bfb2e50471 ("perf/core: Add AUX area to ring buffer for raw data streams")
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-27504
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/core.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -6381,11 +6381,21 @@ out_put:
ring_buffer_put(rb); /* could be last */
}
+static int perf_mmap_may_split(struct vm_area_struct *vma, unsigned long addr)
+{
+ /*
+ * Forbid splitting perf mappings to prevent refcount leaks due to
+ * the resulting non-matching offsets and sizes. See open()/close().
+ */
+ return -EINVAL;
+}
+
static const struct vm_operations_struct perf_mmap_vmops = {
.open = perf_mmap_open,
.close = perf_mmap_close, /* non mergeable */
.fault = perf_mmap_fault,
.page_mkwrite = perf_mmap_fault,
+ .may_split = perf_mmap_may_split,
};
static int perf_mmap(struct file *file, struct vm_area_struct *vma)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 248/644] selftests/perf_events: Add a mmap() correctness test
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 247/644] perf/core: Prevent VMA split of buffer mappings Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 249/644] net/packet: fix a race in packet_set_ring() and packet_notifier() Greg Kroah-Hartman
` (401 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Thomas Gleixner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
commit 084d2ac4030c5919e85bba1f4af26e33491469cb upstream.
Exercise various mmap(), munmap() and mremap() invocations, which might
cause a perf buffer mapping to be split or truncated.
To avoid hard coding the perf event and having dependencies on
architectures and configuration options, scan through event types in sysfs
and try to open them. On success, try to mmap() and if that succeeds try to
mmap() the AUX buffer.
In case that no AUX buffer supporting event is found, only test the base
buffer mapping. If no mappable event is found or permissions are not
sufficient, skip the tests.
Reserve a PROT_NONE region for both rb and aux tests to allow testing the
case where mremap unmaps beyond the end of a mapped VMA to prevent it from
unmapping unrelated mappings.
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Co-developed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/perf_events/.gitignore | 1
tools/testing/selftests/perf_events/Makefile | 2
tools/testing/selftests/perf_events/mmap.c | 236 +++++++++++++++++++++++++
3 files changed, 238 insertions(+), 1 deletion(-)
create mode 100644 tools/testing/selftests/perf_events/mmap.c
--- a/tools/testing/selftests/perf_events/.gitignore
+++ b/tools/testing/selftests/perf_events/.gitignore
@@ -1,3 +1,4 @@
# SPDX-License-Identifier: GPL-2.0-only
sigtrap_threads
remove_on_exec
+mmap
--- a/tools/testing/selftests/perf_events/Makefile
+++ b/tools/testing/selftests/perf_events/Makefile
@@ -2,5 +2,5 @@
CFLAGS += -Wl,-no-as-needed -Wall -I../../../../usr/include
LDFLAGS += -lpthread
-TEST_GEN_PROGS := sigtrap_threads remove_on_exec
+TEST_GEN_PROGS := sigtrap_threads remove_on_exec mmap
include ../lib.mk
--- /dev/null
+++ b/tools/testing/selftests/perf_events/mmap.c
@@ -0,0 +1,236 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#define _GNU_SOURCE
+
+#include <dirent.h>
+#include <sched.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+
+#include <linux/perf_event.h>
+
+#include "../kselftest_harness.h"
+
+#define RB_SIZE 0x3000
+#define AUX_SIZE 0x10000
+#define AUX_OFFS 0x4000
+
+#define HOLE_SIZE 0x1000
+
+/* Reserve space for rb, aux with space for shrink-beyond-vma testing. */
+#define REGION_SIZE (2 * RB_SIZE + 2 * AUX_SIZE)
+#define REGION_AUX_OFFS (2 * RB_SIZE)
+
+#define MAP_BASE 1
+#define MAP_AUX 2
+
+#define EVENT_SRC_DIR "/sys/bus/event_source/devices"
+
+FIXTURE(perf_mmap)
+{
+ int fd;
+ void *ptr;
+ void *region;
+};
+
+FIXTURE_VARIANT(perf_mmap)
+{
+ bool aux;
+ unsigned long ptr_size;
+};
+
+FIXTURE_VARIANT_ADD(perf_mmap, rb)
+{
+ .aux = false,
+ .ptr_size = RB_SIZE,
+};
+
+FIXTURE_VARIANT_ADD(perf_mmap, aux)
+{
+ .aux = true,
+ .ptr_size = AUX_SIZE,
+};
+
+static bool read_event_type(struct dirent *dent, __u32 *type)
+{
+ char typefn[512];
+ FILE *fp;
+ int res;
+
+ snprintf(typefn, sizeof(typefn), "%s/%s/type", EVENT_SRC_DIR, dent->d_name);
+ fp = fopen(typefn, "r");
+ if (!fp)
+ return false;
+
+ res = fscanf(fp, "%u", type);
+ fclose(fp);
+ return res > 0;
+}
+
+FIXTURE_SETUP(perf_mmap)
+{
+ struct perf_event_attr attr = {
+ .size = sizeof(attr),
+ .disabled = 1,
+ .exclude_kernel = 1,
+ .exclude_hv = 1,
+ };
+ struct perf_event_attr attr_ok = {};
+ unsigned int eacces = 0, map = 0;
+ struct perf_event_mmap_page *rb;
+ struct dirent *dent;
+ void *aux, *region;
+ DIR *dir;
+
+ self->ptr = NULL;
+
+ dir = opendir(EVENT_SRC_DIR);
+ if (!dir)
+ SKIP(return, "perf not available.");
+
+ region = mmap(NULL, REGION_SIZE, PROT_NONE, MAP_ANON | MAP_PRIVATE, -1, 0);
+ ASSERT_NE(region, MAP_FAILED);
+ self->region = region;
+
+ // Try to find a suitable event on this system
+ while ((dent = readdir(dir))) {
+ int fd;
+
+ if (!read_event_type(dent, &attr.type))
+ continue;
+
+ fd = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);
+ if (fd < 0) {
+ if (errno == EACCES)
+ eacces++;
+ continue;
+ }
+
+ // Check whether the event supports mmap()
+ rb = mmap(region, RB_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, 0);
+ if (rb == MAP_FAILED) {
+ close(fd);
+ continue;
+ }
+
+ if (!map) {
+ // Save the event in case that no AUX capable event is found
+ attr_ok = attr;
+ map = MAP_BASE;
+ }
+
+ if (!variant->aux)
+ continue;
+
+ rb->aux_offset = AUX_OFFS;
+ rb->aux_size = AUX_SIZE;
+
+ // Check whether it supports a AUX buffer
+ aux = mmap(region + REGION_AUX_OFFS, AUX_SIZE, PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_FIXED, fd, AUX_OFFS);
+ if (aux == MAP_FAILED) {
+ munmap(rb, RB_SIZE);
+ close(fd);
+ continue;
+ }
+
+ attr_ok = attr;
+ map = MAP_AUX;
+ munmap(aux, AUX_SIZE);
+ munmap(rb, RB_SIZE);
+ close(fd);
+ break;
+ }
+ closedir(dir);
+
+ if (!map) {
+ if (!eacces)
+ SKIP(return, "No mappable perf event found.");
+ else
+ SKIP(return, "No permissions for perf_event_open()");
+ }
+
+ self->fd = syscall(SYS_perf_event_open, &attr_ok, 0, -1, -1, 0);
+ ASSERT_NE(self->fd, -1);
+
+ rb = mmap(region, RB_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, self->fd, 0);
+ ASSERT_NE(rb, MAP_FAILED);
+
+ if (!variant->aux) {
+ self->ptr = rb;
+ return;
+ }
+
+ if (map != MAP_AUX)
+ SKIP(return, "No AUX event found.");
+
+ rb->aux_offset = AUX_OFFS;
+ rb->aux_size = AUX_SIZE;
+ aux = mmap(region + REGION_AUX_OFFS, AUX_SIZE, PROT_READ | PROT_WRITE,
+ MAP_SHARED | MAP_FIXED, self->fd, AUX_OFFS);
+ ASSERT_NE(aux, MAP_FAILED);
+ self->ptr = aux;
+}
+
+FIXTURE_TEARDOWN(perf_mmap)
+{
+ ASSERT_EQ(munmap(self->region, REGION_SIZE), 0);
+ if (self->fd != -1)
+ ASSERT_EQ(close(self->fd), 0);
+}
+
+TEST_F(perf_mmap, remap)
+{
+ void *tmp, *ptr = self->ptr;
+ unsigned long size = variant->ptr_size;
+
+ // Test the invalid remaps
+ ASSERT_EQ(mremap(ptr, size, HOLE_SIZE, MREMAP_MAYMOVE), MAP_FAILED);
+ ASSERT_EQ(mremap(ptr + HOLE_SIZE, size, HOLE_SIZE, MREMAP_MAYMOVE), MAP_FAILED);
+ ASSERT_EQ(mremap(ptr + size - HOLE_SIZE, HOLE_SIZE, size, MREMAP_MAYMOVE), MAP_FAILED);
+ // Shrink the end of the mapping such that we only unmap past end of the VMA,
+ // which should succeed and poke a hole into the PROT_NONE region
+ ASSERT_NE(mremap(ptr + size - HOLE_SIZE, size, HOLE_SIZE, MREMAP_MAYMOVE), MAP_FAILED);
+
+ // Remap the whole buffer to a new address
+ tmp = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+ ASSERT_NE(tmp, MAP_FAILED);
+
+ // Try splitting offset 1 hole size into VMA, this should fail
+ ASSERT_EQ(mremap(ptr + HOLE_SIZE, size - HOLE_SIZE, size - HOLE_SIZE,
+ MREMAP_MAYMOVE | MREMAP_FIXED, tmp), MAP_FAILED);
+ // Remapping the whole thing should succeed fine
+ ptr = mremap(ptr, size, size, MREMAP_MAYMOVE | MREMAP_FIXED, tmp);
+ ASSERT_EQ(ptr, tmp);
+ ASSERT_EQ(munmap(tmp, size), 0);
+}
+
+TEST_F(perf_mmap, unmap)
+{
+ unsigned long size = variant->ptr_size;
+
+ // Try to poke holes into the mappings
+ ASSERT_NE(munmap(self->ptr, HOLE_SIZE), 0);
+ ASSERT_NE(munmap(self->ptr + HOLE_SIZE, HOLE_SIZE), 0);
+ ASSERT_NE(munmap(self->ptr + size - HOLE_SIZE, HOLE_SIZE), 0);
+}
+
+TEST_F(perf_mmap, map)
+{
+ unsigned long size = variant->ptr_size;
+
+ // Try to poke holes into the mappings by mapping anonymous memory over it
+ ASSERT_EQ(mmap(self->ptr, HOLE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0), MAP_FAILED);
+ ASSERT_EQ(mmap(self->ptr + HOLE_SIZE, HOLE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0), MAP_FAILED);
+ ASSERT_EQ(mmap(self->ptr + size - HOLE_SIZE, HOLE_SIZE, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0), MAP_FAILED);
+}
+
+TEST_HARNESS_MAIN
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 249/644] net/packet: fix a race in packet_set_ring() and packet_notifier()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 248/644] selftests/perf_events: Add a mmap() correctness test Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 250/644] vsock: Do not allow binding to VMADDR_PORT_ANY Greg Kroah-Hartman
` (400 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quang Le, Willem de Bruijn,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quang Le <quanglex97@gmail.com>
commit 01d3c8417b9c1b884a8a981a3b886da556512f36 upstream.
When packet_set_ring() releases po->bind_lock, another thread can
run packet_notifier() and process an NETDEV_UP event.
This race and the fix are both similar to that of commit 15fe076edea7
("net/packet: fix a race in packet_bind() and packet_notifier()").
There too the packet_notifier NETDEV_UP event managed to run while a
po->bind_lock critical section had to be temporarily released. And
the fix was similarly to temporarily set po->num to zero to keep
the socket unhooked until the lock is retaken.
The po->bind_lock in packet_set_ring and packet_notifier precede the
introduction of git history.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Quang Le <quanglex97@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20250801175423.2970334-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4506,10 +4506,10 @@ static int packet_set_ring(struct sock *
spin_lock(&po->bind_lock);
was_running = po->running;
num = po->num;
- if (was_running) {
- WRITE_ONCE(po->num, 0);
+ WRITE_ONCE(po->num, 0);
+ if (was_running)
__unregister_prot_hook(sk, false);
- }
+
spin_unlock(&po->bind_lock);
synchronize_net();
@@ -4541,10 +4541,10 @@ static int packet_set_ring(struct sock *
mutex_unlock(&po->pg_vec_lock);
spin_lock(&po->bind_lock);
- if (was_running) {
- WRITE_ONCE(po->num, num);
+ WRITE_ONCE(po->num, num);
+ if (was_running)
register_prot_hook(sk);
- }
+
spin_unlock(&po->bind_lock);
if (pg_vec && (po->tp_version > TPACKET_V2)) {
/* Because we don't support block-based V3 on tx-ring */
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 250/644] vsock: Do not allow binding to VMADDR_PORT_ANY
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 249/644] net/packet: fix a race in packet_set_ring() and packet_notifier() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 251/644] USB: serial: option: add Foxconn T99W709 Greg Kroah-Hartman
` (399 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Budimir Markovic, Stefano Garzarella,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Budimir Markovic <markovicbudimir@gmail.com>
commit aba0c94f61ec05315fa7815d21aefa4c87f6a9f4 upstream.
It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
cause a use-after-free when a connection is made to the bound socket.
The socket returned by accept() also has port VMADDR_PORT_ANY but is not
on the list of unbound sockets. Binding it will result in an extra
refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
the binding until socket destruction).
Modify the check in __vsock_bind_connectible() to also prevent binding
to VMADDR_PORT_ANY.
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20250807041811.678-1-markovicbudimir@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/vmw_vsock/af_vsock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -683,7 +683,8 @@ static int __vsock_bind_connectible(stru
unsigned int i;
for (i = 0; i < MAX_PORT_RETRIES; i++) {
- if (port <= LAST_RESERVED_PORT)
+ if (port == VMADDR_PORT_ANY ||
+ port <= LAST_RESERVED_PORT)
port = LAST_RESERVED_PORT + 1;
new_addr.svm_port = port++;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 251/644] USB: serial: option: add Foxconn T99W709
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 250/644] vsock: Do not allow binding to VMADDR_PORT_ANY Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 252/644] net: usbnet: Avoid potential RCU stall on LINK_CHANGE event Greg Kroah-Hartman
` (398 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Slark Xiao, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Slark Xiao <slark_xiao@163.com>
commit ad1244e1ce18f8c1a5ebad8074bfcf10eacb0311 upstream.
T99W709 is designed based on MTK T300(5G redcap) chip. There are
7 serial ports to be enumerated: AP_LOG, GNSS, AP_META, AT,
MD_META, NPT, DBG. RSVD(5) for ADB port.
test evidence as below:
T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 7 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e15f Rev=00.01
S: Manufacturer=MediaTek Inc.
S: Product=USB DATA CARD
S: SerialNumber=355511220000399
C: #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#=0x7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#=0x8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#=0x9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
Signed-off-by: Slark Xiao <slark_xiao@163.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2346,6 +2346,8 @@ static const struct usb_device_id option
.driver_info = RSVD(3) },
{ USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff), /* Foxconn T99W651 RNDIS */
.driver_info = RSVD(5) | RSVD(6) },
+ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe15f, 0xff), /* Foxconn T99W709 */
+ .driver_info = RSVD(5) },
{ USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe167, 0xff), /* Foxconn T99W640 MBIM */
.driver_info = RSVD(3) },
{ USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 (IOT version) */
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 252/644] net: usbnet: Avoid potential RCU stall on LINK_CHANGE event
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 251/644] USB: serial: option: add Foxconn T99W709 Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 253/644] net: usbnet: Fix the wrong netif_carrier_on() call Greg Kroah-Hartman
` (397 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Ernberg, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Ernberg <john.ernberg@actia.se>
commit 0d9cfc9b8cb17dbc29a98792d36ec39a1cf1395f upstream.
The Gemalto Cinterion PLS83-W modem (cdc_ether) is emitting confusing link
up and down events when the WWAN interface is activated on the modem-side.
Interrupt URBs will in consecutive polls grab:
* Link Connected
* Link Disconnected
* Link Connected
Where the last Connected is then a stable link state.
When the system is under load this may cause the unlink_urbs() work in
__handle_link_change() to not complete before the next usbnet_link_change()
call turns the carrier on again, allowing rx_submit() to queue new SKBs.
In that event the URB queue is filled faster than it can drain, ending up
in a RCU stall:
rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 0-.... } 33108 jiffies s: 201 root: 0x1/.
rcu: blocking rcu_node structures (internal RCU debug):
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
Call trace:
arch_local_irq_enable+0x4/0x8
local_bh_enable+0x18/0x20
__netdev_alloc_skb+0x18c/0x1cc
rx_submit+0x68/0x1f8 [usbnet]
rx_alloc_submit+0x4c/0x74 [usbnet]
usbnet_bh+0x1d8/0x218 [usbnet]
usbnet_bh_tasklet+0x10/0x18 [usbnet]
tasklet_action_common+0xa8/0x110
tasklet_action+0x2c/0x34
handle_softirqs+0x2cc/0x3a0
__do_softirq+0x10/0x18
____do_softirq+0xc/0x14
call_on_irq_stack+0x24/0x34
do_softirq_own_stack+0x18/0x20
__irq_exit_rcu+0xa8/0xb8
irq_exit_rcu+0xc/0x30
el1_interrupt+0x34/0x48
el1h_64_irq_handler+0x14/0x1c
el1h_64_irq+0x68/0x6c
_raw_spin_unlock_irqrestore+0x38/0x48
xhci_urb_dequeue+0x1ac/0x45c [xhci_hcd]
unlink1+0xd4/0xdc [usbcore]
usb_hcd_unlink_urb+0x70/0xb0 [usbcore]
usb_unlink_urb+0x24/0x44 [usbcore]
unlink_urbs.constprop.0.isra.0+0x64/0xa8 [usbnet]
__handle_link_change+0x34/0x70 [usbnet]
usbnet_deferred_kevent+0x1c0/0x320 [usbnet]
process_scheduled_works+0x2d0/0x48c
worker_thread+0x150/0x1dc
kthread+0xd8/0xe8
ret_from_fork+0x10/0x20
Get around the problem by delaying the carrier on to the scheduled work.
This needs a new flag to keep track of the necessary action.
The carrier ok check cannot be removed as it remains required for the
LINK_RESET event flow.
Fixes: 4b49f58fff00 ("usbnet: handle link change")
Cc: stable@vger.kernel.org
Signed-off-by: John Ernberg <john.ernberg@actia.se>
Link: https://patch.msgid.link/20250723102526.1305339-1-john.ernberg@actia.se
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/usbnet.c | 11 ++++++++---
include/linux/usb/usbnet.h | 1 +
2 files changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1127,6 +1127,9 @@ static void __handle_link_change(struct
* tx queue is stopped by netcore after link becomes off
*/
} else {
+ if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags))
+ netif_carrier_on(dev->net);
+
/* submitting URBs for reading packets */
tasklet_schedule(&dev->bh);
}
@@ -2013,10 +2016,12 @@ EXPORT_SYMBOL(usbnet_manage_power);
void usbnet_link_change(struct usbnet *dev, bool link, bool need_reset)
{
/* update link after link is reseted */
- if (link && !need_reset)
- netif_carrier_on(dev->net);
- else
+ if (link && !need_reset) {
+ set_bit(EVENT_LINK_CARRIER_ON, &dev->flags);
+ } else {
+ clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags);
netif_carrier_off(dev->net);
+ }
if (need_reset && link)
usbnet_defer_kevent(dev, EVENT_LINK_RESET);
--- a/include/linux/usb/usbnet.h
+++ b/include/linux/usb/usbnet.h
@@ -84,6 +84,7 @@ struct usbnet {
# define EVENT_LINK_CHANGE 11
# define EVENT_SET_RX_MODE 12
# define EVENT_NO_IP_ALIGN 13
+# define EVENT_LINK_CARRIER_ON 14
/* This one is special, as it indicates that the device is going away
* there are cyclic dependencies between tasklet, timer and bh
* that must be broken
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 253/644] net: usbnet: Fix the wrong netif_carrier_on() call
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 252/644] net: usbnet: Avoid potential RCU stall on LINK_CHANGE event Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 254/644] ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() Greg Kroah-Hartman
` (396 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armando Budianto, Simon Horman,
Linus Torvalds, Ammar Faizi
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ammar Faizi <ammarfaizi2@gnuweeb.org>
commit 8466d393700f9ccef68134d3349f4e0a087679b9 upstream.
The commit referenced in the Fixes tag causes usbnet to malfunction
(identified via git bisect). Post-commit, my external RJ45 LAN cable
fails to connect. Linus also reported the same issue after pulling that
commit.
The code has a logic error: netif_carrier_on() is only called when the
link is already on. Fix this by moving the netif_carrier_on() call
outside the if-statement entirely. This ensures it is always called
when EVENT_LINK_CARRIER_ON is set and properly clears it regardless
of the link state.
Cc: stable@vger.kernel.org
Cc: Armando Budianto <sprite@gnuweeb.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/all/CAHk-=wjqL4uF0MG_c8+xHX1Vv8==sPYQrtzbdA3kzi96284nuQ@mail.gmail.com
Closes: https://lore.kernel.org/netdev/CAHk-=wjKh8X4PT_mU1kD4GQrbjivMfPn-_hXa6han_BTDcXddw@mail.gmail.com
Closes: https://lore.kernel.org/netdev/0752dee6-43d6-4e1f-81d2-4248142cccd2@gnuweeb.org
Fixes: 0d9cfc9b8cb1 ("net: usbnet: Avoid potential RCU stall on LINK_CHANGE event")
Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/usbnet.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1118,6 +1118,9 @@ static void __handle_link_change(struct
if (!test_bit(EVENT_DEV_OPEN, &dev->flags))
return;
+ if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags))
+ netif_carrier_on(dev->net);
+
if (!netif_carrier_ok(dev->net)) {
/* kill URBs for reading packets to save bus bandwidth */
unlink_urbs(dev, &dev->rxq);
@@ -1127,9 +1130,6 @@ static void __handle_link_change(struct
* tx queue is stopped by netcore after link becomes off
*/
} else {
- if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags))
- netif_carrier_on(dev->net);
-
/* submitting URBs for reading packets */
tasklet_schedule(&dev->bh);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 254/644] ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 253/644] net: usbnet: Fix the wrong netif_carrier_on() call Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 255/644] MIPS: mm: tlb-r4k: Uniquify TLB entries on init Greg Kroah-Hartman
` (395 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 8cbe564974248ee980562be02f2b1912769562c7 upstream.
In __hdmi_lpe_audio_probe(), strscpy() is incorrectly called with the
length of the source string (excluding the NUL terminator) rather than
the size of the destination buffer. This results in one character less
being copied from 'card->shortname' to 'pcm->name'.
Use the destination buffer size instead to ensure the card name is
copied correctly.
Cc: stable@vger.kernel.org
Fixes: 75b1a8f9d62e ("ALSA: Convert strlcpy to strscpy when return value is unused")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20250805234156.60294-1-thorsten.blum@linux.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/x86/intel_hdmi_audio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/x86/intel_hdmi_audio.c
+++ b/sound/x86/intel_hdmi_audio.c
@@ -1769,7 +1769,7 @@ static int __hdmi_lpe_audio_probe(struct
/* setup private data which can be retrieved when required */
pcm->private_data = ctx;
pcm->info_flags = 0;
- strscpy(pcm->name, card->shortname, strlen(card->shortname));
+ strscpy(pcm->name, card->shortname, sizeof(pcm->name));
/* setup the ops for playback */
snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &had_pcm_ops);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 255/644] MIPS: mm: tlb-r4k: Uniquify TLB entries on init
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 254/644] ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 256/644] mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery Greg Kroah-Hartman
` (394 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jiaxun Yang,
Thomas Bogendoerfer
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiaxun Yang <jiaxun.yang@flygoat.com>
commit 35ad7e181541aa5757f9f316768d3e64403ec843 upstream.
Hardware or bootloader will initialize TLB entries to any value, which
may collide with kernel's UNIQUE_ENTRYHI value. On MIPS microAptiv/M5150
family of cores this will trigger machine check exception and cause boot
failure. On M5150 simulation this could happen 7 times out of 1000 boots.
Replace local_flush_tlb_all() with r4k_tlb_uniquify() which probes each
TLB ENTRIHI unique value for collisions before it's written, and in case
of collision try a different ASID.
Cc: stable@kernel.org
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/mm/tlb-r4k.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 55 insertions(+), 1 deletion(-)
--- a/arch/mips/mm/tlb-r4k.c
+++ b/arch/mips/mm/tlb-r4k.c
@@ -498,6 +498,60 @@ static int __init set_ntlb(char *str)
__setup("ntlb=", set_ntlb);
+/* Initialise all TLB entries with unique values */
+static void r4k_tlb_uniquify(void)
+{
+ int entry = num_wired_entries();
+
+ htw_stop();
+ write_c0_entrylo0(0);
+ write_c0_entrylo1(0);
+
+ while (entry < current_cpu_data.tlbsize) {
+ unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data);
+ unsigned long asid = 0;
+ int idx;
+
+ /* Skip wired MMID to make ginvt_mmid work */
+ if (cpu_has_mmid)
+ asid = MMID_KERNEL_WIRED + 1;
+
+ /* Check for match before using UNIQUE_ENTRYHI */
+ do {
+ if (cpu_has_mmid) {
+ write_c0_memorymapid(asid);
+ write_c0_entryhi(UNIQUE_ENTRYHI(entry));
+ } else {
+ write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid);
+ }
+ mtc0_tlbw_hazard();
+ tlb_probe();
+ tlb_probe_hazard();
+ idx = read_c0_index();
+ /* No match or match is on current entry */
+ if (idx < 0 || idx == entry)
+ break;
+ /*
+ * If we hit a match, we need to try again with
+ * a different ASID.
+ */
+ asid++;
+ } while (asid < asid_mask);
+
+ if (idx >= 0 && idx != entry)
+ panic("Unable to uniquify TLB entry %d", idx);
+
+ write_c0_index(entry);
+ mtc0_tlbw_hazard();
+ tlb_write_indexed();
+ entry++;
+ }
+
+ tlbw_use_hazard();
+ htw_start();
+ flush_micro_tlb();
+}
+
/*
* Configure TLB (for init or after a CPU has been powered off).
*/
@@ -537,7 +591,7 @@ static void r4k_tlb_configure(void)
temp_tlb_entry = current_cpu_data.tlbsize - 1;
/* From this point on the ARC firmware is dead. */
- local_flush_tlb_all();
+ r4k_tlb_uniquify();
/* Did I tell you that ARC SUCKS? */
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 256/644] mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 255/644] MIPS: mm: tlb-r4k: Uniquify TLB entries on init Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 257/644] usb: gadget : fix use-after-free in composite_dev_cleanup() Greg Kroah-Hartman
` (393 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Leon Romanovsky,
Alistair Popple, Bill Wendling, Jerome Glisse, Justin Stitt,
Nathan Chancellor, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit 188cb385bbf04d486df3e52f28c47b3961f5f0c0 upstream.
When pmd_to_hmm_pfn_flags() is unused, it prevents kernel builds with
clang, `make W=1` and CONFIG_TRANSPARENT_HUGEPAGE=n:
mm/hmm.c:186:29: warning: unused function 'pmd_to_hmm_pfn_flags' [-Wunused-function]
Fix this by moving the function to the respective existing ifdeffery
for its the only user.
See also:
6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build")
Link: https://lkml.kernel.org/r/20250710082403.664093-1-andriy.shevchenko@linux.intel.com
Fixes: 992de9a8b751 ("mm/hmm: allow to mirror vma of a file on a DAX backed filesystem")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Alistair Popple <apopple@nvidia.com>
Cc: Andriy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Bill Wendling <morbo@google.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Justin Stitt <justinstitt@google.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/hmm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/hmm.c
+++ b/mm/hmm.c
@@ -173,6 +173,7 @@ static inline unsigned long hmm_pfn_flag
return order << HMM_PFN_ORDER_SHIFT;
}
+#ifdef CONFIG_TRANSPARENT_HUGEPAGE
static inline unsigned long pmd_to_hmm_pfn_flags(struct hmm_range *range,
pmd_t pmd)
{
@@ -183,7 +184,6 @@ static inline unsigned long pmd_to_hmm_p
hmm_pfn_flags_order(PMD_SHIFT - PAGE_SHIFT);
}
-#ifdef CONFIG_TRANSPARENT_HUGEPAGE
static int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr,
unsigned long end, unsigned long hmm_pfns[],
pmd_t pmd)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 257/644] usb: gadget : fix use-after-free in composite_dev_cleanup()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 256/644] mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 258/644] io_uring: dont use int for ABI Greg Kroah-Hartman
` (392 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Tao Xue
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tao Xue <xuetao09@huawei.com>
commit 151c0aa896c47a4459e07fee7d4843f44c1bb18e upstream.
1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
set to NULL. Then it will return a failure to the upper-level function.
2. in func configfs_composite_bind() -> composite_dev_cleanup():
it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it
will attempt to use it.This will lead to a use-after-free issue.
BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
Read of size 8 at addr 0000004827837a00 by task init/1
CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1
kasan_report+0x188/0x1cc
__asan_load8+0xb4/0xbc
composite_dev_cleanup+0xf4/0x2c0
configfs_composite_bind+0x210/0x7ac
udc_bind_to_driver+0xb4/0x1ec
usb_gadget_probe_driver+0xec/0x21c
gadget_dev_desc_UDC_store+0x264/0x27c
Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support")
Cc: stable <stable@kernel.org>
Signed-off-by: Tao Xue <xuetao09@huawei.com>
Link: https://lore.kernel.org/r/20250721093908.14967-1-xuetao09@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/composite.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2351,6 +2351,11 @@ int composite_os_desc_req_prepare(struct
if (!cdev->os_desc_req->buf) {
ret = -ENOMEM;
usb_ep_free_request(ep0, cdev->os_desc_req);
+ /*
+ * Set os_desc_req to NULL so that composite_dev_cleanup()
+ * will not try to free it again.
+ */
+ cdev->os_desc_req = NULL;
goto end;
}
cdev->os_desc_req->context = cdev;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 258/644] io_uring: dont use int for ABI
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 257/644] usb: gadget : fix use-after-free in composite_dev_cleanup() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 259/644] ALSA: usb-audio: Validate UAC3 power domain descriptors, too Greg Kroah-Hartman
` (391 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Begunkov <asml.silence@gmail.com>
commit cf73d9970ea4f8cace5d8f02d2565a2723003112 upstream.
__kernel_rwf_t is defined as int, the actual size of which is
implementation defined. It won't go well if some compiler / archs
ever defines it as i64, so replace it with __u32, hoping that
there is no one using i16 for it.
Cc: stable@vger.kernel.org
Fixes: 2b188cc1bb857 ("Add io_uring IO interface")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/47c666c4ee1df2018863af3a2028af18feef11ed.1751412511.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/io_uring.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/uapi/linux/io_uring.h
+++ b/include/uapi/linux/io_uring.h
@@ -29,7 +29,7 @@ struct io_uring_sqe {
};
__u32 len; /* buffer size or number of iovecs */
union {
- __kernel_rwf_t rw_flags;
+ __u32 rw_flags;
__u32 fsync_flags;
__u16 poll_events; /* compatibility */
__u32 poll32_events; /* word-reversed for BE */
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 259/644] ALSA: usb-audio: Validate UAC3 power domain descriptors, too
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 258/644] io_uring: dont use int for ABI Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 260/644] ALSA: usb-audio: Validate UAC3 cluster segment descriptors Greg Kroah-Hartman
` (390 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Youngjun Lee
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f upstream.
UAC3 power domain descriptors need to be verified with its variable
bLength for avoiding the unexpected OOB accesses by malicious
firmware, too.
Fixes: 9a2fe9b801f5 ("ALSA: usb: initial USB Audio Device Class 3.0 support")
Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/validate.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/sound/usb/validate.c
+++ b/sound/usb/validate.c
@@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(c
return d->bLength >= sizeof(*d) + 4 + 2;
}
+static bool validate_uac3_power_domain_unit(const void *p,
+ const struct usb_desc_validator *v)
+{
+ const struct uac3_power_domain_descriptor *d = p;
+
+ if (d->bLength < sizeof(*d))
+ return false;
+ /* baEntities[] + wPDomainDescrStr */
+ return d->bLength >= sizeof(*d) + d->bNrEntities + 2;
+}
+
static bool validate_midi_out_jack(const void *p,
const struct usb_desc_validator *v)
{
@@ -285,6 +296,7 @@ static const struct usb_desc_validator a
struct uac3_clock_multiplier_descriptor),
/* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */
/* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */
+ FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),
{ } /* terminator */
};
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 260/644] ALSA: usb-audio: Validate UAC3 cluster segment descriptors
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 259/644] ALSA: usb-audio: Validate UAC3 power domain descriptors, too Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 261/644] gpio: virtio: Fix config space reading Greg Kroah-Hartman
` (389 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Youngjun Lee
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit ecfd41166b72b67d3bdeb88d224ff445f6163869 upstream.
UAC3 class segment descriptors need to be verified whether their sizes
match with the declared lengths and whether they fit with the
allocated buffer sizes, too. Otherwise malicious firmware may lead to
the unexpected OOB accesses.
Fixes: 11785ef53228 ("ALSA: usb-audio: Initial Power Domain support")
Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/stream.c | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -341,20 +341,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
len = le16_to_cpu(cluster->wLength);
c = 0;
- p += sizeof(struct uac3_cluster_header_descriptor);
+ p += sizeof(*cluster);
+ len -= sizeof(*cluster);
- while (((p - (void *)cluster) < len) && (c < channels)) {
+ while (len > 0 && (c < channels)) {
struct uac3_cluster_segment_descriptor *cs_desc = p;
u16 cs_len;
u8 cs_type;
+ if (len < sizeof(*p))
+ break;
cs_len = le16_to_cpu(cs_desc->wLength);
+ if (len < cs_len)
+ break;
cs_type = cs_desc->bSegmentType;
if (cs_type == UAC3_CHANNEL_INFORMATION) {
struct uac3_cluster_information_segment_descriptor *is = p;
unsigned char map;
+ if (cs_len < sizeof(*is))
+ break;
+
/*
* TODO: this conversion is not complete, update it
* after adding UAC3 values to asound.h
@@ -456,6 +464,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(str
chmap->map[c++] = map;
}
p += cs_len;
+ len -= cs_len;
}
if (channels < c)
@@ -876,7 +885,7 @@ snd_usb_get_audioformat_uac3(struct snd_
u64 badd_formats = 0;
unsigned int num_channels;
struct audioformat *fp;
- u16 cluster_id, wLength;
+ u16 cluster_id, wLength, cluster_wLength;
int clock = 0;
int err;
@@ -1003,6 +1012,16 @@ snd_usb_get_audioformat_uac3(struct snd_
iface_no, altno);
kfree(cluster);
return ERR_PTR(-EIO);
+ }
+
+ cluster_wLength = le16_to_cpu(cluster->wLength);
+ if (cluster_wLength < sizeof(*cluster) ||
+ cluster_wLength > wLength) {
+ dev_err(&dev->dev,
+ "%u:%d : invalid Cluster Descriptor size\n",
+ iface_no, altno);
+ kfree(cluster);
+ return ERR_PTR(-EIO);
}
num_channels = cluster->bNrChannels;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 261/644] gpio: virtio: Fix config space reading.
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 260/644] ALSA: usb-audio: Validate UAC3 cluster segment descriptors Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 262/644] netlink: avoid infinite retry looping in netlink_unicast() Greg Kroah-Hartman
` (388 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harald Mommer, Viresh Kumar,
Bartosz Golaszewski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harald Mommer <harald.mommer@oss.qualcomm.com>
commit 4740e1e2f320061c2f0dbadc0dd3dfb58df986d5 upstream.
Quote from the virtio specification chapter 4.2.2.2:
"For the device-specific configuration space, the driver MUST use 8 bit
wide accesses for 8 bit wide fields, 16 bit wide and aligned accesses
for 16 bit wide fields and 32 bit wide and aligned accesses for 32 and
64 bit wide fields."
Signed-off-by: Harald Mommer <harald.mommer@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Fixes: 3a29355a22c0 ("gpio: Add virtio-gpio driver")
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://lore.kernel.org/r/20250724143718.5442-2-harald.mommer@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-virtio.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/gpio/gpio-virtio.c
+++ b/drivers/gpio/gpio-virtio.c
@@ -275,7 +275,6 @@ static const char **virtio_gpio_get_name
static int virtio_gpio_probe(struct virtio_device *vdev)
{
- struct virtio_gpio_config config;
struct device *dev = &vdev->dev;
struct virtio_gpio *vgpio;
u32 gpio_names_size;
@@ -287,9 +286,11 @@ static int virtio_gpio_probe(struct virt
return -ENOMEM;
/* Read configuration */
- virtio_cread_bytes(vdev, 0, &config, sizeof(config));
- gpio_names_size = le32_to_cpu(config.gpio_names_size);
- ngpio = le16_to_cpu(config.ngpio);
+ gpio_names_size =
+ virtio_cread32(vdev, offsetof(struct virtio_gpio_config,
+ gpio_names_size));
+ ngpio = virtio_cread16(vdev, offsetof(struct virtio_gpio_config,
+ ngpio));
if (!ngpio) {
dev_err(dev, "Number of GPIOs can't be zero\n");
return -EINVAL;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 262/644] netlink: avoid infinite retry looping in netlink_unicast()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 261/644] gpio: virtio: Fix config space reading Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 263/644] net: gianfar: fix device leak when querying time stamp info Greg Kroah-Hartman
` (387 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Kuniyuki Iwashima,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit 759dfc7d04bab1b0b86113f1164dc1fec192b859 upstream.
netlink_attachskb() checks for the socket's read memory allocation
constraints. Firstly, it has:
rmem < READ_ONCE(sk->sk_rcvbuf)
to check if the just increased rmem value fits into the socket's receive
buffer. If not, it proceeds and tries to wait for the memory under:
rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)
The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is
equal to sk->sk_rcvbuf. Thus the function neither successfully accepts
these conditions, nor manages to reschedule the task - and is called in
retry loop for indefinite time which is caught as:
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212
(t=26000 jiffies g=230833 q=259957)
NMI backtrace for cpu 0
CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014
Call Trace:
<IRQ>
dump_stack lib/dump_stack.c:120
nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105
nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62
rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335
rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590
update_process_times kernel/time/timer.c:1953
tick_sched_handle kernel/time/tick-sched.c:227
tick_sched_timer kernel/time/tick-sched.c:1399
__hrtimer_run_queues kernel/time/hrtimer.c:1652
hrtimer_interrupt kernel/time/hrtimer.c:1717
__sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113
asm_call_irq_on_stack arch/x86/entry/entry_64.S:808
</IRQ>
netlink_attachskb net/netlink/af_netlink.c:1234
netlink_unicast net/netlink/af_netlink.c:1349
kauditd_send_queue kernel/audit.c:776
kauditd_thread kernel/audit.c:897
kthread kernel/kthread.c:328
ret_from_fork arch/x86/entry/entry_64.S:304
Restore the original behavior of the check which commit in Fixes
accidentally missed when restructuring the code.
Found by Linux Verification Center (linuxtesting.org).
Fixes: ae8f160e7eb2 ("netlink: Fix wraparounds of sk->sk_rmem_alloc.")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250728080727.255138-1-pchelkin@ispras.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netlink/af_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1217,7 +1217,7 @@ int netlink_attachskb(struct sock *sk, s
nlk = nlk_sk(sk);
rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
- if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) &&
+ if ((rmem == skb->truesize || rmem <= READ_ONCE(sk->sk_rcvbuf)) &&
!test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
netlink_skb_set_owner_r(skb, sk);
return 0;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 263/644] net: gianfar: fix device leak when querying time stamp info
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 262/644] netlink: avoid infinite retry looping in netlink_unicast() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 264/644] net: dpaa: " Greg Kroah-Hartman
` (386 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yangbo Lu, Johan Hovold,
Simon Horman, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit da717540acd34e5056e3fa35791d50f6b3303f55 upstream.
Make sure to drop the reference to the ptp device taken by
of_find_device_by_node() when querying the time stamping capabilities.
Note that holding a reference to the ptp device does not prevent its
driver data from going away.
Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata")
Cc: stable@vger.kernel.org # 4.18
Cc: Yangbo Lu <yangbo.lu@nxp.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250725171213.880-4-johan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/freescale/gianfar_ethtool.c
+++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c
@@ -1461,8 +1461,10 @@ static int gfar_get_ts_info(struct net_d
if (ptp_node) {
ptp_dev = of_find_device_by_node(ptp_node);
of_node_put(ptp_node);
- if (ptp_dev)
+ if (ptp_dev) {
ptp = platform_get_drvdata(ptp_dev);
+ put_device(&ptp_dev->dev);
+ }
}
if (ptp)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 264/644] net: dpaa: fix device leak when querying time stamp info
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 263/644] net: gianfar: fix device leak when querying time stamp info Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 265/644] net: usb: asix_devices: add phy_mask for ax88772 mdio bus Greg Kroah-Hartman
` (385 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yangbo Lu, Johan Hovold,
Simon Horman, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 3fa840230f534385b34a4f39c8dd313fbe723f05 upstream.
Make sure to drop the reference to the ptp device taken by
of_find_device_by_node() when querying the time stamping capabilities.
Note that holding a reference to the ptp device does not prevent its
driver data from going away.
Fixes: 17ae0b0ee9db ("dpaa_eth: add the get_ts_info interface for ethtool")
Cc: stable@vger.kernel.org # 4.19
Cc: Yangbo Lu <yangbo.lu@nxp.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250725171213.880-2-johan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
@@ -499,8 +499,10 @@ static int dpaa_get_ts_info(struct net_d
of_node_put(ptp_node);
}
- if (ptp_dev)
+ if (ptp_dev) {
ptp = platform_get_drvdata(ptp_dev);
+ put_device(&ptp_dev->dev);
+ }
if (ptp)
info->phc_index = ptp->phc_index;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 265/644] net: usb: asix_devices: add phy_mask for ax88772 mdio bus
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 264/644] net: dpaa: " Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 266/644] nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Greg Kroah-Hartman
` (384 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Yang, Oleksij Rempel, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 4faff70959d51078f9ee8372f8cff0d7045e4114 upstream.
Without setting phy_mask for ax88772 mdio bus, current driver may create
at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f.
DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy
device will bind to net phy driver. This is creating issue during system
suspend/resume since phy_polling_mode() in phy_state_machine() will
directly deference member of phydev->drv for non-main phy devices. Then
NULL pointer dereference issue will occur. Due to only external phy or
internal phy is necessary, add phy_mask for ax88772 mdio bus to workarnoud
the issue.
Closes: https://lore.kernel.org/netdev/20250806082931.3289134-1-xu.yang_2@nxp.com
Fixes: e532a096be0e ("net: usb: asix: ax88772: add phylib support")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/20250811092931.860333-1-xu.yang_2@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/asix_devices.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -669,6 +669,7 @@ static int ax88772_init_mdio(struct usbn
priv->mdio->read = &asix_mdio_bus_read;
priv->mdio->write = &asix_mdio_bus_write;
priv->mdio->name = "Asix MDIO Bus";
+ priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR));
/* mii bus name is usb-<usb bus number>-<usb device number> */
snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
dev->udev->bus->busnum, dev->udev->devnum);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 266/644] nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 265/644] net: usb: asix_devices: add phy_mask for ax88772 mdio bus Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 267/644] NFSD: detect mismatch of file handle and delegation stateid in OPEN op Greg Kroah-Hartman
` (383 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, lei lu, Jeff Layton, Chuck Lever
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 908e4ead7f757504d8b345452730636e298cbf68 upstream.
Lei Lu recently reported that nfsd4_setclientid_confirm() did not check
the return value from get_client_locked(). a SETCLIENTID_CONFIRM could
race with a confirmed client expiring and fail to get a reference. That
could later lead to a UAF.
Fix this by getting a reference early in the case where there is an
extant confirmed client. If that fails then treat it as if there were no
confirmed client found at all.
In the case where the unconfirmed client is expiring, just fail and
return the result from get_client_locked().
Reported-by: lei lu <llfamsec@gmail.com>
Closes: https://lore.kernel.org/linux-nfs/CAEBF3_b=UvqzNKdnfD_52L05Mqrqui9vZ2eFamgAbV0WG+FNWQ@mail.gmail.com/
Fixes: d20c11d86d8f ("nfsd: Protect session creation and client confirm using client_lock")
Cc: stable@vger.kernel.org
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -4285,10 +4285,16 @@ nfsd4_setclientid_confirm(struct svc_rqs
}
status = nfs_ok;
if (conf) {
- old = unconf;
- unhash_client_locked(old);
- nfsd4_change_callback(conf, &unconf->cl_cb_conn);
- } else {
+ if (get_client_locked(conf) == nfs_ok) {
+ old = unconf;
+ unhash_client_locked(old);
+ nfsd4_change_callback(conf, &unconf->cl_cb_conn);
+ } else {
+ conf = NULL;
+ }
+ }
+
+ if (!conf) {
old = find_confirmed_client_by_name(&unconf->cl_name, nn);
if (old) {
status = nfserr_clid_inuse;
@@ -4305,10 +4311,14 @@ nfsd4_setclientid_confirm(struct svc_rqs
}
trace_nfsd_clid_replaced(&old->cl_clientid);
}
+ status = get_client_locked(unconf);
+ if (status != nfs_ok) {
+ old = NULL;
+ goto out;
+ }
move_to_confirmed(unconf);
conf = unconf;
}
- get_client_locked(conf);
spin_unlock(&nn->client_lock);
if (conf == unconf)
fsnotify_dentry(conf->cl_nfsd_info_dentry, FS_MODIFY);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 267/644] NFSD: detect mismatch of file handle and delegation stateid in OPEN op
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 266/644] nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 268/644] sunvdc: Balance device refcount in vdc_port_mpgroup_check Greg Kroah-Hartman
` (382 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petro Pavlov, Dai Ngo, Jeff Layton,
Chuck Lever
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dai Ngo <dai.ngo@oracle.com>
commit 9c65001c57164033ad08b654c8b5ae35512ddf4a upstream.
When the client sends an OPEN with claim type CLAIM_DELEG_CUR_FH or
CLAIM_DELEGATION_CUR, the delegation stateid and the file handle
must belong to the same file, otherwise return NFS4ERR_INVAL.
Note that RFC8881, section 8.2.4, mandates the server to return
NFS4ERR_BAD_STATEID if the selected table entry does not match the
current filehandle. However returning NFS4ERR_BAD_STATEID in the
OPEN causes the client to retry the operation and therefor get the
client into a loop. To avoid this situation we return NFS4ERR_INVAL
instead.
Reported-by: Petro Pavlov <petro.pavlov@vastdata.com>
Fixes: c44c5eeb2c02 ("[PATCH] nfsd4: add open state code for CLAIM_DELEGATE_CUR")
Cc: stable@vger.kernel.org
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -5736,6 +5736,20 @@ nfsd4_process_open2(struct svc_rqst *rqs
status = nfs4_check_deleg(cl, open, &dp);
if (status)
goto out;
+ if (dp && nfsd4_is_deleg_cur(open) &&
+ (dp->dl_stid.sc_file != fp)) {
+ /*
+ * RFC8881 section 8.2.4 mandates the server to return
+ * NFS4ERR_BAD_STATEID if the selected table entry does
+ * not match the current filehandle. However returning
+ * NFS4ERR_BAD_STATEID in the OPEN can cause the client
+ * to repeatedly retry the operation with the same
+ * stateid, since the stateid itself is valid. To avoid
+ * this situation NFSD returns NFS4ERR_INVAL instead.
+ */
+ status = nfserr_inval;
+ goto out;
+ }
stp = nfsd4_find_and_lock_existing_open(fp, open);
} else {
open->op_file = NULL;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 268/644] sunvdc: Balance device refcount in vdc_port_mpgroup_check
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 267/644] NFSD: detect mismatch of file handle and delegation stateid in OPEN op Greg Kroah-Hartman
@ 2025-08-26 11:05 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 269/644] fs: Prevent file descriptor table allocations exceeding INT_MAX Greg Kroah-Hartman
` (381 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Jens Axboe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 63ce53724637e2e7ba51fe3a4f78351715049905 upstream.
Using device_find_child() to locate a probed virtual-device-port node
causes a device refcount imbalance, as device_find_child() internally
calls get_device() to increment the device’s reference count before
returning its pointer. vdc_port_mpgroup_check() directly returns true
upon finding a matching device without releasing the reference via
put_device(). We should call put_device() to decrement refcount.
As comment of device_find_child() says, 'NOTE: you will need to drop
the reference with put_device() after use'.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 3ee70591d6c4 ("sunvdc: prevent sunvdc panic when mpgroup disk added to guest domain")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://lore.kernel.org/r/20250719075856.3447953-1-make24@iscas.ac.cn
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/sunvdc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/block/sunvdc.c
+++ b/drivers/block/sunvdc.c
@@ -948,8 +948,10 @@ static bool vdc_port_mpgroup_check(struc
dev = device_find_child(vdev->dev.parent, &port_data,
vdc_device_probed);
- if (dev)
+ if (dev) {
+ put_device(dev);
return true;
+ }
return false;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 269/644] fs: Prevent file descriptor table allocations exceeding INT_MAX
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2025-08-26 11:05 ` [PATCH 5.15 268/644] sunvdc: Balance device refcount in vdc_port_mpgroup_check Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 270/644] eventpoll: Fix semi-unbounded recursion Greg Kroah-Hartman
` (380 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sasha Levin, Christian Brauner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sasha Levin <sashal@kernel.org>
commit 04a2c4b4511d186b0fce685da21085a5d4acd370 upstream.
When sysctl_nr_open is set to a very high value (for example, 1073741816
as set by systemd), processes attempting to use file descriptors near
the limit can trigger massive memory allocation attempts that exceed
INT_MAX, resulting in a WARNING in mm/slub.c:
WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288
This happens because kvmalloc_array() and kvmalloc() check if the
requested size exceeds INT_MAX and emit a warning when the allocation is
not flagged with __GFP_NOWARN.
Specifically, when nr_open is set to 1073741816 (0x3ffffff8) and a
process calls dup2(oldfd, 1073741880), the kernel attempts to allocate:
- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes
- Multiple bitmaps: ~400MB
- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)
Reproducer:
1. Set /proc/sys/fs/nr_open to 1073741816:
# echo 1073741816 > /proc/sys/fs/nr_open
2. Run a program that uses a high file descriptor:
#include <unistd.h>
#include <sys/resource.h>
int main() {
struct rlimit rlim = {1073741824, 1073741824};
setrlimit(RLIMIT_NOFILE, &rlim);
dup2(2, 1073741880); // Triggers the warning
return 0;
}
3. Observe WARNING in dmesg at mm/slub.c:5027
systemd commit a8b627a introduced automatic bumping of fs.nr_open to the
maximum possible value. The rationale was that systems with memory
control groups (memcg) no longer need separate file descriptor limits
since memory is properly accounted. However, this change overlooked
that:
1. The kernel's allocation functions still enforce INT_MAX as a maximum
size regardless of memcg accounting
2. Programs and tests that legitimately test file descriptor limits can
inadvertently trigger massive allocations
3. The resulting allocations (>8GB) are impractical and will always fail
systemd's algorithm starts with INT_MAX and keeps halving the value
until the kernel accepts it. On most systems, this results in nr_open
being set to 1073741816 (0x3ffffff8), which is just under 1GB of file
descriptors.
While processes rarely use file descriptors near this limit in normal
operation, certain selftests (like
tools/testing/selftests/core/unshare_test.c) and programs that test file
descriptor limits can trigger this issue.
Fix this by adding a check in alloc_fdtable() to ensure the requested
allocation size does not exceed INT_MAX. This causes the operation to
fail with -EMFILE instead of triggering a kernel warning and avoids the
impractical >8GB memory allocation request.
Fixes: 9cfe015aa424 ("get rid of NR_OPEN and introduce a sysctl_nr_open")
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Link: https://lore.kernel.org/20250629074021.1038845-1-sashal@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/file.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/fs/file.c
+++ b/fs/file.c
@@ -126,6 +126,21 @@ static struct fdtable * alloc_fdtable(un
if (unlikely(nr > sysctl_nr_open))
nr = ((sysctl_nr_open - 1) | (BITS_PER_LONG - 1)) + 1;
+ /*
+ * Check if the allocation size would exceed INT_MAX. kvmalloc_array()
+ * and kvmalloc() will warn if the allocation size is greater than
+ * INT_MAX, as filp_cachep objects are not __GFP_NOWARN.
+ *
+ * This can happen when sysctl_nr_open is set to a very high value and
+ * a process tries to use a file descriptor near that limit. For example,
+ * if sysctl_nr_open is set to 1073741816 (0x3ffffff8) - which is what
+ * systemd typically sets it to - then trying to use a file descriptor
+ * close to that value will require allocating a file descriptor table
+ * that exceeds 8GB in size.
+ */
+ if (unlikely(nr > INT_MAX / sizeof(struct file *)))
+ return ERR_PTR(-EMFILE);
+
fdt = kmalloc(sizeof(struct fdtable), GFP_KERNEL_ACCOUNT);
if (!fdt)
goto out;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 270/644] eventpoll: Fix semi-unbounded recursion
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 269/644] fs: Prevent file descriptor table allocations exceeding INT_MAX Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 271/644] Documentation: ACPI: Fix parent device references Greg Kroah-Hartman
` (379 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jann Horn, Christian Brauner
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jann Horn <jannh@google.com>
commit f2e467a48287c868818085aa35389a224d226732 upstream.
Ensure that epoll instances can never form a graph deeper than
EP_MAX_NESTS+1 links.
Currently, ep_loop_check_proc() ensures that the graph is loop-free and
does some recursion depth checks, but those recursion depth checks don't
limit the depth of the resulting tree for two reasons:
- They don't look upwards in the tree.
- If there are multiple downwards paths of different lengths, only one of
the paths is actually considered for the depth check since commit
28d82dc1c4ed ("epoll: limit paths").
Essentially, the current recursion depth check in ep_loop_check_proc() just
serves to prevent it from recursing too deeply while checking for loops.
A more thorough check is done in reverse_path_check() after the new graph
edge has already been created; this checks, among other things, that no
paths going upwards from any non-epoll file with a length of more than 5
edges exist. However, this check does not apply to non-epoll files.
As a result, it is possible to recurse to a depth of at least roughly 500,
tested on v6.15. (I am unsure if deeper recursion is possible; and this may
have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion
problem").)
To fix it:
1. In ep_loop_check_proc(), note the subtree depth of each visited node,
and use subtree depths for the total depth calculation even when a subtree
has already been visited.
2. Add ep_get_upwards_depth_proc() for similarly determining the maximum
depth of an upwards walk.
3. In ep_loop_check(), use these values to limit the total path length
between epoll nodes to EP_MAX_NESTS edges.
Fixes: 22bacca48a17 ("epoll: prevent creating circular epoll structures")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/20250711-epoll-recursion-fix-v1-1-fb2457c33292@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/eventpoll.c | 60 +++++++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 46 insertions(+), 14 deletions(-)
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -216,6 +216,7 @@ struct eventpoll {
/* used to optimize loop detection check */
u64 gen;
struct hlist_head refs;
+ u8 loop_check_depth;
#ifdef CONFIG_NET_RX_BUSY_POLL
/* used to track busy poll napi_id */
@@ -1944,23 +1945,24 @@ static int ep_poll(struct eventpoll *ep,
}
/**
- * ep_loop_check_proc - verify that adding an epoll file inside another
- * epoll structure does not violate the constraints, in
- * terms of closed loops, or too deep chains (which can
- * result in excessive stack usage).
+ * ep_loop_check_proc - verify that adding an epoll file @ep inside another
+ * epoll file does not create closed loops, and
+ * determine the depth of the subtree starting at @ep
*
* @ep: the &struct eventpoll to be currently checked.
* @depth: Current depth of the path being checked.
*
- * Return: %zero if adding the epoll @file inside current epoll
- * structure @ep does not violate the constraints, or %-1 otherwise.
+ * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep.
*/
static int ep_loop_check_proc(struct eventpoll *ep, int depth)
{
- int error = 0;
+ int result = 0;
struct rb_node *rbp;
struct epitem *epi;
+ if (ep->gen == loop_check_gen)
+ return ep->loop_check_depth;
+
mutex_lock_nested(&ep->mtx, depth + 1);
ep->gen = loop_check_gen;
for (rbp = rb_first_cached(&ep->rbr); rbp; rbp = rb_next(rbp)) {
@@ -1968,13 +1970,11 @@ static int ep_loop_check_proc(struct eve
if (unlikely(is_file_epoll(epi->ffd.file))) {
struct eventpoll *ep_tovisit;
ep_tovisit = epi->ffd.file->private_data;
- if (ep_tovisit->gen == loop_check_gen)
- continue;
if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS)
- error = -1;
+ result = INT_MAX;
else
- error = ep_loop_check_proc(ep_tovisit, depth + 1);
- if (error != 0)
+ result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1);
+ if (result > EP_MAX_NESTS)
break;
} else {
/*
@@ -1988,9 +1988,27 @@ static int ep_loop_check_proc(struct eve
list_file(epi->ffd.file);
}
}
+ ep->loop_check_depth = result;
mutex_unlock(&ep->mtx);
- return error;
+ return result;
+}
+
+/**
+ * ep_get_upwards_depth_proc - determine depth of @ep when traversed upwards
+ */
+static int ep_get_upwards_depth_proc(struct eventpoll *ep, int depth)
+{
+ int result = 0;
+ struct epitem *epi;
+
+ if (ep->gen == loop_check_gen)
+ return ep->loop_check_depth;
+ hlist_for_each_entry_rcu(epi, &ep->refs, fllink)
+ result = max(result, ep_get_upwards_depth_proc(epi->ep, depth + 1) + 1);
+ ep->gen = loop_check_gen;
+ ep->loop_check_depth = result;
+ return result;
}
/**
@@ -2006,8 +2024,22 @@ static int ep_loop_check_proc(struct eve
*/
static int ep_loop_check(struct eventpoll *ep, struct eventpoll *to)
{
+ int depth, upwards_depth;
+
inserting_into = ep;
- return ep_loop_check_proc(to, 0);
+ /*
+ * Check how deep down we can get from @to, and whether it is possible
+ * to loop up to @ep.
+ */
+ depth = ep_loop_check_proc(to, 0);
+ if (depth > EP_MAX_NESTS)
+ return -1;
+ /* Check how far up we can go from @ep. */
+ rcu_read_lock();
+ upwards_depth = ep_get_upwards_depth_proc(ep, 0);
+ rcu_read_unlock();
+
+ return (depth+1+upwards_depth > EP_MAX_NESTS) ? -1 : 0;
}
static void clear_tfile_check_list(void)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 271/644] Documentation: ACPI: Fix parent device references
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 270/644] eventpoll: Fix semi-unbounded recursion Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 272/644] ACPI: processor: perflib: Fix initial _PPC limit application Greg Kroah-Hartman
` (378 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yevhen Kondrashyn, Andy Shevchenko,
Rafael J. Wysocki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit e65cb011349e653ded541dddd6469c2ca813edcf upstream.
The _CRS resources in many cases want to have ResourceSource field
to be a type of ACPI String. This means that to compile properly
we need to enclosure the name path into double quotes. This will
in practice defer the interpretation to a run-time stage, However,
this may be interpreted differently on different OSes and ACPI
interpreter implementations. In particular ACPICA might not correctly
recognize the leading '^' (caret) character and will not resolve
the relative name path properly. On top of that, this piece may be
used in SSDTs which are loaded after the DSDT and on itself may also
not resolve relative name paths outside of their own scopes.
With this all said, fix documentation to use fully-qualified name
paths always to avoid any misinterpretations, which is proven to
work.
Fixes: 8eb5c87a92c0 ("i2c: add ACPI support for I2C mux ports")
Reported-by: Yevhen Kondrashyn <e.kondrashyn@gmail.com>
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20250710170225.961303-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/firmware-guide/acpi/i2c-muxes.rst | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/Documentation/firmware-guide/acpi/i2c-muxes.rst
+++ b/Documentation/firmware-guide/acpi/i2c-muxes.rst
@@ -14,7 +14,7 @@ Consider this topology::
| | | 0x70 |--CH01--> i2c client B (0x50)
+------+ +------+
-which corresponds to the following ASL::
+which corresponds to the following ASL (in the scope of \_SB)::
Device (SMB1)
{
@@ -24,7 +24,7 @@ which corresponds to the following ASL::
Name (_HID, ...)
Name (_CRS, ResourceTemplate () {
I2cSerialBus (0x70, ControllerInitiated, I2C_SPEED,
- AddressingMode7Bit, "^SMB1", 0x00,
+ AddressingMode7Bit, "\\_SB.SMB1", 0x00,
ResourceConsumer,,)
}
@@ -37,7 +37,7 @@ which corresponds to the following ASL::
Name (_HID, ...)
Name (_CRS, ResourceTemplate () {
I2cSerialBus (0x50, ControllerInitiated, I2C_SPEED,
- AddressingMode7Bit, "^CH00", 0x00,
+ AddressingMode7Bit, "\\_SB.SMB1.CH00", 0x00,
ResourceConsumer,,)
}
}
@@ -52,7 +52,7 @@ which corresponds to the following ASL::
Name (_HID, ...)
Name (_CRS, ResourceTemplate () {
I2cSerialBus (0x50, ControllerInitiated, I2C_SPEED,
- AddressingMode7Bit, "^CH01", 0x00,
+ AddressingMode7Bit, "\\_SB.SMB1.CH01", 0x00,
ResourceConsumer,,)
}
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 272/644] ACPI: processor: perflib: Fix initial _PPC limit application
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 271/644] Documentation: ACPI: Fix parent device references Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 273/644] ACPI: processor: perflib: Move problematic pr->performance check Greg Kroah-Hartman
` (377 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiayi Li, Rafael J. Wysocki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayi Li <lijiayi@kylinos.cn>
commit d33bd88ac0ebb49e7f7c8f29a8c7ee9eae85d765 upstream.
If the BIOS sets a _PPC frequency limit upfront, it will fail to take
effect due to a call ordering issue. Namely, freq_qos_update_request()
is called before freq_qos_add_request() for the given request causing
the constraint update to be ignored. The call sequence in question is
as follows:
cpufreq_policy_online()
acpi_cpufreq_cpu_init()
acpi_processor_register_performance()
acpi_processor_get_performance_info()
acpi_processor_get_platform_limit()
freq_qos_update_request(&perflib_req) <- inactive QoS request
blocking_notifier_call_chain(&cpufreq_policy_notifier_list,
CPUFREQ_CREATE_POLICY)
acpi_processor_notifier()
acpi_processor_ppc_init()
freq_qos_add_request(&perflib_req) <- QoS request activation
Address this by adding an acpi_processor_get_platform_limit() call
to acpi_processor_ppc_init(), after the perflib_req activation via
freq_qos_add_request(), which causes the initial _PPC limit to be
picked up as appropriate. However, also ensure that the _PPC limit
will not be picked up in the cases when the cpufreq driver does not
call acpi_processor_register_performance() by adding a pr->performance
check to the related_cpus loop in acpi_processor_ppc_init().
Fixes: d15ce412737a ("ACPI: cpufreq: Switch to QoS requests instead of cpufreq notifier")
Signed-off-by: Jiayi Li <lijiayi@kylinos.cn>
Link: https://patch.msgid.link/20250721032606.3459369-1-lijiayi@kylinos.cn
[ rjw: Consolidate pr-related checks in acpi_processor_ppc_init() ]
[ rjw: Subject and changelog adjustments ]
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+: 2d8b39a62a5d ACPI: processor: Avoid NULL pointer dereferences at init time
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+: 3000ce3c52f8 cpufreq: Use per-policy frequency QoS
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+: a1bb46c36ce3 ACPI: processor: Add QoS requests for all CPUs
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/processor_perflib.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/acpi/processor_perflib.c
+++ b/drivers/acpi/processor_perflib.c
@@ -173,11 +173,14 @@ void acpi_processor_ppc_init(struct cpuf
{
unsigned int cpu;
+ if (ignore_ppc == 1)
+ return;
+
for_each_cpu(cpu, policy->related_cpus) {
struct acpi_processor *pr = per_cpu(processors, cpu);
int ret;
- if (!pr)
+ if (!pr || !pr->performance)
continue;
/*
@@ -193,6 +196,11 @@ void acpi_processor_ppc_init(struct cpuf
if (ret < 0)
pr_err("Failed to add freq constraint for CPU%d (%d)\n",
cpu, ret);
+
+ ret = acpi_processor_get_platform_limit(pr);
+ if (ret)
+ pr_err("Failed to update freq constraint for CPU%d (%d)\n",
+ cpu, ret);
}
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 273/644] ACPI: processor: perflib: Move problematic pr->performance check
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 272/644] ACPI: processor: perflib: Fix initial _PPC limit application Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 274/644] udp: also consider secpath when evaluating ipsec use for checksumming Greg Kroah-Hartman
` (376 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit d405ec23df13e6df599f5bd965a55d13420366b8 upstream.
Commit d33bd88ac0eb ("ACPI: processor: perflib: Fix initial _PPC limit
application") added a pr->performance check that prevents the frequency
QoS request from being added when the given processor has no performance
object. Unfortunately, this causes a WARN() in freq_qos_remove_request()
to trigger on an attempt to take the given CPU offline later because the
frequency QoS object has not been added for it due to the missing
performance object.
Address this by moving the pr->performance check before calling
acpi_processor_get_platform_limit() so it only prevents a limit from
being set for the CPU if the performance object is not present. This
way, the frequency QoS request is added as it was before the above
commit and it is present all the time along with the CPU's cpufreq
policy regardless of whether or not the CPU is online.
Fixes: d33bd88ac0eb ("ACPI: processor: perflib: Fix initial _PPC limit application")
Tested-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://patch.msgid.link/2801421.mvXUDI8C0e@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/processor_perflib.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/acpi/processor_perflib.c
+++ b/drivers/acpi/processor_perflib.c
@@ -180,7 +180,7 @@ void acpi_processor_ppc_init(struct cpuf
struct acpi_processor *pr = per_cpu(processors, cpu);
int ret;
- if (!pr || !pr->performance)
+ if (!pr)
continue;
/*
@@ -197,6 +197,9 @@ void acpi_processor_ppc_init(struct cpuf
pr_err("Failed to add freq constraint for CPU%d (%d)\n",
cpu, ret);
+ if (!pr->performance)
+ continue;
+
ret = acpi_processor_get_platform_limit(pr);
if (ret)
pr_err("Failed to update freq constraint for CPU%d (%d)\n",
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 274/644] udp: also consider secpath when evaluating ipsec use for checksumming
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 273/644] ACPI: processor: perflib: Move problematic pr->performance check Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 275/644] netfilter: ctnetlink: fix refcount leak on table dump Greg Kroah-Hartman
` (375 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Steffen Klassert,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 1118aaa3b35157777890fffab91d8c1da841b20b ]
Commit b40c5f4fde22 ("udp: disable inner UDP checksum offloads in
IPsec case") tried to fix checksumming in UFO when the packets are
going through IPsec, so that we can't rely on offloads because the UDP
header and payload will be encrypted.
But when doing a TCP test over VXLAN going through IPsec transport
mode with GSO enabled (esp4_offload module loaded), I'm seeing broken
UDP checksums on the encap after successful decryption.
The skbs get to udp4_ufo_fragment/__skb_udp_tunnel_segment via
__dev_queue_xmit -> validate_xmit_skb -> skb_gso_segment and at this
point we've already dropped the dst (unless the device sets
IFF_XMIT_DST_RELEASE, which is not common), so need_ipsec is false and
we proceed with checksum offload.
Make need_ipsec also check the secpath, which is not dropped on this
callpath.
Fixes: b40c5f4fde22 ("udp: disable inner UDP checksum offloads in IPsec case")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/udp_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 612da8ec1081..8f47d07c49fb 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -59,7 +59,7 @@ static struct sk_buff *__skb_udp_tunnel_segment(struct sk_buff *skb,
remcsum = !!(skb_shinfo(skb)->gso_type & SKB_GSO_TUNNEL_REMCSUM);
skb->remcsum_offload = remcsum;
- need_ipsec = skb_dst(skb) && dst_xfrm(skb_dst(skb));
+ need_ipsec = (skb_dst(skb) && dst_xfrm(skb_dst(skb))) || skb_sec_path(skb);
/* Try to offload checksum if possible */
offload_csum = !!(need_csum &&
!need_ipsec &&
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 275/644] netfilter: ctnetlink: fix refcount leak on table dump
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 274/644] udp: also consider secpath when evaluating ipsec use for checksumming Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 276/644] sctp: linearize cloned gso packets in sctp_rcv Greg Kroah-Hartman
` (374 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit de788b2e6227462b6dcd0e07474e72c089008f74 ]
There is a reference count leak in ctnetlink_dump_table():
if (res < 0) {
nf_conntrack_get(&ct->ct_general); // HERE
cb->args[1] = (unsigned long)ct;
...
While its very unlikely, its possible that ct == last.
If this happens, then the refcount of ct was already incremented.
This 2nd increment is never undone.
This prevents the conntrack object from being released, which in turn
keeps prevents cnet->count from dropping back to 0.
This will then block the netns dismantle (or conntrack rmmod) as
nf_conntrack_cleanup_net_list() will wait forever.
This can be reproduced by running conntrack_resize.sh selftest in a loop.
It takes ~20 minutes for me on a preemptible kernel on average before
I see a runaway kworker spinning in nf_conntrack_cleanup_net_list.
One fix would to change this to:
if (res < 0) {
if (ct != last)
nf_conntrack_get(&ct->ct_general);
But this reference counting isn't needed in the first place.
We can just store a cookie value instead.
A followup patch will do the same for ctnetlink_exp_dump_table,
it looks to me as if this has the same problem and like
ctnetlink_dump_table, we only need a 'skip hint', not the actual
object so we can apply the same cookie strategy there as well.
Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_netlink.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 585103c16a8a..50f7531221c3 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -848,8 +848,6 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
static int ctnetlink_done(struct netlink_callback *cb)
{
- if (cb->args[1])
- nf_ct_put((struct nf_conn *)cb->args[1]);
kfree(cb->data);
return 0;
}
@@ -1164,19 +1162,26 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
return 0;
}
+static unsigned long ctnetlink_get_id(const struct nf_conn *ct)
+{
+ unsigned long id = nf_ct_get_id(ct);
+
+ return id ? id : 1;
+}
+
static int
ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0;
struct net *net = sock_net(skb->sk);
- struct nf_conn *ct, *last;
+ unsigned long last_id = cb->args[1];
struct nf_conntrack_tuple_hash *h;
struct hlist_nulls_node *n;
struct nf_conn *nf_ct_evict[8];
+ struct nf_conn *ct;
int res, i;
spinlock_t *lockp;
- last = (struct nf_conn *)cb->args[1];
i = 0;
local_bh_disable();
@@ -1211,7 +1216,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
continue;
if (cb->args[1]) {
- if (ct != last)
+ if (ctnetlink_get_id(ct) != last_id)
continue;
cb->args[1] = 0;
}
@@ -1224,8 +1229,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
ct, true, flags);
if (res < 0) {
- nf_conntrack_get(&ct->ct_general);
- cb->args[1] = (unsigned long)ct;
+ cb->args[1] = ctnetlink_get_id(ct);
spin_unlock(lockp);
goto out;
}
@@ -1238,12 +1242,10 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
}
out:
local_bh_enable();
- if (last) {
+ if (last_id) {
/* nf ct hash resize happened, now clear the leftover. */
- if ((struct nf_conn *)cb->args[1] == last)
+ if (cb->args[1] == last_id)
cb->args[1] = 0;
-
- nf_ct_put(last);
}
while (i) {
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 276/644] sctp: linearize cloned gso packets in sctp_rcv
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 275/644] netfilter: ctnetlink: fix refcount leak on table dump Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 277/644] intel_idle: Allow loading ACPI tables for any family Greg Kroah-Hartman
` (373 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+773e51afe420baaf0e2b,
syzbot+70a42f45e76bede082be, Xin Long, Marcelo Ricardo Leitner,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit fd60d8a086191fe33c2d719732d2482052fa6805 ]
A cloned head skb still shares these frag skbs in fraglist with the
original head skb. It's not safe to access these frag skbs.
syzbot reported two use-of-uninitialized-memory bugs caused by this:
BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998
sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331
sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122
__release_sock+0x1da/0x330 net/core/sock.c:3106
release_sock+0x6b/0x250 net/core/sock.c:3660
sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360
sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885
sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031
inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:718 [inline]
and
BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987
sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88
sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331
sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148
__release_sock+0x1d3/0x330 net/core/sock.c:3213
release_sock+0x6b/0x270 net/core/sock.c:3767
sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367
sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886
sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032
inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:712 [inline]
This patch fixes it by linearizing cloned gso packets in sctp_rcv().
Fixes: 90017accff61 ("sctp: Add GSO support")
Reported-by: syzbot+773e51afe420baaf0e2b@syzkaller.appspotmail.com
Reported-by: syzbot+70a42f45e76bede082be@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/dd7dc337b99876d4132d0961f776913719f7d225.1754595611.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 4ee9374dcfb9..182898cb754a 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -114,7 +114,7 @@ int sctp_rcv(struct sk_buff *skb)
* it's better to just linearize it otherwise crc computing
* takes longer.
*/
- if ((!is_gso && skb_linearize(skb)) ||
+ if (((!is_gso || skb_cloned(skb)) && skb_linearize(skb)) ||
!pskb_may_pull(skb, sizeof(struct sctphdr)))
goto discard_it;
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 277/644] intel_idle: Allow loading ACPI tables for any family
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 276/644] sctp: linearize cloned gso packets in sctp_rcv Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 278/644] cpuidle: governors: menu: Avoid using invalid recent intervals data Greg Kroah-Hartman
` (372 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Len Brown, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Len Brown <len.brown@intel.com>
[ Upstream commit e91a158b694d7f4bd937763dde79ed0afa472d8a ]
There is no reason to limit intel_idle's loading of ACPI tables to
family 6. Upcoming Intel processors are not in family 6.
Below "Fixes" really means "applies cleanly until".
That syntax commit didn't change the previous logic,
but shows this patch applies back 5-years.
Fixes: 4a9f45a0533f ("intel_idle: Convert to new X86 CPU match macros")
Signed-off-by: Len Brown <len.brown@intel.com>
Link: https://patch.msgid.link/06101aa4fe784e5b0be1cb2c0bdd9afcf16bd9d4.1754681697.git.len.brown@intel.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/idle/intel_idle.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/idle/intel_idle.c b/drivers/idle/intel_idle.c
index 359272ce8e29..96002f35405e 100644
--- a/drivers/idle/intel_idle.c
+++ b/drivers/idle/intel_idle.c
@@ -1194,7 +1194,7 @@ static const struct x86_cpu_id intel_idle_ids[] __initconst = {
};
static const struct x86_cpu_id intel_mwait_ids[] __initconst = {
- X86_MATCH_VENDOR_FAM_FEATURE(INTEL, 6, X86_FEATURE_MWAIT, NULL),
+ X86_MATCH_VENDOR_FAM_FEATURE(INTEL, X86_FAMILY_ANY, X86_FEATURE_MWAIT, NULL),
{}
};
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 278/644] cpuidle: governors: menu: Avoid using invalid recent intervals data
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 277/644] intel_idle: Allow loading ACPI tables for any family Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 279/644] ptp: prevent possible ABBA deadlock in ptp_clock_freerun() Greg Kroah-Hartman
` (371 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Christian Loehle,
Marc Zyngier, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit fa3fa55de0d6177fdcaf6fc254f13cc8f33c3eed ]
Marc has reported that commit 85975daeaa4d ("cpuidle: menu: Avoid
discarding useful information") caused the number of wakeup interrupts
to increase on an idle system [1], which was not expected to happen
after merely allowing shallower idle states to be selected by the
governor in some cases.
However, on the system in question, all of the idle states deeper than
WFI are rejected by the driver due to a firmware issue [2]. This causes
the governor to only consider the recent interval duriation data
corresponding to attempts to enter WFI that are successful and the
recent invervals table is filled with values lower than the scheduler
tick period. Consequently, the governor predicts an idle duration
below the scheduler tick period length and avoids stopping the tick
more often which leads to the observed symptom.
Address it by modifying the governor to update the recent intervals
table also when entering the previously selected idle state fails, so
it knows that the short idle intervals might have been the minority
had the selected idle states been actually entered every time.
Fixes: 85975daeaa4d ("cpuidle: menu: Avoid discarding useful information")
Link: https://lore.kernel.org/linux-pm/86o6sv6n94.wl-maz@kernel.org/ [1]
Link: https://lore.kernel.org/linux-pm/7ffcb716-9a1b-48c2-aaa4-469d0df7c792@arm.com/ [2]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Tested-by: Christian Loehle <christian.loehle@arm.com>
Tested-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Link: https://patch.msgid.link/2793874.mvXUDI8C0e@rafael.j.wysocki
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
| 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
--git a/drivers/cpuidle/governors/menu.c b/drivers/cpuidle/governors/menu.c
index e1e2721beb75..246b4a1b664a 100644
--- a/drivers/cpuidle/governors/menu.c
+++ b/drivers/cpuidle/governors/menu.c
@@ -158,6 +158,14 @@ static inline int performance_multiplier(unsigned int nr_iowaiters)
static DEFINE_PER_CPU(struct menu_device, menu_devices);
+static void menu_update_intervals(struct menu_device *data, unsigned int interval_us)
+{
+ /* Update the repeating-pattern data. */
+ data->intervals[data->interval_ptr++] = interval_us;
+ if (data->interval_ptr >= INTERVALS)
+ data->interval_ptr = 0;
+}
+
static void menu_update(struct cpuidle_driver *drv, struct cpuidle_device *dev);
/*
@@ -288,6 +296,14 @@ static int menu_select(struct cpuidle_driver *drv, struct cpuidle_device *dev,
if (data->needs_update) {
menu_update(drv, dev);
data->needs_update = 0;
+ } else if (!dev->last_residency_ns) {
+ /*
+ * This happens when the driver rejects the previously selected
+ * idle state and returns an error, so update the recent
+ * intervals table to prevent invalid information from being
+ * used going forward.
+ */
+ menu_update_intervals(data, UINT_MAX);
}
/* determine the expected residency time, round up */
@@ -542,10 +558,7 @@ static void menu_update(struct cpuidle_driver *drv, struct cpuidle_device *dev)
data->correction_factor[data->bucket] = new_factor;
- /* update the repeating-pattern data */
- data->intervals[data->interval_ptr++] = ktime_to_us(measured_ns);
- if (data->interval_ptr >= INTERVALS)
- data->interval_ptr = 0;
+ menu_update_intervals(data, ktime_to_us(measured_ns));
}
/**
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 279/644] ptp: prevent possible ABBA deadlock in ptp_clock_freerun()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 278/644] cpuidle: governors: menu: Avoid using invalid recent intervals data Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 280/644] hfs: fix slab-out-of-bounds in hfs_bnode_read() Greg Kroah-Hartman
` (370 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7cfb66a237c4a5fb22ad,
Jeongjun Park, Richard Cochran, Vladimir Oltean, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
[ Upstream commit 2efe41234dbd0a83fdb7cd38226c2f70039a2cd3 ]
syzbot reported the following ABBA deadlock:
CPU0 CPU1
---- ----
n_vclocks_store()
lock(&ptp->n_vclocks_mux) [1]
(physical clock)
pc_clock_adjtime()
lock(&clk->rwsem) [2]
(physical clock)
...
ptp_clock_freerun()
ptp_vclock_in_use()
lock(&ptp->n_vclocks_mux) [3]
(physical clock)
ptp_clock_unregister()
posix_clock_unregister()
lock(&clk->rwsem) [4]
(virtual clock)
Since ptp virtual clock is registered only under ptp physical clock, both
ptp_clock and posix_clock must be physical clocks for ptp_vclock_in_use()
to lock &ptp->n_vclocks_mux and check ptp->n_vclocks.
However, when unregistering vclocks in n_vclocks_store(), the locking
ptp->n_vclocks_mux is a physical clock lock, but clk->rwsem of
ptp_clock_unregister() called through device_for_each_child_reverse()
is a virtual clock lock.
Therefore, clk->rwsem used in CPU0 and clk->rwsem used in CPU1 are
different locks, but in lockdep, a false positive occurs because the
possibility of deadlock is determined through lock-class.
To solve this, lock subclass annotation must be added to the posix_clock
rwsem of the vclock.
Reported-by: syzbot+7cfb66a237c4a5fb22ad@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7cfb66a237c4a5fb22ad
Fixes: 73f37068d540 ("ptp: support ptp physical/virtual clocks conversion")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250728062649.469882-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ptp/ptp_private.h | 5 +++++
drivers/ptp/ptp_vclock.c | 7 +++++++
2 files changed, 12 insertions(+)
diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
index b8d3df8a393a..bf823b8c3c8f 100644
--- a/drivers/ptp/ptp_private.h
+++ b/drivers/ptp/ptp_private.h
@@ -20,6 +20,11 @@
#define PTP_BUF_TIMESTAMPS 30
#define PTP_DEFAULT_MAX_VCLOCKS 20
+enum {
+ PTP_LOCK_PHYSICAL = 0,
+ PTP_LOCK_VIRTUAL,
+};
+
struct timestamp_event_queue {
struct ptp_extts_event buf[PTP_MAX_TIMESTAMPS];
int head;
diff --git a/drivers/ptp/ptp_vclock.c b/drivers/ptp/ptp_vclock.c
index ab1d233173e1..6a14c39c4508 100644
--- a/drivers/ptp/ptp_vclock.c
+++ b/drivers/ptp/ptp_vclock.c
@@ -81,6 +81,11 @@ static long ptp_vclock_refresh(struct ptp_clock_info *ptp)
return PTP_VCLOCK_REFRESH_INTERVAL;
}
+static void ptp_vclock_set_subclass(struct ptp_clock *ptp)
+{
+ lockdep_set_subclass(&ptp->clock.rwsem, PTP_LOCK_VIRTUAL);
+}
+
static const struct ptp_clock_info ptp_vclock_info = {
.owner = THIS_MODULE,
.name = "ptp virtual clock",
@@ -137,6 +142,8 @@ struct ptp_vclock *ptp_vclock_register(struct ptp_clock *pclock)
return NULL;
}
+ ptp_vclock_set_subclass(vclock->clock);
+
timecounter_init(&vclock->tc, &vclock->cc, 0);
ptp_schedule_worker(vclock->clock, PTP_VCLOCK_REFRESH_INTERVAL);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 280/644] hfs: fix slab-out-of-bounds in hfs_bnode_read()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 279/644] ptp: prevent possible ABBA deadlock in ptp_clock_freerun() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 281/644] hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() Greg Kroah-Hartman
` (369 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit a431930c9bac518bf99d6b1da526a7f37ddee8d8 ]
This patch introduces is_bnode_offset_valid() method that checks
the requested offset value. Also, it introduces
check_and_correct_requested_length() method that checks and
correct the requested length (if it is necessary). These methods
are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(),
hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent
the access out of allocated memory and triggering the crash.
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250703214912.244138-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfs/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 92 insertions(+)
diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 2251286cd83f..2039cb6d5f66 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -15,6 +15,48 @@
#include "btree.h"
+static inline
+bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+{
+ bool is_valid = off < node->tree->node_size;
+
+ if (!is_valid) {
+ pr_err("requested invalid offset: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off);
+ }
+
+ return is_valid;
+}
+
+static inline
+int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+{
+ unsigned int node_size;
+
+ if (!is_bnode_offset_valid(node, off))
+ return 0;
+
+ node_size = node->tree->node_size;
+
+ if ((off + len) > node_size) {
+ int new_len = (int)node_size - off;
+
+ pr_err("requested length has been corrected: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, "
+ "requested_len %d, corrected_len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len, new_len);
+
+ return new_len;
+ }
+
+ return len;
+}
+
void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
{
struct page *page;
@@ -23,6 +65,20 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
int bytes_to_read;
void *vaddr;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
pagenum = off >> PAGE_SHIFT;
off &= ~PAGE_MASK; /* compute page offset for the first page */
@@ -83,6 +139,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len)
{
struct page *page;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
page = node->page[0];
@@ -108,6 +178,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len)
{
struct page *page;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
page = node->page[0];
@@ -124,6 +208,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst,
hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len);
if (!len)
return;
+
+ len = check_and_correct_requested_length(src_node, src, len);
+ len = check_and_correct_requested_length(dst_node, dst, len);
+
src += src_node->page_offset;
dst += dst_node->page_offset;
src_page = src_node->page[0];
@@ -143,6 +231,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len)
hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len);
if (!len)
return;
+
+ len = check_and_correct_requested_length(node, src, len);
+ len = check_and_correct_requested_length(node, dst, len);
+
src += node->page_offset;
dst += node->page_offset;
page = node->page[0];
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 281/644] hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 280/644] hfs: fix slab-out-of-bounds in hfs_bnode_read() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 282/644] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Greg Kroah-Hartman
` (368 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kun Hu, Jiaji Qin, Shuoran Bai,
Viacheslav Dubeyko, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2 ]
The hfsplus_bnode_read() method can trigger the issue:
[ 174.852007][ T9784] ==================================================================
[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360
[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784
[ 174.854059][ T9784]
[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)
[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 174.854286][ T9784] Call Trace:
[ 174.854289][ T9784] <TASK>
[ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0
[ 174.854305][ T9784] print_report+0xd0/0x660
[ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610
[ 174.854323][ T9784] ? __phys_addr+0xe8/0x180
[ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
[ 174.854337][ T9784] kasan_report+0xc6/0x100
[ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
[ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360
[ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380
[ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10
[ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0
[ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310
[ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40
[ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0
[ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0
[ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10
[ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10
[ 174.854436][ T9784] ? __asan_memset+0x23/0x50
[ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320
[ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10
[ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0
[ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40
[ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0
[ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10
[ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0
[ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10
[ 174.854525][ T9784] ? down_write+0x148/0x200
[ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10
[ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0
[ 174.854549][ T9784] do_unlinkat+0x490/0x670
[ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10
[ 174.854565][ T9784] ? __might_fault+0xbc/0x130
[ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550
[ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110
[ 174.854592][ T9784] do_syscall_64+0xc9/0x480
[ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167
[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08
[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167
[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50
[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40
[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0
[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 174.854658][ T9784] </TASK>
[ 174.854661][ T9784]
[ 174.879281][ T9784] Allocated by task 9784:
[ 174.879664][ T9784] kasan_save_stack+0x20/0x40
[ 174.880082][ T9784] kasan_save_track+0x14/0x30
[ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0
[ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550
[ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890
[ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10
[ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520
[ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x320
[ 174.883144][ T9784] hfsplus_delete_cat+0x845/0xde0
[ 174.883595][ T9784] hfsplus_rmdir+0x106/0x1b0
[ 174.884004][ T9784] vfs_rmdir+0x206/0x690
[ 174.884379][ T9784] do_rmdir+0x2b7/0x390
[ 174.884751][ T9784] __x64_sys_rmdir+0xc5/0x110
[ 174.885167][ T9784] do_syscall_64+0xc9/0x480
[ 174.885568][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 174.886083][ T9784]
[ 174.886293][ T9784] The buggy address belongs to the object at ffff88810b5fc600
[ 174.886293][ T9784] which belongs to the cache kmalloc-192 of size 192
[ 174.887507][ T9784] The buggy address is located 40 bytes to the right of
[ 174.887507][ T9784] allocated 152-byte region [ffff88810b5fc600, ffff88810b5fc698)
[ 174.888766][ T9784]
[ 174.888976][ T9784] The buggy address belongs to the physical page:
[ 174.889533][ T9784] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b5fc
[ 174.890295][ T9784] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
[ 174.890927][ T9784] page_type: f5(slab)
[ 174.891284][ T9784] raw: 057ff00000000000 ffff88801b4423c0 ffffea000426dc80 dead000000000002
[ 174.892032][ T9784] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[ 174.892774][ T9784] page dumped because: kasan: bad access detected
[ 174.893327][ T9784] page_owner tracks the page as allocated
[ 174.893825][ T9784] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NO1
[ 174.895373][ T9784] post_alloc_hook+0x1c0/0x230
[ 174.895801][ T9784] get_page_from_freelist+0xdeb/0x3b30
[ 174.896284][ T9784] __alloc_frozen_pages_noprof+0x25c/0x2460
[ 174.896810][ T9784] alloc_pages_mpol+0x1fb/0x550
[ 174.897242][ T9784] new_slab+0x23b/0x340
[ 174.897614][ T9784] ___slab_alloc+0xd81/0x1960
[ 174.898028][ T9784] __slab_alloc.isra.0+0x56/0xb0
[ 174.898468][ T9784] __kmalloc_noprof+0x2b0/0x550
[ 174.898896][ T9784] usb_alloc_urb+0x73/0xa0
[ 174.899289][ T9784] usb_control_msg+0x1cb/0x4a0
[ 174.899718][ T9784] usb_get_string+0xab/0x1a0
[ 174.900133][ T9784] usb_string_sub+0x107/0x3c0
[ 174.900549][ T9784] usb_string+0x307/0x670
[ 174.900933][ T9784] usb_cache_string+0x80/0x150
[ 174.901355][ T9784] usb_new_device+0x1d0/0x19d0
[ 174.901786][ T9784] register_root_hub+0x299/0x730
[ 174.902231][ T9784] page last free pid 10 tgid 10 stack trace:
[ 174.902757][ T9784] __free_frozen_pages+0x80c/0x1250
[ 174.903217][ T9784] vfree.part.0+0x12b/0xab0
[ 174.903645][ T9784] delayed_vfree_work+0x93/0xd0
[ 174.904073][ T9784] process_one_work+0x9b5/0x1b80
[ 174.904519][ T9784] worker_thread+0x630/0xe60
[ 174.904927][ T9784] kthread+0x3a8/0x770
[ 174.905291][ T9784] ret_from_fork+0x517/0x6e0
[ 174.905709][ T9784] ret_from_fork_asm+0x1a/0x30
[ 174.906128][ T9784]
[ 174.906338][ T9784] Memory state around the buggy address:
[ 174.906828][ T9784] ffff88810b5fc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 174.907528][ T9784] ffff88810b5fc600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 174.908222][ T9784] >ffff88810b5fc680: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 174.908917][ T9784] ^
[ 174.909481][ T9784] ffff88810b5fc700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 174.910432][ T9784] ffff88810b5fc780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 174.911401][ T9784] ==================================================================
The reason of the issue that code doesn't check the correctness
of the requested offset and length. As a result, incorrect value
of offset or/and length could result in access out of allocated
memory.
This patch introduces is_bnode_offset_valid() method that checks
the requested offset value. Also, it introduces
check_and_correct_requested_length() method that checks and
correct the requested length (if it is necessary). These methods
are used in hfsplus_bnode_read(), hfsplus_bnode_write(),
hfsplus_bnode_clear(), hfsplus_bnode_copy(), and hfsplus_bnode_move()
with the goal to prevent the access out of allocated memory
and triggering the crash.
Reported-by: Kun Hu <huk23@m.fudan.edu.cn>
Reported-by: Jiaji Qin <jjtan24@m.fudan.edu.cn>
Reported-by: Shuoran Bai <baishuoran@hrbeu.edu.cn>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250703214804.244077-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 92 insertions(+)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index cf6e5de7b9da..c9c38fddf505 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -18,12 +18,68 @@
#include "hfsplus_fs.h"
#include "hfsplus_raw.h"
+static inline
+bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+{
+ bool is_valid = off < node->tree->node_size;
+
+ if (!is_valid) {
+ pr_err("requested invalid offset: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off);
+ }
+
+ return is_valid;
+}
+
+static inline
+int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+{
+ unsigned int node_size;
+
+ if (!is_bnode_offset_valid(node, off))
+ return 0;
+
+ node_size = node->tree->node_size;
+
+ if ((off + len) > node_size) {
+ int new_len = (int)node_size - off;
+
+ pr_err("requested length has been corrected: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, "
+ "requested_len %d, corrected_len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len, new_len);
+
+ return new_len;
+ }
+
+ return len;
+}
+
/* Copy a specified range of bytes from the raw data of a node */
void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
{
struct page **pagep;
int l;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
off &= ~PAGE_MASK;
@@ -83,6 +139,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len)
struct page **pagep;
int l;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
off &= ~PAGE_MASK;
@@ -113,6 +183,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len)
struct page **pagep;
int l;
+ if (!is_bnode_offset_valid(node, off))
+ return;
+
+ if (len == 0) {
+ pr_err("requested zero length: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len);
+ return;
+ }
+
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
off &= ~PAGE_MASK;
@@ -139,6 +223,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst,
hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len);
if (!len)
return;
+
+ len = check_and_correct_requested_length(src_node, src, len);
+ len = check_and_correct_requested_length(dst_node, dst, len);
+
src += src_node->page_offset;
dst += dst_node->page_offset;
src_page = src_node->page + (src >> PAGE_SHIFT);
@@ -196,6 +284,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len)
hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len);
if (!len)
return;
+
+ len = check_and_correct_requested_length(node, src, len);
+ len = check_and_correct_requested_length(node, dst, len);
+
src += node->page_offset;
dst += node->page_offset;
if (dst > src) {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 282/644] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 281/644] hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 283/644] hfsplus: dont use BUG_ON() in hfsplus_create_attributes_file() Greg Kroah-Hartman
` (367 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenzhi Wang, Liu Shixin,
Viacheslav Dubeyko, John Paul Adrian Glaubitz, Yangtao Li,
linux-fsdevel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit 94458781aee6045bd3d0ad4b80b02886b9e2219b ]
The hfsplus_readdir() method is capable to crash by calling
hfsplus_uni2asc():
[ 667.121659][ T9805] ==================================================================
[ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10
[ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805
[ 667.124578][ T9805]
[ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)
[ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 667.124890][ T9805] Call Trace:
[ 667.124893][ T9805] <TASK>
[ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0
[ 667.124911][ T9805] print_report+0xd0/0x660
[ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610
[ 667.124928][ T9805] ? __phys_addr+0xe8/0x180
[ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10
[ 667.124942][ T9805] kasan_report+0xc6/0x100
[ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10
[ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10
[ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360
[ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0
[ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10
[ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0
[ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20
[ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0
[ 667.125022][ T9805] ? lock_acquire+0x30/0x80
[ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20
[ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0
[ 667.125044][ T9805] ? putname+0x154/0x1a0
[ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10
[ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0
[ 667.125069][ T9805] iterate_dir+0x296/0xb20
[ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0
[ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10
[ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200
[ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10
[ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0
[ 667.125143][ T9805] do_syscall_64+0xc9/0x480
[ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9
[ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
[ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9
[ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9
[ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004
[ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110
[ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260
[ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 667.125207][ T9805] </TASK>
[ 667.125210][ T9805]
[ 667.145632][ T9805] Allocated by task 9805:
[ 667.145991][ T9805] kasan_save_stack+0x20/0x40
[ 667.146352][ T9805] kasan_save_track+0x14/0x30
[ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0
[ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550
[ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0
[ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0
[ 667.148174][ T9805] iterate_dir+0x296/0xb20
[ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0
[ 667.148937][ T9805] do_syscall_64+0xc9/0x480
[ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 667.149809][ T9805]
[ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000
[ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048
[ 667.151282][ T9805] The buggy address is located 0 bytes to the right of
[ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)
[ 667.152580][ T9805]
[ 667.152798][ T9805] The buggy address belongs to the physical page:
[ 667.153373][ T9805] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25928
[ 667.154157][ T9805] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 667.154916][ T9805] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 667.155631][ T9805] page_type: f5(slab)
[ 667.155997][ T9805] raw: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001
[ 667.156770][ T9805] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 667.157536][ T9805] head: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001
[ 667.158317][ T9805] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 667.159088][ T9805] head: 00fff00000000003 ffffea0000964a01 00000000ffffffff 00000000ffffffff
[ 667.159865][ T9805] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 667.160643][ T9805] page dumped because: kasan: bad access detected
[ 667.161216][ T9805] page_owner tracks the page as allocated
[ 667.161732][ T9805] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN9
[ 667.163566][ T9805] post_alloc_hook+0x1c0/0x230
[ 667.164003][ T9805] get_page_from_freelist+0xdeb/0x3b30
[ 667.164503][ T9805] __alloc_frozen_pages_noprof+0x25c/0x2460
[ 667.165040][ T9805] alloc_pages_mpol+0x1fb/0x550
[ 667.165489][ T9805] new_slab+0x23b/0x340
[ 667.165872][ T9805] ___slab_alloc+0xd81/0x1960
[ 667.166313][ T9805] __slab_alloc.isra.0+0x56/0xb0
[ 667.166767][ T9805] __kmalloc_cache_noprof+0x255/0x3e0
[ 667.167255][ T9805] psi_cgroup_alloc+0x52/0x2d0
[ 667.167693][ T9805] cgroup_mkdir+0x694/0x1210
[ 667.168118][ T9805] kernfs_iop_mkdir+0x111/0x190
[ 667.168568][ T9805] vfs_mkdir+0x59b/0x8d0
[ 667.168956][ T9805] do_mkdirat+0x2ed/0x3d0
[ 667.169353][ T9805] __x64_sys_mkdir+0xef/0x140
[ 667.169784][ T9805] do_syscall_64+0xc9/0x480
[ 667.170195][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 667.170730][ T9805] page last free pid 1257 tgid 1257 stack trace:
[ 667.171304][ T9805] __free_frozen_pages+0x80c/0x1250
[ 667.171770][ T9805] vfree.part.0+0x12b/0xab0
[ 667.172182][ T9805] delayed_vfree_work+0x93/0xd0
[ 667.172612][ T9805] process_one_work+0x9b5/0x1b80
[ 667.173067][ T9805] worker_thread+0x630/0xe60
[ 667.173486][ T9805] kthread+0x3a8/0x770
[ 667.173857][ T9805] ret_from_fork+0x517/0x6e0
[ 667.174278][ T9805] ret_from_fork_asm+0x1a/0x30
[ 667.174703][ T9805]
[ 667.174917][ T9805] Memory state around the buggy address:
[ 667.175411][ T9805] ffff88802592f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 667.176114][ T9805] ffff88802592f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 667.176830][ T9805] >ffff88802592f400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 667.177547][ T9805] ^
[ 667.177933][ T9805] ffff88802592f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 667.178640][ T9805] ffff88802592f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 667.179350][ T9805] ==================================================================
The hfsplus_uni2asc() method operates by struct hfsplus_unistr:
struct hfsplus_unistr {
__be16 length;
hfsplus_unichr unicode[HFSPLUS_MAX_STRLEN];
} __packed;
where HFSPLUS_MAX_STRLEN is 255 bytes. The issue happens if length
of the structure instance has value bigger than 255 (for example,
65283). In such case, pointer on unicode buffer is going beyond of
the allocated memory.
The patch fixes the issue by checking the length value of
hfsplus_unistr instance and using 255 value in the case if length
value is bigger than HFSPLUS_MAX_STRLEN. Potential reason of such
situation could be a corruption of Catalog File b-tree's node.
Reported-by: Wenzhi Wang <wenzhi.wang@uwaterloo.ca>
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Reviewed-by: Yangtao Li <frank.li@vivo.com>
Link: https://lore.kernel.org/r/20250710230830.110500-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/unicode.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c
index 73342c925a4b..36b6cf2a3abb 100644
--- a/fs/hfsplus/unicode.c
+++ b/fs/hfsplus/unicode.c
@@ -132,7 +132,14 @@ int hfsplus_uni2asc(struct super_block *sb,
op = astr;
ip = ustr->unicode;
+
ustrlen = be16_to_cpu(ustr->length);
+ if (ustrlen > HFSPLUS_MAX_STRLEN) {
+ ustrlen = HFSPLUS_MAX_STRLEN;
+ pr_err("invalid length %u has been corrected to %d\n",
+ be16_to_cpu(ustr->length), ustrlen);
+ }
+
len = *len_p;
ce1 = NULL;
compose = !test_bit(HFSPLUS_SB_NODECOMPOSE, &HFSPLUS_SB(sb)->flags);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 283/644] hfsplus: dont use BUG_ON() in hfsplus_create_attributes_file()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 282/644] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 284/644] arm64: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
` (366 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa,
Viacheslav Dubeyko, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit c7c6363ca186747ebc2df10c8a1a51e66e0e32d9 ]
When the volume header contains erroneous values that do not reflect
the actual state of the filesystem, hfsplus_fill_super() assumes that
the attributes file is not yet created, which later results in hitting
BUG_ON() when hfsplus_create_attributes_file() is called. Replace this
BUG_ON() with -EIO error with a message to suggest running fsck tool.
Reported-by: syzbot <syzbot+1107451c16b9eb9d29e6@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=1107451c16b9eb9d29e6
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/7b587d24-c8a1-4413-9b9a-00a33fbd849f@I-love.SAKURA.ne.jp
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/xattr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
index 71fb2f8e9117..7ad3071debd6 100644
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -172,7 +172,11 @@ static int hfsplus_create_attributes_file(struct super_block *sb)
return PTR_ERR(attr_file);
}
- BUG_ON(i_size_read(attr_file) != 0);
+ if (i_size_read(attr_file) != 0) {
+ err = -EIO;
+ pr_err("detected inconsistent attributes file, running fsck.hfsplus is recommended.\n");
+ goto end_attr_file_creation;
+ }
hip = HFSPLUS_I(attr_file);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 284/644] arm64: Handle KCOV __init vs inline mismatches
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 283/644] hfsplus: dont use BUG_ON() in hfsplus_create_attributes_file() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 285/644] smb/server: avoid deadlock when linking with ReplaceIfExists Greg Kroah-Hartman
` (365 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kees Cook, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 65c430906efffee9bd7551d474f01a6b1197df90 ]
GCC appears to have kind of fragile inlining heuristics, in the
sense that it can change whether or not it inlines something based on
optimizations. It looks like the kcov instrumentation being added (or in
this case, removed) from a function changes the optimization results,
and some functions marked "inline" are _not_ inlined. In that case,
we end up with __init code calling a function not marked __init, and we
get the build warnings I'm trying to eliminate in the coming patch that
adds __no_sanitize_coverage to __init functions:
WARNING: modpost: vmlinux: section mismatch in reference: acpi_get_enable_method+0x1c (section: .text.unlikely) -> acpi_psci_present (section: .init.text)
This problem is somewhat fragile (though using either __always_inline
or __init will deterministically solve it), but we've tripped over
this before with GCC and the solution has usually been to just use
__always_inline and move on.
For arm64 this requires forcing one ACPI function to be inlined with
__always_inline.
Link: https://lore.kernel.org/r/20250724055029.3623499-1-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/acpi.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/include/asm/acpi.h b/arch/arm64/include/asm/acpi.h
index 702587fda70c..8cbbd08cc8c5 100644
--- a/arch/arm64/include/asm/acpi.h
+++ b/arch/arm64/include/asm/acpi.h
@@ -128,7 +128,7 @@ acpi_set_mailbox_entry(int cpu, struct acpi_madt_generic_interrupt *processor)
{}
#endif
-static inline const char *acpi_get_enable_method(int cpu)
+static __always_inline const char *acpi_get_enable_method(int cpu)
{
if (acpi_psci_present())
return "psci";
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 285/644] smb/server: avoid deadlock when linking with ReplaceIfExists
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 284/644] arm64: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 286/644] udf: Verify partition map count Greg Kroah-Hartman
` (364 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, NeilBrown, Namjae Jeon, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neil@brown.name>
[ Upstream commit d5fc1400a34b4ea5e8f2ce296ea12bf8c8421694 ]
If smb2_create_link() is called with ReplaceIfExists set and the name
does exist then a deadlock will happen.
ksmbd_vfs_kern_path_locked() will return with success and the parent
directory will be locked. ksmbd_vfs_remove_file() will then remove the
file. ksmbd_vfs_link() will then be called while the parent is still
locked. It will try to lock the same parent and will deadlock.
This patch moves the ksmbd_vfs_kern_path_unlock() call to *before*
ksmbd_vfs_link() and then simplifies the code, removing the file_present
flag variable.
Signed-off-by: NeilBrown <neil@brown.name>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ksmbd/smb2pdu.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
index 76334a983cd2..3439dbad9389 100644
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -5612,7 +5612,6 @@ static int smb2_create_link(struct ksmbd_work *work,
{
char *link_name = NULL, *target_name = NULL, *pathname = NULL;
struct path path, parent_path;
- bool file_present = false;
int rc;
if (buf_len < (u64)sizeof(struct smb2_file_link_info) +
@@ -5645,11 +5644,8 @@ static int smb2_create_link(struct ksmbd_work *work,
if (rc) {
if (rc != -ENOENT)
goto out;
- } else
- file_present = true;
-
- if (file_info->ReplaceIfExists) {
- if (file_present) {
+ } else {
+ if (file_info->ReplaceIfExists) {
rc = ksmbd_vfs_remove_file(work, &path);
if (rc) {
rc = -EINVAL;
@@ -5657,21 +5653,17 @@ static int smb2_create_link(struct ksmbd_work *work,
link_name);
goto out;
}
- }
- } else {
- if (file_present) {
+ } else {
rc = -EEXIST;
ksmbd_debug(SMB, "link already exists\n");
goto out;
}
+ ksmbd_vfs_kern_path_unlock(&parent_path, &path);
}
-
rc = ksmbd_vfs_link(work, target_name, link_name);
if (rc)
rc = -EINVAL;
out:
- if (file_present)
- ksmbd_vfs_kern_path_unlock(&parent_path, &path);
if (!IS_ERR(link_name))
kfree(link_name);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 286/644] udf: Verify partition map count
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 285/644] smb/server: avoid deadlock when linking with ReplaceIfExists Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 287/644] drbd: add missing kref_get in handle_write_conflicts Greg Kroah-Hartman
` (363 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+478f2c1a6f0f447a46bb,
Jan Kara, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit 1a11201668e8635602577dcf06f2e96c591d8819 ]
Verify that number of partition maps isn't insanely high which can lead
to large allocation in udf_sb_alloc_partition_maps(). All partition maps
have to fit in the LVD which is in a single block.
Reported-by: syzbot+478f2c1a6f0f447a46bb@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/super.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/fs/udf/super.c b/fs/udf/super.c
index 4275d2bc0c36..69e4f00ce791 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1411,7 +1411,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
struct genericPartitionMap *gpm;
uint16_t ident;
struct buffer_head *bh;
- unsigned int table_len;
+ unsigned int table_len, part_map_count;
int ret;
bh = udf_read_tagged(sb, block, block, &ident);
@@ -1432,7 +1432,16 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
"logical volume");
if (ret)
goto out_bh;
- ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+
+ part_map_count = le32_to_cpu(lvd->numPartitionMaps);
+ if (part_map_count > table_len / sizeof(struct genericPartitionMap1)) {
+ udf_err(sb, "error loading logical volume descriptor: "
+ "Too many partition maps (%u > %u)\n", part_map_count,
+ table_len / (unsigned)sizeof(struct genericPartitionMap1));
+ ret = -EIO;
+ goto out_bh;
+ }
+ ret = udf_sb_alloc_partition_maps(sb, part_map_count);
if (ret)
goto out_bh;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 287/644] drbd: add missing kref_get in handle_write_conflicts
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 286/644] udf: Verify partition map count Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 288/644] hfs: fix not erasing deleted b-tree node issue Greg Kroah-Hartman
` (362 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sarah Newman, Lars Ellenberg,
Christoph Böhmwalder, Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sarah Newman <srn@prgmr.com>
[ Upstream commit 00c9c9628b49e368d140cfa61d7df9b8922ec2a8 ]
With `two-primaries` enabled, DRBD tries to detect "concurrent" writes
and handle write conflicts, so that even if you write to the same sector
simultaneously on both nodes, they end up with the identical data once
the writes are completed.
In handling "superseeded" writes, we forgot a kref_get,
resulting in a premature drbd_destroy_device and use after free,
and further to kernel crashes with symptoms.
Relevance: No one should use DRBD as a random data generator, and apparently
all users of "two-primaries" handle concurrent writes correctly on layer up.
That is cluster file systems use some distributed lock manager,
and live migration in virtualization environments stops writes on one node
before starting writes on the other node.
Which means that other than for "test cases",
this code path is never taken in real life.
FYI, in DRBD 9, things are handled differently nowadays. We still detect
"write conflicts", but no longer try to be smart about them.
We decided to disconnect hard instead: upper layers must not submit concurrent
writes. If they do, that's their fault.
Signed-off-by: Sarah Newman <srn@prgmr.com>
Signed-off-by: Lars Ellenberg <lars@linbit.com>
Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Link: https://lore.kernel.org/r/20250627095728.800688-1-christoph.boehmwalder@linbit.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/drbd/drbd_receiver.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 0104e101b0d7..ea38dd43c6b0 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -2532,7 +2532,11 @@ static int handle_write_conflicts(struct drbd_device *device,
peer_req->w.cb = superseded ? e_send_superseded :
e_send_retry_write;
list_add_tail(&peer_req->w.list, &device->done_ee);
- queue_work(connection->ack_sender, &peer_req->peer_device->send_acks_work);
+ /* put is in drbd_send_acks_wf() */
+ kref_get(&device->kref);
+ if (!queue_work(connection->ack_sender,
+ &peer_req->peer_device->send_acks_work))
+ kref_put(&device->kref, drbd_destroy_device);
err = -ENOENT;
goto out;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 288/644] hfs: fix not erasing deleted b-tree node issue
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 287/644] drbd: add missing kref_get in handle_write_conflicts Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 289/644] better lockdep annotations for simple_recursive_removal() Greg Kroah-Hartman
` (361 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko,
Johannes Thumshirn, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit d3ed6d6981f4756f145766753c872482bc3b28d3 ]
The generic/001 test of xfstests suite fails and corrupts
the HFS volume:
sudo ./check generic/001
FSTYP -- hfs
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2>
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/001 32s ... _check_generic_filesystem: filesystem on /dev/loop50 is inconsistent
(see /home/slavad/XFSTESTS-2/xfstests-dev/results//generic/001.full for details)
Ran: generic/001
Failures: generic/001
Failed 1 of 1 tests
fsck.hfs -d -n ./test-image.bin
** ./test-image.bin (NO WRITE)
Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
Executing fsck_hfs (version 540.1-Linux).
** Checking HFS volume.
The volume name is untitled
** Checking extents overflow file.
** Checking catalog file.
Unused node is not erased (node = 2)
Unused node is not erased (node = 4)
<skipped>
Unused node is not erased (node = 253)
Unused node is not erased (node = 254)
Unused node is not erased (node = 255)
Unused node is not erased (node = 256)
** Checking catalog hierarchy.
** Checking volume bitmap.
** Checking volume information.
Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0000
CBTStat = 0x0004 CatStat = 0x00000000
** The volume untitled was found corrupt and needs to be repaired.
volume type is HFS
primary MDB is at block 2 0x02
alternate MDB is at block 20971518 0x13ffffe
primary VHB is at block 0 0x00
alternate VHB is at block 0 0x00
sector size = 512 0x200
VolumeObject flags = 0x19
total sectors for volume = 20971520 0x1400000
total sectors for embedded volume = 0 0x00
This patch adds logic of clearing the deleted b-tree node.
sudo ./check generic/001
FSTYP -- hfs
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/001 9s ... 32s
Ran: generic/001
Passed all 1 tests
fsck.hfs -d -n ./test-image.bin
** ./test-image.bin (NO WRITE)
Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
Executing fsck_hfs (version 540.1-Linux).
** Checking HFS volume.
The volume name is untitled
** Checking extents overflow file.
** Checking catalog file.
** Checking catalog hierarchy.
** Checking volume bitmap.
** Checking volume information.
** The volume untitled appears to be OK.
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Link: https://lore.kernel.org/r/20250430001211.1912533-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfs/bnode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 2039cb6d5f66..219e3b8fd6a8 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -586,6 +586,7 @@ void hfs_bnode_put(struct hfs_bnode *node)
if (test_bit(HFS_BNODE_DELETED, &node->flags)) {
hfs_bnode_unhash(node);
spin_unlock(&tree->hash_lock);
+ hfs_bnode_clear(node, 0, tree->node_size);
hfs_bmap_free(node);
hfs_bnode_free(node);
return;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 289/644] better lockdep annotations for simple_recursive_removal()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 288/644] hfs: fix not erasing deleted b-tree node issue Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 290/644] ata: libata-sata: Disallow changing LPM state if not supported Greg Kroah-Hartman
` (360 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+169de184e9defe7fe709, Al Viro,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 2a8061ee5e41034eb14170ec4517b5583dbeff9f ]
We want a class that nests outside of I_MUTEX_NORMAL (for the sake of
callbacks that might want to lock the victim) and inside I_MUTEX_PARENT
(so that a variant of that could be used with parent of the victim
held locked by the caller).
In reality, simple_recursive_removal()
* never holds two locks at once
* holds the lock on parent of dentry passed to callback
* is used only on the trees with fixed topology, so the depths
are not changing.
So the locking order is actually fine.
AFAICS, the best solution is to assign I_MUTEX_CHILD to the locks
grabbed by that thing.
Reported-by: syzbot+169de184e9defe7fe709@syzkaller.appspotmail.com
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/libfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/libfs.c b/fs/libfs.c
index 7bb5d90319cc..eaf96297449e 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -273,7 +273,7 @@ void simple_recursive_removal(struct dentry *dentry,
struct dentry *victim = NULL, *child;
struct inode *inode = this->d_inode;
- inode_lock(inode);
+ inode_lock_nested(inode, I_MUTEX_CHILD);
if (d_is_dir(this))
inode->i_flags |= S_DEAD;
while ((child = find_next_child(this, victim)) == NULL) {
@@ -285,7 +285,7 @@ void simple_recursive_removal(struct dentry *dentry,
victim = this;
this = this->d_parent;
inode = this->d_inode;
- inode_lock(inode);
+ inode_lock_nested(inode, I_MUTEX_CHILD);
if (simple_positive(victim)) {
d_invalidate(victim); // avoid lost mounts
if (d_is_dir(victim))
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 290/644] ata: libata-sata: Disallow changing LPM state if not supported
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 289/644] better lockdep annotations for simple_recursive_removal() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 291/644] fs/ntfs3: Add sanity check for file name Greg Kroah-Hartman
` (359 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Niklas Cassel,
Hannes Reinecke, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 413e800cadbf67550d76c77c230b2ecd96bce83a ]
Modify ata_scsi_lpm_store() to return an error if a user attempts to set
a link power management policy for a port that does not support LPM,
that is, ports flagged with ATA_FLAG_NO_LPM.
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Link: https://lore.kernel.org/r/20250701125321.69496-6-dlemoal@kernel.org
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-sata.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c
index 04bdd53abf20..7cacb2bfc360 100644
--- a/drivers/ata/libata-sata.c
+++ b/drivers/ata/libata-sata.c
@@ -815,6 +815,11 @@ static ssize_t ata_scsi_lpm_store(struct device *device,
spin_lock_irqsave(ap->lock, flags);
+ if (ap->flags & ATA_FLAG_NO_LPM) {
+ count = -EOPNOTSUPP;
+ goto out_unlock;
+ }
+
ata_for_each_link(link, ap, EDGE) {
ata_for_each_dev(dev, &ap->link, ENABLED) {
if (dev->horkage & ATA_HORKAGE_NOLPM) {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 291/644] fs/ntfs3: Add sanity check for file name
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 290/644] ata: libata-sata: Disallow changing LPM state if not supported Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 292/644] fs/ntfs3: correctly create symlink for relative path Greg Kroah-Hartman
` (358 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+598057afa0f49e62bd23,
Lizhi Xu, Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
[ Upstream commit e841ecb139339602bc1853f5f09daa5d1ea920a2 ]
The length of the file name should be smaller than the directory entry size.
Reported-by: syzbot+598057afa0f49e62bd23@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/dir.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
index a4ab0164d150..c49e64ebbd0a 100644
--- a/fs/ntfs3/dir.c
+++ b/fs/ntfs3/dir.c
@@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
return true;
+ if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size))
+ return true;
+
name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name,
PATH_MAX);
if (name_len <= 0) {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 292/644] fs/ntfs3: correctly create symlink for relative path
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 291/644] fs/ntfs3: Add sanity check for file name Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 293/644] ext2: Handle fiemap on empty files to prevent EINVAL Greg Kroah-Hartman
` (357 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rong Zhang, Konstantin Komarov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rong Zhang <ulin0208@gmail.com>
[ Upstream commit b1e9d89408f402858c00103f9831b25ffa0994d3 ]
After applying this patch, could correctly create symlink:
ln -s "relative/path/to/file" symlink
Signed-off-by: Rong Zhang <ulin0208@gmail.com>
[almaz.alexandrovich@paragon-software.com: added cpu_to_le32 macro to
rs->Flags assignment]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/inode.c | 31 ++++++++++++++++++-------------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 7adfa19a2f06..edd7c89ba1a1 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -1118,10 +1118,10 @@ int inode_write_data(struct inode *inode, const void *data, size_t bytes)
* Number of bytes for REPARSE_DATA_BUFFER(IO_REPARSE_TAG_SYMLINK)
* for unicode string of @uni_len length.
*/
-static inline u32 ntfs_reparse_bytes(u32 uni_len)
+static inline u32 ntfs_reparse_bytes(u32 uni_len, bool is_absolute)
{
/* Header + unicode string + decorated unicode string. */
- return sizeof(short) * (2 * uni_len + 4) +
+ return sizeof(short) * (2 * uni_len + (is_absolute ? 4 : 0)) +
offsetof(struct REPARSE_DATA_BUFFER,
SymbolicLinkReparseBuffer.PathBuffer);
}
@@ -1134,8 +1134,11 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
struct REPARSE_DATA_BUFFER *rp;
__le16 *rp_name;
typeof(rp->SymbolicLinkReparseBuffer) *rs;
+ bool is_absolute;
- rp = kzalloc(ntfs_reparse_bytes(2 * size + 2), GFP_NOFS);
+ is_absolute = (strlen(symname) > 1 && symname[1] == ':');
+
+ rp = kzalloc(ntfs_reparse_bytes(2 * size + 2, is_absolute), GFP_NOFS);
if (!rp)
return ERR_PTR(-ENOMEM);
@@ -1150,7 +1153,7 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
goto out;
/* err = the length of unicode name of symlink. */
- *nsize = ntfs_reparse_bytes(err);
+ *nsize = ntfs_reparse_bytes(err, is_absolute);
if (*nsize > sbi->reparse.max_size) {
err = -EFBIG;
@@ -1170,7 +1173,7 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
/* PrintName + SubstituteName. */
rs->SubstituteNameOffset = cpu_to_le16(sizeof(short) * err);
- rs->SubstituteNameLength = cpu_to_le16(sizeof(short) * err + 8);
+ rs->SubstituteNameLength = cpu_to_le16(sizeof(short) * err + (is_absolute ? 8 : 0));
rs->PrintNameLength = rs->SubstituteNameOffset;
/*
@@ -1178,16 +1181,18 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
* parse this path.
* 0-absolute path 1- relative path (SYMLINK_FLAG_RELATIVE).
*/
- rs->Flags = 0;
+ rs->Flags = cpu_to_le32(is_absolute ? 0 : SYMLINK_FLAG_RELATIVE);
- memmove(rp_name + err + 4, rp_name, sizeof(short) * err);
+ memmove(rp_name + err + (is_absolute ? 4 : 0), rp_name, sizeof(short) * err);
- /* Decorate SubstituteName. */
- rp_name += err;
- rp_name[0] = cpu_to_le16('\\');
- rp_name[1] = cpu_to_le16('?');
- rp_name[2] = cpu_to_le16('?');
- rp_name[3] = cpu_to_le16('\\');
+ if (is_absolute) {
+ /* Decorate SubstituteName. */
+ rp_name += err;
+ rp_name[0] = cpu_to_le16('\\');
+ rp_name[1] = cpu_to_le16('?');
+ rp_name[2] = cpu_to_le16('?');
+ rp_name[3] = cpu_to_le16('\\');
+ }
return rp;
out:
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 293/644] ext2: Handle fiemap on empty files to prevent EINVAL
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 292/644] fs/ntfs3: correctly create symlink for relative path Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 294/644] securityfs: dont pin dentries twice, once is enough Greg Kroah-Hartman
` (356 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Gao, Jan Kara, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Gao <wegao@suse.com>
[ Upstream commit a099b09a3342a0b28ea330e405501b5b4d0424b4 ]
Previously, ext2_fiemap would unconditionally apply "len = min_t(u64, len,
i_size_read(inode));", When inode->i_size was 0 (for an empty file), this
would reduce the requested len to 0. Passing len = 0 to iomap_fiemap could
then result in an -EINVAL error, even for valid queries on empty files.
Link: https://github.com/linux-test-project/ltp/issues/1246
Signed-off-by: Wei Gao <wegao@suse.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250613152402.3432135-1-wegao@suse.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext2/inode.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c
index 333fa62661d5..85b6a76378ee 100644
--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -856,9 +856,19 @@ int ext2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
u64 start, u64 len)
{
int ret;
+ loff_t i_size;
inode_lock(inode);
- len = min_t(u64, len, i_size_read(inode));
+ i_size = i_size_read(inode);
+ /*
+ * iomap_fiemap() returns EINVAL for 0 length. Make sure we don't trim
+ * length to 0 but still trim the range as much as possible since
+ * ext2_get_blocks() iterates unmapped space block by block which is
+ * slow.
+ */
+ if (i_size == 0)
+ i_size = 1;
+ len = min_t(u64, len, i_size);
ret = iomap_fiemap(inode, fieinfo, start, len, &ext2_iomap_ops);
inode_unlock(inode);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 294/644] securityfs: dont pin dentries twice, once is enough...
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 293/644] ext2: Handle fiemap on empty files to prevent EINVAL Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 295/644] usb: xhci: print xhci->xhc_state when queue_command failed Greg Kroah-Hartman
` (355 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 27cd1bf1240d482e4f02ca4f9812e748f3106e4f ]
incidentally, securityfs_recursive_remove() is broken without that -
it leaks dentries, since simple_recursive_removal() does not expect
anything of that sort. It could be worked around by dput() in
remove_one() callback, but it's easier to just drop that double-get
stuff.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/inode.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/security/inode.c b/security/inode.c
index 6c326939750d..e6e07787eec9 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -159,7 +159,6 @@ static struct dentry *securityfs_create_dentry(const char *name, umode_t mode,
inode->i_fop = fops;
}
d_instantiate(dentry, inode);
- dget(dentry);
inode_unlock(dir);
return dentry;
@@ -306,7 +305,6 @@ void securityfs_remove(struct dentry *dentry)
simple_rmdir(dir, dentry);
else
simple_unlink(dir, dentry);
- dput(dentry);
}
inode_unlock(dir);
simple_release_fs(&mount, &mount_count);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 295/644] usb: xhci: print xhci->xhc_state when queue_command failed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 294/644] securityfs: dont pin dentries twice, once is enough Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 296/644] cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag Greg Kroah-Hartman
` (354 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Su Hui, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Hui <suhui@nfschina.com>
[ Upstream commit 7919407eca2ef562fa6c98c41cfdf6f6cdd69d92 ]
When encounters some errors like these:
xhci_hcd 0000:4a:00.2: xHCI dying or halted, can't queue_command
xhci_hcd 0000:4a:00.2: FIXME: allocate a command ring segment
usb usb5-port6: couldn't allocate usb_device
It's hard to know whether xhc_state is dying or halted. So it's better
to print xhc_state's value which can help locate the resaon of the bug.
Signed-off-by: Su Hui <suhui@nfschina.com>
Link: https://lore.kernel.org/r/20250725060117.1773770-1-suhui@nfschina.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-ring.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index cd94b0a4e021..626f02605192 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -4486,7 +4486,8 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd,
if ((xhci->xhc_state & XHCI_STATE_DYING) ||
(xhci->xhc_state & XHCI_STATE_HALTED)) {
- xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n");
+ xhci_dbg(xhci, "xHCI dying or halted, can't queue_command. state: 0x%x\n",
+ xhci->xhc_state);
return -ESHUTDOWN;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 296/644] cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 295/644] usb: xhci: print xhci->xhc_state when queue_command failed Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 297/644] selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t Greg Kroah-Hartman
` (353 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Prashant Malani,
Viresh Kumar, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prashant Malani <pmalani@google.com>
[ Upstream commit 0a1416a49e63c320f6e6c1c8d07e1b58c0d4a3f3 ]
AMU counters on certain CPPC-based platforms tend to yield inaccurate
delivered performance measurements on systems that are idle/mostly idle.
This results in an inaccurate frequency being stored by cpufreq in its
policy structure when the CPU is brought online. [1]
Consequently, if the userspace governor tries to set the frequency to a
new value, there is a possibility that it would be the erroneous value
stored earlier. In such a scenario, cpufreq would assume that the
requested frequency has already been set and return early, resulting in
the correct/new frequency request never making it to the hardware.
Since the operating frequency is liable to this sort of inconsistency,
mark the CPPC driver with CPUFREQ_NEED_UPDATE_LIMITS so that it is always
invoked when a target frequency update is requested.
Link: https://lore.kernel.org/linux-pm/20250619000925.415528-3-pmalani@google.com/ [1]
Suggested-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Prashant Malani <pmalani@google.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://patch.msgid.link/20250722055611.130574-2-pmalani@google.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/cppc_cpufreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
index c5a4aa0c2c9a..b7294531816b 100644
--- a/drivers/cpufreq/cppc_cpufreq.c
+++ b/drivers/cpufreq/cppc_cpufreq.c
@@ -682,7 +682,7 @@ static struct freq_attr *cppc_cpufreq_attr[] = {
};
static struct cpufreq_driver cppc_cpufreq_driver = {
- .flags = CPUFREQ_CONST_LOOPS,
+ .flags = CPUFREQ_CONST_LOOPS | CPUFREQ_NEED_UPDATE_LIMITS,
.verify = cppc_verify_policy,
.target = cppc_cpufreq_set_target,
.get = cppc_cpufreq_get_rate,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 297/644] selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 296/644] cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 298/644] usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default Greg Kroah-Hartman
` (352 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cynthia Huang, Ben Zong-You Xie,
Thomas Gleixner, Muhammad Usama Anjum, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cynthia Huang <cynthia@andestech.com>
[ Upstream commit 04850819c65c8242072818655d4341e70ae998b5 ]
The kernel does not provide sys_futex() on 32-bit architectures that do not
support 32-bit time representations, such as riscv32.
As a result, glibc cannot define SYS_futex, causing compilation failures in
tests that rely on this syscall. Define SYS_futex as SYS_futex_time64 in
such cases to ensure successful compilation and compatibility.
Signed-off-by: Cynthia Huang <cynthia@andestech.com>
Signed-off-by: Ben Zong-You Xie <ben717@andestech.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/all/20250710103630.3156130-1-ben717@andestech.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/futex/include/futextest.h | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/tools/testing/selftests/futex/include/futextest.h b/tools/testing/selftests/futex/include/futextest.h
index ddbcfc9b7bac..7a5fd1d5355e 100644
--- a/tools/testing/selftests/futex/include/futextest.h
+++ b/tools/testing/selftests/futex/include/futextest.h
@@ -47,6 +47,17 @@ typedef volatile u_int32_t futex_t;
FUTEX_PRIVATE_FLAG)
#endif
+/*
+ * SYS_futex is expected from system C library, in glibc some 32-bit
+ * architectures (e.g. RV32) are using 64-bit time_t, therefore it doesn't have
+ * SYS_futex defined but just SYS_futex_time64. Define SYS_futex as
+ * SYS_futex_time64 in this situation to ensure the compilation and the
+ * compatibility.
+ */
+#if !defined(SYS_futex) && defined(SYS_futex_time64)
+#define SYS_futex SYS_futex_time64
+#endif
+
/**
* futex() - SYS_futex syscall wrapper
* @uaddr: address of first futex
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 298/644] usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 297/644] selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 299/644] usb: xhci: Avoid showing warnings for dying controller Greg Kroah-Hartman
` (351 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benson Leung, Jameson Thies,
Heikki Krogerus, Sebastian Reichel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benson Leung <bleung@chromium.org>
[ Upstream commit af833e7f7db3cf4c82f063668e1b52297a30ec18 ]
ucsi_psy_get_current_max would return 0mA as the maximum current if
UCSI detected a BC or a Default USB Power sporce.
The comment in this function is true that we can't tell the difference
between DCP/CDP or SDP chargers, but we can guarantee that at least 1-unit
of USB 1.1/2.0 power is available, which is 100mA, which is a better
fallback value than 0, which causes some userspaces, including the ChromeOS
power manager, to regard this as a power source that is not providing
any power.
In reality, 100mA is guaranteed from all sources in these classes.
Signed-off-by: Benson Leung <bleung@chromium.org>
Reviewed-by: Jameson Thies <jthies@google.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Link: https://lore.kernel.org/r/20250717200805.3710473-1-bleung@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/ucsi/psy.c | 2 +-
drivers/usb/typec/ucsi/ucsi.h | 7 ++++---
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/typec/ucsi/psy.c b/drivers/usb/typec/ucsi/psy.c
index 56bf56517f75..b7d16ad38c44 100644
--- a/drivers/usb/typec/ucsi/psy.c
+++ b/drivers/usb/typec/ucsi/psy.c
@@ -142,7 +142,7 @@ static int ucsi_psy_get_current_max(struct ucsi_connector *con,
case UCSI_CONSTAT_PWR_OPMODE_DEFAULT:
/* UCSI can't tell b/w DCP/CDP or USB2/3x1/3x2 SDP chargers */
default:
- val->intval = 0;
+ val->intval = UCSI_TYPEC_DEFAULT_CURRENT * 1000;
break;
}
return 0;
diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h
index 87b1a54d68e8..44c788b4a8b3 100644
--- a/drivers/usb/typec/ucsi/ucsi.h
+++ b/drivers/usb/typec/ucsi/ucsi.h
@@ -309,9 +309,10 @@ struct ucsi {
#define UCSI_MAX_SVID 5
#define UCSI_MAX_ALTMODES (UCSI_MAX_SVID * 6)
-#define UCSI_TYPEC_VSAFE5V 5000
-#define UCSI_TYPEC_1_5_CURRENT 1500
-#define UCSI_TYPEC_3_0_CURRENT 3000
+#define UCSI_TYPEC_VSAFE5V 5000
+#define UCSI_TYPEC_DEFAULT_CURRENT 100
+#define UCSI_TYPEC_1_5_CURRENT 1500
+#define UCSI_TYPEC_3_0_CURRENT 3000
struct ucsi_connector {
int num;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 299/644] usb: xhci: Avoid showing warnings for dying controller
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 298/644] usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 300/644] usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command Greg Kroah-Hartman
` (350 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Mathias Nyman,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 65fc0fc137b5da3ee1f4ca4f61050fcb203d7582 ]
When a USB4 dock is unplugged from a system it won't respond to ring
events. The PCI core handles the surprise removal event and notifies
all PCI drivers. The XHCI PCI driver sets a flag that the device is
being removed, and when the device stops responding a flag is also
added to indicate it's dying.
When that flag is set don't bother to show warnings about a missing
controller.
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250717073107.488599-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index e9ebb6c7954f..2d8ca3356ff3 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -118,7 +118,8 @@ int xhci_halt(struct xhci_hcd *xhci)
ret = xhci_handshake(&xhci->op_regs->status,
STS_HALT, STS_HALT, XHCI_MAX_HALT_USEC);
if (ret) {
- xhci_warn(xhci, "Host halt failed, %d\n", ret);
+ if (!(xhci->xhc_state & XHCI_STATE_DYING))
+ xhci_warn(xhci, "Host halt failed, %d\n", ret);
return ret;
}
xhci->xhc_state |= XHCI_STATE_HALTED;
@@ -175,7 +176,8 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us)
state = readl(&xhci->op_regs->status);
if (state == ~(u32)0) {
- xhci_warn(xhci, "Host not accessible, reset failed.\n");
+ if (!(xhci->xhc_state & XHCI_STATE_DYING))
+ xhci_warn(xhci, "Host not accessible, reset failed.\n");
return -ENODEV;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 300/644] usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 299/644] usb: xhci: Avoid showing warnings for dying controller Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 301/644] usb: xhci: Avoid showing errors during surprise removal Greg Kroah-Hartman
` (349 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jay Chen, Mathias Nyman, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jay Chen <shawn2000100@gmail.com>
[ Upstream commit f72b9aa821a2bfe4b6dfec4be19f264d0673b008 ]
There is a subtle contradiction between sections of the xHCI 1.2 spec
regarding the initialization of Input Endpoint Context fields. Section
4.8.2 ("Endpoint Context Initialization") states that all fields should
be initialized to 0. However, Section 6.2.3 ("Endpoint Context", p.453)
specifies that the Average TRB Length (avg_trb_len) field shall be
greater than 0, and explicitly notes (p.454): "Software shall set
Average TRB Length to '8' for control endpoints."
Strictly setting all fields to 0 during initialization conflicts with
the specific recommendation for control endpoints. In practice, setting
avg_trb_len = 0 is not meaningful for the hardware/firmware, as the
value is used for bandwidth calculation.
Motivation: Our company is developing a custom Virtual xHC hardware
platform that strictly follows the xHCI spec and its recommendations.
During validation, we observed that enumeration fails and a parameter
error (TRB Completion Code = 5) is reported if avg_trb_len for EP0 is
not set to 8 as recommended by Section 6.2.3. This demonstrates the
importance of assigning a meaningful, non-zero value to avg_trb_len,
even in virtualized or emulated environments.
This patch explicitly sets avg_trb_len to 8 for EP0 in
xhci_setup_addressable_virt_dev(), as recommended in Section 6.2.3, to
prevent potential issues with xHCI host controllers that enforce the
spec strictly.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220033
Signed-off-by: Jay Chen <shawn2000100@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250717073107.488599-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-mem.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index 149128b89100..43cbaadf933d 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1209,6 +1209,8 @@ int xhci_setup_addressable_virt_dev(struct xhci_hcd *xhci, struct usb_device *ud
ep0_ctx->deq = cpu_to_le64(dev->eps[0].ring->first_seg->dma |
dev->eps[0].ring->cycle_state);
+ ep0_ctx->tx_info = cpu_to_le32(EP_AVG_TRB_LENGTH(8));
+
trace_xhci_setup_addressable_virt_device(dev);
/* Steps 7 and 8 were done in xhci_alloc_virt_device() */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 301/644] usb: xhci: Avoid showing errors during surprise removal
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 300/644] usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 302/644] gpio: wcd934x: check the return value of regmap_update_bits() Greg Kroah-Hartman
` (348 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Mathias Nyman,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 4b9c60e440525b729ac5f071e00bcee12e0a7e84 ]
When a USB4 dock is unplugged from a system it won't respond to ring
events. The PCI core handles the surprise removal event and notifies
all PCI drivers. The XHCI PCI driver sets a flag that the device is
being removed as well.
When that flag is set don't show messages in the cleanup path for
marking the controller dead.
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250717073107.488599-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-ring.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 626f02605192..d56740af8160 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1297,12 +1297,15 @@ static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci,
*/
void xhci_hc_died(struct xhci_hcd *xhci)
{
+ bool notify;
int i, j;
if (xhci->xhc_state & XHCI_STATE_DYING)
return;
- xhci_err(xhci, "xHCI host controller not responding, assume dead\n");
+ notify = !(xhci->xhc_state & XHCI_STATE_REMOVING);
+ if (notify)
+ xhci_err(xhci, "xHCI host controller not responding, assume dead\n");
xhci->xhc_state |= XHCI_STATE_DYING;
xhci_cleanup_command_queue(xhci);
@@ -1316,7 +1319,7 @@ void xhci_hc_died(struct xhci_hcd *xhci)
}
/* inform usb core hc died if PCI remove isn't already handling it */
- if (!(xhci->xhc_state & XHCI_STATE_REMOVING))
+ if (notify)
usb_hc_died(xhci_to_hcd(xhci));
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 302/644] gpio: wcd934x: check the return value of regmap_update_bits()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 301/644] usb: xhci: Avoid showing errors during surprise removal Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 303/644] cpufreq: Exit governor when failed to start old governor Greg Kroah-Hartman
` (347 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit ff0f0d7c6587e38c308be9905e36f86e98fb9c1f ]
regmap_update_bits() can fail so check its return value in
wcd_gpio_direction_output() for consistency with the rest of the code
and propagate any errors.
Link: https://lore.kernel.org/r/20250709-gpiochip-set-rv-gpio-remaining-v1-2-b8950f69618d@linaro.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-wcd934x.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpio/gpio-wcd934x.c b/drivers/gpio/gpio-wcd934x.c
index 97e6caedf1f3..c00968ce7a56 100644
--- a/drivers/gpio/gpio-wcd934x.c
+++ b/drivers/gpio/gpio-wcd934x.c
@@ -45,9 +45,12 @@ static int wcd_gpio_direction_output(struct gpio_chip *chip, unsigned int pin,
int val)
{
struct wcd_gpio_data *data = gpiochip_get_data(chip);
+ int ret;
- regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET,
- WCD_PIN_MASK(pin), WCD_PIN_MASK(pin));
+ ret = regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET,
+ WCD_PIN_MASK(pin), WCD_PIN_MASK(pin));
+ if (ret)
+ return ret;
return regmap_update_bits(data->map, WCD_REG_VAL_CTL_OFFSET,
WCD_PIN_MASK(pin),
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 303/644] cpufreq: Exit governor when failed to start old governor
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 302/644] gpio: wcd934x: check the return value of regmap_update_bits() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 304/644] ARM: rockchip: fix kernel hang during smp initialization Greg Kroah-Hartman
` (346 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lifeng Zheng, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lifeng Zheng <zhenglifeng1@huawei.com>
[ Upstream commit 0ae204405095abfbc2d694ee0fbb49bcbbe55c57 ]
Detect the result of starting old governor in cpufreq_set_policy(). If it
fails, exit the governor and clear policy->governor.
Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
Link: https://patch.msgid.link/20250709104145.2348017-5-zhenglifeng1@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/cpufreq.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
index 33c080e08623..addd20bf6be0 100644
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -2606,10 +2606,12 @@ static int cpufreq_set_policy(struct cpufreq_policy *policy,
pr_debug("starting governor %s failed\n", policy->governor->name);
if (old_gov) {
policy->governor = old_gov;
- if (cpufreq_init_governor(policy))
+ if (cpufreq_init_governor(policy)) {
policy->governor = NULL;
- else
- cpufreq_start_governor(policy);
+ } else if (cpufreq_start_governor(policy)) {
+ cpufreq_exit_governor(policy);
+ policy->governor = NULL;
+ }
}
return ret;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 304/644] ARM: rockchip: fix kernel hang during smp initialization
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 303/644] cpufreq: Exit governor when failed to start old governor Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 305/644] PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Greg Kroah-Hartman
` (345 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Kochetkov, Heiko Stuebner,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Kochetkov <al.kochet@gmail.com>
[ Upstream commit 7cdb433bb44cdc87dc5260cdf15bf03cc1cd1814 ]
In order to bring up secondary CPUs main CPU write trampoline
code to SRAM. The trampoline code is written while secondary
CPUs are powered on (at least that true for RK3188 CPU).
Sometimes that leads to kernel hang. Probably because secondary
CPU execute trampoline code while kernel doesn't expect.
The patch moves SRAM initialization step to the point where all
secondary CPUs are powered down.
That fixes rarely hangs on RK3188:
[ 0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[ 0.091996] rockchip_smp_prepare_cpus: ncores 4
Signed-off-by: Alexander Kochetkov <al.kochet@gmail.com>
Link: https://lore.kernel.org/r/20250703140453.1273027-1-al.kochet@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-rockchip/platsmp.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/arch/arm/mach-rockchip/platsmp.c b/arch/arm/mach-rockchip/platsmp.c
index d60856898d97..17aee4701e81 100644
--- a/arch/arm/mach-rockchip/platsmp.c
+++ b/arch/arm/mach-rockchip/platsmp.c
@@ -279,11 +279,6 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus)
}
if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) {
- if (rockchip_smp_prepare_sram(node)) {
- of_node_put(node);
- return;
- }
-
/* enable the SCU power domain */
pmu_set_power_domain(PMU_PWRDN_SCU, true);
@@ -316,11 +311,19 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus)
asm ("mrc p15, 1, %0, c9, c0, 2\n" : "=r" (l2ctlr));
ncores = ((l2ctlr >> 24) & 0x3) + 1;
}
- of_node_put(node);
/* Make sure that all cores except the first are really off */
for (i = 1; i < ncores; i++)
pmu_set_power_domain(0 + i, false);
+
+ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) {
+ if (rockchip_smp_prepare_sram(node)) {
+ of_node_put(node);
+ return;
+ }
+ }
+
+ of_node_put(node);
}
static void __init rk3036_smp_prepare_cpus(unsigned int max_cpus)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 305/644] PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 304/644] ARM: rockchip: fix kernel hang during smp initialization Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 306/644] EDAC/synopsys: Clear the ECC counters on init Greg Kroah-Hartman
` (344 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lifeng Zheng, Chanwoo Choi,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lifeng Zheng <zhenglifeng1@huawei.com>
[ Upstream commit 914cc799b28f17d369d5b4db3b941957d18157e8 ]
Replace sscanf() with kstrtoul() in set_freq_store() and check the result
to avoid invalid input.
Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
Link: https://lore.kernel.org/lkml/20250421030020.3108405-2-zhenglifeng1@huawei.com/
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/devfreq/governor_userspace.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/devfreq/governor_userspace.c b/drivers/devfreq/governor_userspace.c
index d69672ccacc4..8d057cea09d5 100644
--- a/drivers/devfreq/governor_userspace.c
+++ b/drivers/devfreq/governor_userspace.c
@@ -9,6 +9,7 @@
#include <linux/slab.h>
#include <linux/device.h>
#include <linux/devfreq.h>
+#include <linux/kstrtox.h>
#include <linux/pm.h>
#include <linux/mutex.h>
#include <linux/module.h>
@@ -39,10 +40,13 @@ static ssize_t set_freq_store(struct device *dev, struct device_attribute *attr,
unsigned long wanted;
int err = 0;
+ err = kstrtoul(buf, 0, &wanted);
+ if (err)
+ return err;
+
mutex_lock(&devfreq->lock);
data = devfreq->governor_data;
- sscanf(buf, "%lu", &wanted);
data->user_frequency = wanted;
data->valid = true;
err = update_devfreq(devfreq);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 306/644] EDAC/synopsys: Clear the ECC counters on init
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 305/644] PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 307/644] ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed Greg Kroah-Hartman
` (343 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shubhrajyoti Datta,
Borislav Petkov (AMD), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
[ Upstream commit b1dc7f097b78eb8d25b071ead2384b07a549692b ]
Clear the ECC error and counter registers during initialization/probe to avoid
reporting stale errors that may have occurred before EDAC registration.
For that, unify the Zynq and ZynqMP ECC state reading paths and simplify the
code.
[ bp: Massage commit message.
Fix an -Wsometimes-uninitialized warning as reported by
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202507141048.obUv3ZUm-lkp@intel.com ]
Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250713050753.7042-1-shubhrajyoti.datta@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/synopsys_edac.c | 97 +++++++++++++++++-------------------
1 file changed, 46 insertions(+), 51 deletions(-)
diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c
index e8ddb029f10d..cbc40f57b27b 100644
--- a/drivers/edac/synopsys_edac.c
+++ b/drivers/edac/synopsys_edac.c
@@ -346,20 +346,26 @@ struct synps_edac_priv {
#endif
};
+enum synps_platform_type {
+ ZYNQ,
+ ZYNQMP,
+ SYNPS,
+};
+
/**
* struct synps_platform_data - synps platform data structure.
+ * @platform: Identifies the target hardware platform
* @get_error_info: Get EDAC error info.
* @get_mtype: Get mtype.
* @get_dtype: Get dtype.
- * @get_ecc_state: Get ECC state.
* @get_mem_info: Get EDAC memory info
* @quirks: To differentiate IPs.
*/
struct synps_platform_data {
+ enum synps_platform_type platform;
int (*get_error_info)(struct synps_edac_priv *priv);
enum mem_type (*get_mtype)(const void __iomem *base);
enum dev_type (*get_dtype)(const void __iomem *base);
- bool (*get_ecc_state)(void __iomem *base);
#ifdef CONFIG_EDAC_DEBUG
u64 (*get_mem_info)(struct synps_edac_priv *priv);
#endif
@@ -734,51 +740,38 @@ static enum dev_type zynqmp_get_dtype(const void __iomem *base)
return dt;
}
-/**
- * zynq_get_ecc_state - Return the controller ECC enable/disable status.
- * @base: DDR memory controller base address.
- *
- * Get the ECC enable/disable status of the controller.
- *
- * Return: true if enabled, otherwise false.
- */
-static bool zynq_get_ecc_state(void __iomem *base)
+static bool get_ecc_state(struct synps_edac_priv *priv)
{
+ u32 ecctype, clearval;
enum dev_type dt;
- u32 ecctype;
-
- dt = zynq_get_dtype(base);
- if (dt == DEV_UNKNOWN)
- return false;
- ecctype = readl(base + SCRUB_OFST) & SCRUB_MODE_MASK;
- if ((ecctype == SCRUB_MODE_SECDED) && (dt == DEV_X2))
- return true;
-
- return false;
-}
-
-/**
- * zynqmp_get_ecc_state - Return the controller ECC enable/disable status.
- * @base: DDR memory controller base address.
- *
- * Get the ECC enable/disable status for the controller.
- *
- * Return: a ECC status boolean i.e true/false - enabled/disabled.
- */
-static bool zynqmp_get_ecc_state(void __iomem *base)
-{
- enum dev_type dt;
- u32 ecctype;
-
- dt = zynqmp_get_dtype(base);
- if (dt == DEV_UNKNOWN)
- return false;
-
- ecctype = readl(base + ECC_CFG0_OFST) & SCRUB_MODE_MASK;
- if ((ecctype == SCRUB_MODE_SECDED) &&
- ((dt == DEV_X2) || (dt == DEV_X4) || (dt == DEV_X8)))
- return true;
+ if (priv->p_data->platform == ZYNQ) {
+ dt = zynq_get_dtype(priv->baseaddr);
+ if (dt == DEV_UNKNOWN)
+ return false;
+
+ ecctype = readl(priv->baseaddr + SCRUB_OFST) & SCRUB_MODE_MASK;
+ if (ecctype == SCRUB_MODE_SECDED && dt == DEV_X2) {
+ clearval = ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_UE_ERR;
+ writel(clearval, priv->baseaddr + ECC_CTRL_OFST);
+ writel(0x0, priv->baseaddr + ECC_CTRL_OFST);
+ return true;
+ }
+ } else {
+ dt = zynqmp_get_dtype(priv->baseaddr);
+ if (dt == DEV_UNKNOWN)
+ return false;
+
+ ecctype = readl(priv->baseaddr + ECC_CFG0_OFST) & SCRUB_MODE_MASK;
+ if (ecctype == SCRUB_MODE_SECDED &&
+ (dt == DEV_X2 || dt == DEV_X4 || dt == DEV_X8)) {
+ clearval = readl(priv->baseaddr + ECC_CLR_OFST) |
+ ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_CE_ERRCNT |
+ ECC_CTRL_CLR_UE_ERR | ECC_CTRL_CLR_UE_ERRCNT;
+ writel(clearval, priv->baseaddr + ECC_CLR_OFST);
+ return true;
+ }
+ }
return false;
}
@@ -948,18 +941,18 @@ static int setup_irq(struct mem_ctl_info *mci,
}
static const struct synps_platform_data zynq_edac_def = {
+ .platform = ZYNQ,
.get_error_info = zynq_get_error_info,
.get_mtype = zynq_get_mtype,
.get_dtype = zynq_get_dtype,
- .get_ecc_state = zynq_get_ecc_state,
.quirks = 0,
};
static const struct synps_platform_data zynqmp_edac_def = {
+ .platform = ZYNQMP,
.get_error_info = zynqmp_get_error_info,
.get_mtype = zynqmp_get_mtype,
.get_dtype = zynqmp_get_dtype,
- .get_ecc_state = zynqmp_get_ecc_state,
#ifdef CONFIG_EDAC_DEBUG
.get_mem_info = zynqmp_get_mem_info,
#endif
@@ -971,10 +964,10 @@ static const struct synps_platform_data zynqmp_edac_def = {
};
static const struct synps_platform_data synopsys_edac_def = {
+ .platform = SYNPS,
.get_error_info = zynqmp_get_error_info,
.get_mtype = zynqmp_get_mtype,
.get_dtype = zynqmp_get_dtype,
- .get_ecc_state = zynqmp_get_ecc_state,
.quirks = (DDR_ECC_INTR_SUPPORT | DDR_ECC_INTR_SELF_CLEAR
#ifdef CONFIG_EDAC_DEBUG
| DDR_ECC_DATA_POISON_SUPPORT
@@ -1406,10 +1399,6 @@ static int mc_probe(struct platform_device *pdev)
if (!p_data)
return -ENODEV;
- if (!p_data->get_ecc_state(baseaddr)) {
- edac_printk(KERN_INFO, EDAC_MC, "ECC not enabled\n");
- return -ENXIO;
- }
layers[0].type = EDAC_MC_LAYER_CHIP_SELECT;
layers[0].size = SYNPS_EDAC_NR_CSROWS;
@@ -1429,6 +1418,12 @@ static int mc_probe(struct platform_device *pdev)
priv = mci->pvt_info;
priv->baseaddr = baseaddr;
priv->p_data = p_data;
+ if (!get_ecc_state(priv)) {
+ edac_printk(KERN_INFO, EDAC_MC, "ECC not enabled\n");
+ rc = -ENODEV;
+ goto free_edac_mc;
+ }
+
spin_lock_init(&priv->reglock);
mc_init(mci, pdev);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 307/644] ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 306/644] EDAC/synopsys: Clear the ECC counters on init Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 308/644] thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required Greg Kroah-Hartman
` (342 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit f40ecc2743652c0b0f19935f81baf57c601eb7f0 ]
ASoC has 2 functions to set bias level.
(A) snd_soc_dapm_force_bias_level()
(B) snd_soc_dapm_set_bias_level()
snd_soc_dapm_force_bias_level() (A) will set dapm->bias_level (a) if
successed.
(A) int snd_soc_dapm_force_bias_level(...)
{
...
if (ret == 0)
(a) dapm->bias_level = level;
...
}
snd_soc_dapm_set_bias_level() (B) is also a function that sets bias_level.
It will call snd_soc_dapm_force_bias_level() (A) inside, but doesn't
set dapm->bias_level by itself. One note is that (A) might not be called.
(B) static int snd_soc_dapm_set_bias_level(...)
{
...
ret = snd_soc_card_set_bias_level(...);
...
if (dapm != &card->dapm)
(A) ret = snd_soc_dapm_force_bias_level(...);
...
ret = snd_soc_card_set_bias_level_post(...);
...
}
dapm->bias_level will be set if (A) was called, but might not be set
if (B) was called, even though it calles set_bias_level() function.
We should set dapm->bias_level if we calls
snd_soc_dapm_set_bias_level() (B), too.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87qzyn4g4h.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-dapm.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 538d84f1c29f..469ffc31068e 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -742,6 +742,10 @@ static int snd_soc_dapm_set_bias_level(struct snd_soc_dapm_context *dapm,
out:
trace_snd_soc_bias_level_done(card, level);
+ /* success */
+ if (ret == 0)
+ snd_soc_dapm_init_bias_level(dapm, level);
+
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 308/644] thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 307/644] ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 309/644] tools/nolibc: define time_t in terms of __kernel_old_time_t Greg Kroah-Hartman
` (341 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Collins, Anjelique Melendez,
Daniel Lezcano, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Collins <david.collins@oss.qualcomm.com>
[ Upstream commit f8e157ff2df46ddabd930815d196895976227831 ]
Certain TEMP_ALARM GEN2 PMIC peripherals need over-temperature stage 2
automatic PMIC partial shutdown. This will ensure that in the event of
reaching the hotter stage 3 over-temperature threshold, repeated faults
will be avoided during the automatic PMIC hardware full shutdown.
Modify the stage 2 shutdown control logic to ensure that stage 2
shutdown is enabled on all affected PMICs. Read the digital major
and minor revision registers to identify these PMICs.
Signed-off-by: David Collins <david.collins@oss.qualcomm.com>
Signed-off-by: Anjelique Melendez <anjelique.melendez@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250710224555.3047790-2-anjelique.melendez@oss.qualcomm.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 ++++++++++++++++-----
1 file changed, 34 insertions(+), 9 deletions(-)
diff --git a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
index 1037de19873a..f466bbfa128d 100644
--- a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+++ b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (c) 2011-2015, 2017, 2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
*/
#include <linux/bitops.h>
@@ -17,6 +18,7 @@
#include "../thermal_core.h"
+#define QPNP_TM_REG_DIG_MINOR 0x00
#define QPNP_TM_REG_DIG_MAJOR 0x01
#define QPNP_TM_REG_TYPE 0x04
#define QPNP_TM_REG_SUBTYPE 0x05
@@ -32,7 +34,7 @@
#define STATUS_GEN2_STATE_MASK GENMASK(6, 4)
#define STATUS_GEN2_STATE_SHIFT 4
-#define SHUTDOWN_CTRL1_OVERRIDE_S2 BIT(6)
+#define SHUTDOWN_CTRL1_OVERRIDE_STAGE2 BIT(6)
#define SHUTDOWN_CTRL1_THRESHOLD_MASK GENMASK(1, 0)
#define SHUTDOWN_CTRL1_RATE_25HZ BIT(3)
@@ -80,6 +82,7 @@ struct qpnp_tm_chip {
/* protects .thresh, .stage and chip registers */
struct mutex lock;
bool initialized;
+ bool require_stage2_shutdown;
struct iio_channel *adc;
const long (*temp_map)[THRESH_COUNT][STAGE_COUNT];
@@ -222,13 +225,13 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
{
long stage2_threshold_min = (*chip->temp_map)[THRESH_MIN][1];
long stage2_threshold_max = (*chip->temp_map)[THRESH_MAX][1];
- bool disable_s2_shutdown = false;
+ bool disable_stage2_shutdown = false;
u8 reg;
WARN_ON(!mutex_is_locked(&chip->lock));
/*
- * Default: S2 and S3 shutdown enabled, thresholds at
+ * Default: Stage 2 and Stage 3 shutdown enabled, thresholds at
* lowest threshold set, monitoring at 25Hz
*/
reg = SHUTDOWN_CTRL1_RATE_25HZ;
@@ -243,12 +246,12 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
chip->thresh = THRESH_MAX -
((stage2_threshold_max - temp) /
TEMP_THRESH_STEP);
- disable_s2_shutdown = true;
+ disable_stage2_shutdown = true;
} else {
chip->thresh = THRESH_MAX;
if (chip->adc)
- disable_s2_shutdown = true;
+ disable_stage2_shutdown = true;
else
dev_warn(chip->dev,
"No ADC is configured and critical temperature %d mC is above the maximum stage 2 threshold of %ld mC! Configuring stage 2 shutdown at %ld mC.\n",
@@ -257,8 +260,8 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
skip:
reg |= chip->thresh;
- if (disable_s2_shutdown)
- reg |= SHUTDOWN_CTRL1_OVERRIDE_S2;
+ if (disable_stage2_shutdown && !chip->require_stage2_shutdown)
+ reg |= SHUTDOWN_CTRL1_OVERRIDE_STAGE2;
return qpnp_tm_write(chip, QPNP_TM_REG_SHUTDOWN_CTRL1, reg);
}
@@ -372,8 +375,8 @@ static int qpnp_tm_probe(struct platform_device *pdev)
{
struct qpnp_tm_chip *chip;
struct device_node *node;
- u8 type, subtype, dig_major;
- u32 res;
+ u8 type, subtype, dig_major, dig_minor;
+ u32 res, dig_revision;
int ret, irq;
node = pdev->dev.of_node;
@@ -428,6 +431,11 @@ static int qpnp_tm_probe(struct platform_device *pdev)
return ret;
}
+ ret = qpnp_tm_read(chip, QPNP_TM_REG_DIG_MINOR, &dig_minor);
+ if (ret < 0)
+ return dev_err_probe(&pdev->dev, ret,
+ "could not read dig_minor\n");
+
if (type != QPNP_TM_TYPE || (subtype != QPNP_TM_SUBTYPE_GEN1
&& subtype != QPNP_TM_SUBTYPE_GEN2)) {
dev_err(&pdev->dev, "invalid type 0x%02x or subtype 0x%02x\n",
@@ -441,6 +449,23 @@ static int qpnp_tm_probe(struct platform_device *pdev)
else
chip->temp_map = &temp_map_gen1;
+ if (chip->subtype == QPNP_TM_SUBTYPE_GEN2) {
+ dig_revision = (dig_major << 8) | dig_minor;
+ /*
+ * Check if stage 2 automatic partial shutdown must remain
+ * enabled to avoid potential repeated faults upon reaching
+ * over-temperature stage 3.
+ */
+ switch (dig_revision) {
+ case 0x0001:
+ case 0x0002:
+ case 0x0100:
+ case 0x0101:
+ chip->require_stage2_shutdown = true;
+ break;
+ }
+ }
+
/*
* Register the sensor before initializing the hardware to be able to
* read the trip points. get_temp() returns the default temperature
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 309/644] tools/nolibc: define time_t in terms of __kernel_old_time_t
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 308/644] thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 310/644] gpio: tps65912: check the return value of regmap_update_bits() Greg Kroah-Hartman
` (340 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Willy Tarreau,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit d5094bcb5bfdfea2cf0de8aaf77cc65db56cbdb5 ]
Nolibc assumes that the kernel ABI is using a time values that are as
large as a long integer. For most ABIs this holds true.
But for x32 this is not correct, as it uses 32bit longs but 64bit times.
Also the 'struct stat' implementation of nolibc relies on timespec::tv_sec
and time_t being the same type. While timespec::tv_sec comes from the
kernel and is of type __kernel_old_time_t, time_t is defined within nolibc.
Switch to the __kernel_old_time_t to always get the correct type.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/r/20250712-nolibc-x32-v1-1-6d81cb798710@weissschuh.net
Acked-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/include/nolibc/std.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/include/nolibc/std.h b/tools/include/nolibc/std.h
index 1747ae125392..a0ea830e1ba1 100644
--- a/tools/include/nolibc/std.h
+++ b/tools/include/nolibc/std.h
@@ -33,6 +33,8 @@ typedef unsigned long uintptr_t;
typedef signed long intptr_t;
typedef signed long ptrdiff_t;
+#include <linux/types.h>
+
/* those are commonly provided by sys/types.h */
typedef unsigned int dev_t;
typedef unsigned long ino_t;
@@ -44,6 +46,6 @@ typedef unsigned long nlink_t;
typedef signed long off_t;
typedef signed long blksize_t;
typedef signed long blkcnt_t;
-typedef signed long time_t;
+typedef __kernel_old_time_t time_t;
#endif /* _NOLIBC_STD_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 310/644] gpio: tps65912: check the return value of regmap_update_bits()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 309/644] tools/nolibc: define time_t in terms of __kernel_old_time_t Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 311/644] ARM: tegra: Use I/O memcpy to write to IRAM Greg Kroah-Hartman
` (339 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit a0b2a6bbff8c26aafdecd320f38f52c341d5cafa ]
regmap_update_bits() can fail, check its return value like we do
elsewhere in the driver.
Link: https://lore.kernel.org/r/20250707-gpiochip-set-rv-gpio-round4-v1-2-35668aaaf6d2@linaro.org
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-tps65912.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c
index fab771cb6a87..bac757c191c2 100644
--- a/drivers/gpio/gpio-tps65912.c
+++ b/drivers/gpio/gpio-tps65912.c
@@ -49,10 +49,13 @@ static int tps65912_gpio_direction_output(struct gpio_chip *gc,
unsigned offset, int value)
{
struct tps65912_gpio *gpio = gpiochip_get_data(gc);
+ int ret;
/* Set the initial value */
- regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
- GPIO_SET_MASK, value ? GPIO_SET_MASK : 0);
+ ret = regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
+ GPIO_SET_MASK, value ? GPIO_SET_MASK : 0);
+ if (ret)
+ return ret;
return regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
GPIO_CFG_MASK, GPIO_CFG_MASK);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 311/644] ARM: tegra: Use I/O memcpy to write to IRAM
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 310/644] gpio: tps65912: check the return value of regmap_update_bits() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 312/644] selftests: tracing: Use mutex_unlock for testing glob filter Greg Kroah-Hartman
` (338 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Kling, Thierry Reding,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Kling <webgeek1234@gmail.com>
[ Upstream commit 398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1 ]
Kasan crashes the kernel trying to check boundaries when using the
normal memcpy.
Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
Link: https://lore.kernel.org/r/20250522-mach-tegra-kasan-v1-1-419041b8addb@gmail.com
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-tegra/reset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/mach-tegra/reset.c b/arch/arm/mach-tegra/reset.c
index d5c805adf7a8..ea706fac6358 100644
--- a/arch/arm/mach-tegra/reset.c
+++ b/arch/arm/mach-tegra/reset.c
@@ -63,7 +63,7 @@ static void __init tegra_cpu_reset_handler_enable(void)
BUG_ON(is_enabled);
BUG_ON(tegra_cpu_reset_handler_size > TEGRA_IRAM_RESET_HANDLER_SIZE);
- memcpy(iram_base, (void *)__tegra_cpu_reset_handler_start,
+ memcpy_toio(iram_base, (void *)__tegra_cpu_reset_handler_start,
tegra_cpu_reset_handler_size);
err = call_firmware_op(set_cpu_boot_addr, 0, reset_address);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 312/644] selftests: tracing: Use mutex_unlock for testing glob filter
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 311/644] ARM: tegra: Use I/O memcpy to write to IRAM Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 313/644] ACPI: PRM: Reduce unnecessary printing to avoid user confusion Greg Kroah-Hartman
` (337 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu (Google),
Steven Rostedt (Google), Shuah Khan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Upstream commit a089bb2822a49b0c5777a8936f82c1f8629231fb ]
Since commit c5b6ababd21a ("locking/mutex: implement
mutex_trylock_nested") makes mutex_trylock() as an inlined
function if CONFIG_DEBUG_LOCK_ALLOC=y, we can not use
mutex_trylock() for testing the glob filter of ftrace.
Use mutex_unlock instead.
Link: https://lore.kernel.org/r/175151680309.2149615.9795104805153538717.stgit@mhiramat.tok.corp.google.com
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
index 4b994b6df5ac..ed81eaf2afd6 100644
--- a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
+++ b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
@@ -29,7 +29,7 @@ ftrace_filter_check 'schedule*' '^schedule.*$'
ftrace_filter_check '*pin*lock' '.*pin.*lock$'
# filter by start*mid*
-ftrace_filter_check 'mutex*try*' '^mutex.*try.*'
+ftrace_filter_check 'mutex*unl*' '^mutex.*unl.*'
# Advanced full-glob matching feature is recently supported.
# Skip the tests if we are sure the kernel does not support it.
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 313/644] ACPI: PRM: Reduce unnecessary printing to avoid user confusion
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 312/644] selftests: tracing: Use mutex_unlock for testing glob filter Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 314/644] PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() Greg Kroah-Hartman
` (336 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhu Qiyu, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhu Qiyu <qiyuzhu2@amd.com>
[ Upstream commit 3db5648c4d608b5483470efc1da9780b081242dd ]
Commit 088984c8d54c ("ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM
handler and context") introduced non-essential printing "Failed to find
VA for GUID: xxxx, PA: 0x0" which may confuse users to think that
something wrong is going on while it is not the case.
According to the PRM Spec Section 4.1.2 [1], both static data buffer
address and ACPI parameter buffer address may be NULL if they are not
needed, so there is no need to print out the "Failed to find VA ... "
in those cases.
Link: https://uefi.org/sites/default/files/resources/Platform%20Runtime%20Mechanism%20-%20with%20legal%20notice.pdf # [1]
Signed-off-by: Zhu Qiyu <qiyuzhu2@amd.com>
Link: https://patch.msgid.link/20250704014104.82524-1-qiyuzhu2@amd.com
[ rjw: Edits in new comments, subject and changelog ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/prmt.c | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c
index 890c74c52beb..6290ed84c595 100644
--- a/drivers/acpi/prmt.c
+++ b/drivers/acpi/prmt.c
@@ -85,8 +85,6 @@ static u64 efi_pa_va_lookup(efi_guid_t *guid, u64 pa)
}
}
- pr_warn("Failed to find VA for GUID: %pUL, PA: 0x%llx", guid, pa);
-
return 0;
}
@@ -142,13 +140,37 @@ acpi_parse_prmt(union acpi_subtable_headers *header, const unsigned long end)
guid_copy(&th->guid, (guid_t *)handler_info->handler_guid);
th->handler_addr =
(void *)efi_pa_va_lookup(&th->guid, handler_info->handler_address);
+ /*
+ * Print a warning message if handler_addr is zero which is not expected to
+ * ever happen.
+ */
+ if (unlikely(!th->handler_addr))
+ pr_warn("Failed to find VA of handler for GUID: %pUL, PA: 0x%llx",
+ &th->guid, handler_info->handler_address);
th->static_data_buffer_addr =
efi_pa_va_lookup(&th->guid, handler_info->static_data_buffer_address);
+ /*
+ * According to the PRM specification, static_data_buffer_address can be zero,
+ * so avoid printing a warning message in that case. Otherwise, if the
+ * return value of efi_pa_va_lookup() is zero, print the message.
+ */
+ if (unlikely(!th->static_data_buffer_addr && handler_info->static_data_buffer_address))
+ pr_warn("Failed to find VA of static data buffer for GUID: %pUL, PA: 0x%llx",
+ &th->guid, handler_info->static_data_buffer_address);
th->acpi_param_buffer_addr =
efi_pa_va_lookup(&th->guid, handler_info->acpi_param_buffer_address);
+ /*
+ * According to the PRM specification, acpi_param_buffer_address can be zero,
+ * so avoid printing a warning message in that case. Otherwise, if the
+ * return value of efi_pa_va_lookup() is zero, print the message.
+ */
+ if (unlikely(!th->acpi_param_buffer_addr && handler_info->acpi_param_buffer_address))
+ pr_warn("Failed to find VA of acpi param buffer for GUID: %pUL, PA: 0x%llx",
+ &th->guid, handler_info->acpi_param_buffer_address);
+
} while (++cur_handler < tm->handler_count && (handler_info = get_next_handler(handler_info)));
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 314/644] PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 313/644] ACPI: PRM: Reduce unnecessary printing to avoid user confusion Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 315/644] thermal: sysfs: Return ENODATA instead of EAGAIN for reads Greg Kroah-Hartman
` (335 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ulf Hansson, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 89d9cec3b1e9c49bae9375a2db6dc49bc7468af0 ]
Clear power.needs_force_resume in pm_runtime_reinit() in case it has
been set by pm_runtime_force_suspend() invoked from a driver remove
callback.
Suggested-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://patch.msgid.link/9495163.CDJkKcVGEf@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/runtime.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
index 35e1a090ef90..26ea7f5c8d42 100644
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1714,6 +1714,11 @@ void pm_runtime_reinit(struct device *dev)
pm_runtime_put(dev->parent);
}
}
+ /*
+ * Clear power.needs_force_resume in case it has been set by
+ * pm_runtime_force_suspend() invoked from a driver remove callback.
+ */
+ dev->power.needs_force_resume = false;
}
/**
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 315/644] thermal: sysfs: Return ENODATA instead of EAGAIN for reads
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 314/644] PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 316/644] PM: sleep: console: Fix the black screen issue Greg Kroah-Hartman
` (334 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hsin-Te Yuan, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hsin-Te Yuan <yuanhsinte@chromium.org>
[ Upstream commit 1a4aabc27e95674837f2e25f4ef340c0469e6203 ]
According to POSIX spec, EAGAIN returned by read with O_NONBLOCK set
means the read would block. Hence, the common implementation in
nonblocking model will poll the file when the nonblocking read returns
EAGAIN. However, when the target file is thermal zone, this mechanism
will totally malfunction because thermal zone doesn't implement sysfs
notification and thus the poll will never return.
For example, the read in Golang implemnts such method and sometimes
hangs at reading some thermal zones via sysfs.
Change to return -ENODATA instead of -EAGAIN to userspace.
Signed-off-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
Link: https://patch.msgid.link/20250620-temp-v3-1-6becc6aeb66c@chromium.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/thermal_sysfs.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c
index de7cdec3db90..a21af02f6347 100644
--- a/drivers/thermal/thermal_sysfs.c
+++ b/drivers/thermal/thermal_sysfs.c
@@ -39,10 +39,13 @@ temp_show(struct device *dev, struct device_attribute *attr, char *buf)
ret = thermal_zone_get_temp(tz, &temperature);
- if (ret)
- return ret;
+ if (!ret)
+ return sprintf(buf, "%d\n", temperature);
- return sprintf(buf, "%d\n", temperature);
+ if (ret == -EAGAIN)
+ return -ENODATA;
+
+ return ret;
}
static ssize_t
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 316/644] PM: sleep: console: Fix the black screen issue
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 315/644] thermal: sysfs: Return ENODATA instead of EAGAIN for reads Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 317/644] ACPI: processor: fix acpi_object initialization Greg Kroah-Hartman
` (333 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, tuhaowen, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: tuhaowen <tuhaowen@uniontech.com>
[ Upstream commit 4266e8fa56d3d982bf451d382a410b9db432015c ]
When the computer enters sleep status without a monitor
connected, the system switches the console to the virtual
terminal tty63(SUSPEND_CONSOLE).
If a monitor is subsequently connected before waking up,
the system skips the required VT restoration process
during wake-up, leaving the console on tty63 instead of
switching back to tty1.
To fix this issue, a global flag vt_switch_done is introduced
to record whether the system has successfully switched to
the suspend console via vt_move_to_console() during suspend.
If the switch was completed, vt_switch_done is set to 1.
Later during resume, this flag is checked to ensure that
the original console is restored properly by calling
vt_move_to_console(orig_fgconsole, 0).
This prevents scenarios where the resume logic skips console
restoration due to incorrect detection of the console state,
especially when a monitor is reconnected before waking up.
Signed-off-by: tuhaowen <tuhaowen@uniontech.com>
Link: https://patch.msgid.link/20250611032345.29962-1-tuhaowen@uniontech.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/console.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kernel/power/console.c b/kernel/power/console.c
index fcdf0e14a47d..19c48aa5355d 100644
--- a/kernel/power/console.c
+++ b/kernel/power/console.c
@@ -16,6 +16,7 @@
#define SUSPEND_CONSOLE (MAX_NR_CONSOLES-1)
static int orig_fgconsole, orig_kmsg;
+static bool vt_switch_done;
static DEFINE_MUTEX(vt_switch_mutex);
@@ -136,17 +137,21 @@ void pm_prepare_console(void)
if (orig_fgconsole < 0)
return;
+ vt_switch_done = true;
+
orig_kmsg = vt_kmsg_redirect(SUSPEND_CONSOLE);
return;
}
void pm_restore_console(void)
{
- if (!pm_vt_switch())
+ if (!pm_vt_switch() && !vt_switch_done)
return;
if (orig_fgconsole >= 0) {
vt_move_to_console(orig_fgconsole, 0);
vt_kmsg_redirect(orig_kmsg);
}
+
+ vt_switch_done = false;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 317/644] ACPI: processor: fix acpi_object initialization
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 316/644] PM: sleep: console: Fix the black screen issue Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 318/644] mmc: sdhci-msm: Ensure SD card power isnt ON when card removed Greg Kroah-Hartman
` (332 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Ott, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Ott <sebott@redhat.com>
[ Upstream commit 13edf7539211d8f7d0068ce3ed143005f1da3547 ]
Initialization of the local acpi_object in acpi_processor_get_info()
only sets the first 4 bytes to zero and is thus incomplete. This is
indicated by messages like:
acpi ACPI0007:be: Invalid PBLK length [166288104]
Fix this by initializing all 16 bytes of the processor member of that
union.
Signed-off-by: Sebastian Ott <sebott@redhat.com>
Link: https://patch.msgid.link/20250703124215.12522-1-sebott@redhat.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpi_processor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
index 8bd5c4fa91f2..cfa75b14caa2 100644
--- a/drivers/acpi/acpi_processor.c
+++ b/drivers/acpi/acpi_processor.c
@@ -216,7 +216,7 @@ static inline int acpi_processor_hotadd_init(struct acpi_processor *pr)
static int acpi_processor_get_info(struct acpi_device *device)
{
- union acpi_object object = { 0 };
+ union acpi_object object = { .processor = { 0 } };
struct acpi_buffer buffer = { sizeof(union acpi_object), &object };
struct acpi_processor *pr = acpi_driver_data(device);
int device_declaration = 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 318/644] mmc: sdhci-msm: Ensure SD card power isnt ON when card removed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 317/644] ACPI: processor: fix acpi_object initialization Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 319/644] ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path Greg Kroah-Hartman
` (331 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sarthak Garg, Adrian Hunter,
Ulf Hansson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sarthak Garg <quic_sartgarg@quicinc.com>
[ Upstream commit db58532188ebf51d52b1d7693d9e94c76b926e9f ]
Many mobile phones feature multi-card tray designs, where the same
tray is used for both SD and SIM cards. If the SD card is placed
at the outermost location in the tray, the SIM card may come in
contact with SD card power-supply while removing the tray, possibly
resulting in SIM damage.
To prevent that, make sure the SD card is really inserted by reading
the Card Detect pin state. If it's not, turn off the power in
sdhci_msm_check_power_status() and also set the BUS_FAIL power state
on the controller as part of pwr_irq handling for BUS_ON request.
Signed-off-by: Sarthak Garg <quic_sartgarg@quicinc.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20250701100659.3310386-1-quic_sartgarg@quicinc.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/sdhci-msm.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
index 4b727754d8e3..8fb2ba20e221 100644
--- a/drivers/mmc/host/sdhci-msm.c
+++ b/drivers/mmc/host/sdhci-msm.c
@@ -1560,6 +1560,7 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type)
{
struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
+ struct mmc_host *mmc = host->mmc;
bool done = false;
u32 val = SWITCHABLE_SIGNALING_VOLTAGE;
const struct sdhci_msm_offset *msm_offset =
@@ -1617,6 +1618,12 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type)
"%s: pwr_irq for req: (%d) timed out\n",
mmc_hostname(host->mmc), req_type);
}
+
+ if ((req_type & REQ_BUS_ON) && mmc->card && !mmc->ops->get_cd(mmc)) {
+ sdhci_writeb(host, 0, SDHCI_POWER_CONTROL);
+ host->pwr = 0;
+ }
+
pr_debug("%s: %s: request %d done\n", mmc_hostname(host->mmc),
__func__, req_type);
}
@@ -1675,6 +1682,13 @@ static void sdhci_msm_handle_pwr_irq(struct sdhci_host *host, int irq)
udelay(10);
}
+ if ((irq_status & CORE_PWRCTL_BUS_ON) && mmc->card &&
+ !mmc->ops->get_cd(mmc)) {
+ msm_host_writel(msm_host, CORE_PWRCTL_BUS_FAIL, host,
+ msm_offset->core_pwrctl_ctl);
+ return;
+ }
+
/* Handle BUS ON/OFF*/
if (irq_status & CORE_PWRCTL_BUS_ON) {
pwr_state = REQ_BUS_ON;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 319/644] ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 318/644] mmc: sdhci-msm: Ensure SD card power isnt ON when card removed Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 320/644] pps: clients: gpio: fix interrupt handling order in remove path Greg Kroah-Hartman
` (330 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Tony Luck,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit 4734c8b46b901cff2feda8b82abc710b65dc31c1 ]
When a GHES (Generic Hardware Error Source) triggers a panic, add the
TAINT_MACHINE_CHECK taint flag to the kernel. This explicitly marks the
kernel as tainted due to a machine check event, improving diagnostics
and post-mortem analysis. The taint is set with LOCKDEP_STILL_OK to
indicate lockdep remains valid.
At large scale deployment, this helps to quickly determine panics that
are coming due to hardware failures.
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Link: https://patch.msgid.link/20250702-add_tain-v1-1-9187b10914b9@debian.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/apei/ghes.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index 72087e05b5a5..250ea9ec5f0c 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -860,6 +860,8 @@ static void __ghes_panic(struct ghes *ghes,
__ghes_print_estatus(KERN_EMERG, ghes->generic, estatus);
+ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
+
ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx);
if (!panic_timeout)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 320/644] pps: clients: gpio: fix interrupt handling order in remove path
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 319/644] ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 321/644] reset: brcmstb: Enable reset drivers for ARCH_BCM2835 Greg Kroah-Hartman
` (329 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eliav Farber, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eliav Farber <farbere@amazon.com>
[ Upstream commit 6bca1e955830808dc90e0506b2951b4256b81bbb ]
The interrupt handler in pps_gpio_probe() is registered after calling
pps_register_source() using devm_request_irq(). However, in the
corresponding remove function, pps_unregister_source() is called before
the IRQ is freed, since devm-managed resources are released after the
remove function completes.
This creates a potential race condition where an interrupt may occur
after the PPS source is unregistered but before the handler is removed,
possibly leading to a kernel panic.
To prevent this, switch from devm-managed IRQ registration to manual
management by using request_irq() and calling free_irq() explicitly in
the remove path before unregistering the PPS source. This ensures the
interrupt handler is safely removed before deactivating the PPS source.
Signed-off-by: Eliav Farber <farbere@amazon.com>
Link: https://lore.kernel.org/r/20250527053355.37185-1-farbere@amazon.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pps/clients/pps-gpio.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/pps/clients/pps-gpio.c b/drivers/pps/clients/pps-gpio.c
index bf3b6f1aa984..41e1fdbcda16 100644
--- a/drivers/pps/clients/pps-gpio.c
+++ b/drivers/pps/clients/pps-gpio.c
@@ -206,8 +206,8 @@ static int pps_gpio_probe(struct platform_device *pdev)
}
/* register IRQ interrupt handler */
- ret = devm_request_irq(dev, data->irq, pps_gpio_irq_handler,
- get_irqf_trigger_flags(data), data->info.name, data);
+ ret = request_irq(data->irq, pps_gpio_irq_handler,
+ get_irqf_trigger_flags(data), data->info.name, data);
if (ret) {
pps_unregister_source(data->pps);
dev_err(dev, "failed to acquire IRQ %d\n", data->irq);
@@ -224,6 +224,7 @@ static int pps_gpio_remove(struct platform_device *pdev)
{
struct pps_gpio_device_data *data = platform_get_drvdata(pdev);
+ free_irq(data->irq, data);
pps_unregister_source(data->pps);
del_timer_sync(&data->echo_timer);
/* reset echo pin in any case */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 321/644] reset: brcmstb: Enable reset drivers for ARCH_BCM2835
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 320/644] pps: clients: gpio: fix interrupt handling order in remove path Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 322/644] mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() Greg Kroah-Hartman
` (328 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Robinson, Florian Fainelli,
Philipp Zabel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Robinson <pbrobinson@gmail.com>
[ Upstream commit 1d99f92f71b6b4b2eee776562c991428490f71ef ]
The BRCMSTB and BRCMSTB_RESCAL reset drivers are also
used in the BCM2712, AKA the RPi5. The RPi platforms
have typically used the ARCH_BCM2835, and the PCIe
support for this SoC can use this config which depends
on these drivers so enable building them when just that
arch option is enabled to ensure the platform works as
expected.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://lore.kernel.org/r/20250630175301.846082-1-pbrobinson@gmail.com
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/reset/Kconfig | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/reset/Kconfig b/drivers/reset/Kconfig
index b0056ae5d463..d1bc691b2900 100644
--- a/drivers/reset/Kconfig
+++ b/drivers/reset/Kconfig
@@ -51,8 +51,8 @@ config RESET_BERLIN
config RESET_BRCMSTB
tristate "Broadcom STB reset controller"
- depends on ARCH_BRCMSTB || COMPILE_TEST
- default ARCH_BRCMSTB
+ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST
+ default ARCH_BRCMSTB || ARCH_BCM2835
help
This enables the reset controller driver for Broadcom STB SoCs using
a SUN_TOP_CTRL_SW_INIT style controller.
@@ -60,11 +60,11 @@ config RESET_BRCMSTB
config RESET_BRCMSTB_RESCAL
bool "Broadcom STB RESCAL reset controller"
depends on HAS_IOMEM
- depends on ARCH_BRCMSTB || COMPILE_TEST
- default ARCH_BRCMSTB
+ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST
+ default ARCH_BRCMSTB || ARCH_BCM2835
help
This enables the RESCAL reset controller for SATA, PCIe0, or PCIe1 on
- BCM7216.
+ BCM7216 or the BCM2712.
config RESET_HSDK
bool "Synopsys HSDK Reset Driver"
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 322/644] mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 321/644] reset: brcmstb: Enable reset drivers for ARCH_BCM2835 Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 323/644] x86/bugs: Avoid warning when overriding return thunk Greg Kroah-Hartman
` (327 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Avri Altman, Ulf Hansson, Ricky Wu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ulf Hansson <ulf.hansson@linaro.org>
[ Upstream commit 47a255f7d2eabee06cfbf5b1c2379749442fd01d ]
In the error path of sd_set_power_mode() we don't update host->power_mode,
which could lead to an imbalance of the runtime PM usage count. Fix this by
always updating host->power_mode.
Reviewed-by: Avri Altman <avri.altman@sandisk.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Ricky Wu <ricky_wu@realtek.com>
Link: https://lore.kernel.org/r/20250610111633.504366-2-ulf.hansson@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/rtsx_usb_sdmmc.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c
index 1be3a355f10d..ab7023d956eb 100644
--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
+++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
@@ -1032,9 +1032,7 @@ static int sd_set_power_mode(struct rtsx_usb_sdmmc *host,
err = sd_power_on(host);
}
- if (!err)
- host->power_mode = power_mode;
-
+ host->power_mode = power_mode;
return err;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 323/644] x86/bugs: Avoid warning when overriding return thunk
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 322/644] mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 324/644] ASoC: hdac_hdmi: Rate limit logging on connection and disconnection Greg Kroah-Hartman
` (326 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Borislav Petkov, Pawan Gupta,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
[ Upstream commit 9f85fdb9fc5a1bd308a10a0a7d7e34f2712ba58b ]
The purpose of the warning is to prevent an unexpected change to the return
thunk mitigation. However, there are legitimate cases where the return
thunk is intentionally set more than once. For example, ITS and SRSO both
can set the return thunk after retbleed has set it. In both the cases
retbleed is still mitigated.
Replace the warning with an info about the active return thunk.
Suggested-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250611-eibrs-fix-v4-3-5ff86cac6c61@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/bugs.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 261aa716971d..9e313ee9ba66 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -70,10 +70,9 @@ void (*x86_return_thunk)(void) __ro_after_init = &__x86_return_thunk;
static void __init set_return_thunk(void *thunk)
{
- if (x86_return_thunk != __x86_return_thunk)
- pr_warn("x86/bugs: return thunk changed\n");
-
x86_return_thunk = thunk;
+
+ pr_info("active return thunk: %ps\n", thunk);
}
/* Update SPEC_CTRL MSR and its cached copy unconditionally */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 324/644] ASoC: hdac_hdmi: Rate limit logging on connection and disconnection
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 323/644] x86/bugs: Avoid warning when overriding return thunk Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 325/644] ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 Greg Kroah-Hartman
` (325 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown <broonie@kernel.org>
[ Upstream commit c4ca928a6db1593802cd945f075a7e21dd0430c1 ]
We currently log parse failures for ELD data and some disconnection events
as errors without rate limiting. These log messages can be triggered very
frequently in some situations, especially ELD parsing when there is nothing
connected to a HDMI port which will generate:
hdmi-audio-codec hdmi-audio-codec.1.auto: HDMI: Unknown ELD version 0
While there's doubtless work that could be done on reducing the number of
connection notification callbacks it's possible these may be legitimately
generated by poor quality physical connections so let's use rate limiting
to mitigate the log spam for the parse errors and lower the severity for
disconnect logging to debug level.
Signed-off-by: Mark Brown <broonie@kernel.org>
Link: https://patch.msgid.link/20250613-asoc-hdmi-eld-logging-v1-1-76d64154d969@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/hdac_hdmi.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c
index 1acd82f81ba0..bafdaedbee86 100644
--- a/sound/soc/codecs/hdac_hdmi.c
+++ b/sound/soc/codecs/hdac_hdmi.c
@@ -1230,7 +1230,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev,
>> DRM_ELD_VER_SHIFT;
if (ver != ELD_VER_CEA_861D && ver != ELD_VER_PARTIAL) {
- dev_err(&hdev->dev, "HDMI: Unknown ELD version %d\n", ver);
+ dev_err_ratelimited(&hdev->dev,
+ "HDMI: Unknown ELD version %d\n", ver);
return -EINVAL;
}
@@ -1238,7 +1239,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev,
DRM_ELD_MNL_MASK) >> DRM_ELD_MNL_SHIFT;
if (mnl > ELD_MAX_MNL) {
- dev_err(&hdev->dev, "HDMI: MNL Invalid %d\n", mnl);
+ dev_err_ratelimited(&hdev->dev,
+ "HDMI: MNL Invalid %d\n", mnl);
return -EINVAL;
}
@@ -1297,8 +1299,8 @@ static void hdac_hdmi_present_sense(struct hdac_hdmi_pin *pin,
if (!port->eld.monitor_present || !port->eld.eld_valid) {
- dev_err(&hdev->dev, "%s: disconnect for pin:port %d:%d\n",
- __func__, pin->nid, port->id);
+ dev_dbg(&hdev->dev, "%s: disconnect for pin:port %d:%d\n",
+ __func__, pin->nid, port->id);
/*
* PCMs are not registered during device probe, so don't
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 325/644] ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 324/644] ASoC: hdac_hdmi: Rate limit logging on connection and disconnection Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 326/644] ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() Greg Kroah-Hartman
` (324 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 87aafc8580acf87fcaf1a7e30ed858d8c8d37d81 ]
code mistakenly used a hardcoded index (codec[1]) instead of
iterating, over the codec array using the loop variable i.
Use codec[i] instead of codec[1] to match the loop iteration.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20250621185233.4081094-1-alok.a.tiwari@oracle.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/intel8x0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c
index ae285c0a629c..f3df6fe2b7f1 100644
--- a/sound/pci/intel8x0.c
+++ b/sound/pci/intel8x0.c
@@ -2252,7 +2252,7 @@ static int snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
tmp |= chip->ac97_sdin[0] << ICH_DI1L_SHIFT;
for (i = 1; i < 4; i++) {
if (pcm->r[0].codec[i]) {
- tmp |= chip->ac97_sdin[pcm->r[0].codec[1]->num] << ICH_DI2L_SHIFT;
+ tmp |= chip->ac97_sdin[pcm->r[0].codec[i]->num] << ICH_DI2L_SHIFT;
break;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 326/644] ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 325/644] ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 327/644] usb: typec: intel_pmc_mux: Defer probe if SCU IPC isnt present Greg Kroah-Hartman
` (323 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Bard Liao,
Ranjani Sridharan, Liam Girdwood, Kai Vehmanen, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
[ Upstream commit 2d91cb261cac6d885954b8f5da28b5c176c18131 ]
snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will
leads to null pointer dereference.
This was reproduced with topology loading and marking a link as ignore
due to missing hardware component on the system.
On module removal the soc_tplg_remove_link() would call
snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,
no runtime was created.
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Link: https://patch.msgid.link/20250619084222.559-3-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index 1c4d8b96f77b..d28261ef1d4c 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -959,6 +959,9 @@ static int soc_dai_link_sanity_check(struct snd_soc_card *card,
void snd_soc_remove_pcm_runtime(struct snd_soc_card *card,
struct snd_soc_pcm_runtime *rtd)
{
+ if (!rtd)
+ return;
+
lockdep_assert_held(&client_mutex);
/* release machine specific resources */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 327/644] usb: typec: intel_pmc_mux: Defer probe if SCU IPC isnt present
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 326/644] ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 328/644] usb: core: usb_submit_urb: downgrade type check Greg Kroah-Hartman
` (322 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Michalec, Heikki Krogerus,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Michalec <tmichalec@google.com>
[ Upstream commit df9a825f330e76c72d1985bc9bdc4b8981e3d15f ]
If pmc_usb_probe is called before SCU IPC is registered, pmc_usb_probe
will fail.
Return -EPROBE_DEFER when pmc_usb_probe doesn't get SCU IPC device, so
the probe function can be called again after SCU IPC is initialized.
Signed-off-by: Tomasz Michalec <tmichalec@google.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250610154058.1859812-1-tmichalec@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/mux/intel_pmc_mux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/typec/mux/intel_pmc_mux.c b/drivers/usb/typec/mux/intel_pmc_mux.c
index a7313c2d9f0f..806ffeacdecb 100644
--- a/drivers/usb/typec/mux/intel_pmc_mux.c
+++ b/drivers/usb/typec/mux/intel_pmc_mux.c
@@ -650,7 +650,7 @@ static int pmc_usb_probe(struct platform_device *pdev)
pmc->ipc = devm_intel_scu_ipc_dev_get(&pdev->dev);
if (!pmc->ipc)
- return -ENODEV;
+ return -EPROBE_DEFER;
pmc->dev = &pdev->dev;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 328/644] usb: core: usb_submit_urb: downgrade type check
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 327/644] usb: typec: intel_pmc_mux: Defer probe if SCU IPC isnt present Greg Kroah-Hartman
@ 2025-08-26 11:06 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 329/644] pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() Greg Kroah-Hartman
` (321 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Alan Stern,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit 503bbde34cc3dd2acd231f277ba70c3f9ed22e59 ]
Checking for the endpoint type is no reason for a WARN, as that can
cause a reboot. A driver not checking the endpoint type must not cause a
reboot, as there is just no point in this. We cannot prevent a device
from doing something incorrect as a reaction to a transfer. Hence
warning for a mere assumption being wrong is not sensible.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250612122149.2559724-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/core/urb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
index 33d62d7e3929..201f8519d9d6 100644
--- a/drivers/usb/core/urb.c
+++ b/drivers/usb/core/urb.c
@@ -499,7 +499,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
/* Check that the pipe's type matches the endpoint's type */
if (usb_pipe_type_check(urb->dev, urb->pipe))
- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
+ dev_warn_once(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
usb_pipetype(urb->pipe), pipetypes[xfertype]);
/* Check against a simple/standard policy */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 329/644] pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2025-08-26 11:06 ` [PATCH 5.15 328/644] usb: core: usb_submit_urb: downgrade type check Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 330/644] platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
` (320 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gautham R. Shenoy, Shuah Khan,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautham R. Shenoy <gautham.shenoy@amd.com>
[ Upstream commit cda7ac8ce7de84cf32a3871ba5f318aa3b79381e ]
In the function mperf_start(), mperf_monitor snapshots the time, tsc
and finally the aperf,mperf MSRs. However, this order of snapshotting
in is reversed in mperf_stop(). As a result, the C0 residency (which
is computed as delta_mperf * 100 / delta_tsc) is under-reported on
CPUs that is 100% busy.
Fix this by snapshotting time, tsc and then aperf,mperf in
mperf_stop() in the same order as in mperf_start().
Link: https://lore.kernel.org/r/20250612122355.19629-2-gautham.shenoy@amd.com
Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/cpupower/utils/idle_monitor/mperf_monitor.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
index 08a399b0be28..6ab9139f16af 100644
--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
@@ -240,9 +240,9 @@ static int mperf_stop(void)
int cpu;
for (cpu = 0; cpu < cpu_count; cpu++) {
- mperf_measure_stats(cpu);
- mperf_get_tsc(&tsc_at_measure_end[cpu]);
clock_gettime(CLOCK_REALTIME, &time_end[cpu]);
+ mperf_get_tsc(&tsc_at_measure_end[cpu]);
+ mperf_measure_stats(cpu);
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 330/644] platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 329/644] pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 331/644] platform/chrome: cros_ec_typec: Defer probe on missing EC parent Greg Kroah-Hartman
` (319 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Ilpo Järvinen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 6418a8504187dc7f5b6f9d0649c03e362cb0664b ]
When KCOV is enabled all functions get instrumented, unless the
__no_sanitize_coverage attribute is used. To prepare for
__no_sanitize_coverage being applied to __init functions[1], we have
to handle differences in how GCC's inline optimizations get resolved.
For thinkpad_acpi routines, this means forcing two functions to be
inline with __always_inline.
Link: https://lore.kernel.org/lkml/20250523043935.2009972-11-kees@kernel.org/ [1]
Signed-off-by: Kees Cook <kees@kernel.org>
Link: https://lore.kernel.org/r/20250529181831.work.439-kees@kernel.org
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/thinkpad_acpi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
index 9b700a3ad7b2..89a8e074c16d 100644
--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -523,12 +523,12 @@ static unsigned long __init tpacpi_check_quirks(
return 0;
}
-static inline bool __pure __init tpacpi_is_lenovo(void)
+static __always_inline bool __pure __init tpacpi_is_lenovo(void)
{
return thinkpad_id.vendor == PCI_VENDOR_ID_LENOVO;
}
-static inline bool __pure __init tpacpi_is_ibm(void)
+static __always_inline bool __pure __init tpacpi_is_ibm(void)
{
return thinkpad_id.vendor == PCI_VENDOR_ID_IBM;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 331/644] platform/chrome: cros_ec_typec: Defer probe on missing EC parent
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 330/644] platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 332/644] ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Greg Kroah-Hartman
` (318 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Michalec,
Abhishek Pandit-Subedi, Tzung-Bi Shih, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Michalec <tmichalec@google.com>
[ Upstream commit 8866f4e557eba43e991f99711515217a95f62d2e ]
If cros_typec_probe is called before EC device is registered,
cros_typec_probe will fail. It may happen when cros-ec-typec.ko is
loaded before EC bus layer module (e.g. cros_ec_lpcs.ko,
cros_ec_spi.ko).
Return -EPROBE_DEFER when cros_typec_probe doesn't get EC device, so
the probe function can be called again after EC device is registered.
Signed-off-by: Tomasz Michalec <tmichalec@google.com>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Link: https://lore.kernel.org/r/20250610153748.1858519-1-tmichalec@google.com
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/chrome/cros_ec_typec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
index c065963b9a42..6f3fdd38c393 100644
--- a/drivers/platform/chrome/cros_ec_typec.c
+++ b/drivers/platform/chrome/cros_ec_typec.c
@@ -1110,8 +1110,8 @@ static int cros_typec_probe(struct platform_device *pdev)
typec->ec = dev_get_drvdata(pdev->dev.parent);
if (!typec->ec) {
- dev_err(dev, "couldn't find parent EC device\n");
- return -ENODEV;
+ dev_warn(dev, "couldn't find parent EC device\n");
+ return -EPROBE_DEFER;
}
platform_set_drvdata(pdev, typec);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 332/644] ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 331/644] platform/chrome: cros_ec_typec: Defer probe on missing EC parent Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 333/644] ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop Greg Kroah-Hartman
` (317 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Lucy Thrun,
Takashi Iwai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
[ Upstream commit a409c60111e6bb98fcabab2aeaa069daa9434ca0 ]
The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte
buffer if either string argument is too long. This triggers a compiler
warning.
Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent
overflow.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/
Signed-off-by: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_ca0132.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
index a922c5079880..57c51dc985d9 100644
--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -4402,7 +4402,7 @@ static int add_tuning_control(struct hda_codec *codec,
}
knew.private_value =
HDA_COMPOSE_AMP_VAL(nid, 1, 0, type);
- sprintf(namestr, "%s %s Volume", name, dirstr[dir]);
+ snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]);
return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 333/644] ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 332/644] ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 334/644] ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros Greg Kroah-Hartman
` (316 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 92f59aeb13252265c20e7aef1379a8080c57e0a2 ]
At the time being recalculate_boundary() is implemented with a
loop which shows up as costly in a perf profile, as depicted by
the annotate below:
0.00 : c057e934: 3d 40 7f ff lis r10,32767
0.03 : c057e938: 61 4a ff ff ori r10,r10,65535
0.21 : c057e93c: 7d 49 50 50 subf r10,r9,r10
5.39 : c057e940: 7d 3c 4b 78 mr r28,r9
2.11 : c057e944: 55 29 08 3c slwi r9,r9,1
3.04 : c057e948: 7c 09 50 40 cmplw r9,r10
2.47 : c057e94c: 40 81 ff f4 ble c057e940 <snd_pcm_ioctl+0xee0>
Total: 13.2% on that simple loop.
But what the loop does is to multiply the boundary by 2 until it is
over the wanted border. This can be avoided by using fls() to get the
boundary value order and shift it by the appropriate number of bits at
once.
This change provides the following profile:
0.04 : c057f6e8: 3d 20 7f ff lis r9,32767
0.02 : c057f6ec: 61 29 ff ff ori r9,r9,65535
0.34 : c057f6f0: 7d 5a 48 50 subf r10,r26,r9
0.23 : c057f6f4: 7c 1a 50 40 cmplw r26,r10
0.02 : c057f6f8: 41 81 00 20 bgt c057f718 <snd_pcm_ioctl+0xf08>
0.26 : c057f6fc: 7f 47 00 34 cntlzw r7,r26
0.09 : c057f700: 7d 48 00 34 cntlzw r8,r10
0.22 : c057f704: 7d 08 38 50 subf r8,r8,r7
0.04 : c057f708: 7f 5a 40 30 slw r26,r26,r8
0.35 : c057f70c: 7c 0a d0 40 cmplw r10,r26
0.13 : c057f710: 40 80 05 f8 bge c057fd08 <snd_pcm_ioctl+0x14f8>
0.00 : c057f714: 57 5a f8 7e srwi r26,r26,1
Total: 1.7% with that loopless alternative.
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Link: https://patch.msgid.link/4836e2cde653eebaf2709ebe30eec736bb8c67fd.1749202237.git.christophe.leroy@csgroup.eu
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/pcm_native.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index d6169fee5ea0..fdd3f293c439 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -24,6 +24,7 @@
#include <sound/minors.h>
#include <linux/uio.h>
#include <linux/delay.h>
+#include <linux/bitops.h>
#include "pcm_local.h"
@@ -3114,13 +3115,23 @@ struct snd_pcm_sync_ptr32 {
static snd_pcm_uframes_t recalculate_boundary(struct snd_pcm_runtime *runtime)
{
snd_pcm_uframes_t boundary;
+ snd_pcm_uframes_t border;
+ int order;
if (! runtime->buffer_size)
return 0;
- boundary = runtime->buffer_size;
- while (boundary * 2 <= 0x7fffffffUL - runtime->buffer_size)
- boundary *= 2;
- return boundary;
+
+ border = 0x7fffffffUL - runtime->buffer_size;
+ if (runtime->buffer_size > border)
+ return runtime->buffer_size;
+
+ order = __fls(border) - __fls(runtime->buffer_size);
+ boundary = runtime->buffer_size << order;
+
+ if (boundary <= border)
+ return boundary;
+ else
+ return boundary / 2;
}
static int snd_pcm_ioctl_sync_ptr_compat(struct snd_pcm_substream *substream,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 334/644] ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 333/644] ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 335/644] iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement Greg Kroah-Hartman
` (315 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cristian Ciocaltea, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
[ Upstream commit fd3ab72e42e9871a9902b945a2bf8bb87b49c718 ]
Fix all macro related issues identified by checkpatch.pl:
CHECK: Macro argument 'x' may be better as '(x)' to avoid precedence issues
Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250526-dualsense-alsa-jack-v1-3-1a821463b632@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer_quirks.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
index 5eccc8af839f..03cba220fff1 100644
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -2132,15 +2132,15 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer)
#define SND_RME_CLK_FREQMUL_SHIFT 18
#define SND_RME_CLK_FREQMUL_MASK 0x7
#define SND_RME_CLK_SYSTEM(x) \
- ((x >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK)
+ (((x) >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK)
#define SND_RME_CLK_AES(x) \
- ((x >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
+ (((x) >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
#define SND_RME_CLK_SPDIF(x) \
- ((x >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
+ (((x) >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
#define SND_RME_CLK_SYNC(x) \
- ((x >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK)
+ (((x) >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK)
#define SND_RME_CLK_FREQMUL(x) \
- ((x >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK)
+ (((x) >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK)
#define SND_RME_CLK_AES_LOCK 0x1
#define SND_RME_CLK_AES_SYNC 0x4
#define SND_RME_CLK_SPDIF_LOCK 0x2
@@ -2149,9 +2149,9 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer)
#define SND_RME_SPDIF_FORMAT_SHIFT 5
#define SND_RME_BINARY_MASK 0x1
#define SND_RME_SPDIF_IF(x) \
- ((x >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK)
+ (((x) >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK)
#define SND_RME_SPDIF_FORMAT(x) \
- ((x >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK)
+ (((x) >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK)
static const u32 snd_rme_rate_table[] = {
32000, 44100, 48000, 50000,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 335/644] iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 334/644] ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 336/644] ASoC: codecs: rt5640: Retry DEVICE_ID verification Greg Kroah-Hartman
` (314 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Santos, David Lechner,
Andy Shevchenko, Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Santos <Jonathan.Santos@analog.com>
[ Upstream commit 7e54d932873d91a55d1b89b7389876d78aeeab32 ]
The SYNC_IN pulse width must be at least 1.5 x Tmclk, corresponding to
~2.5 µs at the lowest supported MCLK frequency. Add a 3 µs delay to
ensure reliable synchronization timing even for the worst-case scenario.
Signed-off-by: Jonathan Santos <Jonathan.Santos@analog.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/d3ee92a533cd1207cf5c5cc4d7bdbb5c6c267f68.1749063024.git.Jonathan.Santos@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ad7768-1.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
index e240fac8b6b3..c518aeb35c70 100644
--- a/drivers/iio/adc/ad7768-1.c
+++ b/drivers/iio/adc/ad7768-1.c
@@ -203,6 +203,24 @@ static int ad7768_spi_reg_write(struct ad7768_state *st,
return spi_write(st->spi, st->data.d8, 2);
}
+static int ad7768_send_sync_pulse(struct ad7768_state *st)
+{
+ /*
+ * The datasheet specifies a minimum SYNC_IN pulse width of 1.5 × Tmclk,
+ * where Tmclk is the MCLK period. The supported MCLK frequencies range
+ * from 0.6 MHz to 17 MHz, which corresponds to a minimum SYNC_IN pulse
+ * width of approximately 2.5 µs in the worst-case scenario (0.6 MHz).
+ *
+ * Add a delay to ensure the pulse width is always sufficient to
+ * trigger synchronization.
+ */
+ gpiod_set_value_cansleep(st->gpio_sync_in, 1);
+ fsleep(3);
+ gpiod_set_value_cansleep(st->gpio_sync_in, 0);
+
+ return 0;
+}
+
static int ad7768_set_mode(struct ad7768_state *st,
enum ad7768_conv_mode mode)
{
@@ -288,10 +306,7 @@ static int ad7768_set_dig_fil(struct ad7768_state *st,
return ret;
/* A sync-in pulse is required every time the filter dec rate changes */
- gpiod_set_value(st->gpio_sync_in, 1);
- gpiod_set_value(st->gpio_sync_in, 0);
-
- return 0;
+ return ad7768_send_sync_pulse(st);
}
static int ad7768_set_freq(struct ad7768_state *st,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 336/644] ASoC: codecs: rt5640: Retry DEVICE_ID verification
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 335/644] iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 337/644] xen/netfront: Fix TX response spurious interrupts Greg Kroah-Hartman
` (313 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amadeusz Sławiński,
Cezary Rojewski, Xinxin Wan, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xinxin Wan <xinxin.wan@intel.com>
[ Upstream commit 19f971057b2d7b99c80530ec1052b45de236a8da ]
To be more resilient to codec-detection failures when the hardware
powers on slowly, add retry mechanism to the device verification check.
Similar pattern is found throughout a number of Realtek codecs. Our
tests show that 60ms delay is sufficient to address readiness issues on
rt5640 chip.
Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Signed-off-by: Xinxin Wan <xinxin.wan@intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://patch.msgid.link/20250530142120.2944095-3-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/rt5640.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c
index cd1db5caabad..9998bdb954ba 100644
--- a/sound/soc/codecs/rt5640.c
+++ b/sound/soc/codecs/rt5640.c
@@ -2837,6 +2837,11 @@ static int rt5640_i2c_probe(struct i2c_client *i2c,
}
regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val);
+ if (val != RT5640_DEVICE_ID) {
+ usleep_range(60000, 100000);
+ regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val);
+ }
+
if (val != RT5640_DEVICE_ID) {
dev_err(&i2c->dev,
"Device with ID register %#x is not rt5640/39\n", val);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 337/644] xen/netfront: Fix TX response spurious interrupts
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 336/644] ASoC: codecs: rt5640: Retry DEVICE_ID verification Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 338/644] ktest.pl: Prevent recursion of default variable options Greg Kroah-Hartman
` (312 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anthoine Bourgeois, Juergen Gross,
Elliott Mitchell, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anthoine Bourgeois <anthoine.bourgeois@vates.tech>
[ Upstream commit 114a2de6fa86d99ed9546cc9113a3cad58beef79 ]
We found at Vates that there are lot of spurious interrupts when
benchmarking the xen-net PV driver frontend. This issue appeared with a
patch that addresses security issue XSA-391 (b27d47950e48 "xen/netfront:
harden netfront against event channel storms"). On an iperf benchmark,
spurious interrupts can represent up to 50% of the interrupts.
Spurious interrupts are interrupts that are rised for nothing, there is
no work to do. This appends because the function that handles the
interrupts ("xennet_tx_buf_gc") is also called at the end of the request
path to garbage collect the responses received during the transmission
load.
The request path is doing the work that the interrupt handler should
have done otherwise. This is particurary true when there is more than
one vcpu and get worse linearly with the number of vcpu/queue.
Moreover, this problem is amplifyed by the penalty imposed by a spurious
interrupt. When an interrupt is found spurious the interrupt chip will
delay the EOI to slowdown the backend. This delay will allow more
responses to be handled by the request path and then there will be more
chance the next interrupt will not find any work to do, creating a new
spurious interrupt.
This causes performance issue. The solution here is to remove the calls
from the request path and let the interrupt handler do the processing of
the responses. This approch removes most of the spurious interrupts
(<0.05%) and also has the benefit of freeing up cycles in the request
path, allowing it to process more work, which improves performance
compared to masking the spurious interrupt one way or another.
This optimization changes a part of the code that is present since the
net frontend driver was upstreamed. There is no similar pattern in the
other xen PV drivers. Since the first commit of xen-netfront is a blob
that doesn't explain all the design choices I can only guess why this
specific mecanism was here. This could have been introduce to compensate
a slow backend at the time (maybe the backend was fixed or optimize
later) or a small queue. In 18 years, both frontend and backend gain lot
of features and optimizations that could have obsolete the feature of
reaping completions from the TX path.
Some vif throughput performance figures from a 8 vCPUs, 4GB of RAM HVM
guest(s):
Without this patch on the :
vm -> dom0: 4.5Gb/s
vm -> vm: 7.0Gb/s
Without XSA-391 patch (revert of b27d47950e48):
vm -> dom0: 8.3Gb/s
vm -> vm: 8.7Gb/s
With XSA-391 and this patch:
vm -> dom0: 11.5Gb/s
vm -> vm: 12.6Gb/s
v2:
- add revewed and tested by tags
- resend with the maintainers in the recipients list
v3:
- remove Fixes tag but keep the commit ref in the explanation
- add a paragraph on why this code was here
Signed-off-by: Anthoine Bourgeois <anthoine.bourgeois@vates.tech>
Reviewed-by: Juergen Gross <jgross@suse.com>
Tested-by: Elliott Mitchell <ehem+xen@m5p.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20250721093316.23560-1-anthoine.bourgeois@vates.tech>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/xen-netfront.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index 0add51f1b7e4..4b19d54fa2e2 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -639,8 +639,6 @@ static int xennet_xdp_xmit_one(struct net_device *dev,
tx_stats->packets++;
u64_stats_update_end(&tx_stats->syncp);
- xennet_tx_buf_gc(queue);
-
return 0;
}
@@ -850,9 +848,6 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
tx_stats->packets++;
u64_stats_update_end(&tx_stats->syncp);
- /* Note: It is not safe to access skb after xennet_tx_buf_gc()! */
- xennet_tx_buf_gc(queue);
-
if (!netfront_tx_slot_available(queue))
netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id));
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 338/644] ktest.pl: Prevent recursion of default variable options
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 337/644] xen/netfront: Fix TX response spurious interrupts Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 339/644] wifi: cfg80211: reject HTC bit for management frames Greg Kroah-Hartman
` (311 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Warthog9 Hawley, Dhaval Giani,
Steven Rostedt, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit 61f7e318e99d3b398670518dd3f4f8510d1800fc ]
If a default variable contains itself, do not recurse on it.
For example:
ADD_CONFIG := ${CONFIG_DIR}/temp_config
DEFAULTS
ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG}
The above works because the temp variable ADD_CONFIG (is a temp because it
is created with ":=") is already defined, it will be substituted in the
variable option. But if it gets commented out:
# ADD_CONFIG := ${CONFIG_DIR}/temp_config
DEFAULTS
ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG}
Then the above will go into a recursive loop where ${ADD_CONFIG} will
get replaced with the current definition of ADD_CONFIG which contains the
${ADD_CONFIG} and that will also try to get converted. ktest.pl will error
after 100 attempts of recursion and fail.
When replacing a variable with the default variable, if the default
variable contains itself, do not replace it.
Cc: "John Warthog9 Hawley" <warthog9@kernel.org>
Cc: Dhaval Giani <dhaval.giani@gmail.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/20250718202053.732189428@kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/ktest/ktest.pl | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
index 2109bd42c144..26544bba3f8f 100755
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -1351,7 +1351,10 @@ sub __eval_option {
# If a variable contains itself, use the default var
if (($var eq $name) && defined($opt{$var})) {
$o = $opt{$var};
- $retval = "$retval$o";
+ # Only append if the default doesn't contain itself
+ if ($o !~ m/\$\{$var\}/) {
+ $retval = "$retval$o";
+ }
} elsif (defined($opt{$o})) {
$o = $opt{$o};
$retval = "$retval$o";
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 339/644] wifi: cfg80211: reject HTC bit for management frames
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 338/644] ktest.pl: Prevent recursion of default variable options Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 340/644] s390/time: Use monotonic clock in get_cycles() Greg Kroah-Hartman
` (310 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ]
Management frames sent by userspace should never have the
order/HTC bit set, reject that. It could also cause some
confusion with the length of the buffer and the header so
the validation might end up wrong.
Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/mlme.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 783acd2c4211..5c805a2bda62 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -661,7 +661,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
mgmt = (const struct ieee80211_mgmt *)params->buf;
- if (!ieee80211_is_mgmt(mgmt->frame_control))
+ if (!ieee80211_is_mgmt(mgmt->frame_control) ||
+ ieee80211_has_order(mgmt->frame_control))
return -EINVAL;
stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 340/644] s390/time: Use monotonic clock in get_cycles()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 339/644] wifi: cfg80211: reject HTC bit for management frames Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 341/644] be2net: Use correct byte order and format string for TCP seq and ack_seq Greg Kroah-Hartman
` (309 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Schnelle, Heiko Carstens,
Alexander Gordeev, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@linux.ibm.com>
[ Upstream commit 09e7e29d2b49ba84bcefb3dc1657726d2de5bb24 ]
Otherwise the code might not work correctly when the clock
is changed.
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/include/asm/timex.h | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h
index bc50ee0e91ff..a046a4d13816 100644
--- a/arch/s390/include/asm/timex.h
+++ b/arch/s390/include/asm/timex.h
@@ -196,13 +196,6 @@ static inline unsigned long get_tod_clock_fast(void)
return get_tod_clock();
#endif
}
-
-static inline cycles_t get_cycles(void)
-{
- return (cycles_t) get_tod_clock() >> 2;
-}
-#define get_cycles get_cycles
-
int get_phys_clock(unsigned long *clock);
void init_cpu_timer(void);
@@ -225,6 +218,12 @@ static inline unsigned long get_tod_clock_monotonic(void)
return tod;
}
+static inline cycles_t get_cycles(void)
+{
+ return (cycles_t)get_tod_clock_monotonic() >> 2;
+}
+#define get_cycles get_cycles
+
/**
* tod_to_ns - convert a TOD format value to nanoseconds
* @todval: to be converted TOD format value
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 341/644] be2net: Use correct byte order and format string for TCP seq and ack_seq
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 340/644] s390/time: Use monotonic clock in get_cycles() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 342/644] et131x: Add missing check after DMA map Greg Kroah-Hartman
` (308 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 4701ee5044fb3992f1c910630a9673c2dc600ce5 ]
The TCP header fields seq and ack_seq are 32-bit values in network
byte order as (__be32). these fields were earlier printed using
ntohs(), which converts only 16-bit values and produces incorrect
results for 32-bit fields. This patch is changeing the conversion
to ntohl(), ensuring correct interpretation of these sequence numbers.
Notably, the format specifier is updated from %d to %u to reflect the
unsigned nature of these fields.
improves the accuracy of debug log messages for TCP sequence and
acknowledgment numbers during TX timeouts.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250717193552.3648791-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/emulex/benet/be_main.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
index c61dc7d05bcb..69284efbd517 100644
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -1466,10 +1466,10 @@ static void be_tx_timeout(struct net_device *netdev, unsigned int txqueue)
ntohs(tcphdr->source));
dev_info(dev, "TCP dest port %d\n",
ntohs(tcphdr->dest));
- dev_info(dev, "TCP sequence num %d\n",
- ntohs(tcphdr->seq));
- dev_info(dev, "TCP ack_seq %d\n",
- ntohs(tcphdr->ack_seq));
+ dev_info(dev, "TCP sequence num %u\n",
+ ntohl(tcphdr->seq));
+ dev_info(dev, "TCP ack_seq %u\n",
+ ntohl(tcphdr->ack_seq));
} else if (ip_hdr(skb)->protocol ==
IPPROTO_UDP) {
udphdr = udp_hdr(skb);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 342/644] et131x: Add missing check after DMA map
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 341/644] be2net: Use correct byte order and format string for TCP seq and ack_seq Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 343/644] net: ag71xx: " Greg Kroah-Hartman
` (307 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Mark Einon,
Simon Horman, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit d61f6cb6f6ef3c70d2ccc0d9c85c508cb8017da9 ]
The DMA map functions can fail and should be tested for errors.
If the mapping fails, unmap and return an error.
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Acked-by: Mark Einon <mark.einon@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250716094733.28734-2-fourier.thomas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/agere/et131x.c | 36 +++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/drivers/net/ethernet/agere/et131x.c b/drivers/net/ethernet/agere/et131x.c
index f4edc616388c..1869c0635e56 100644
--- a/drivers/net/ethernet/agere/et131x.c
+++ b/drivers/net/ethernet/agere/et131x.c
@@ -2460,6 +2460,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
skb->data,
skb_headlen(skb),
DMA_TO_DEVICE);
+ if (dma_mapping_error(&adapter->pdev->dev,
+ dma_addr))
+ return -ENOMEM;
+
desc[frag].addr_lo = lower_32_bits(dma_addr);
desc[frag].addr_hi = upper_32_bits(dma_addr);
frag++;
@@ -2469,6 +2473,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
skb->data,
skb_headlen(skb) / 2,
DMA_TO_DEVICE);
+ if (dma_mapping_error(&adapter->pdev->dev,
+ dma_addr))
+ return -ENOMEM;
+
desc[frag].addr_lo = lower_32_bits(dma_addr);
desc[frag].addr_hi = upper_32_bits(dma_addr);
frag++;
@@ -2479,6 +2487,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
skb_headlen(skb) / 2,
skb_headlen(skb) / 2,
DMA_TO_DEVICE);
+ if (dma_mapping_error(&adapter->pdev->dev,
+ dma_addr))
+ goto unmap_first_out;
+
desc[frag].addr_lo = lower_32_bits(dma_addr);
desc[frag].addr_hi = upper_32_bits(dma_addr);
frag++;
@@ -2490,6 +2502,9 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
0,
desc[frag].len_vlan,
DMA_TO_DEVICE);
+ if (dma_mapping_error(&adapter->pdev->dev, dma_addr))
+ goto unmap_out;
+
desc[frag].addr_lo = lower_32_bits(dma_addr);
desc[frag].addr_hi = upper_32_bits(dma_addr);
frag++;
@@ -2579,6 +2594,27 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
&adapter->regs->global.watchdog_timer);
}
return 0;
+
+unmap_out:
+ // Unmap the body of the packet with map_page
+ while (--i) {
+ frag--;
+ dma_addr = desc[frag].addr_lo;
+ dma_addr |= (u64)desc[frag].addr_hi << 32;
+ dma_unmap_page(&adapter->pdev->dev, dma_addr,
+ desc[frag].len_vlan, DMA_TO_DEVICE);
+ }
+
+unmap_first_out:
+ // Unmap the header with map_single
+ while (frag--) {
+ dma_addr = desc[frag].addr_lo;
+ dma_addr |= (u64)desc[frag].addr_hi << 32;
+ dma_unmap_single(&adapter->pdev->dev, dma_addr,
+ desc[frag].len_vlan, DMA_TO_DEVICE);
+ }
+
+ return -ENOMEM;
}
static int send_packet(struct sk_buff *skb, struct et131x_adapter *adapter)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 343/644] net: ag71xx: Add missing check after DMA map
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 342/644] et131x: Add missing check after DMA map Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 344/644] net/mlx5e: Properly access RCU protected qdisc_sleeping variable Greg Kroah-Hartman
` (306 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 96a1e15e60216b52da0e6da5336b6d7f5b0188b0 ]
The DMA map functions can fail and should be tested for errors.
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250716095733.37452-3-fourier.thomas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/atheros/ag71xx.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/net/ethernet/atheros/ag71xx.c b/drivers/net/ethernet/atheros/ag71xx.c
index 9d8b214c129d..d5be9ca4d4fe 100644
--- a/drivers/net/ethernet/atheros/ag71xx.c
+++ b/drivers/net/ethernet/atheros/ag71xx.c
@@ -1287,6 +1287,11 @@ static bool ag71xx_fill_rx_buf(struct ag71xx *ag, struct ag71xx_buf *buf,
buf->rx.rx_buf = data;
buf->rx.dma_addr = dma_map_single(&ag->pdev->dev, data, ag->rx_buf_size,
DMA_FROM_DEVICE);
+ if (dma_mapping_error(&ag->pdev->dev, buf->rx.dma_addr)) {
+ skb_free_frag(data);
+ buf->rx.rx_buf = NULL;
+ return false;
+ }
desc->data = (u32)buf->rx.dma_addr + offset;
return true;
}
@@ -1585,6 +1590,10 @@ static netdev_tx_t ag71xx_hard_start_xmit(struct sk_buff *skb,
dma_addr = dma_map_single(&ag->pdev->dev, skb->data, skb->len,
DMA_TO_DEVICE);
+ if (dma_mapping_error(&ag->pdev->dev, dma_addr)) {
+ netif_dbg(ag, tx_err, ndev, "DMA mapping error\n");
+ goto err_drop;
+ }
i = ring->curr & ring_mask;
desc = ag71xx_ring_desc(ring, i);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 344/644] net/mlx5e: Properly access RCU protected qdisc_sleeping variable
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 343/644] net: ag71xx: " Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 345/644] arm64: Mark kernel as tainted on SAE and SError panic Greg Kroah-Hartman
` (305 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leon Romanovsky, Tariq Toukan,
Michal Swiatkowski, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@nvidia.com>
[ Upstream commit 2a601b2d35623065d31ebaf697b07502d54878c9 ]
qdisc_sleeping variable is declared as "struct Qdisc __rcu" and
as such needs proper annotation while accessing it.
Without rtnl_dereference(), the following error is generated by sparse:
drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: warning:
incorrect type in initializer (different address spaces)
drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: expected
struct Qdisc *qdisc
drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: got struct
Qdisc [noderef] __rcu *qdisc_sleeping
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Link: https://patch.msgid.link/1752675472-201445-4-git-send-email-tariqt@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
index 965838893432..7291ccabecba 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
@@ -724,7 +724,7 @@ static void mlx5e_reactivate_qos_sq(struct mlx5e_priv *priv, u16 qid, struct net
static void mlx5e_reset_qdisc(struct net_device *dev, u16 qid)
{
struct netdev_queue *dev_queue = netdev_get_tx_queue(dev, qid);
- struct Qdisc *qdisc = dev_queue->qdisc_sleeping;
+ struct Qdisc *qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
if (!qdisc)
return;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 345/644] arm64: Mark kernel as tainted on SAE and SError panic
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 344/644] net/mlx5e: Properly access RCU protected qdisc_sleeping variable Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 346/644] rcu: Protect ->defer_qs_iw_pending from data race Greg Kroah-Hartman
` (304 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Mark Rutland,
Will Deacon, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit d7ce7e3a84642aadf7c4787f7ec4f58eb163d129 ]
Set TAINT_MACHINE_CHECK when SError or Synchronous External Abort (SEA)
interrupts trigger a panic to flag potential hardware faults. This
tainting mechanism aids in debugging and enables correlation of
hardware-related crashes in large-scale deployments.
This change aligns with similar patches[1] that mark machine check
events when the system crashes due to hardware errors.
Link: https://lore.kernel.org/all/20250702-add_tain-v1-1-9187b10914b9@debian.org/ [1]
Signed-off-by: Breno Leitao <leitao@debian.org>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20250716-vmcore_hw_error-v2-1-f187f7d62aba@debian.org
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/traps.c | 1 +
arch/arm64/mm/fault.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
index c71074cb2bef..6debe95f8a62 100644
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -883,6 +883,7 @@ void panic_bad_stack(struct pt_regs *regs, unsigned long esr, unsigned long far)
void __noreturn arm64_serror_panic(struct pt_regs *regs, unsigned long esr)
{
+ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
console_verbose();
pr_crit("SError Interrupt on CPU%d, code 0x%016lx -- %s\n",
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 632762039714..d293aac8c554 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -726,6 +726,7 @@ static int do_sea(unsigned long far, unsigned long esr, struct pt_regs *regs)
*/
siaddr = untagged_addr(far);
}
+ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
arm64_notify_die(inf->name, regs, inf->sig, inf->code, siaddr, esr);
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 346/644] rcu: Protect ->defer_qs_iw_pending from data race
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 345/644] arm64: Mark kernel as tainted on SAE and SError panic Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 347/644] net: mctp: Prevent duplicate binds Greg Kroah-Hartman
` (303 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney,
Frederic Weisbecker, Neeraj Upadhyay (AMD), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit 90c09d57caeca94e6f3f87c49e96a91edd40cbfd ]
On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is
invoked within an interrupts-disabled region of code [1], it will invoke
rcu_read_unlock_special(), which uses an irq-work handler to force the
system to notice when the RCU read-side critical section actually ends.
That end won't happen until interrupts are enabled at the soonest.
In some kernels, such as those booted with rcutree.use_softirq=y, the
irq-work handler is used unconditionally.
The per-CPU rcu_data structure's ->defer_qs_iw_pending field is
updated by the irq-work handler and is both read and updated by
rcu_read_unlock_special(). This resulted in the following KCSAN splat:
------------------------------------------------------------------------
BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special
read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:
rcu_read_unlock_special+0x175/0x260
__rcu_read_unlock+0x92/0xa0
rt_spin_unlock+0x9b/0xc0
__local_bh_enable+0x10d/0x170
__local_bh_enable_ip+0xfb/0x150
rcu_do_batch+0x595/0xc40
rcu_cpu_kthread+0x4e9/0x830
smpboot_thread_fn+0x24d/0x3b0
kthread+0x3bd/0x410
ret_from_fork+0x35/0x40
ret_from_fork_asm+0x1a/0x30
write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:
rcu_preempt_deferred_qs_handler+0x1e/0x30
irq_work_single+0xaf/0x160
run_irq_workd+0x91/0xc0
smpboot_thread_fn+0x24d/0x3b0
kthread+0x3bd/0x410
ret_from_fork+0x35/0x40
ret_from_fork_asm+0x1a/0x30
no locks held by irq_work/8/88.
irq event stamp: 200272
hardirqs last enabled at (200272): [<ffffffffb0f56121>] finish_task_switch+0x131/0x320
hardirqs last disabled at (200271): [<ffffffffb25c7859>] __schedule+0x129/0xd70
softirqs last enabled at (0): [<ffffffffb0ee093f>] copy_process+0x4df/0x1cc0
softirqs last disabled at (0): [<0000000000000000>] 0x0
------------------------------------------------------------------------
The problem is that irq-work handlers run with interrupts enabled, which
means that rcu_preempt_deferred_qs_handler() could be interrupted,
and that interrupt handler might contain an RCU read-side critical
section, which might invoke rcu_read_unlock_special(). In the strict
KCSAN mode of operation used by RCU, this constitutes a data race on
the ->defer_qs_iw_pending field.
This commit therefore disables interrupts across the portion of the
rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending
field. This suffices because this handler is not a fast path.
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Neeraj Upadhyay (AMD) <neeraj.upadhyay@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/tree_plugin.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
index 9e84d603e882..73483f0fcf6b 100644
--- a/kernel/rcu/tree_plugin.h
+++ b/kernel/rcu/tree_plugin.h
@@ -607,10 +607,13 @@ static notrace void rcu_preempt_deferred_qs(struct task_struct *t)
*/
static void rcu_preempt_deferred_qs_handler(struct irq_work *iwp)
{
+ unsigned long flags;
struct rcu_data *rdp;
rdp = container_of(iwp, struct rcu_data, defer_qs_iw);
+ local_irq_save(flags);
rdp->defer_qs_iw_pending = false;
+ local_irq_restore(flags);
}
/*
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 347/644] net: mctp: Prevent duplicate binds
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 346/644] rcu: Protect ->defer_qs_iw_pending from data race Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 348/644] wifi: cfg80211: Fix interface type validation Greg Kroah-Hartman
` (302 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matt Johnston, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Johnston <matt@codeconstruct.com.au>
[ Upstream commit 3954502377ec05a1b37e2dc9bef0bacd4bbd71b2 ]
Disallow bind() calls that have the same arguments as existing bound
sockets. Previously multiple sockets could bind() to the same
type/local address, with an arbitrary socket receiving matched messages.
This is only a partial fix, a future commit will define precedence order
for MCTP_ADDR_ANY versus specific EID bind(), which are allowed to exist
together.
Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
Link: https://patch.msgid.link/20250710-mctp-bind-v4-2-8ec2f6460c56@codeconstruct.com.au
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mctp/af_mctp.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
index 53b3a294b042..61476eb6aac7 100644
--- a/net/mctp/af_mctp.c
+++ b/net/mctp/af_mctp.c
@@ -60,7 +60,6 @@ static int mctp_bind(struct socket *sock, struct sockaddr *addr, int addrlen)
lock_sock(sk);
- /* TODO: allow rebind */
if (sk_hashed(sk)) {
rc = -EADDRINUSE;
goto out_release;
@@ -252,15 +251,36 @@ static void mctp_sk_close(struct sock *sk, long timeout)
static int mctp_sk_hash(struct sock *sk)
{
struct net *net = sock_net(sk);
+ struct sock *existing;
+ struct mctp_sock *msk;
+ int rc;
+
+ msk = container_of(sk, struct mctp_sock, sk);
/* Bind lookup runs under RCU, remain live during that. */
sock_set_flag(sk, SOCK_RCU_FREE);
mutex_lock(&net->mctp.bind_lock);
+
+ /* Prevent duplicate binds. */
+ sk_for_each(existing, &net->mctp.binds) {
+ struct mctp_sock *mex =
+ container_of(existing, struct mctp_sock, sk);
+
+ if (mex->bind_type == msk->bind_type &&
+ mex->bind_addr == msk->bind_addr &&
+ mex->bind_net == msk->bind_net) {
+ rc = -EADDRINUSE;
+ goto out;
+ }
+ }
+
sk_add_node_rcu(sk, &net->mctp.binds);
- mutex_unlock(&net->mctp.bind_lock);
+ rc = 0;
- return 0;
+out:
+ mutex_unlock(&net->mctp.bind_lock);
+ return rc;
}
static void mctp_sk_unhash(struct sock *sk)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 348/644] wifi: cfg80211: Fix interface type validation
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 347/644] net: mctp: Prevent duplicate binds Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 349/644] net: ipv4: fix incorrect MTU in broadcast routes Greg Kroah-Hartman
` (301 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilan Peer, Miri Korenblit,
Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilan Peer <ilan.peer@intel.com>
[ Upstream commit 14450be2332a49445106403492a367412b8c23f4 ]
Fix a condition that verified valid values of interface types.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250709233537.7ad199ca5939.I0ac1ff74798bf59a87a57f2e18f2153c308b119b@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/cfg80211.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 963a810ed70d..66a75723f559 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -507,7 +507,7 @@ ieee80211_get_sband_iftype_data(const struct ieee80211_supported_band *sband,
{
int i;
- if (WARN_ON(iftype >= NL80211_IFTYPE_MAX))
+ if (WARN_ON(iftype >= NUM_NL80211_IFTYPES))
return NULL;
if (iftype == NL80211_IFTYPE_AP_VLAN)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 349/644] net: ipv4: fix incorrect MTU in broadcast routes
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 348/644] wifi: cfg80211: Fix interface type validation Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 350/644] net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() Greg Kroah-Hartman
` (300 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oscar Maes, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oscar Maes <oscmaes92@gmail.com>
[ Upstream commit 9e30ecf23b1b8f091f7d08b27968dea83aae7908 ]
Currently, __mkroute_output overrules the MTU value configured for
broadcast routes.
This buggy behaviour can be reproduced with:
ip link set dev eth1 mtu 9000
ip route del broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2
ip route add broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 mtu 1500
The maximum packet size should be 1500, but it is actually 8000:
ping -b 192.168.0.255 -s 8000
Fix __mkroute_output to allow MTU values to be configured for
for broadcast routes (to support a mixed-MTU local-area-network).
Signed-off-by: Oscar Maes <oscmaes92@gmail.com>
Link: https://patch.msgid.link/20250710142714.12986-1-oscmaes92@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/route.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index cbc584c386e9..df4cbf9ba288 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2565,7 +2565,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
do_cache = true;
if (type == RTN_BROADCAST) {
flags |= RTCF_BROADCAST | RTCF_LOCAL;
- fi = NULL;
} else if (type == RTN_MULTICAST) {
flags |= RTCF_MULTICAST | RTCF_LOCAL;
if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 350/644] net: thunderx: Fix format-truncation warning in bgx_acpi_match_id()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 349/644] net: ipv4: fix incorrect MTU in broadcast routes Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 351/644] sched/deadline: Fix accounting after global limits change Greg Kroah-Hartman
` (299 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Simon Horman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 53d20606c40678d425cc03f0978c614dca51f25e ]
The buffer bgx_sel used in snprintf() was too small to safely hold
the formatted string "BGX%d" for all valid bgx_id values. This caused
a -Wformat-truncation warning with `Werror` enabled during build.
Increase the buffer size from 5 to 7 and use `sizeof(bgx_sel)` in
snprintf() to ensure safety and suppress the warning.
Build warning:
CC drivers/net/ethernet/cavium/thunder/thunder_bgx.o
drivers/net/ethernet/cavium/thunder/thunder_bgx.c: In function
‘bgx_acpi_match_id’:
drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:27: error: ‘%d’
directive output may be truncated writing between 1 and 3 bytes into a
region of size 2 [-Werror=format-truncation=]
snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
^~
drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:23: note:
directive argument in the range [0, 255]
snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
^~~~~~~
drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:2: note:
‘snprintf’ output between 5 and 7 bytes into a destination of size 5
snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
compiler warning due to insufficient snprintf buffer size.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250711140532.2463602-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
index daaffae1a89f..1831066c7647 100644
--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
@@ -1427,9 +1427,9 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl,
{
struct acpi_buffer string = { ACPI_ALLOCATE_BUFFER, NULL };
struct bgx *bgx = context;
- char bgx_sel[5];
+ char bgx_sel[7];
- snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
+ snprintf(bgx_sel, sizeof(bgx_sel), "BGX%d", bgx->bgx_id);
if (ACPI_FAILURE(acpi_get_name(handle, ACPI_SINGLE_NAME, &string))) {
pr_warn("Invalid link device\n");
return AE_OK;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 351/644] sched/deadline: Fix accounting after global limits change
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 350/644] net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 352/644] wifi: iwlwifi: mvm: fix scan request validation Greg Kroah-Hartman
` (298 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcel Ziswiler, Juri Lelli,
Peter Zijlstra (Intel), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juri Lelli <juri.lelli@redhat.com>
[ Upstream commit 440989c10f4e32620e9e2717ca52c3ed7ae11048 ]
A global limits change (sched_rt_handler() logic) currently leaves stale
and/or incorrect values in variables related to accounting (e.g.
extra_bw).
Properly clean up per runqueue variables before implementing the change
and rebuild scheduling domains (so that accounting is also properly
restored) after such a change is complete.
Reported-by: Marcel Ziswiler <marcel.ziswiler@codethink.co.uk>
Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Marcel Ziswiler <marcel.ziswiler@codethink.co.uk> # nuc & rock5b
Link: https://lore.kernel.org/r/20250627115118.438797-4-juri.lelli@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/deadline.c | 4 +++-
kernel/sched/rt.c | 6 ++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 66eb68c59f0b..708c3960bd06 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -2661,6 +2661,9 @@ void sched_dl_do_global(void)
if (global_rt_runtime() != RUNTIME_INF)
new_bw = to_ratio(global_rt_period(), global_rt_runtime());
+ for_each_possible_cpu(cpu)
+ init_dl_rq_bw_ratio(&cpu_rq(cpu)->dl);
+
for_each_possible_cpu(cpu) {
rcu_read_lock_sched();
@@ -2676,7 +2679,6 @@ void sched_dl_do_global(void)
raw_spin_unlock_irqrestore(&dl_b->lock, flags);
rcu_read_unlock_sched();
- init_dl_rq_bw_ratio(&cpu_rq(cpu)->dl);
}
}
diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
index 5fc99dce5145..9720b3c19ab9 100644
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -2861,6 +2861,12 @@ int sched_rt_handler(struct ctl_table *table, int write, void *buffer,
}
mutex_unlock(&mutex);
+ /*
+ * After changing maximum available bandwidth for DEADLINE, we need to
+ * recompute per root domain and per cpus variables accordingly.
+ */
+ rebuild_sched_domains();
+
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 352/644] wifi: iwlwifi: mvm: fix scan request validation
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 351/644] sched/deadline: Fix accounting after global limits change Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 353/644] s390/stp: Remove udelay from stp_sync_clock() Greg Kroah-Hartman
` (297 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Avraham Stern, Ilan Peer,
Miri Korenblit, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Avraham Stern <avraham.stern@intel.com>
[ Upstream commit 7c2f3ec7707188d8d5269ae2dce97d7be3e9f261 ]
The scan request validation function uses bitwise and instead
of logical and. Fix it.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250709230308.3fbc1f27871b.I7a8ee91f463c1a2d9d8561c8232e196885d02c43@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
index 16818dcdae22..3d0396b8afaa 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
@@ -832,7 +832,7 @@ static inline bool iwl_mvm_scan_fits(struct iwl_mvm *mvm, int n_ssids,
int n_channels)
{
return ((n_ssids <= PROBE_OPTION_MAX) &&
- (n_channels <= mvm->fw->ucode_capa.n_scan_channels) &
+ (n_channels <= mvm->fw->ucode_capa.n_scan_channels) &&
(ies->common_ie_len +
ies->len[NL80211_BAND_2GHZ] + ies->len[NL80211_BAND_5GHZ] +
ies->len[NL80211_BAND_6GHZ] <=
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 353/644] s390/stp: Remove udelay from stp_sync_clock()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 352/644] wifi: iwlwifi: mvm: fix scan request validation Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 354/644] wifi: mac80211: dont complete management TX on SAE commit Greg Kroah-Hartman
` (296 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Sven Schnelle,
Alexander Gordeev, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@linux.ibm.com>
[ Upstream commit b367017cdac21781a74eff4e208d3d38e1f38d3f ]
When an stp sync check is handled on a system with multiple
cpus each cpu gets a machine check but only the first one
actually handles the sync operation. All other CPUs spin
waiting for the first one to finish with a short udelay().
But udelay can't be used here as the first CPU modifies tod_clock_base
before performing the sync op. During this timeframe
get_tod_clock_monotonic() might return a non-monotonic time.
The time spent waiting should be very short and udelay is a busy loop
anyways, therefore simply remove the udelay.
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/time.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c
index f0a1484ee00b..58cdd4119f45 100644
--- a/arch/s390/kernel/time.c
+++ b/arch/s390/kernel/time.c
@@ -576,7 +576,7 @@ static int stp_sync_clock(void *data)
atomic_dec(&sync->cpus);
/* Wait for in_sync to be set. */
while (READ_ONCE(sync->in_sync) == 0)
- __udelay(1);
+ ;
}
if (sync->in_sync != 1)
/* Didn't work. Clear per-cpu in sync bit again. */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 354/644] wifi: mac80211: dont complete management TX on SAE commit
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 353/644] s390/stp: Remove udelay from stp_sync_clock() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 355/644] (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer Greg Kroah-Hartman
` (295 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hendrik Farr, Johannes Berg,
Miri Korenblit, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 6b04716cdcac37bdbacde34def08bc6fdb5fc4e2 ]
When SAE commit is sent and received in response, there's no
ordering for the SAE confirm messages. As such, don't call
drivers to stop listening on the channel when the confirm
message is still expected.
This fixes an issue if the local confirm is transmitted later
than the AP's confirm, for iwlwifi (and possibly mt76) the
AP's confirm would then get lost since the device isn't on
the channel at the time the AP transmit the confirm.
For iwlwifi at least, this also improves the overall timing
of the authentication handshake (by about 15ms according to
the report), likely since the session protection won't be
aborted and rescheduled.
Note that even before this, mgd_complete_tx() wasn't always
called for each call to mgd_prepare_tx() (e.g. in the case
of WEP key shared authentication), and the current drivers
that have the complete callback don't seem to mind. Document
this as well though.
Reported-by: Jan Hendrik Farr <kernel@jfarr.cc>
Closes: https://lore.kernel.org/all/aB30Ea2kRG24LINR@archlinux/
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250609213232.12691580e140.I3f1d3127acabcd58348a110ab11044213cf147d3@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/mac80211.h | 2 ++
net/mac80211/mlme.c | 9 ++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index c713edfbe2b6..f101ef4a1fd6 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -3787,6 +3787,8 @@ struct ieee80211_prep_tx_info {
* @mgd_complete_tx: Notify the driver that the response frame for a previously
* transmitted frame announced with @mgd_prepare_tx was received, the data
* is filled similarly to @mgd_prepare_tx though the duration is not used.
+ * Note that this isn't always called for each mgd_prepare_tx() call, for
+ * example for SAE the 'confirm' messages can be on the air in any order.
*
* @mgd_protect_tdls_discover: Protect a TDLS discovery session. After sending
* a TDLS discovery-request, we expect a reply to arrive on the AP's
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ae379bd9dccc..6e86a23c647d 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2960,6 +2960,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
struct ieee80211_prep_tx_info info = {
.subtype = IEEE80211_STYPE_AUTH,
};
+ bool sae_need_confirm = false;
sdata_assert_lock(sdata);
@@ -3005,6 +3006,8 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
jiffies + IEEE80211_AUTH_WAIT_SAE_RETRY;
ifmgd->auth_data->timeout_started = true;
run_again(sdata, ifmgd->auth_data->timeout);
+ if (auth_transaction == 1)
+ sae_need_confirm = true;
goto notify_driver;
}
@@ -3047,6 +3050,9 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
ifmgd->auth_data->expected_transaction == 2)) {
if (!ieee80211_mark_sta_auth(sdata, bssid))
return; /* ignore frame -- wait for timeout */
+ } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
+ auth_transaction == 1) {
+ sae_need_confirm = true;
} else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
auth_transaction == 2) {
sdata_info(sdata, "SAE peer confirmed\n");
@@ -3055,7 +3061,8 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
notify_driver:
- drv_mgd_complete_tx(sdata->local, sdata, &info);
+ if (!sae_need_confirm)
+ drv_mgd_complete_tx(sdata->local, sdata, &info);
}
#define case_WLAN(type) \
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 355/644] (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 354/644] wifi: mac80211: dont complete management TX on SAE commit Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 356/644] ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc() Greg Kroah-Hartman
` (294 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Christophe Leroy,
Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 760b9b4f6de9a33ca56a05f950cabe82138d25bd ]
If the device configuration fails (if `dma_dev->device_config()`),
`sg_dma_address(&sg)` is not initialized and the jump to `err_dma_prep`
leads to calling `dma_unmap_single()` on `sg_dma_address(&sg)`.
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250610142918.169540-2-fourier.thomas@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
index 04bf6ecf7d55..85e0fa7d902b 100644
--- a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
+++ b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
@@ -240,10 +240,8 @@ static int mpc512x_lpbfifo_kick(void)
dma_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
/* Make DMA channel work with LPB FIFO data register */
- if (dma_dev->device_config(lpbfifo.chan, &dma_conf)) {
- ret = -EINVAL;
- goto err_dma_prep;
- }
+ if (dma_dev->device_config(lpbfifo.chan, &dma_conf))
+ return -EINVAL;
sg_init_table(&sg, 1);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 356/644] ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc().
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 355/644] (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 357/644] drm/msm: use trylock for debugfs Greg Kroah-Hartman
` (293 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Eric Dumazet,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit dbd40f318cf2f59759bd170c401adc20ba360a3e ]
Since commit 63ed8de4be81 ("mld: add mc_lock for protecting
per-interface mld data"), every multicast resource is protected
by inet6_dev->mc_lock.
RTNL is unnecessary in terms of protection but still needed for
synchronisation between addrconf_ifdown() and __ipv6_dev_mc_inc().
Once we removed RTNL, there would be a race below, where we could
add a multicast address to a dead inet6_dev.
CPU1 CPU2
==== ====
addrconf_ifdown() __ipv6_dev_mc_inc()
if (idev->dead) <-- false
dead = true return -ENODEV;
ipv6_mc_destroy_dev() / ipv6_mc_down()
mutex_lock(&idev->mc_lock)
...
mutex_unlock(&idev->mc_lock)
mutex_lock(&idev->mc_lock)
...
mutex_unlock(&idev->mc_lock)
The race window can be easily closed by checking inet6_dev->dead
under inet6_dev->mc_lock in __ipv6_dev_mc_inc() as addrconf_ifdown()
will acquire it after marking inet6_dev dead.
Let's check inet6_dev->dead under mc_lock in __ipv6_dev_mc_inc().
Note that now __ipv6_dev_mc_inc() no longer depends on RTNL and
we can remove ASSERT_RTNL() there and the RTNL comment above
addrconf_join_solict().
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250702230210.3115355-4-kuni1840@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/addrconf.c | 7 +++----
net/ipv6/mcast.c | 11 +++++------
2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index bb0e385992fc..43df9ad96e39 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2189,13 +2189,12 @@ void addrconf_dad_failure(struct sk_buff *skb, struct inet6_ifaddr *ifp)
in6_ifa_put(ifp);
}
-/* Join to solicited addr multicast group.
- * caller must hold RTNL */
+/* Join to solicited addr multicast group. */
void addrconf_join_solict(struct net_device *dev, const struct in6_addr *addr)
{
struct in6_addr maddr;
- if (dev->flags&(IFF_LOOPBACK|IFF_NOARP))
+ if (READ_ONCE(dev->flags) & (IFF_LOOPBACK | IFF_NOARP))
return;
addrconf_addr_solict_mult(addr, &maddr);
@@ -3784,7 +3783,7 @@ static int addrconf_ifdown(struct net_device *dev, bool unregister)
* Do not dev_put!
*/
if (unregister) {
- idev->dead = 1;
+ WRITE_ONCE(idev->dead, 1);
/* protected by rtnl_lock */
RCU_INIT_POINTER(dev->ip6_ptr, NULL);
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 574a30d7f930..77a9f17c816b 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -906,23 +906,22 @@ static struct ifmcaddr6 *mca_alloc(struct inet6_dev *idev,
static int __ipv6_dev_mc_inc(struct net_device *dev,
const struct in6_addr *addr, unsigned int mode)
{
- struct ifmcaddr6 *mc;
struct inet6_dev *idev;
-
- ASSERT_RTNL();
+ struct ifmcaddr6 *mc;
/* we need to take a reference on idev */
idev = in6_dev_get(dev);
-
if (!idev)
return -EINVAL;
- if (idev->dead) {
+ mutex_lock(&idev->mc_lock);
+
+ if (READ_ONCE(idev->dead)) {
+ mutex_unlock(&idev->mc_lock);
in6_dev_put(idev);
return -ENODEV;
}
- mutex_lock(&idev->mc_lock);
for_each_mc_mclock(idev, mc) {
if (ipv6_addr_equal(&mc->mca_addr, addr)) {
mc->mca_users++;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 357/644] drm/msm: use trylock for debugfs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 356/644] ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 358/644] net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() Greg Kroah-Hartman
` (292 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Clark, Rob Clark,
Antonino Maniscalco, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Clark <robdclark@chromium.org>
[ Upstream commit 0a1ff88ec5b60b41ba830c5bf08b6cd8f45ab411 ]
This resolves a potential deadlock vs msm_gem_vm_close(). Otherwise for
_NO_SHARE buffers msm_gem_describe() could be trying to acquire the
shared vm resv, while already holding priv->obj_lock. But _vm_close()
might drop the last reference to a GEM obj while already holding the vm
resv, and msm_gem_free_object() needs to grab priv->obj_lock, a locking
inversion.
OTOH this is only for debugfs and it isn't critical if we undercount by
skipping a locked obj. So just use trylock() and move along if we can't
get the lock.
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Tested-by: Antonino Maniscalco <antomani103@gmail.com>
Reviewed-by: Antonino Maniscalco <antomani103@gmail.com>
Patchwork: https://patchwork.freedesktop.org/patch/661525/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_gem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
index d280dd64744d..36ced8f83434 100644
--- a/drivers/gpu/drm/msm/msm_gem.c
+++ b/drivers/gpu/drm/msm/msm_gem.c
@@ -886,7 +886,8 @@ void msm_gem_describe(struct drm_gem_object *obj, struct seq_file *m,
uint64_t off = drm_vma_node_start(&obj->vma_node);
const char *madv;
- msm_gem_lock(obj);
+ if (!msm_gem_trylock(obj))
+ return;
stats->all.count++;
stats->all.size += obj->size;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 358/644] net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 357/644] drm/msm: use trylock for debugfs Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 359/644] net: atlantic: add set_power to fw_ops for atl2 to fix wol Greg Kroah-Hartman
` (291 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mika Westerberg, zhangjianrong,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: zhangjianrong <zhangjianrong5@huawei.com>
[ Upstream commit 8ec31cb17cd355cea25cdb8496d9b3fbf1321647 ]
According to the description of tb_xdomain_enable_paths(), the third
parameter represents the transmit ring and the fifth parameter represents
the receive ring. tb_xdomain_disable_paths() is the same case.
[Jakub] Mika says: it works now because both rings ->hop is the same
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://lore.kernel.org/20250625051149.GD2824380@black.fi.intel.com
Signed-off-by: zhangjianrong <zhangjianrong5@huawei.com>
Link: https://patch.msgid.link/20250628094920.656658-1-zhangjianrong5@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/thunderbolt.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
index 470852f7a64d..ba9f7062f5a7 100644
--- a/drivers/net/thunderbolt.c
+++ b/drivers/net/thunderbolt.c
@@ -380,9 +380,9 @@ static void tbnet_tear_down(struct tbnet *net, bool send_logout)
ret = tb_xdomain_disable_paths(net->xd,
net->local_transmit_path,
- net->rx_ring.ring->hop,
+ net->tx_ring.ring->hop,
net->remote_transmit_path,
- net->tx_ring.ring->hop);
+ net->rx_ring.ring->hop);
if (ret)
netdev_warn(net->dev, "failed to disable DMA paths\n");
@@ -631,9 +631,9 @@ static void tbnet_connected_work(struct work_struct *work)
goto err_free_rx_buffers;
ret = tb_xdomain_enable_paths(net->xd, net->local_transmit_path,
- net->rx_ring.ring->hop,
+ net->tx_ring.ring->hop,
net->remote_transmit_path,
- net->tx_ring.ring->hop);
+ net->rx_ring.ring->hop);
if (ret) {
netdev_err(net->dev, "failed to enable DMA paths\n");
goto err_free_tx_buffers;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 359/644] net: atlantic: add set_power to fw_ops for atl2 to fix wol
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 358/644] net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 360/644] net: fec: allow disable coalescing Greg Kroah-Hartman
` (290 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Work, Igor Russkikh,
Jakub Kicinski, Sasha Levin, Mark Starovoitov, Dmitry Bogdanov,
Pavel Belous, Nikita Danilov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Work <work.eric@gmail.com>
[ Upstream commit fad9cf216597a71936ac87143d1618fbbcf97cbe ]
Aquantia AQC113(C) using ATL2FW doesn't properly prepare the NIC for
enabling wake-on-lan. The FW operation `set_power` was only implemented
for `hw_atl` and not `hw_atl2`. Implement the `set_power` functionality
for `hw_atl2`.
Tested with both AQC113 and AQC113C devices. Confirmed you can shutdown
the system and wake from S5 using magic packets. NIC was previously
powered off when entering S5. If the NIC was configured for WOL by the
Windows driver, loading the atlantic driver would disable WOL.
Partially cherry-picks changes from commit,
https://github.com/Aquantia/AQtion/commit/37bd5cc
Attributing original authors from Marvell for the referenced commit.
Closes: https://github.com/Aquantia/AQtion/issues/70
Co-developed-by: Igor Russkikh <irusskikh@marvell.com>
Co-developed-by: Mark Starovoitov <mstarovoitov@marvell.com>
Co-developed-by: Dmitry Bogdanov <dbogdanov@marvell.com>
Co-developed-by: Pavel Belous <pbelous@marvell.com>
Co-developed-by: Nikita Danilov <ndanilov@marvell.com>
Signed-off-by: Eric Work <work.eric@gmail.com>
Reviewed-by: Igor Russkikh <irusskikh@marvell.com>
Link: https://patch.msgid.link/20250629051535.5172-1-work.eric@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/aquantia/atlantic/aq_hw.h | 2 +
.../atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 +++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
index dbd284660135..7f616abd3db2 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
@@ -113,6 +113,8 @@ struct aq_stats_s {
#define AQ_HW_POWER_STATE_D0 0U
#define AQ_HW_POWER_STATE_D3 3U
+#define AQ_FW_WAKE_ON_LINK_RTPM BIT(10)
+
#define AQ_HW_FLAG_STARTED 0x00000004U
#define AQ_HW_FLAG_STOPPING 0x00000008U
#define AQ_HW_FLAG_RESETTING 0x00000010U
diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
index 58d426dda3ed..1c5c27a9f30d 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
@@ -462,6 +462,44 @@ static int aq_a2_fw_get_mac_temp(struct aq_hw_s *self, int *temp)
return aq_a2_fw_get_phy_temp(self, temp);
}
+static int aq_a2_fw_set_wol_params(struct aq_hw_s *self, const u8 *mac, u32 wol)
+{
+ struct mac_address_aligned_s mac_address;
+ struct link_control_s link_control;
+ struct wake_on_lan_s wake_on_lan;
+
+ memcpy(mac_address.aligned.mac_address, mac, ETH_ALEN);
+ hw_atl2_shared_buffer_write(self, mac_address, mac_address);
+
+ memset(&wake_on_lan, 0, sizeof(wake_on_lan));
+
+ if (wol & WAKE_MAGIC)
+ wake_on_lan.wake_on_magic_packet = 1U;
+
+ if (wol & (WAKE_PHY | AQ_FW_WAKE_ON_LINK_RTPM))
+ wake_on_lan.wake_on_link_up = 1U;
+
+ hw_atl2_shared_buffer_write(self, sleep_proxy, wake_on_lan);
+
+ hw_atl2_shared_buffer_get(self, link_control, link_control);
+ link_control.mode = AQ_HOST_MODE_SLEEP_PROXY;
+ hw_atl2_shared_buffer_write(self, link_control, link_control);
+
+ return hw_atl2_shared_buffer_finish_ack(self);
+}
+
+static int aq_a2_fw_set_power(struct aq_hw_s *self, unsigned int power_state,
+ const u8 *mac)
+{
+ u32 wol = self->aq_nic_cfg->wol;
+ int err = 0;
+
+ if (wol)
+ err = aq_a2_fw_set_wol_params(self, mac, wol);
+
+ return err;
+}
+
static int aq_a2_fw_set_eee_rate(struct aq_hw_s *self, u32 speed)
{
struct link_options_s link_options;
@@ -605,6 +643,7 @@ const struct aq_fw_ops aq_a2_fw_ops = {
.set_state = aq_a2_fw_set_state,
.update_link_status = aq_a2_fw_update_link_status,
.update_stats = aq_a2_fw_update_stats,
+ .set_power = aq_a2_fw_set_power,
.get_mac_temp = aq_a2_fw_get_mac_temp,
.get_phy_temp = aq_a2_fw_get_phy_temp,
.set_eee_rate = aq_a2_fw_set_eee_rate,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 360/644] net: fec: allow disable coalescing
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 359/644] net: atlantic: add set_power to fw_ops for atl2 to fix wol Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 361/644] drm/amd/display: Separate set_gsl from set_gsl_source_select Greg Kroah-Hartman
` (289 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Rebmann, Wei Fang,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Rebmann <jre@pengutronix.de>
[ Upstream commit b7ad21258f9e9a7f58b19595d5ceed2cde3bed68 ]
In the current implementation, IP coalescing is always enabled and
cannot be disabled.
As setting maximum frames to 0 or 1, or setting delay to zero implies
immediate delivery of single packets/IRQs, disable coalescing in
hardware in these cases.
This also guarantees that coalescing is never enabled with ICFT or ICTT
set to zero, a configuration that could lead to unpredictable behaviour
according to i.MX8MP reference manual.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
Reviewed-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20250626-fec_deactivate_coalescing-v2-1-0b217f2e80da@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec_main.c | 34 +++++++++++------------
1 file changed, 16 insertions(+), 18 deletions(-)
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index 5c860eef0300..437e72110ab5 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -2727,27 +2727,25 @@ static int fec_enet_us_to_itr_clock(struct net_device *ndev, int us)
static void fec_enet_itr_coal_set(struct net_device *ndev)
{
struct fec_enet_private *fep = netdev_priv(ndev);
- int rx_itr, tx_itr;
+ u32 rx_itr = 0, tx_itr = 0;
+ int rx_ictt, tx_ictt;
- /* Must be greater than zero to avoid unpredictable behavior */
- if (!fep->rx_time_itr || !fep->rx_pkts_itr ||
- !fep->tx_time_itr || !fep->tx_pkts_itr)
- return;
-
- /* Select enet system clock as Interrupt Coalescing
- * timer Clock Source
- */
- rx_itr = FEC_ITR_CLK_SEL;
- tx_itr = FEC_ITR_CLK_SEL;
+ rx_ictt = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr);
+ tx_ictt = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr);
- /* set ICFT and ICTT */
- rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr);
- rx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr));
- tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr);
- tx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr));
+ if (rx_ictt > 0 && fep->rx_pkts_itr > 1) {
+ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */
+ rx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL;
+ rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr);
+ rx_itr |= FEC_ITR_ICTT(rx_ictt);
+ }
- rx_itr |= FEC_ITR_EN;
- tx_itr |= FEC_ITR_EN;
+ if (tx_ictt > 0 && fep->tx_pkts_itr > 1) {
+ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */
+ tx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL;
+ tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr);
+ tx_itr |= FEC_ITR_ICTT(tx_ictt);
+ }
writel(tx_itr, fep->hwp + FEC_TXIC0);
writel(rx_itr, fep->hwp + FEC_RXIC0);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 361/644] drm/amd/display: Separate set_gsl from set_gsl_source_select
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 360/644] net: fec: allow disable coalescing Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 362/644] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() Greg Kroah-Hartman
` (288 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nevenko Stupar, Ilya Bakoulin,
Ray Wu, Daniel Wheeler, Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Bakoulin <Ilya.Bakoulin@amd.com>
[ Upstream commit 660a467a5e7366cd6642de61f1aaeaf0d253ee68 ]
[Why/How]
Separate the checks for set_gsl and set_gsl_source_select, since
source_select may not be implemented/necessary.
Reviewed-by: Nevenko Stupar <nevenko.stupar@amd.com>
Signed-off-by: Ilya Bakoulin <Ilya.Bakoulin@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
index bf2a8f53694b..59d16c553800 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
@@ -160,14 +160,13 @@ static void dcn20_setup_gsl_group_as_lock(
}
/* at this point we want to program whether it's to enable or disable */
- if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL &&
- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL) {
+ if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL) {
pipe_ctx->stream_res.tg->funcs->set_gsl(
pipe_ctx->stream_res.tg,
&gsl);
-
- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select(
- pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0);
+ if (pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL)
+ pipe_ctx->stream_res.tg->funcs->set_gsl_source_select(
+ pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0);
} else
BREAK_TO_DEBUGGER();
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 362/644] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 361/644] drm/amd/display: Separate set_gsl from set_gsl_source_select Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 363/644] wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect Greg Kroah-Hartman
` (287 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rand Deeb, Miri Korenblit,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rand Deeb <rand.sec96@gmail.com>
[ Upstream commit e3ad987e9dc7d1e12e3f2f1e623f0e174cd0ca78 ]
The 'index' variable in the rs_fill_link_cmd() function can reach
LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This
variable is used as an index for the lq_cmd->rs_table array, which has a
size of LINK_QUAL_MAX_RETRY_NUM, without proper validation.
Modify the condition of the inner loop to ensure that the 'index' variable
does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing any
potential overflow issues.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
Link: https://patch.msgid.link/20240313101755.269209-1-rand.sec96@gmail.com
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
index 958bfc38d390..f44448a13172 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
@@ -2926,7 +2926,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv,
/* Repeat initial/next rate.
* For legacy IWL_NUMBER_TRY == 1, this loop will not execute.
* For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */
- while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) {
+ while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) {
if (is_legacy(tbl_type.lq_type)) {
if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE)
ant_toggle_cnt++;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 363/644] wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 362/644] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 364/644] drm/amd/display: Fix failed to blank crtc! Greg Kroah-Hartman
` (286 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pagadala Yesu Anjaneyulu,
Miri Korenblit, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
[ Upstream commit cc8d9cbf269dab363c768bfa9312265bc807fca5 ]
Ensure descriptor is freed on error to avoid memory leak.
Signed-off-by: Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20250611222325.8158d15ec866.Ifa3e422c302397111f20a16da7509e6574bc19e3@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
index f1d07ddb3f83..2c5358fc05b1 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
@@ -2561,6 +2561,7 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt,
struct iwl_fw_dump_desc *desc;
unsigned int delay = 0;
bool monitor_only = false;
+ int ret;
if (trigger) {
u16 occurrences = le16_to_cpu(trigger->occurrences) - 1;
@@ -2591,7 +2592,11 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt,
desc->trig_desc.type = cpu_to_le32(trig);
memcpy(desc->trig_desc.data, str, len);
- return iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay);
+ ret = iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay);
+ if (ret)
+ kfree(desc);
+
+ return ret;
}
IWL_EXPORT_SYMBOL(iwl_fw_dbg_collect);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 364/644] drm/amd/display: Fix failed to blank crtc!
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 363/644] wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 365/644] wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` Greg Kroah-Hartman
` (285 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Kazlauskas, Wen Chen,
Fangzhi Zuo, Daniel Wheeler, Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wen Chen <Wen.Chen3@amd.com>
[ Upstream commit 01f60348d8fb6b3fbcdfc7bdde5d669f95b009a4 ]
[why]
DCN35 is having “DC: failed to blank crtc!” when running HPO
test cases. It's caused by not having sufficient udelay time.
[how]
Replace the old wait_for_blank_complete function with fsleep function to
sleep just until the next frame should come up. This way it doesn't poll
in case the pixel clock or other clock was bugged or until vactive and
the vblank are hit again.
Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Wen Chen <Wen.Chen3@amd.com>
Signed-off-by: Fangzhi Zuo <jerry.zuo@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
index 59d16c553800..3935c8b32a2b 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
@@ -729,7 +729,7 @@ enum dc_status dcn20_enable_stream_timing(
return DC_ERROR_UNEXPECTED;
}
- hws->funcs.wait_for_blank_complete(pipe_ctx->stream_res.opp);
+ fsleep(stream->timing.v_total * (stream->timing.h_total * 10000u / stream->timing.pix_clk_100hz));
params.vertical_total_min = stream->adjust.v_total_min;
params.vertical_total_max = stream->adjust.v_total_max;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 365/644] wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`.
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 364/644] drm/amd/display: Fix failed to blank crtc! Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 366/644] netmem: fix skb_frag_address_safe with unreadable skbs Greg Kroah-Hartman
` (284 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Ping-Ke Shih,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 44c0e191004f0e3aa1bdee3be248be14dbe5b020 ]
The function `_rtl_pci_init_one_rxdesc()` can fail even when the new
`skb` is passed because of a DMA mapping error. If it fails, the `skb`
is not saved in the rx ringbuffer and thus lost.
Compile tested only
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250616105631.444309-4-fourier.thomas@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index f024533d34a9..bccb959d8210 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -803,13 +803,19 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
skb = new_skb;
no_new:
if (rtlpriv->use_new_trx_flow) {
- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc,
- rxring_idx,
- rtlpci->rx_ring[rxring_idx].idx);
+ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc,
+ rxring_idx,
+ rtlpci->rx_ring[rxring_idx].idx)) {
+ if (new_skb)
+ dev_kfree_skb_any(skb);
+ }
} else {
- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc,
- rxring_idx,
- rtlpci->rx_ring[rxring_idx].idx);
+ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc,
+ rxring_idx,
+ rtlpci->rx_ring[rxring_idx].idx)) {
+ if (new_skb)
+ dev_kfree_skb_any(skb);
+ }
if (rtlpci->rx_ring[rxring_idx].idx ==
rtlpci->rxringcount - 1)
rtlpriv->cfg->ops->set_desc(hw, (u8 *)pdesc,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 366/644] netmem: fix skb_frag_address_safe with unreadable skbs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 365/644] wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 367/644] wifi: iwlegacy: Check rate_idx range after addition Greg Kroah-Hartman
` (283 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ap420073, Mina Almasry,
Stanislav Fomichev, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mina Almasry <almasrymina@google.com>
[ Upstream commit 4672aec56d2e8edabcb74c3e2320301d106a377e ]
skb_frag_address_safe() needs a check that the
skb_frag_page exists check similar to skb_frag_address().
Cc: ap420073@gmail.com
Signed-off-by: Mina Almasry <almasrymina@google.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Link: https://patch.msgid.link/20250619175239.3039329-1-almasrymina@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/skbuff.h | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 9155d0d7f706..a8d6e976507e 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3287,7 +3287,13 @@ static inline void *skb_frag_address(const skb_frag_t *frag)
*/
static inline void *skb_frag_address_safe(const skb_frag_t *frag)
{
- void *ptr = page_address(skb_frag_page(frag));
+ struct page *page = skb_frag_page(frag);
+ void *ptr;
+
+ if (!page)
+ return NULL;
+
+ ptr = page_address(page);
if (unlikely(!ptr))
return NULL;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 367/644] wifi: iwlegacy: Check rate_idx range after addition
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 366/644] netmem: fix skb_frag_address_safe with unreadable skbs Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 368/644] dpaa_eth: dont use fixed_phy_change_carrier Greg Kroah-Hartman
` (282 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Alexei Safin,
Stanislaw Gruszka, Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <stf_xl@wp.pl>
[ Upstream commit 0de19d5ae0b2c5b18b88c5c7f0442f707a207409 ]
Limit rate_idx to IL_LAST_OFDM_RATE for 5GHz band for thinkable case
the index is incorrect.
Reported-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reported-by: Alexei Safin <a.safin@rosa.ru>
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Reviewed-by: Fedor Pchelkin <pchelkin@ispras.ru>
Link: https://patch.msgid.link/20250525144524.GA172583@wp.pl
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
index ceab7704897d..df9d139a008e 100644
--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
@@ -1575,8 +1575,11 @@ il4965_tx_cmd_build_rate(struct il_priv *il,
|| rate_idx > RATE_COUNT_LEGACY)
rate_idx = rate_lowest_index(&il->bands[info->band], sta);
/* For 5 GHZ band, remap mac80211 rate indices into driver indices */
- if (info->band == NL80211_BAND_5GHZ)
+ if (info->band == NL80211_BAND_5GHZ) {
rate_idx += IL_FIRST_OFDM_RATE;
+ if (rate_idx > IL_LAST_OFDM_RATE)
+ rate_idx = IL_LAST_OFDM_RATE;
+ }
/* Get PLCP rate for tx_cmd->rate_n_flags */
rate_plcp = il_rates[rate_idx].plcp;
/* Zero out flags for this packet */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 368/644] dpaa_eth: dont use fixed_phy_change_carrier
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 367/644] wifi: iwlegacy: Check rate_idx range after addition Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 369/644] drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual Greg Kroah-Hartman
` (281 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiner Kallweit, Jacob Keller,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
[ Upstream commit d8155c1df5c8b717052567b188455d41fa7a8908 ]
This effectively reverts 6e8b0ff1ba4c ("dpaa_eth: Add change_carrier()
for Fixed PHYs"). Usage of fixed_phy_change_carrier() requires that
fixed_phy_register() has been called before, directly or indirectly.
And that's not the case in this driver.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/7eb189b3-d5fd-4be6-8517-a66671a4e4e3@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
index 6fbf4efa0786..c2fe8827346f 100644
--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
@@ -52,7 +52,6 @@
#include <linux/percpu.h>
#include <linux/dma-mapping.h>
#include <linux/sort.h>
-#include <linux/phy_fixed.h>
#include <linux/bpf.h>
#include <linux/bpf_trace.h>
#include <soc/fsl/bman.h>
@@ -3168,7 +3167,6 @@ static const struct net_device_ops dpaa_ops = {
.ndo_stop = dpaa_eth_stop,
.ndo_tx_timeout = dpaa_tx_timeout,
.ndo_get_stats64 = dpaa_get_stats64,
- .ndo_change_carrier = fixed_phy_change_carrier,
.ndo_set_mac_address = dpaa_set_mac_address,
.ndo_validate_addr = eth_validate_addr,
.ndo_set_rx_mode = dpaa_set_rx_mode,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 369/644] drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 368/644] dpaa_eth: dont use fixed_phy_change_carrier Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 370/644] net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs Greg Kroah-Hartman
` (280 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Loup A. Griffais, Vicki Pfau,
Alex Deucher, Mario Limonciello, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 2d1ec1e955414e8e8358178011c35afca1a1c0b1 ]
Several other ASICs allow printing OD SCLK levels without setting DPM
control to manual. When OD is disabled it will show the range the
hardware supports. When OD is enabled it will show what values have
been programmed. Adjust VanGogh to work the same.
Cc: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
Reported-by: Vicki Pfau <vi@endrift.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Link: https://lore.kernel.org/r/20250609031227.479079-1-superm1@kernel.org
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 ++++++++-----------
1 file changed, 15 insertions(+), 22 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
index 5a9b47133db1..d64a0a0d5b19 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
@@ -680,7 +680,6 @@ static int vangogh_print_clk_levels(struct smu_context *smu,
{
DpmClocks_t *clk_table = smu->smu_table.clocks_table;
SmuMetrics_t metrics;
- struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm);
int i, idx, size = 0, ret = 0;
uint32_t cur_value = 0, value = 0, count = 0;
bool cur_value_match_level = false;
@@ -695,31 +694,25 @@ static int vangogh_print_clk_levels(struct smu_context *smu,
switch (clk_type) {
case SMU_OD_SCLK:
- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
- size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK");
- size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
- (smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
- size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
- (smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
- }
+ size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK");
+ size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
+ (smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
+ size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
+ (smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
break;
case SMU_OD_CCLK:
- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
- size += sysfs_emit_at(buf, size, "CCLK_RANGE in Core%d:\n", smu->cpu_core_id_select);
- size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
- (smu->cpu_actual_soft_min_freq > 0) ? smu->cpu_actual_soft_min_freq : smu->cpu_default_soft_min_freq);
- size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
- (smu->cpu_actual_soft_max_freq > 0) ? smu->cpu_actual_soft_max_freq : smu->cpu_default_soft_max_freq);
- }
+ size += sysfs_emit_at(buf, size, "CCLK_RANGE in Core%d:\n", smu->cpu_core_id_select);
+ size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
+ (smu->cpu_actual_soft_min_freq > 0) ? smu->cpu_actual_soft_min_freq : smu->cpu_default_soft_min_freq);
+ size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
+ (smu->cpu_actual_soft_max_freq > 0) ? smu->cpu_actual_soft_max_freq : smu->cpu_default_soft_max_freq);
break;
case SMU_OD_RANGE:
- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
- size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE");
- size += sysfs_emit_at(buf, size, "SCLK: %7uMhz %10uMhz\n",
- smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq);
- size += sysfs_emit_at(buf, size, "CCLK: %7uMhz %10uMhz\n",
- smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq);
- }
+ size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE");
+ size += sysfs_emit_at(buf, size, "SCLK: %7uMhz %10uMhz\n",
+ smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq);
+ size += sysfs_emit_at(buf, size, "CCLK: %7uMhz %10uMhz\n",
+ smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq);
break;
case SMU_SOCCLK:
/* the level 3 ~ 6 of socclk use the same frequency for vangogh */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 370/644] net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 369/644] drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 371/644] gve: Return error for unknown admin queue command Greg Kroah-Hartman
` (279 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Lazar, Dragos Tatulea,
Gal Pressman, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 60a8b1a5d0824afda869f18dc0ecfe72f8dfda42 ]
When CONFIG_VLAN_8021Q=n, a set of stub helpers are used, three of these
helpers use BUG() unconditionally.
This code should not be reached, as callers of these functions should
always check for is_vlan_dev() first, but the usage of BUG() is not
recommended, replace it with WARN_ON() instead.
Reviewed-by: Alex Lazar <alazar@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Signed-off-by: Gal Pressman <gal@nvidia.com>
Link: https://patch.msgid.link/20250616132626.1749331-3-gal@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/if_vlan.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
index 64cfe7cd292c..3728e3978f83 100644
--- a/include/linux/if_vlan.h
+++ b/include/linux/if_vlan.h
@@ -248,19 +248,19 @@ vlan_for_each(struct net_device *dev,
static inline struct net_device *vlan_dev_real_dev(const struct net_device *dev)
{
- BUG();
+ WARN_ON_ONCE(1);
return NULL;
}
static inline u16 vlan_dev_vlan_id(const struct net_device *dev)
{
- BUG();
+ WARN_ON_ONCE(1);
return 0;
}
static inline __be16 vlan_dev_vlan_proto(const struct net_device *dev)
{
- BUG();
+ WARN_ON_ONCE(1);
return 0;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 371/644] gve: Return error for unknown admin queue command
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 370/644] net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 372/644] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 Greg Kroah-Hartman
` (278 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit b11344f63fdd9e8c5121148a6965b41079071dd2 ]
In gve_adminq_issue_cmd(), return -EINVAL instead of 0 when an unknown
admin queue command opcode is encountered.
This prevents the function from silently succeeding on invalid input
and prevents undefined behavior by ensuring the function fails gracefully
when an unrecognized opcode is provided.
These changes improve error handling.
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20250616054504.1644770-2-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/google/gve/gve_adminq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c
index 54d649e5ee65..872b169b920c 100644
--- a/drivers/net/ethernet/google/gve/gve_adminq.c
+++ b/drivers/net/ethernet/google/gve/gve_adminq.c
@@ -389,6 +389,7 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv,
break;
default:
dev_err(&priv->pdev->dev, "unknown AQ command opcode %d\n", opcode);
+ return -EINVAL;
}
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 372/644] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 371/644] gve: Return error for unknown admin queue command Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 373/644] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 Greg Kroah-Hartman
` (277 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Álvaro Fernández Rojas, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit c00df1018791185ea398f78af415a2a0aaa0c79c ]
CPU port should be B53_CPU_PORT instead of B53_CPU_PORT_25 for
B53_PVLAN_PORT_MASK register.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Link: https://patch.msgid.link/20250614080000.1884236-14-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 3bd0d1632b65..091ca9ca49aa 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -507,6 +507,10 @@ void b53_imp_vlan_setup(struct dsa_switch *ds, int cpu_port)
unsigned int i;
u16 pvlan;
+ /* BCM5325 CPU port is at 8 */
+ if ((is5325(dev) || is5365(dev)) && cpu_port == B53_CPU_PORT_25)
+ cpu_port = B53_CPU_PORT;
+
/* Enable the IMP port to be in the same VLAN as the other ports
* on a per-port basis such that we only have Port i and IMP in
* the same VLAN.
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 373/644] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 372/644] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 374/644] net: dsa: b53: prevent DIS_LEARNING " Greg Kroah-Hartman
` (276 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Álvaro Fernández Rojas, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 37883bbc45a8555d6eca88d3a9730504d2dac86c ]
BCM5325 doesn't implement GMII_PORT_OVERRIDE_CTRL register so we should
avoid reading or writing it.
PORT_OVERRIDE_RX_FLOW and PORT_OVERRIDE_TX_FLOW aren't defined on BCM5325
and we should use PORT_OVERRIDE_LP_FLOW_25 instead.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Link: https://patch.msgid.link/20250614080000.1884236-12-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 21 +++++++++++++++++----
drivers/net/dsa/b53/b53_regs.h | 1 +
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 091ca9ca49aa..2def9ed34beb 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -1167,6 +1167,8 @@ static void b53_force_link(struct b53_device *dev, int port, int link)
if (port == dev->imp_port) {
off = B53_PORT_OVERRIDE_CTRL;
val = PORT_OVERRIDE_EN;
+ } else if (is5325(dev)) {
+ return;
} else {
off = B53_GMII_PORT_OVERRIDE_CTRL(port);
val = GMII_PO_EN;
@@ -1191,6 +1193,8 @@ static void b53_force_port_config(struct b53_device *dev, int port,
if (port == dev->imp_port) {
off = B53_PORT_OVERRIDE_CTRL;
val = PORT_OVERRIDE_EN;
+ } else if (is5325(dev)) {
+ return;
} else {
off = B53_GMII_PORT_OVERRIDE_CTRL(port);
val = GMII_PO_EN;
@@ -1221,10 +1225,19 @@ static void b53_force_port_config(struct b53_device *dev, int port,
return;
}
- if (rx_pause)
- reg |= PORT_OVERRIDE_RX_FLOW;
- if (tx_pause)
- reg |= PORT_OVERRIDE_TX_FLOW;
+ if (rx_pause) {
+ if (is5325(dev))
+ reg |= PORT_OVERRIDE_LP_FLOW_25;
+ else
+ reg |= PORT_OVERRIDE_RX_FLOW;
+ }
+
+ if (tx_pause) {
+ if (is5325(dev))
+ reg |= PORT_OVERRIDE_LP_FLOW_25;
+ else
+ reg |= PORT_OVERRIDE_TX_FLOW;
+ }
b53_write8(dev, B53_CTRL_PAGE, off, reg);
}
diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h
index b2c539a42154..e5776545a8a0 100644
--- a/drivers/net/dsa/b53/b53_regs.h
+++ b/drivers/net/dsa/b53/b53_regs.h
@@ -92,6 +92,7 @@
#define PORT_OVERRIDE_SPEED_10M (0 << PORT_OVERRIDE_SPEED_S)
#define PORT_OVERRIDE_SPEED_100M (1 << PORT_OVERRIDE_SPEED_S)
#define PORT_OVERRIDE_SPEED_1000M (2 << PORT_OVERRIDE_SPEED_S)
+#define PORT_OVERRIDE_LP_FLOW_25 BIT(3) /* BCM5325 only */
#define PORT_OVERRIDE_RV_MII_25 BIT(4) /* BCM5325 only */
#define PORT_OVERRIDE_RX_FLOW BIT(4)
#define PORT_OVERRIDE_TX_FLOW BIT(5)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 374/644] net: dsa: b53: prevent DIS_LEARNING access on BCM5325
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 373/644] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 375/644] net: dsa: b53: prevent SWITCH_CTRL " Greg Kroah-Hartman
` (275 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Álvaro Fernández Rojas, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 800728abd9f83bda4de62a30ce62a8b41c242020 ]
BCM5325 doesn't implement DIS_LEARNING register so we should avoid reading
or writing it.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Link: https://patch.msgid.link/20250614080000.1884236-10-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 2def9ed34beb..ef6191d753e8 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -561,6 +561,9 @@ static void b53_port_set_learning(struct b53_device *dev, int port,
{
u16 reg;
+ if (is5325(dev))
+ return;
+
b53_read16(dev, B53_CTRL_PAGE, B53_DIS_LEARNING, ®);
if (learning)
reg &= ~BIT(port);
@@ -2034,7 +2037,13 @@ int b53_br_flags_pre(struct dsa_switch *ds, int port,
struct switchdev_brport_flags flags,
struct netlink_ext_ack *extack)
{
- if (flags.mask & ~(BR_FLOOD | BR_MCAST_FLOOD | BR_LEARNING))
+ struct b53_device *dev = ds->priv;
+ unsigned long mask = (BR_FLOOD | BR_MCAST_FLOOD);
+
+ if (!is5325(dev))
+ mask |= BR_LEARNING;
+
+ if (flags.mask & ~mask)
return -EINVAL;
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 375/644] net: dsa: b53: prevent SWITCH_CTRL access on BCM5325
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 374/644] net: dsa: b53: prevent DIS_LEARNING " Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 376/644] wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() Greg Kroah-Hartman
` (274 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Álvaro Fernández Rojas, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 22ccaaca43440e90a3b68d2183045b42247dc4be ]
BCM5325 doesn't implement SWITCH_CTRL register so we should avoid reading
or writing it.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Link: https://patch.msgid.link/20250614080000.1884236-8-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index ef6191d753e8..2de7a3254455 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -339,11 +339,12 @@ static void b53_set_forwarding(struct b53_device *dev, int enable)
b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_MODE, mgmt);
- /* Include IMP port in dumb forwarding mode
- */
- b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
- mgmt |= B53_MII_DUMB_FWDG_EN;
- b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
+ if (!is5325(dev)) {
+ /* Include IMP port in dumb forwarding mode */
+ b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
+ mgmt |= B53_MII_DUMB_FWDG_EN;
+ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
+ }
/* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
* frames should be flooded or not.
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 376/644] wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 375/644] net: dsa: b53: prevent SWITCH_CTRL " Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 377/644] net: ncsi: Fix buffer overflow in fetching version id Greg Kroah-Hartman
` (273 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Ping-Ke Shih,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 76b3e5078d76f0eeadb7aacf9845399f8473da0d ]
When `dma_mapping_error()` is true, if a new `skb` has been allocated,
then it must be de-allocated.
Compile tested only
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250613074014.69856-2-fourier.thomas@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index bccb959d8210..02821588673e 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -573,8 +573,11 @@ static int _rtl_pci_init_one_rxdesc(struct ieee80211_hw *hw,
dma_map_single(&rtlpci->pdev->dev, skb_tail_pointer(skb),
rtlpci->rxbuffersize, DMA_FROM_DEVICE);
bufferaddress = *((dma_addr_t *)skb->cb);
- if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress))
+ if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress)) {
+ if (!new_skb)
+ kfree_skb(skb);
return 0;
+ }
rtlpci->rx_ring[rxring_idx].rx_buf[desc_idx] = skb;
if (rtlpriv->use_new_trx_flow) {
/* skb->cb may be 64 bit address */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 377/644] net: ncsi: Fix buffer overflow in fetching version id
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 376/644] wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 378/644] drm/ttm: Should to return the evict error Greg Kroah-Hartman
` (272 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hari Kalavakunta, Paul Fertser,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
[ Upstream commit 8e16170ae972c7fed132bc928914a2ffb94690fc ]
In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
need to be null terminated while its size occupies the full size
of the field. Fix the buffer overflow issue by adding one
additional byte for null terminator.
Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
Reviewed-by: Paul Fertser <fercerpav@gmail.com>
Link: https://patch.msgid.link/20250610193338.1368-1-kalavakunta.hari.prasad@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ncsi/internal.h | 2 +-
net/ncsi/ncsi-rsp.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index 2c260f33b55c..ad1f671ffc37 100644
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -110,7 +110,7 @@ struct ncsi_channel_version {
u8 update; /* NCSI version update */
char alpha1; /* NCSI version alpha1 */
char alpha2; /* NCSI version alpha2 */
- u8 fw_name[12]; /* Firmware name string */
+ u8 fw_name[12 + 1]; /* Firmware name string */
u32 fw_version; /* Firmware version */
u16 pci_ids[4]; /* PCI identification */
u32 mf_id; /* Manufacture ID */
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 8668888c5a2f..d5ed80731e89 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -775,6 +775,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
ncv->alpha1 = rsp->alpha1;
ncv->alpha2 = rsp->alpha2;
memcpy(ncv->fw_name, rsp->fw_name, 12);
+ ncv->fw_name[12] = '\0';
ncv->fw_version = ntohl(rsp->fw_version);
for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++)
ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 378/644] drm/ttm: Should to return the evict error
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 377/644] net: ncsi: Fix buffer overflow in fetching version id Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 379/644] uapi: in6: restore visibility of most IPv6 socket options Greg Kroah-Hartman
` (271 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emily Deng, Christian König,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emily Deng <Emily.Deng@amd.com>
[ Upstream commit 4e16a9a00239db5d819197b9a00f70665951bf50 ]
For the evict fail case, the evict error should be returned.
v2: Consider ENOENT case.
v3: Abort directly when the eviction failed for some reason (except for -ENOENT)
and not wait for the move to finish
Signed-off-by: Emily Deng <Emily.Deng@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Link: https://lore.kernel.org/r/20250603091154.3472646-1-Emily.Deng@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/ttm/ttm_resource.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/ttm/ttm_resource.c b/drivers/gpu/drm/ttm/ttm_resource.c
index 2c590b4c46cb..9a8f565aa6ad 100644
--- a/drivers/gpu/drm/ttm/ttm_resource.c
+++ b/drivers/gpu/drm/ttm/ttm_resource.c
@@ -150,6 +150,9 @@ int ttm_resource_manager_evict_all(struct ttm_device *bdev,
}
spin_unlock(&bdev->lru_lock);
+ if (ret && ret != -ENOENT)
+ return ret;
+
spin_lock(&man->move_lock);
fence = dma_fence_get(man->move);
spin_unlock(&man->move_lock);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 379/644] uapi: in6: restore visibility of most IPv6 socket options
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 378/644] drm/ttm: Should to return the evict error Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 380/644] drm/ttm: Respect the shrinker core free target Greg Kroah-Hartman
` (270 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 31557b3487b349464daf42bc4366153743c1e727 ]
A decade ago commit 6d08acd2d32e ("in6: fix conflict with glibc")
hid the definitions of IPV6 options, because GCC was complaining
about duplicates. The commit did not list the warnings seen, but
trying to recreate them now I think they are (building iproute2):
In file included from ./include/uapi/rdma/rdma_user_cm.h:39,
from rdma.h:16,
from res.h:9,
from res-ctx.c:7:
../include/uapi/linux/in6.h:171:9: warning: ‘IPV6_ADD_MEMBERSHIP’ redefined
171 | #define IPV6_ADD_MEMBERSHIP 20
| ^~~~~~~~~~~~~~~~~~~
In file included from /usr/include/netinet/in.h:37,
from rdma.h:13:
/usr/include/bits/in.h:233:10: note: this is the location of the previous definition
233 | # define IPV6_ADD_MEMBERSHIP IPV6_JOIN_GROUP
| ^~~~~~~~~~~~~~~~~~~
../include/uapi/linux/in6.h:172:9: warning: ‘IPV6_DROP_MEMBERSHIP’ redefined
172 | #define IPV6_DROP_MEMBERSHIP 21
| ^~~~~~~~~~~~~~~~~~~~
/usr/include/bits/in.h:234:10: note: this is the location of the previous definition
234 | # define IPV6_DROP_MEMBERSHIP IPV6_LEAVE_GROUP
| ^~~~~~~~~~~~~~~~~~~~
Compilers don't complain about redefinition if the defines
are identical, but here we have the kernel using the literal
value, and glibc using an indirection (defining to a name
of another define, with the same numerical value).
Problem is, the commit in question hid all the IPV6 socket
options, and glibc has a pretty sparse list. For instance
it lacks Flow Label related options. Willem called this out
in commit 3fb321fde22d ("selftests/net: ipv6 flowlabel"):
/* uapi/glibc weirdness may leave this undefined */
#ifndef IPV6_FLOWINFO
#define IPV6_FLOWINFO 11
#endif
More interestingly some applications (socat) use
a #ifdef IPV6_FLOWINFO to gate compilation of thier
rudimentary flow label support. (For added confusion
socat misspells it as IPV4_FLOWINFO in some places.)
Hide only the two defines we know glibc has a problem
with. If we discover more warnings we can hide more
but we should avoid covering the entire block of
defines for "IPV6 socket options".
Link: https://patch.msgid.link/20250609143933.1654417-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/in6.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h
index ff8d21f9e95b..5a47339ef7d7 100644
--- a/include/uapi/linux/in6.h
+++ b/include/uapi/linux/in6.h
@@ -152,7 +152,6 @@ struct in6_flowlabel_req {
/*
* IPV6 socket options
*/
-#if __UAPI_DEF_IPV6_OPTIONS
#define IPV6_ADDRFORM 1
#define IPV6_2292PKTINFO 2
#define IPV6_2292HOPOPTS 3
@@ -169,8 +168,10 @@ struct in6_flowlabel_req {
#define IPV6_MULTICAST_IF 17
#define IPV6_MULTICAST_HOPS 18
#define IPV6_MULTICAST_LOOP 19
+#if __UAPI_DEF_IPV6_OPTIONS
#define IPV6_ADD_MEMBERSHIP 20
#define IPV6_DROP_MEMBERSHIP 21
+#endif
#define IPV6_ROUTER_ALERT 22
#define IPV6_MTU_DISCOVER 23
#define IPV6_MTU 24
@@ -203,7 +204,6 @@ struct in6_flowlabel_req {
#define IPV6_IPSEC_POLICY 34
#define IPV6_XFRM_POLICY 35
#define IPV6_HDRINCL 36
-#endif
/*
* Multicast:
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 380/644] drm/ttm: Respect the shrinker core free target
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 379/644] uapi: in6: restore visibility of most IPv6 socket options Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 381/644] net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325 Greg Kroah-Hartman
` (269 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tvrtko Ursulin, Christian König,
Thomas Hellström, Tvrtko Ursulin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
[ Upstream commit eac21f8ebeb4f84d703cf41dc3f81d16fa9dc00a ]
Currently the TTM shrinker aborts shrinking as soon as it frees pages from
any of the page order pools and by doing so it can fail to respect the
freeing target which was configured by the shrinker core.
We use the wording "can fail" because the number of freed pages will
depend on the presence of pages in the pools and the order of the pools on
the LRU list. For example if there are no free pages in the high order
pools the shrinker core may require multiple passes over the TTM shrinker
before it will free the default target of 128 pages (assuming there are
free pages in the low order pools). This inefficiency can be compounded by
the pool LRU where multiple further calls into the TTM shrinker are
required to end up looking at the pool with pages.
Improve this by never freeing less than the shrinker core has requested.
At the same time we start reporting the number of scanned pages (freed in
this case), which prevents the core shrinker from giving up on the TTM
shrinker too soon and moving on.
v2:
* Simplify loop logic. (Christian)
* Improve commit message.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Link: https://lore.kernel.org/r/20250603112750.34997-2-tvrtko.ursulin@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/ttm/ttm_pool.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c
index 346db24719f9..69968b3cb73d 100644
--- a/drivers/gpu/drm/ttm/ttm_pool.c
+++ b/drivers/gpu/drm/ttm/ttm_pool.c
@@ -588,7 +588,6 @@ void ttm_pool_fini(struct ttm_pool *pool)
}
}
-/* As long as pages are available make sure to release at least one */
static unsigned long ttm_pool_shrinker_scan(struct shrinker *shrink,
struct shrink_control *sc)
{
@@ -596,9 +595,12 @@ static unsigned long ttm_pool_shrinker_scan(struct shrinker *shrink,
do
num_freed += ttm_pool_shrink();
- while (!num_freed && atomic_long_read(&allocated_pages));
+ while (num_freed < sc->nr_to_scan &&
+ atomic_long_read(&allocated_pages));
- return num_freed;
+ sc->nr_scanned = num_freed;
+
+ return num_freed ?: SHRINK_STOP;
}
/* Return the number of pages available or SHRINK_EMPTY if we have none */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 381/644] net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 380/644] drm/ttm: Respect the shrinker core free target Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 382/644] vhost: fail early when __vhost_add_used() fails Greg Kroah-Hartman
` (268 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Fainelli,
Álvaro Fernández Rojas, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Álvaro Fernández Rojas <noltari@gmail.com>
[ Upstream commit 044d5ce2788b165798bfd173548e61bf7b6baf4d ]
BCM5325 doesn't implement B53_UC_FWD_EN, B53_MC_FWD_EN or B53_IPMC_FWD_EN.
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Link: https://patch.msgid.link/20250614080000.1884236-9-noltari@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 18 +++++++++++-------
drivers/net/dsa/b53/b53_regs.h | 1 +
2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 2de7a3254455..42fd1b4ed56e 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -344,14 +344,18 @@ static void b53_set_forwarding(struct b53_device *dev, int enable)
b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
mgmt |= B53_MII_DUMB_FWDG_EN;
b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
- }
- /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
- * frames should be flooded or not.
- */
- b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN;
- b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
+ /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
+ * frames should be flooded or not.
+ */
+ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
+ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN;
+ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
+ } else {
+ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
+ mgmt |= B53_IP_MCAST_25;
+ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
+ }
}
static void b53_enable_vlan(struct b53_device *dev, int port, bool enable,
diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h
index e5776545a8a0..77fb7ae660b8 100644
--- a/drivers/net/dsa/b53/b53_regs.h
+++ b/drivers/net/dsa/b53/b53_regs.h
@@ -104,6 +104,7 @@
/* IP Multicast control (8 bit) */
#define B53_IP_MULTICAST_CTRL 0x21
+#define B53_IP_MCAST_25 BIT(0)
#define B53_IPMC_FWD_EN BIT(1)
#define B53_UC_FWD_EN BIT(6)
#define B53_MC_FWD_EN BIT(7)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 382/644] vhost: fail early when __vhost_add_used() fails
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 381/644] net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325 Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 383/644] watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition Greg Kroah-Hartman
` (267 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eugenio Pérez, Jason Wang,
Michael S. Tsirkin, Lei Yang, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
[ Upstream commit b4ba1207d45adaafa2982c035898b36af2d3e518 ]
This patch fails vhost_add_used_n() early when __vhost_add_used()
fails to make sure used idx is not updated with stale used ring
information.
Reported-by: Eugenio Pérez <eperezma@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20250714084755.11921-2-jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/vhost.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 061af5dc92e6..973e079025a9 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2421,6 +2421,9 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
}
r = __vhost_add_used_n(vq, heads, count);
+ if (r < 0)
+ return r;
+
/* Make sure buffer is written before we update index. */
smp_wmb();
if (vhost_put_used_idx(vq)) {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 383/644] watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 382/644] vhost: fail early when __vhost_add_used() fails Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 384/644] cifs: Fix calling CIFSFindFirst() for root path without msearch Greg Kroah-Hartman
` (266 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Plattner, Timur Tabi,
Guenter Roeck, Wim Van Sebroeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Plattner <aplattner@nvidia.com>
[ Upstream commit 48defdf6b083f74a44e1f742db284960d3444aec ]
The MediaTek implementation of the sbsa_gwdt watchdog has a race
condition where a write to SBSA_GWDT_WRR is ignored if it occurs while
the hardware is processing a timeout refresh that asserts WS0.
Detect this based on the hardware implementer and adjust
wdd->min_hw_heartbeat_ms to avoid the race by forcing the keepalive ping
to be one second later.
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Acked-by: Timur Tabi <ttabi@nvidia.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20250721230640.2244915-1-aplattner@nvidia.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/sbsa_gwdt.c | 50 +++++++++++++++++++++++++++++++++---
1 file changed, 47 insertions(+), 3 deletions(-)
diff --git a/drivers/watchdog/sbsa_gwdt.c b/drivers/watchdog/sbsa_gwdt.c
index 7bf28545b47a..f07ffc7b8312 100644
--- a/drivers/watchdog/sbsa_gwdt.c
+++ b/drivers/watchdog/sbsa_gwdt.c
@@ -76,11 +76,17 @@
#define SBSA_GWDT_VERSION_MASK 0xF
#define SBSA_GWDT_VERSION_SHIFT 16
+#define SBSA_GWDT_IMPL_MASK 0x7FF
+#define SBSA_GWDT_IMPL_SHIFT 0
+#define SBSA_GWDT_IMPL_MEDIATEK 0x426
+
/**
* struct sbsa_gwdt - Internal representation of the SBSA GWDT
* @wdd: kernel watchdog_device structure
* @clk: store the System Counter clock frequency, in Hz.
* @version: store the architecture version
+ * @need_ws0_race_workaround:
+ * indicate whether to adjust wdd->timeout to avoid a race with WS0
* @refresh_base: Virtual address of the watchdog refresh frame
* @control_base: Virtual address of the watchdog control frame
*/
@@ -88,6 +94,7 @@ struct sbsa_gwdt {
struct watchdog_device wdd;
u32 clk;
int version;
+ bool need_ws0_race_workaround;
void __iomem *refresh_base;
void __iomem *control_base;
};
@@ -162,6 +169,31 @@ static int sbsa_gwdt_set_timeout(struct watchdog_device *wdd,
*/
sbsa_gwdt_reg_write(((u64)gwdt->clk / 2) * timeout, gwdt);
+ /*
+ * Some watchdog hardware has a race condition where it will ignore
+ * sbsa_gwdt_keepalive() if it is called at the exact moment that a
+ * timeout occurs and WS0 is being asserted. Unfortunately, the default
+ * behavior of the watchdog core is very likely to trigger this race
+ * when action=0 because it programs WOR to be half of the desired
+ * timeout, and watchdog_next_keepalive() chooses the exact same time to
+ * send keepalive pings.
+ *
+ * This triggers a race where sbsa_gwdt_keepalive() can be called right
+ * as WS0 is being asserted, and affected hardware will ignore that
+ * write and continue to assert WS0. After another (timeout / 2)
+ * seconds, the same race happens again. If the driver wins then the
+ * explicit refresh will reset WS0 to false but if the hardware wins,
+ * then WS1 is asserted and the system resets.
+ *
+ * Avoid the problem by scheduling keepalive heartbeats one second later
+ * than the WOR timeout.
+ *
+ * This workaround might not be needed in a future revision of the
+ * hardware.
+ */
+ if (gwdt->need_ws0_race_workaround)
+ wdd->min_hw_heartbeat_ms = timeout * 500 + 1000;
+
return 0;
}
@@ -203,12 +235,15 @@ static int sbsa_gwdt_keepalive(struct watchdog_device *wdd)
static void sbsa_gwdt_get_version(struct watchdog_device *wdd)
{
struct sbsa_gwdt *gwdt = watchdog_get_drvdata(wdd);
- int ver;
+ int iidr, ver, impl;
- ver = readl(gwdt->control_base + SBSA_GWDT_W_IIDR);
- ver = (ver >> SBSA_GWDT_VERSION_SHIFT) & SBSA_GWDT_VERSION_MASK;
+ iidr = readl(gwdt->control_base + SBSA_GWDT_W_IIDR);
+ ver = (iidr >> SBSA_GWDT_VERSION_SHIFT) & SBSA_GWDT_VERSION_MASK;
+ impl = (iidr >> SBSA_GWDT_IMPL_SHIFT) & SBSA_GWDT_IMPL_MASK;
gwdt->version = ver;
+ gwdt->need_ws0_race_workaround =
+ !action && (impl == SBSA_GWDT_IMPL_MEDIATEK);
}
static int sbsa_gwdt_start(struct watchdog_device *wdd)
@@ -300,6 +335,15 @@ static int sbsa_gwdt_probe(struct platform_device *pdev)
else
wdd->max_hw_heartbeat_ms = GENMASK_ULL(47, 0) / gwdt->clk * 1000;
+ if (gwdt->need_ws0_race_workaround) {
+ /*
+ * A timeout of 3 seconds means that WOR will be set to 1.5
+ * seconds and the heartbeat will be scheduled every 2.5
+ * seconds.
+ */
+ wdd->min_timeout = 3;
+ }
+
status = readl(cf_base + SBSA_GWDT_WCS);
if (status & SBSA_GWDT_WCS_WS1) {
dev_warn(dev, "System reset by WDT.\n");
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 384/644] cifs: Fix calling CIFSFindFirst() for root path without msearch
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 383/644] watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 385/644] crypto: hisilicon/hpre - fix dma unmap sequence Greg Kroah-Hartman
` (265 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Steve French,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pali Rohár <pali@kernel.org>
[ Upstream commit b460249b9a1dab7a9f58483e5349d045ad6d585c ]
To query root path (without msearch wildcard) it is needed to
send pattern '\' instead of '' (empty string).
This allows to use CIFSFindFirst() to query information about root path
which is being used in followup changes.
This change fixes the stat() syscall called on the root path on the mount.
It is because stat() syscall uses the cifs_query_path_info() function and
it can fallback to the CIFSFindFirst() usage with msearch=false.
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/cifssmb.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 6ca08e473a7e..e6541bd5c63d 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -4362,6 +4362,12 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon,
pSMB->FileName[name_len] = 0;
pSMB->FileName[name_len+1] = 0;
name_len += 2;
+ } else if (!searchName[0]) {
+ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb);
+ pSMB->FileName[1] = 0;
+ pSMB->FileName[2] = 0;
+ pSMB->FileName[3] = 0;
+ name_len = 4;
}
} else {
name_len = copy_path_name(pSMB->FileName, searchName);
@@ -4373,6 +4379,10 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon,
pSMB->FileName[name_len] = '*';
pSMB->FileName[name_len+1] = 0;
name_len += 2;
+ } else if (!searchName[0]) {
+ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb);
+ pSMB->FileName[1] = 0;
+ name_len = 2;
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 385/644] crypto: hisilicon/hpre - fix dma unmap sequence
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 384/644] cifs: Fix calling CIFSFindFirst() for root path without msearch Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 386/644] ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr Greg Kroah-Hartman
` (264 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhiqi Song, Chenghai Huang,
Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhiqi Song <songzhiqi1@huawei.com>
[ Upstream commit 982fd1a74de63c388c060e4fa6f7fbd088d6d02e ]
Perform DMA unmapping operations before processing data.
Otherwise, there may be unsynchronized data accessed by
the CPU when the SWIOTLB is enabled.
Signed-off-by: Zhiqi Song <songzhiqi1@huawei.com>
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/hisilicon/hpre/hpre_crypto.c b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
index 4062251fd1b6..14e2f2042a55 100644
--- a/drivers/crypto/hisilicon/hpre/hpre_crypto.c
+++ b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
@@ -1458,11 +1458,13 @@ static void hpre_ecdh_cb(struct hpre_ctx *ctx, void *resp)
if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld))
atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value);
+ /* Do unmap before data processing */
+ hpre_ecdh_hw_data_clr_all(ctx, req, areq->dst, areq->src);
+
p = sg_virt(areq->dst);
memmove(p, p + ctx->key_sz - curve_sz, curve_sz);
memmove(p + curve_sz, p + areq->dst_len - curve_sz, curve_sz);
- hpre_ecdh_hw_data_clr_all(ctx, req, areq->dst, areq->src);
kpp_request_complete(areq, ret);
atomic64_inc(&dfx[HPRE_RECV_CNT].value);
@@ -1766,9 +1768,11 @@ static void hpre_curve25519_cb(struct hpre_ctx *ctx, void *resp)
if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld))
atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value);
+ /* Do unmap before data processing */
+ hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src);
+
hpre_key_to_big_end(sg_virt(areq->dst), CURVE25519_KEY_SIZE);
- hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src);
kpp_request_complete(areq, ret);
atomic64_inc(&dfx[HPRE_RECV_CNT].value);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 386/644] ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 385/644] crypto: hisilicon/hpre - fix dma unmap sequence Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 387/644] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated Greg Kroah-Hartman
` (263 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+544248a761451c0df72f,
Theodore Tso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
[ Upstream commit 099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 ]
A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()
when an inode had the INLINE_DATA_FL flag set but was missing the
system.data extended attribute.
Since this can happen due to a maiciouly fuzzed file system, we
shouldn't BUG, but rather, report it as a corrupted file system.
Add similar replacements of BUG_ON with EXT4_ERROR_INODE() ii
ext4_create_inline_data() and ext4_inline_data_truncate().
Reported-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/inline.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index a1cc14156ced..d2cdb151a9c1 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -298,7 +298,11 @@ static int ext4_create_inline_data(handle_t *handle,
if (error)
goto out;
- BUG_ON(!is.s.not_found);
+ if (!is.s.not_found) {
+ EXT4_ERROR_INODE(inode, "unexpected inline data xattr");
+ error = -EFSCORRUPTED;
+ goto out;
+ }
error = ext4_xattr_ibody_set(handle, inode, &i, &is);
if (error) {
@@ -349,7 +353,11 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
if (error)
goto out;
- BUG_ON(is.s.not_found);
+ if (is.s.not_found) {
+ EXT4_ERROR_INODE(inode, "missing inline data xattr");
+ error = -EFSCORRUPTED;
+ goto out;
+ }
len -= EXT4_MIN_INLINE_DATA_SIZE;
value = kzalloc(len, GFP_NOFS);
@@ -1981,7 +1989,12 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
if ((err = ext4_xattr_ibody_find(inode, &i, &is)) != 0)
goto out_error;
- BUG_ON(is.s.not_found);
+ if (is.s.not_found) {
+ EXT4_ERROR_INODE(inode,
+ "missing inline data xattr");
+ err = -EFSCORRUPTED;
+ goto out_error;
+ }
value_len = le32_to_cpu(is.s.here->e_value_size);
value = kmalloc(value_len, GFP_NOFS);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 387/644] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 386/644] ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 388/644] fs/orangefs: use snprintf() instead of sprintf() Greg Kroah-Hartman
` (262 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Showrya M N, Potnuri Bharat Teja,
Chris Leech, Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Showrya M N <showrya@chelsio.com>
[ Upstream commit 3ea3a256ed81f95ab0f3281a0e234b01a9cae605 ]
In case of an ib_fast_reg_mr allocation failure during iSER setup, the
machine hits a panic because iscsi_conn->dd_data is initialized
unconditionally, even when no memory is allocated (dd_size == 0). This
leads invalid pointer dereference during connection teardown.
Fix by setting iscsi_conn->dd_data only if memory is actually allocated.
Panic trace:
------------
iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12
iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers
BUG: unable to handle page fault for address: fffffffffffffff8
RIP: 0010:swake_up_locked.part.5+0xa/0x40
Call Trace:
complete+0x31/0x40
iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]
iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]
iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]
iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]
? netlink_lookup+0x12f/0x1b0
? netlink_deliver_tap+0x2c/0x200
netlink_unicast+0x1ab/0x280
netlink_sendmsg+0x257/0x4f0
? _copy_from_user+0x29/0x60
sock_sendmsg+0x5f/0x70
Signed-off-by: Showrya M N <showrya@chelsio.com>
Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
Link: https://lore.kernel.org/r/20250627112329.19763-1-showrya@chelsio.com
Reviewed-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/libiscsi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index d422e8fd7137..225aa8279960 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -3104,7 +3104,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size,
conn = cls_conn->dd_data;
memset(conn, 0, sizeof(*conn) + dd_size);
- conn->dd_data = cls_conn->dd_data + sizeof(*conn);
+ if (dd_size)
+ conn->dd_data = cls_conn->dd_data + sizeof(*conn);
conn->session = session;
conn->cls_conn = cls_conn;
conn->c_stage = ISCSI_CONN_INITIAL_STAGE;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 388/644] fs/orangefs: use snprintf() instead of sprintf()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 387/644] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated Greg Kroah-Hartman
@ 2025-08-26 11:07 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 389/644] watchdog: dw_wdt: Fix default timeout Greg Kroah-Hartman
` (261 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amir Mohammad Jahangirzad,
Mike Marshall, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
[ Upstream commit cdfa1304657d6f23be8fd2bb0516380a3c89034e ]
sprintf() is discouraged for use with bounded destination buffers
as it does not prevent buffer overflows when the formatted output
exceeds the destination buffer size. snprintf() is a safer
alternative as it limits the number of bytes written and ensures
NUL-termination.
Replace sprintf() with snprintf() for copying the debug string
into a temporary buffer, using ORANGEFS_MAX_DEBUG_STRING_LEN as
the maximum size to ensure safe formatting and prevent memory
corruption in edge cases.
EDIT: After this patch sat on linux-next for a few days, Dan
Carpenter saw it and suggested that I use scnprintf instead of
snprintf. I made the change and retested.
Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/orangefs/orangefs-debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index b57140ebfad0..cd4bfd92ebd6 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -354,7 +354,7 @@ static ssize_t orangefs_debug_read(struct file *file,
goto out;
mutex_lock(&orangefs_debug_lock);
- sprintf_ret = sprintf(buf, "%s", (char *)file->private_data);
+ sprintf_ret = scnprintf(buf, ORANGEFS_MAX_DEBUG_STRING_LEN, "%s", (char *)file->private_data);
mutex_unlock(&orangefs_debug_lock);
read_ret = simple_read_from_buffer(ubuf, count, ppos, buf, sprintf_ret);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 389/644] watchdog: dw_wdt: Fix default timeout
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2025-08-26 11:07 ` [PATCH 5.15 388/644] fs/orangefs: use snprintf() instead of sprintf() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 390/644] MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} Greg Kroah-Hartman
` (260 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Reichel, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Reichel <sebastian.reichel@collabora.com>
[ Upstream commit ac3dbb91e0167d017f44701dd51c1efe30d0c256 ]
The Synopsys Watchdog driver sets the default timeout to 30 seconds,
but on some devices this is not a valid timeout. E.g. on RK3588 the
actual timeout being used is 44 seconds instead.
Once the watchdog is started the value is updated accordingly, but
it would be better to expose a sensible timeout to userspace without
the need to first start the watchdog.
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20250717-dw-wdt-fix-initial-timeout-v1-1-86dc864d48dd@kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/dw_wdt.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/watchdog/dw_wdt.c b/drivers/watchdog/dw_wdt.c
index 498c1c403fc9..7571fc2df541 100644
--- a/drivers/watchdog/dw_wdt.c
+++ b/drivers/watchdog/dw_wdt.c
@@ -660,6 +660,8 @@ static int dw_wdt_drv_probe(struct platform_device *pdev)
} else {
wdd->timeout = DW_WDT_DEFAULT_SECONDS;
watchdog_init_timeout(wdd, 0, dev);
+ /* Limit timeout value to hardware constraints. */
+ dw_wdt_set_timeout(wdd, wdd->timeout);
}
platform_set_drvdata(pdev, dw_wdt);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 390/644] MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free}
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 389/644] watchdog: dw_wdt: Fix default timeout Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 391/644] watchdog: iTCO_wdt: Report error if timeout configuration fails Greg Kroah-Hartman
` (259 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shiji Yang, Thomas Bogendoerfer,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shiji Yang <yangshiji66@outlook.com>
[ Upstream commit 844615dd0f2d95c018ec66b943e08af22b62aff3 ]
These functions are exported but their prototypes are not defined.
This patch adds the missing function prototypes to fix the following
compilation warnings:
arch/mips/kernel/vpe-mt.c:180:7: error: no previous prototype for 'vpe_alloc' [-Werror=missing-prototypes]
180 | void *vpe_alloc(void)
| ^~~~~~~~~
arch/mips/kernel/vpe-mt.c:198:5: error: no previous prototype for 'vpe_start' [-Werror=missing-prototypes]
198 | int vpe_start(void *vpe, unsigned long start)
| ^~~~~~~~~
arch/mips/kernel/vpe-mt.c:208:5: error: no previous prototype for 'vpe_stop' [-Werror=missing-prototypes]
208 | int vpe_stop(void *vpe)
| ^~~~~~~~
arch/mips/kernel/vpe-mt.c:229:5: error: no previous prototype for 'vpe_free' [-Werror=missing-prototypes]
229 | int vpe_free(void *vpe)
| ^~~~~~~~
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/include/asm/vpe.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h
index ef7e07829607..0094709b617d 100644
--- a/arch/mips/include/asm/vpe.h
+++ b/arch/mips/include/asm/vpe.h
@@ -123,4 +123,12 @@ void cleanup_tc(struct tc *tc);
int __init vpe_module_init(void);
void __exit vpe_module_exit(void);
+
+#ifdef CONFIG_MIPS_VPE_LOADER_MT
+void *vpe_alloc(void);
+int vpe_start(void *vpe, unsigned long start);
+int vpe_stop(void *vpe);
+int vpe_free(void *vpe);
+#endif /* CONFIG_MIPS_VPE_LOADER_MT */
+
#endif /* _ASM_VPE_H */
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 391/644] watchdog: iTCO_wdt: Report error if timeout configuration fails
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 390/644] MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 392/644] scsi: bfa: Double-free fix Greg Kroah-Hartman
` (258 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ziyan Fu, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziyan Fu <fuzy5@lenovo.com>
[ Upstream commit 40efc43eb7ffb5a4e2f998c13b8cfb555e671b92 ]
The driver probes with the invalid timeout value when
'iTCO_wdt_set_timeout()' fails, as its return value is not checked. In
this case, when executing "wdctl", we may get:
Device: /dev/watchdog0
Timeout: 30 seconds
Timeleft: 613 seconds
The timeout value is the value of "heartbeat" or "WATCHDOG_TIMEOUT", and
the timeleft value is calculated from the register value we actually read
(0xffff) by masking with 0x3ff and converting ticks to seconds (* 6 / 10).
Add error handling to return the failure code if 'iTCO_wdt_set_timeout()'
fails, ensuring the driver probe fails and prevents invalid operation.
Signed-off-by: Ziyan Fu <fuzy5@lenovo.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20250704073518.7838-1-13281011316@163.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/iTCO_wdt.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/watchdog/iTCO_wdt.c b/drivers/watchdog/iTCO_wdt.c
index 3cebb83b3e67..02bcbfe8f8c9 100644
--- a/drivers/watchdog/iTCO_wdt.c
+++ b/drivers/watchdog/iTCO_wdt.c
@@ -605,7 +605,11 @@ static int iTCO_wdt_probe(struct platform_device *pdev)
/* Check that the heartbeat value is within it's range;
if not reset to the default */
if (iTCO_wdt_set_timeout(&p->wddev, heartbeat)) {
- iTCO_wdt_set_timeout(&p->wddev, WATCHDOG_TIMEOUT);
+ ret = iTCO_wdt_set_timeout(&p->wddev, WATCHDOG_TIMEOUT);
+ if (ret != 0) {
+ dev_err(dev, "Failed to set watchdog timeout (%d)\n", WATCHDOG_TIMEOUT);
+ return ret;
+ }
dev_info(dev, "timeout value out of range, using %d\n",
WATCHDOG_TIMEOUT);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 392/644] scsi: bfa: Double-free fix
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 391/644] watchdog: iTCO_wdt: Report error if timeout configuration fails Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 393/644] jfs: truncate good inode pages when hard link is 0 Greg Kroah-Hartman
` (257 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, jackysliu, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: jackysliu <1972843537@qq.com>
[ Upstream commit add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9 ]
When the bfad_im_probe() function fails during initialization, the memory
pointed to by bfad->im is freed without setting bfad->im to NULL.
Subsequently, during driver uninstallation, when the state machine enters
the bfad_sm_stopping state and calls the bfad_im_probe_undo() function,
it attempts to free the memory pointed to by bfad->im again, thereby
triggering a double-free vulnerability.
Set bfad->im to NULL if probing fails.
Signed-off-by: jackysliu <1972843537@qq.com>
Link: https://lore.kernel.org/r/tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/bfa/bfad_im.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c
index 6b5841b1c06e..38292bc43d91 100644
--- a/drivers/scsi/bfa/bfad_im.c
+++ b/drivers/scsi/bfa/bfad_im.c
@@ -707,6 +707,7 @@ bfad_im_probe(struct bfad_s *bfad)
if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {
kfree(im);
+ bfad->im = NULL;
return BFA_STATUS_FAILED;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 393/644] jfs: truncate good inode pages when hard link is 0
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 392/644] scsi: bfa: Double-free fix Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 394/644] jfs: Regular file corruption check Greg Kroah-Hartman
` (256 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6e516bb515d93230bc7b,
Lizhi Xu, Dave Kleikamp, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
[ Upstream commit 2d91b3765cd05016335cd5df5e5c6a29708ec058 ]
The fileset value of the inode copy from the disk by the reproducer is
AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its
inode pages are not truncated. This causes the bugon to be triggered when
executing clear_inode() because nrpages is greater than 0.
Reported-by: syzbot+6e516bb515d93230bc7b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6e516bb515d93230bc7b
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c
index 072821b50ab9..e132dafa1b6c 100644
--- a/fs/jfs/inode.c
+++ b/fs/jfs/inode.c
@@ -145,9 +145,9 @@ void jfs_evict_inode(struct inode *inode)
if (!inode->i_nlink && !is_bad_inode(inode)) {
dquot_initialize(inode);
+ truncate_inode_pages_final(&inode->i_data);
if (JFS_IP(inode)->fileset == FILESYSTEM_I) {
struct inode *ipimap = JFS_SBI(inode->i_sb)->ipimap;
- truncate_inode_pages_final(&inode->i_data);
if (test_cflag(COMMIT_Freewmap, inode))
jfs_free_zero_link(inode);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 394/644] jfs: Regular file corruption check
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 393/644] jfs: truncate good inode pages when hard link is 0 Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 395/644] jfs: upper bound check of tree index in dbAllocAG Greg Kroah-Hartman
` (255 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+630f6d40b3ccabc8e96e,
Edward Adam Davis, Dave Kleikamp, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit 2d04df8116426b6c7b9f8b9b371250f666a2a2fb ]
The reproducer builds a corrupted file on disk with a negative i_size value.
Add a check when opening this file to avoid subsequent operation failures.
Reported-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=630f6d40b3ccabc8e96e
Tested-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/file.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/jfs/file.c b/fs/jfs/file.c
index 1d732fd223d4..5c28883eee4e 100644
--- a/fs/jfs/file.c
+++ b/fs/jfs/file.c
@@ -44,6 +44,9 @@ static int jfs_open(struct inode *inode, struct file *file)
{
int rc;
+ if (S_ISREG(inode->i_mode) && inode->i_size < 0)
+ return -EIO;
+
if ((rc = dquot_file_open(inode, file)))
return rc;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 395/644] jfs: upper bound check of tree index in dbAllocAG
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 394/644] jfs: Regular file corruption check Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 396/644] MIPS: Dont crash in stack_top() for tasks without ABI or vDSO Greg Kroah-Hartman
` (254 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+cffd18309153948f3c3e,
Arnaud Lecomte, Dave Kleikamp, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaud Lecomte <contact@arnaud-lcm.com>
[ Upstream commit c214006856ff52a8ff17ed8da52d50601d54f9ce ]
When computing the tree index in dbAllocAG, we never check if we are
out of bounds realative to the size of the stree.
This could happen in a scenario where the filesystem metadata are
corrupted.
Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index c2d4349cd959..f4f4c5ec38c6 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1457,6 +1457,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
(1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth;
ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
+ if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) {
+ jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n");
+ release_metapage(mp);
+ return -EIO;
+ }
+
/* dmap control page trees fan-out by 4 and a single allocation
* group may be described by 1 or 2 subtrees within the ag level
* dmap control page, depending upon the ag size. examine the ag's
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 396/644] MIPS: Dont crash in stack_top() for tasks without ABI or vDSO
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 395/644] jfs: upper bound check of tree index in dbAllocAG Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 397/644] media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control Greg Kroah-Hartman
` (253 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, David Gow,
Huacai Chen, Thomas Bogendoerfer, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
[ Upstream commit e9f4a6b3421e936c3ee9d74710243897d74dbaa2 ]
Not all tasks have an ABI associated or vDSO mapped,
for example kthreads never do.
If such a task ever ends up calling stack_top(), it will derefence the
NULL ABI pointer and crash.
This can for example happen when using kunit:
mips_stack_top+0x28/0xc0
arch_pick_mmap_layout+0x190/0x220
kunit_vm_mmap_init+0xf8/0x138
__kunit_add_resource+0x40/0xa8
kunit_vm_mmap+0x88/0xd8
usercopy_test_init+0xb8/0x240
kunit_try_run_case+0x5c/0x1a8
kunit_generic_run_threadfn_adapter+0x28/0x50
kthread+0x118/0x240
ret_from_kernel_thread+0x14/0x1c
Only dereference the ABI point if it is set.
The GIC page is also included as it is specific to the vDSO.
Also move the randomization adjustment into the same conditional.
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: David Gow <davidgow@google.com>
Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/kernel/process.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index cbff1b974f88..b9ef72ab967f 100644
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -688,18 +688,20 @@ unsigned long mips_stack_top(void)
}
/* Space for the VDSO, data page & GIC user page */
- top -= PAGE_ALIGN(current->thread.abi->vdso->size);
- top -= PAGE_SIZE;
- top -= mips_gic_present() ? PAGE_SIZE : 0;
+ if (current->thread.abi) {
+ top -= PAGE_ALIGN(current->thread.abi->vdso->size);
+ top -= PAGE_SIZE;
+ top -= mips_gic_present() ? PAGE_SIZE : 0;
+
+ /* Space to randomize the VDSO base */
+ if (current->flags & PF_RANDOMIZE)
+ top -= VDSO_RANDOMIZE_SIZE;
+ }
/* Space for cache colour alignment */
if (cpu_has_dc_aliases)
top -= shm_align_mask + 1;
- /* Space to randomize the VDSO base */
- if (current->flags & PF_RANDOMIZE)
- top -= VDSO_RANDOMIZE_SIZE;
-
return top;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 397/644] media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 396/644] MIPS: Dont crash in stack_top() for tasks without ABI or vDSO Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 398/644] leds: leds-lp50xx: Handle reg to get correct multi_index Greg Kroah-Hartman
` (252 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Söderlund, Sakari Ailus,
Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
[ Upstream commit 5a0abb8909b9dcf347fce1d201ac6686ac33fd64 ]
When operating a pipeline with a missing V4L2_CID_LINK_FREQ control this
two line warning is printed each time the pipeline is started. Reduce
this excessive logging by only warning once for the missing control.
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/v4l2-core/v4l2-common.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/media/v4l2-core/v4l2-common.c b/drivers/media/v4l2-core/v4l2-common.c
index 04af03285a20..90f76a7ff447 100644
--- a/drivers/media/v4l2-core/v4l2-common.c
+++ b/drivers/media/v4l2-core/v4l2-common.c
@@ -470,10 +470,10 @@ s64 v4l2_get_link_freq(struct v4l2_ctrl_handler *handler, unsigned int mul,
freq = div_u64(v4l2_ctrl_g_ctrl_int64(ctrl) * mul, div);
- pr_warn("%s: Link frequency estimated using pixel rate: result might be inaccurate\n",
- __func__);
- pr_warn("%s: Consider implementing support for V4L2_CID_LINK_FREQ in the transmitter driver\n",
- __func__);
+ pr_warn_once("%s: Link frequency estimated using pixel rate: result might be inaccurate\n",
+ __func__);
+ pr_warn_once("%s: Consider implementing support for V4L2_CID_LINK_FREQ in the transmitter driver\n",
+ __func__);
}
return freq > 0 ? freq : -EINVAL;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 398/644] leds: leds-lp50xx: Handle reg to get correct multi_index
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 397/644] media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 399/644] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() Greg Kroah-Hartman
` (251 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Adolfsson, Jacek Anaszewski,
Lee Jones, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Adolfsson <johan.adolfsson@axis.com>
[ Upstream commit 2e84a5e5374232e6f356ce5c079a5658d7e4af2c ]
mc_subled used for multi_index needs well defined array indexes,
to guarantee the desired result, use reg for that.
If devicetree child nodes is processed in random or reverse order
you may end up with multi_index "blue green red" instead of the expected
"red green blue".
If user space apps uses multi_index to deduce how to control the leds
they would most likely be broken without this patch if devicetree
processing is reversed (which it appears to be).
arch/arm/boot/dts/aspeed/aspeed-bmc-facebook-fuji.dts has reg set
but I don't see how it can have worked without this change.
If reg is not set, an error is returned,
If reg is out of range, an error is returned.
reg within led child nodes starts with 0, to map to the iout in each bank.
Signed-off-by: Johan Adolfsson <johan.adolfsson@axis.com>
Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Link: https://lore.kernel.org/r/20250617-led-fix-v7-1-cdbe8efc88fa@axis.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/leds-lp50xx.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c
index 401df1e2e05d..a2748e467451 100644
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -487,6 +487,7 @@ static int lp50xx_probe_dt(struct lp50xx *priv)
}
fwnode_for_each_child_node(child, led_node) {
+ int multi_index;
ret = fwnode_property_read_u32(led_node, "color",
&color_id);
if (ret) {
@@ -494,8 +495,16 @@ static int lp50xx_probe_dt(struct lp50xx *priv)
dev_err(priv->dev, "Cannot read color\n");
goto child_out;
}
+ ret = fwnode_property_read_u32(led_node, "reg", &multi_index);
+ if (ret != 0) {
+ dev_err(priv->dev, "reg must be set\n");
+ return -EINVAL;
+ } else if (multi_index >= LP50XX_LEDS_PER_MODULE) {
+ dev_err(priv->dev, "reg %i out of range\n", multi_index);
+ return -EINVAL;
+ }
- mc_led_info[num_colors].color_index = color_id;
+ mc_led_info[multi_index].color_index = color_id;
num_colors++;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 399/644] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 398/644] leds: leds-lp50xx: Handle reg to get correct multi_index Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 400/644] RDMA/core: reduce stack using in nldev_stat_get_doit() Greg Kroah-Hartman
` (250 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yury Norov [NVIDIA], Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yury Norov [NVIDIA] <yury.norov@gmail.com>
[ Upstream commit 59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a ]
The function divides number of online CPUs by num_core_siblings, and
later checks the divider by zero. This implies a possibility to get
and divide-by-zero runtime error. Fix it by moving the check prior to
division. This also helps to save one indentation level.
Signed-off-by: Yury Norov [NVIDIA] <yury.norov@gmail.com>
Link: https://patch.msgid.link/20250604193947.11834-3-yury.norov@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hfi1/affinity.c | 44 +++++++++++++++------------
1 file changed, 24 insertions(+), 20 deletions(-)
diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c
index 4c403d9e90cb..2b17acbb3569 100644
--- a/drivers/infiniband/hw/hfi1/affinity.c
+++ b/drivers/infiniband/hw/hfi1/affinity.c
@@ -967,31 +967,35 @@ static void find_hw_thread_mask(uint hw_thread_no, cpumask_var_t hw_thread_mask,
struct hfi1_affinity_node_list *affinity)
{
int possible, curr_cpu, i;
- uint num_cores_per_socket = node_affinity.num_online_cpus /
+ uint num_cores_per_socket;
+
+ cpumask_copy(hw_thread_mask, &affinity->proc.mask);
+
+ if (affinity->num_core_siblings == 0)
+ return;
+
+ num_cores_per_socket = node_affinity.num_online_cpus /
affinity->num_core_siblings /
node_affinity.num_online_nodes;
- cpumask_copy(hw_thread_mask, &affinity->proc.mask);
- if (affinity->num_core_siblings > 0) {
- /* Removing other siblings not needed for now */
- possible = cpumask_weight(hw_thread_mask);
- curr_cpu = cpumask_first(hw_thread_mask);
- for (i = 0;
- i < num_cores_per_socket * node_affinity.num_online_nodes;
- i++)
- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
-
- for (; i < possible; i++) {
- cpumask_clear_cpu(curr_cpu, hw_thread_mask);
- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
- }
+ /* Removing other siblings not needed for now */
+ possible = cpumask_weight(hw_thread_mask);
+ curr_cpu = cpumask_first(hw_thread_mask);
+ for (i = 0;
+ i < num_cores_per_socket * node_affinity.num_online_nodes;
+ i++)
+ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
- /* Identifying correct HW threads within physical cores */
- cpumask_shift_left(hw_thread_mask, hw_thread_mask,
- num_cores_per_socket *
- node_affinity.num_online_nodes *
- hw_thread_no);
+ for (; i < possible; i++) {
+ cpumask_clear_cpu(curr_cpu, hw_thread_mask);
+ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
}
+
+ /* Identifying correct HW threads within physical cores */
+ cpumask_shift_left(hw_thread_mask, hw_thread_mask,
+ num_cores_per_socket *
+ node_affinity.num_online_nodes *
+ hw_thread_no);
}
int hfi1_get_proc_affinity(int node)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 400/644] RDMA/core: reduce stack using in nldev_stat_get_doit()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 399/644] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 401/644] scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure Greg Kroah-Hartman
` (249 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 43163f4c30f94d2103c948a247cdf2cda5068ca7 ]
In the s390 defconfig, gcc-10 and earlier end up inlining three functions
into nldev_stat_get_doit(), and each of them uses some 600 bytes of stack.
The result is a function with an overly large stack frame and a warning:
drivers/infiniband/core/nldev.c:2466:1: error: the frame size of 1720 bytes is larger than 1280 bytes [-Werror=frame-larger-than=]
Mark the three functions noinline_for_stack to prevent this, ensuring
that only one copy of the nlattr array is on the stack of each function.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20250620113335.3776965-1-arnd@kernel.org
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/nldev.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
index 050bafc7c52d..1bfa957b8775 100644
--- a/drivers/infiniband/core/nldev.c
+++ b/drivers/infiniband/core/nldev.c
@@ -1391,10 +1391,11 @@ static const struct nldev_fill_res_entry fill_entries[RDMA_RESTRACK_MAX] = {
};
-static int res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct netlink_ext_ack *extack,
- enum rdma_restrack_type res_type,
- res_fill_func_t fill_func)
+static noinline_for_stack int
+res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct netlink_ext_ack *extack,
+ enum rdma_restrack_type res_type,
+ res_fill_func_t fill_func)
{
const struct nldev_fill_res_entry *fe = &fill_entries[res_type];
struct nlattr *tb[RDMA_NLDEV_ATTR_MAX];
@@ -2041,10 +2042,10 @@ static int nldev_stat_del_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
return ret;
}
-static int stat_get_doit_default_counter(struct sk_buff *skb,
- struct nlmsghdr *nlh,
- struct netlink_ext_ack *extack,
- struct nlattr *tb[])
+static noinline_for_stack int
+stat_get_doit_default_counter(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct netlink_ext_ack *extack,
+ struct nlattr *tb[])
{
struct rdma_hw_stats *stats;
struct nlattr *table_attr;
@@ -2130,8 +2131,9 @@ static int stat_get_doit_default_counter(struct sk_buff *skb,
return ret;
}
-static int stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct netlink_ext_ack *extack, struct nlattr *tb[])
+static noinline_for_stack int
+stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct netlink_ext_ack *extack, struct nlattr *tb[])
{
static enum rdma_nl_counter_mode mode;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 401/644] scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 400/644] RDMA/core: reduce stack using in nldev_stat_get_doit() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 402/644] scsi: mpt3sas: Correctly handle ATA device errors Greg Kroah-Hartman
` (248 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Tee, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Tee <justin.tee@broadcom.com>
[ Upstream commit 6698796282e828733cde3329c887b4ae9e5545e9 ]
If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the
resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may
occur before sli4_hba.hdwqs are allocated. This may result in a null
pointer dereference when attempting to take the abts_io_buf_list_lock for
the first hardware queue. Fix by adding a null ptr check on
phba->sli4_hba.hdwq and early return because this situation means there
must have been an error during port initialization.
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20250618192138.124116-4-justintee8345@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_scsi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index d9fb5e09fb53..520491a8b56e 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -454,6 +454,10 @@ lpfc_sli4_vport_delete_fcp_xri_aborted(struct lpfc_vport *vport)
if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_FCP))
return;
+ /* may be called before queues established if hba_setup fails */
+ if (!phba->sli4_hba.hdwq)
+ return;
+
spin_lock_irqsave(&phba->hbalock, iflag);
for (idx = 0; idx < phba->cfg_hdw_queue; idx++) {
qp = &phba->sli4_hba.hdwq[idx];
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 402/644] scsi: mpt3sas: Correctly handle ATA device errors
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 401/644] scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 403/644] pinctrl: stm32: Manage irq affinity settings Greg Kroah-Hartman
` (247 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Yafang Shao,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 15592a11d5a5c8411ac8494ec49736b658f6fbff ]
With the ATA error model, an NCQ command failure always triggers an abort
(termination) of all NCQ commands queued on the device. In such case, the
SAT or the host must handle the failed command according to the command
sense data and immediately retry all other NCQ commands that were aborted
due to the failed NCQ command.
For SAS HBAs controlled by the mpt3sas driver, NCQ command aborts are not
handled by the HBA SAT and sent back to the host, with an ioc log
information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code
PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function
_scsih_io_done() always forces a retry of commands terminated with the
status MPI2_IOCSTATUS_SCSI_IOC_TERMINATED using the SCSI result
DID_SOFT_ERROR, regardless of the log_info for the command. This
correctly forces the retry of collateral NCQ abort commands, but with the
retry counter for the command being incremented. If a command to an ATA
device is subject to too many retries due to other NCQ commands failing
(e.g. read commands trying to access unreadable sectors), the collateral
NCQ abort commands may be terminated with an error as they run out of
retries. This violates the SAT specification and causes hard-to-debug
command errors.
Solve this issue by modifying the handling of the
MPI2_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an
ATA device and if the command loginfo indicates an NCQ collateral
abort. If that is the case, force the command retry using the SCSI result
DID_IMM_RETRY to avoid incrementing the command retry count.
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20250606052747.742998-3-dlemoal@kernel.org
Tested-by: Yafang Shao <laoar.shao@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index 055929021818..0066a99587d9 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -197,6 +197,14 @@ struct sense_info {
#define MPT3SAS_PORT_ENABLE_COMPLETE (0xFFFD)
#define MPT3SAS_ABRT_TASK_SET (0xFFFE)
#define MPT3SAS_REMOVE_UNRESPONDING_DEVICES (0xFFFF)
+
+/*
+ * SAS Log info code for a NCQ collateral abort after an NCQ error:
+ * IOC_LOGINFO_PREFIX_PL | PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR
+ * See: drivers/message/fusion/lsi/mpi_log_sas.h
+ */
+#define IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR 0x31080000
+
/**
* struct fw_event_work - firmware event struct
* @list: link list framework
@@ -5812,6 +5820,17 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply)
scmd->result = DID_TRANSPORT_DISRUPTED << 16;
goto out;
}
+ if (log_info == IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR) {
+ /*
+ * This is a ATA NCQ command aborted due to another NCQ
+ * command failure. We must retry this command
+ * immediately but without incrementing its retry
+ * counter.
+ */
+ WARN_ON_ONCE(xfer_cnt != 0);
+ scmd->result = DID_IMM_RETRY << 16;
+ break;
+ }
if (log_info == 0x31110630) {
if (scmd->retries > 2) {
scmd->result = DID_NO_CONNECT << 16;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 403/644] pinctrl: stm32: Manage irq affinity settings
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 402/644] scsi: mpt3sas: Correctly handle ATA device errors Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 404/644] media: tc358743: Check I2C succeeded during probe Greg Kroah-Hartman
` (246 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cheick Traore, Antonio Borneo,
Linus Walleij, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cheick Traore <cheick.traore@foss.st.com>
[ Upstream commit 4c5cc2f65386e22166ce006efe515c667aa075e4 ]
Trying to set the affinity of the interrupts associated to stm32
pinctrl results in a write error.
Fill struct irq_chip::irq_set_affinity to use the default helper
function.
Signed-off-by: Cheick Traore <cheick.traore@foss.st.com>
Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Link: https://lore.kernel.org/20250610143042.295376-3-antonio.borneo@foss.st.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/stm32/pinctrl-stm32.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
index abb12a5c3c32..821ec5a97551 100644
--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
+++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
@@ -412,6 +412,7 @@ static struct irq_chip stm32_gpio_irq_chip = {
.irq_set_wake = irq_chip_set_wake_parent,
.irq_request_resources = stm32_gpio_irq_request_resources,
.irq_release_resources = stm32_gpio_irq_release_resources,
+ .irq_set_affinity = IS_ENABLED(CONFIG_SMP) ? irq_chip_set_affinity_parent : NULL,
};
static int stm32_gpio_domain_translate(struct irq_domain *d,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 404/644] media: tc358743: Check I2C succeeded during probe
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 403/644] pinctrl: stm32: Manage irq affinity settings Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 405/644] media: tc358743: Return an appropriate colorspace from tc358743_set_fmt Greg Kroah-Hartman
` (245 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Hans Verkuil,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.com>
[ Upstream commit 303d81635e1d9c949b370215cc94526ed81f2e3d ]
The probe for the TC358743 reads the CHIPID register from
the device and compares it to the expected value of 0.
If the I2C request fails then that also returns 0, so
the driver loads thinking that the device is there.
Generally I2C communications are reliable so there is
limited need to check the return value on every transfer,
therefore only amend the one read during probe to check
for I2C errors.
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/tc358743.c | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index 87feada1f602..fe53823ba6f7 100644
--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -110,7 +110,7 @@ static inline struct tc358743_state *to_state(struct v4l2_subdev *sd)
/* --------------- I2C --------------- */
-static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
+static int i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
{
struct tc358743_state *state = to_state(sd);
struct i2c_client *client = state->i2c_client;
@@ -136,6 +136,7 @@ static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
v4l2_err(sd, "%s: reading register 0x%x from 0x%x failed\n",
__func__, reg, client->addr);
}
+ return err != ARRAY_SIZE(msgs);
}
static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
@@ -192,15 +193,24 @@ static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
}
}
-static noinline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n)
+static noinline u32 i2c_rdreg_err(struct v4l2_subdev *sd, u16 reg, u32 n,
+ int *err)
{
+ int error;
__le32 val = 0;
- i2c_rd(sd, reg, (u8 __force *)&val, n);
+ error = i2c_rd(sd, reg, (u8 __force *)&val, n);
+ if (err)
+ *err = error;
return le32_to_cpu(val);
}
+static inline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n)
+{
+ return i2c_rdreg_err(sd, reg, n, NULL);
+}
+
static noinline void i2c_wrreg(struct v4l2_subdev *sd, u16 reg, u32 val, u32 n)
{
__le32 raw = cpu_to_le32(val);
@@ -229,6 +239,13 @@ static u16 i2c_rd16(struct v4l2_subdev *sd, u16 reg)
return i2c_rdreg(sd, reg, 2);
}
+static int i2c_rd16_err(struct v4l2_subdev *sd, u16 reg, u16 *value)
+{
+ int err;
+ *value = i2c_rdreg_err(sd, reg, 2, &err);
+ return err;
+}
+
static void i2c_wr16(struct v4l2_subdev *sd, u16 reg, u16 val)
{
i2c_wrreg(sd, reg, val, 2);
@@ -2042,6 +2059,7 @@ static int tc358743_probe(struct i2c_client *client)
struct tc358743_platform_data *pdata = client->dev.platform_data;
struct v4l2_subdev *sd;
u16 irq_mask = MASK_HDMI_MSK | MASK_CSI_MSK;
+ u16 chipid;
int err;
if (!i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_BYTE_DATA))
@@ -2073,7 +2091,8 @@ static int tc358743_probe(struct i2c_client *client)
sd->flags |= V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS;
/* i2c access */
- if ((i2c_rd16(sd, CHIPID) & MASK_CHIPID) != 0) {
+ if (i2c_rd16_err(sd, CHIPID, &chipid) ||
+ (chipid & MASK_CHIPID) != 0) {
v4l2_info(sd, "not a TC358743 on address 0x%x\n",
client->addr << 1);
return -ENODEV;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 405/644] media: tc358743: Return an appropriate colorspace from tc358743_set_fmt
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 404/644] media: tc358743: Check I2C succeeded during probe Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 406/644] media: tc358743: Increase FIFO trigger level to 374 Greg Kroah-Hartman
` (244 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Hans Verkuil,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.com>
[ Upstream commit 377cc006a364dfdab2f3f221cfad63a9265200b8 ]
When calling tc358743_set_fmt, the code was calling tc358743_get_fmt
to choose a valid format. However that sets the colorspace
based on information read back from the chip, not the colour
format requested.
The result was that if you called try or set format for UYVY
when the current format was RGB3 then you would get told SRGB,
and try RGB3 when current was UYVY and you would get told
SMPTE170M.
The value programmed in the VI_REP register for the colorspace
is always set by this driver, therefore there is no need to read
back the value, and never set to REC709.
Return the colorspace based on the format set/tried instead.
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/tc358743.c | 44 ++++++++++++++----------------------
1 file changed, 17 insertions(+), 27 deletions(-)
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index fe53823ba6f7..a389e2d58d3d 100644
--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -1686,12 +1686,23 @@ static int tc358743_enum_mbus_code(struct v4l2_subdev *sd,
return 0;
}
+static u32 tc358743_g_colorspace(u32 code)
+{
+ switch (code) {
+ case MEDIA_BUS_FMT_RGB888_1X24:
+ return V4L2_COLORSPACE_SRGB;
+ case MEDIA_BUS_FMT_UYVY8_1X16:
+ return V4L2_COLORSPACE_SMPTE170M;
+ default:
+ return 0;
+ }
+}
+
static int tc358743_get_fmt(struct v4l2_subdev *sd,
struct v4l2_subdev_state *sd_state,
struct v4l2_subdev_format *format)
{
struct tc358743_state *state = to_state(sd);
- u8 vi_rep = i2c_rd8(sd, VI_REP);
if (format->pad != 0)
return -EINVAL;
@@ -1701,23 +1712,7 @@ static int tc358743_get_fmt(struct v4l2_subdev *sd,
format->format.height = state->timings.bt.height;
format->format.field = V4L2_FIELD_NONE;
- switch (vi_rep & MASK_VOUT_COLOR_SEL) {
- case MASK_VOUT_COLOR_RGB_FULL:
- case MASK_VOUT_COLOR_RGB_LIMITED:
- format->format.colorspace = V4L2_COLORSPACE_SRGB;
- break;
- case MASK_VOUT_COLOR_601_YCBCR_LIMITED:
- case MASK_VOUT_COLOR_601_YCBCR_FULL:
- format->format.colorspace = V4L2_COLORSPACE_SMPTE170M;
- break;
- case MASK_VOUT_COLOR_709_YCBCR_FULL:
- case MASK_VOUT_COLOR_709_YCBCR_LIMITED:
- format->format.colorspace = V4L2_COLORSPACE_REC709;
- break;
- default:
- format->format.colorspace = 0;
- break;
- }
+ format->format.colorspace = tc358743_g_colorspace(format->format.code);
return 0;
}
@@ -1731,19 +1726,14 @@ static int tc358743_set_fmt(struct v4l2_subdev *sd,
u32 code = format->format.code; /* is overwritten by get_fmt */
int ret = tc358743_get_fmt(sd, sd_state, format);
- format->format.code = code;
+ if (code == MEDIA_BUS_FMT_RGB888_1X24 ||
+ code == MEDIA_BUS_FMT_UYVY8_1X16)
+ format->format.code = code;
+ format->format.colorspace = tc358743_g_colorspace(format->format.code);
if (ret)
return ret;
- switch (code) {
- case MEDIA_BUS_FMT_RGB888_1X24:
- case MEDIA_BUS_FMT_UYVY8_1X16:
- break;
- default:
- return -EINVAL;
- }
-
if (format->which == V4L2_SUBDEV_FORMAT_TRY)
return 0;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 406/644] media: tc358743: Increase FIFO trigger level to 374
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 405/644] media: tc358743: Return an appropriate colorspace from tc358743_set_fmt Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 407/644] media: usb: hdpvr: disable zero-length read messages Greg Kroah-Hartman
` (243 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Hans Verkuil,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.com>
[ Upstream commit 86addd25314a1e77dbdcfddfeed0bab2f27da0e2 ]
The existing fixed value of 16 worked for UYVY 720P60 over
2 lanes at 594MHz, or UYVY 1080P60 over 4 lanes. (RGB888
1080P60 needs 6 lanes at 594MHz).
It doesn't allow for lower resolutions to work as the FIFO
underflows.
374 is required for 1080P24 or 1080P30 UYVY over 2 lanes @
972Mbit/s, but >374 means that the FIFO underflows on 1080P50
UYVY over 2 lanes @ 972Mbit/s.
Whilst it would be nice to compute it, the required information
isn't published by Toshiba.
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/tc358743.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index a389e2d58d3d..3167beca4056 100644
--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -1960,8 +1960,19 @@ static int tc358743_probe_of(struct tc358743_state *state)
state->pdata.refclk_hz = clk_get_rate(refclk);
state->pdata.ddc5v_delay = DDC5V_DELAY_100_MS;
state->pdata.enable_hdcp = false;
- /* A FIFO level of 16 should be enough for 2-lane 720p60 at 594 MHz. */
- state->pdata.fifo_level = 16;
+ /*
+ * Ideally the FIFO trigger level should be set based on the input and
+ * output data rates, but the calculations required are buried in
+ * Toshiba's register settings spreadsheet.
+ * A value of 16 works with a 594Mbps data rate for 720p60 (using 2
+ * lanes) and 1080p60 (using 4 lanes), but fails when the data rate
+ * is increased, or a lower pixel clock is used that result in CSI
+ * reading out faster than the data is arriving.
+ *
+ * A value of 374 works with both those modes at 594Mbps, and with most
+ * modes on 972Mbps.
+ */
+ state->pdata.fifo_level = 374;
/*
* The PLL input clock is obtained by dividing refclk by pll_prd.
* It must be between 6 MHz and 40 MHz, lower frequency is better.
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 407/644] media: usb: hdpvr: disable zero-length read messages
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 406/644] media: tc358743: Increase FIFO trigger level to 374 Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 408/644] media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() Greg Kroah-Hartman
` (242 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Hans Verkuil,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit b5ae5a79825ba8037b0be3ef677a24de8c063abf ]
This driver passes the length of an i2c_msg directly to
usb_control_msg(). If the message is now a read and of length 0, it
violates the USB protocol and a warning will be printed. Enable the
I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
read messages altogether.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/media/usb/hdpvr/hdpvr-i2c.c b/drivers/media/usb/hdpvr/hdpvr-i2c.c
index 070559b01b01..54956a8ff15e 100644
--- a/drivers/media/usb/hdpvr/hdpvr-i2c.c
+++ b/drivers/media/usb/hdpvr/hdpvr-i2c.c
@@ -165,10 +165,16 @@ static const struct i2c_algorithm hdpvr_algo = {
.functionality = hdpvr_functionality,
};
+/* prevent invalid 0-length usb_control_msg */
+static const struct i2c_adapter_quirks hdpvr_quirks = {
+ .flags = I2C_AQ_NO_ZERO_LEN_READ,
+};
+
static const struct i2c_adapter hdpvr_i2c_adapter_template = {
.name = "Hauppauge HD PVR I2C",
.owner = THIS_MODULE,
.algo = &hdpvr_algo,
+ .quirks = &hdpvr_quirks,
};
static int hdpvr_activate_ir(struct hdpvr_device *dev)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 408/644] media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 407/644] media: usb: hdpvr: disable zero-length read messages Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 409/644] media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar Greg Kroah-Hartman
` (241 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Guo, Mauro Carvalho Chehab,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Guo <alexguo1023@gmail.com>
[ Upstream commit ce5cac69b2edac3e3246fee03e8f4c2a1075238b ]
In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and
msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing
msg[0].buf[2] without sanity check, null pointer deref would happen. We add
check on msg[0].len to prevent crash. Similar issue occurs when access
msg[1].buf[0] and msg[1].buf[1].
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Alex Guo <alexguo1023@gmail.com>
Link: https://lore.kernel.org/r/20250616013231.730221-1-alexguo1023@gmail.com
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-frontends/dib7000p.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c
index 8c426baf76ee..a4d060fb1bab 100644
--- a/drivers/media/dvb-frontends/dib7000p.c
+++ b/drivers/media/dvb-frontends/dib7000p.c
@@ -2261,8 +2261,12 @@ static int dib7090p_rw_on_apb(struct i2c_adapter *i2c_adap,
u16 word;
if (num == 1) { /* write */
+ if (msg[0].len < 3)
+ return -EOPNOTSUPP;
dib7000p_write_word(state, apb_address, ((msg[0].buf[1] << 8) | (msg[0].buf[2])));
} else {
+ if (msg[1].len < 2)
+ return -EOPNOTSUPP;
word = dib7000p_read_word(state, apb_address);
msg[1].buf[0] = (word >> 8) & 0xff;
msg[1].buf[1] = (word) & 0xff;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 409/644] media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 408/644] media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 410/644] media: uvcvideo: Fix bandwidth issue for Alcor camera Greg Kroah-Hartman
` (240 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Guo, Mauro Carvalho Chehab,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Guo <alexguo1023@gmail.com>
[ Upstream commit ed0234c8458b3149f15e496b48a1c9874dd24a1b ]
In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add
check on msg[0].len to prevent crash.
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Alex Guo <alexguo1023@gmail.com>
Link: https://lore.kernel.org/r/20250616013353.738790-1-alexguo1023@gmail.com
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-frontends/dib7000p.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/media/dvb-frontends/dib7000p.c
+++ b/drivers/media/dvb-frontends/dib7000p.c
@@ -2200,6 +2200,9 @@ static int w7090p_tuner_write_serpar(str
u16 i = 1000;
u16 serpar_num = msg[0].buf[0];
+ if (msg[0].len < 3)
+ return -EOPNOTSUPP;
+
while (n_overflow == 1 && i) {
n_overflow = (dib7000p_read_word(state, 1984) >> 1) & 0x1;
i--;
@@ -2220,6 +2223,9 @@ static int w7090p_tuner_read_serpar(stru
u16 serpar_num = msg[0].buf[0];
u16 read_word;
+ if (msg[0].len < 1 || msg[1].len < 2)
+ return -EOPNOTSUPP;
+
while (n_overflow == 1 && i) {
n_overflow = (dib7000p_read_word(state, 1984) >> 1) & 0x1;
i--;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 410/644] media: uvcvideo: Fix bandwidth issue for Alcor camera
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 409/644] media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 411/644] crypto: octeontx2 - add timeout for load_fvc completion poll Greg Kroah-Hartman
` (239 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, chenchangcheng, Ricardo Ribalda,
Laurent Pinchart, Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: chenchangcheng <chenchangcheng@kylinos.cn>
[ Upstream commit 9764401bf6f8a20eb11c2e78470f20fee91a9ea7 ]
Some broken device return wrong dwMaxPayloadTransferSize fields as
follows:
[ 218.632537] uvcvideo: Device requested 2752512 B/frame bandwidth.
[ 218.632598] uvcvideo: No fast enough alt setting for requested bandwidth.
When dwMaxPayloadTransferSize is greater than maxpsize, it will prevent
the camera from starting. So use the bandwidth of maxpsize.
Signed-off-by: chenchangcheng <chenchangcheng@kylinos.cn>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20250510061803.811433-1-ccc194101@163.com
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/uvc/uvc_video.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
index 446fe67e07c4..89a43c0558ed 100644
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -231,6 +231,15 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
ctrl->dwMaxPayloadTransferSize = bandwidth;
}
+
+ if (stream->intf->num_altsetting > 1 &&
+ ctrl->dwMaxPayloadTransferSize > stream->maxpsize) {
+ dev_warn_ratelimited(&stream->intf->dev,
+ "UVC non compliance: the max payload transmission size (%u) exceeds the size of the ep max packet (%u). Using the max size.\n",
+ ctrl->dwMaxPayloadTransferSize,
+ stream->maxpsize);
+ ctrl->dwMaxPayloadTransferSize = stream->maxpsize;
+ }
}
static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 411/644] crypto: octeontx2 - add timeout for load_fvc completion poll
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 410/644] media: uvcvideo: Fix bandwidth issue for Alcor camera Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 412/644] md: dm-zoned-target: Initialize return variable r to avoid uninitialized use Greg Kroah-Hartman
` (238 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srujana Challa, Bharat Bhushan,
Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bharat Bhushan <bbhushan2@marvell.com>
[ Upstream commit 2157e50f65d2030f07ea27ef7ac4cfba772e98ac ]
Adds timeout to exit from possible infinite loop, which polls
on CPT instruction(load_fvc) completion.
Signed-off-by: Srujana Challa <schalla@marvell.com>
Signed-off-by: Bharat Bhushan <bbhushan2@marvell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
index 7c1b92aaab39..6bee19394857 100644
--- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
+++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
@@ -1419,6 +1419,7 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf)
dma_addr_t rptr_baddr;
struct pci_dev *pdev;
u32 len, compl_rlen;
+ int timeout = 10000;
int ret, etype;
void *rptr;
@@ -1483,16 +1484,27 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf)
etype);
otx2_cpt_fill_inst(&inst, &iq_cmd, rptr_baddr);
lfs->ops->send_cmd(&inst, 1, &cptpf->lfs.lf[0]);
+ timeout = 10000;
while (lfs->ops->cpt_get_compcode(result) ==
- OTX2_CPT_COMPLETION_CODE_INIT)
+ OTX2_CPT_COMPLETION_CODE_INIT) {
cpu_relax();
+ udelay(1);
+ timeout--;
+ if (!timeout) {
+ ret = -ENODEV;
+ cptpf->is_eng_caps_discovered = false;
+ dev_warn(&pdev->dev, "Timeout on CPT load_fvc completion poll\n");
+ goto error_no_response;
+ }
+ }
cptpf->eng_caps[etype].u = be64_to_cpup(rptr);
}
- dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL);
cptpf->is_eng_caps_discovered = true;
+error_no_response:
+ dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL);
free_result:
kfree(result);
lf_cleanup:
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 412/644] md: dm-zoned-target: Initialize return variable r to avoid uninitialized use
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 411/644] crypto: octeontx2 - add timeout for load_fvc completion poll Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 413/644] i3c: add missing include to internal header Greg Kroah-Hartman
` (237 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Purva Yeshi, Mikulas Patocka,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Purva Yeshi <purvayeshi550@gmail.com>
[ Upstream commit 487767bff572d46f7c37ad846c4078f6d6c9cc55 ]
Fix Smatch-detected error:
drivers/md/dm-zoned-target.c:1073 dmz_iterate_devices()
error: uninitialized symbol 'r'.
Smatch detects a possible use of the uninitialized variable 'r' in
dmz_iterate_devices() because if dmz->nr_ddevs is zero, the loop is
skipped and 'r' is returned without being set, leading to undefined
behavior.
Initialize 'r' to 0 before the loop. This ensures that if there are no
devices to iterate over, the function still returns a defined value.
Signed-off-by: Purva Yeshi <purvayeshi550@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-zoned-target.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c
index 48b56d6434f7..98c3c8be3bcc 100644
--- a/drivers/md/dm-zoned-target.c
+++ b/drivers/md/dm-zoned-target.c
@@ -1066,7 +1066,7 @@ static int dmz_iterate_devices(struct dm_target *ti,
struct dmz_target *dmz = ti->private;
unsigned int zone_nr_sectors = dmz_zone_nr_sectors(dmz->metadata);
sector_t capacity;
- int i, r;
+ int i, r = 0;
for (i = 0; i < dmz->nr_ddevs; i++) {
capacity = dmz->dev[i].capacity & ~(zone_nr_sectors - 1);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 413/644] i3c: add missing include to internal header
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 412/644] md: dm-zoned-target: Initialize return variable r to avoid uninitialized use Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 414/644] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 Greg Kroah-Hartman
` (236 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Wolfram Sang,
Frank Li, Alexandre Belloni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 3b661ca549b9e5bb11d0bc97ada6110aac3282d2 ]
LKP found a random config which failed to build because IO accessors
were not defined:
In file included from drivers/i3c/master.c:21:
drivers/i3c/internals.h: In function 'i3c_writel_fifo':
>> drivers/i3c/internals.h:35:9: error: implicit declaration of function 'writesl' [-Werror=implicit-function-declaration]
Add the proper header to where the IO accessors are used.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202507150208.BZDzzJ5E-lkp@intel.com/
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250717120046.9022-2-wsa+renesas@sang-engineering.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/internals.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i3c/internals.h b/drivers/i3c/internals.h
index 86b7b44cfca2..1906c711f38a 100644
--- a/drivers/i3c/internals.h
+++ b/drivers/i3c/internals.h
@@ -9,6 +9,7 @@
#define I3C_INTERNALS_H
#include <linux/i3c/master.h>
+#include <linux/io.h>
extern struct bus_type i3c_bus_type;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 414/644] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 413/644] i3c: add missing include to internal header Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 415/644] i3c: dont fail if GETHDRCAP is unsupported Greg Kroah-Hartman
` (235 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Meagan Lloyd, Tyler Hicks,
Rodolfo Giometti, Alexandre Belloni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
[ Upstream commit 523923cfd5d622b8f4ba893fdaf29fa6adeb8c3e ]
In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the
kernel time as long as rtc_read_time() succeeds. In some power loss
situations, our supercapacitor-backed DS1342 RTC comes up with either an
unpredictable future time or the default 01/01/00 from the datasheet.
The oscillator stop flag (OSF) is set in these scenarios due to the
power loss and can be used to determine the validity of the RTC data.
This change expands the oscillator stop flag (OSF) handling that has
already been implemented for some chips to the ds1341 chip (DS1341 and
DS1342 share a datasheet). This handling manages the validity of the RTC
data in .read_time and .set_time based on the OSF.
Signed-off-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
Reviewed-by: Tyler Hicks <code@tyhicks.com>
Acked-by: Rodolfo Giometti <giometti@enneenne.com>
Link: https://lore.kernel.org/r/1749665656-30108-3-git-send-email-meaganlloyd@linux.microsoft.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-ds1307.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
index 1e621080f666..f8e32f5c37e3 100644
--- a/drivers/rtc/rtc-ds1307.c
+++ b/drivers/rtc/rtc-ds1307.c
@@ -273,6 +273,13 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t)
if (tmp & DS1340_BIT_OSF)
return -EINVAL;
break;
+ case ds_1341:
+ ret = regmap_read(ds1307->regmap, DS1337_REG_STATUS, &tmp);
+ if (ret)
+ return ret;
+ if (tmp & DS1337_BIT_OSF)
+ return -EINVAL;
+ break;
case ds_1388:
ret = regmap_read(ds1307->regmap, DS1388_REG_FLAG, &tmp);
if (ret)
@@ -371,6 +378,10 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t)
regmap_update_bits(ds1307->regmap, DS1340_REG_FLAG,
DS1340_BIT_OSF, 0);
break;
+ case ds_1341:
+ regmap_update_bits(ds1307->regmap, DS1337_REG_STATUS,
+ DS1337_BIT_OSF, 0);
+ break;
case ds_1388:
regmap_update_bits(ds1307->regmap, DS1388_REG_FLAG,
DS1388_BIT_OSF, 0);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 415/644] i3c: dont fail if GETHDRCAP is unsupported
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 414/644] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 416/644] dm-mpath: dont print the "loaded" message if registering fails Greg Kroah-Hartman
` (234 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Frank Li,
Alexandre Belloni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 447270cdb41b1c8c3621bb14b93a6749f942556e ]
'I3C_BCR_HDR_CAP' is still spec v1.0 and has been renamed to 'advanced
capabilities' in v1.1 onwards. The ST pressure sensor LPS22DF does not
have HDR, but has the 'advanced cap' bit set. The core still wants to
get additional information using the CCC 'GETHDRCAP' (or GETCAPS in v1.1
onwards). Not all controllers support this CCC and will notify the upper
layers about it. For instantiating the device, we can ignore this
unsupported CCC as standard communication will work. Without this patch,
the device will not be instantiated at all.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/r/20250704204524.6124-1-wsa+renesas@sang-engineering.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index ea6556f91302..717b337f9e22 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -1262,7 +1262,7 @@ static int i3c_master_retrieve_dev_info(struct i3c_dev_desc *dev)
if (dev->info.bcr & I3C_BCR_HDR_CAP) {
ret = i3c_master_gethdrcap_locked(master, &dev->info);
- if (ret)
+ if (ret && ret != -ENOTSUPP)
return ret;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 416/644] dm-mpath: dont print the "loaded" message if registering fails
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 415/644] i3c: dont fail if GETHDRCAP is unsupported Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 417/644] i2c: Force DLL0945 touchpad i2c freq to 100khz Greg Kroah-Hartman
` (233 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
[ Upstream commit 6e11952a6abc4641dc8ae63f01b318b31b44e8db ]
If dm_register_path_selector, don't print the "version X loaded" message.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-ps-historical-service-time.c | 4 +++-
drivers/md/dm-ps-queue-length.c | 4 +++-
drivers/md/dm-ps-round-robin.c | 4 +++-
drivers/md/dm-ps-service-time.c | 4 +++-
4 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/md/dm-ps-historical-service-time.c b/drivers/md/dm-ps-historical-service-time.c
index 82f2a06153dc..683ac2e03079 100644
--- a/drivers/md/dm-ps-historical-service-time.c
+++ b/drivers/md/dm-ps-historical-service-time.c
@@ -540,8 +540,10 @@ static int __init dm_hst_init(void)
{
int r = dm_register_path_selector(&hst_ps);
- if (r < 0)
+ if (r < 0) {
DMERR("register failed %d", r);
+ return r;
+ }
DMINFO("version " HST_VERSION " loaded");
diff --git a/drivers/md/dm-ps-queue-length.c b/drivers/md/dm-ps-queue-length.c
index cef70657bbbc..cc5eff8853ab 100644
--- a/drivers/md/dm-ps-queue-length.c
+++ b/drivers/md/dm-ps-queue-length.c
@@ -259,8 +259,10 @@ static int __init dm_ql_init(void)
{
int r = dm_register_path_selector(&ql_ps);
- if (r < 0)
+ if (r < 0) {
DMERR("register failed %d", r);
+ return r;
+ }
DMINFO("version " QL_VERSION " loaded");
diff --git a/drivers/md/dm-ps-round-robin.c b/drivers/md/dm-ps-round-robin.c
index 27f44c5fa04e..6f10c4f879ec 100644
--- a/drivers/md/dm-ps-round-robin.c
+++ b/drivers/md/dm-ps-round-robin.c
@@ -216,8 +216,10 @@ static int __init dm_rr_init(void)
{
int r = dm_register_path_selector(&rr_ps);
- if (r < 0)
+ if (r < 0) {
DMERR("register failed %d", r);
+ return r;
+ }
DMINFO("version " RR_VERSION " loaded");
diff --git a/drivers/md/dm-ps-service-time.c b/drivers/md/dm-ps-service-time.c
index 3ec9c33265c5..eea15af86e69 100644
--- a/drivers/md/dm-ps-service-time.c
+++ b/drivers/md/dm-ps-service-time.c
@@ -341,8 +341,10 @@ static int __init dm_st_init(void)
{
int r = dm_register_path_selector(&st_ps);
- if (r < 0)
+ if (r < 0) {
DMERR("register failed %d", r);
+ return r;
+ }
DMINFO("version " ST_VERSION " loaded");
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 417/644] i2c: Force DLL0945 touchpad i2c freq to 100khz
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 416/644] dm-mpath: dont print the "loaded" message if registering fails Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 418/644] kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c Greg Kroah-Hartman
` (232 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, fangzhong.zhou, Wolfram Sang,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: fangzhong.zhou <myth5@myth5.com>
[ Upstream commit 0b7c9528facdb5a73ad78fea86d2e95a6c48dbc4 ]
This patch fixes an issue where the touchpad cursor movement becomes
slow on the Dell Precision 5560. Force the touchpad freq to 100khz
as a workaround.
Tested on Dell Precision 5560 with 6.14 to 6.14.6. Cursor movement
is now smooth and responsive.
Signed-off-by: fangzhong.zhou <myth5@myth5.com>
[wsa: kept sorting and removed unnecessary parts from commit msg]
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-core-acpi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
index 8b06f5d4a4c3..3fabf4b1f6fd 100644
--- a/drivers/i2c/i2c-core-acpi.c
+++ b/drivers/i2c/i2c-core-acpi.c
@@ -342,6 +342,7 @@ static const struct acpi_device_id i2c_acpi_force_100khz_device_ids[] = {
* the device works without issues on Windows at what is expected to be
* a 400KHz frequency. The root cause of the issue is not known.
*/
+ { "DLL0945", 0 },
{ "ELAN06FA", 0 },
{}
};
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 418/644] kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 417/644] i2c: Force DLL0945 touchpad i2c freq to 100khz Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 419/644] kconfig: nconf: Ensure null termination where strncpy is used Greg Kroah-Hartman
` (231 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suchit Karunakaran, Nicolas Schier,
Masahiro Yamada, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suchit Karunakaran <suchitkarunakaran@gmail.com>
[ Upstream commit 5ac726653a1029a2eccba93bbe59e01fc9725828 ]
strcpy() performs no bounds checking and can lead to buffer overflows if
the input string exceeds the destination buffer size. This patch replaces
it with strncpy(), and null terminates the input string.
Signed-off-by: Suchit Karunakaran <suchitkarunakaran@gmail.com>
Reviewed-by: Nicolas Schier <nicolas.schier@linux.dev>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/lxdialog/inputbox.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
index 1dcfb288ee63..327b60cdb8da 100644
--- a/scripts/kconfig/lxdialog/inputbox.c
+++ b/scripts/kconfig/lxdialog/inputbox.c
@@ -39,8 +39,10 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
if (!init)
instr[0] = '\0';
- else
- strcpy(instr, init);
+ else {
+ strncpy(instr, init, sizeof(dialog_input_result) - 1);
+ instr[sizeof(dialog_input_result) - 1] = '\0';
+ }
do_resize:
if (getmaxy(stdscr) <= (height - INPUTBOX_HEIGTH_MIN))
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 419/644] kconfig: nconf: Ensure null termination where strncpy is used
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 418/644] kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 420/644] scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans Greg Kroah-Hartman
` (230 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shankari Anand, Masahiro Yamada,
Randy Dunlap, Nicolas Schier, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shankari Anand <shankari.ak0208@gmail.com>
[ Upstream commit f468992936894c9ce3b1659cf38c230d33b77a16 ]
strncpy() does not guarantee null-termination if the source string is
longer than the destination buffer.
Ensure the buffer is explicitly null-terminated to prevent potential
string overflows or undefined behavior.
Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Nicolas Schier <n.schier@avm.de>
Acked-by: Nicolas Schier <n.schier@avm.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/nconf.c | 2 ++
scripts/kconfig/nconf.gui.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
index 7b371bd7fb36..8b166ccb0447 100644
--- a/scripts/kconfig/nconf.c
+++ b/scripts/kconfig/nconf.c
@@ -585,6 +585,8 @@ static void item_add_str(const char *fmt, ...)
tmp_str,
sizeof(k_menu_items[index].str));
+ k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0';
+
free_item(curses_menu_items[index]);
curses_menu_items[index] = new_item(
k_menu_items[index].str,
diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
index 9aedf40f1dc0..da06ea2afe08 100644
--- a/scripts/kconfig/nconf.gui.c
+++ b/scripts/kconfig/nconf.gui.c
@@ -349,6 +349,7 @@ int dialog_inputbox(WINDOW *main_window,
x = (columns-win_cols)/2;
strncpy(result, init, *result_len);
+ result[*result_len - 1] = '\0';
/* create the windows */
win = newwin(win_lines, win_cols, y, x);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 420/644] scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 419/644] kconfig: nconf: Ensure null termination where strncpy is used Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 421/644] scsi: target: core: Generate correct identifiers for PR OUT transport IDs Greg Kroah-Hartman
` (229 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit 37c4e72b0651e7697eb338cd1fb09feef472cc1a ]
sas_user_scan() did not fully process wildcard channel scans
(SCAN_WILD_CARD) when a transport-specific user_scan() callback was
present. Only channel 0 would be scanned via user_scan(), while the
remaining channels were skipped, potentially missing devices.
user_scan() invokes updated sas_user_scan() for channel 0, and if
successful, iteratively scans remaining channels (1 to
shost->max_channel) via scsi_scan_host_selected(). This ensures complete
wildcard scanning without affecting transport-specific scanning behavior.
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250624061649.17990-1-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_scan.c | 2 +-
drivers/scsi/scsi_transport_sas.c | 60 ++++++++++++++++++++++++-------
2 files changed, 49 insertions(+), 13 deletions(-)
diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
index f00b4624e46b..e39648762896 100644
--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
@@ -1762,7 +1762,7 @@ int scsi_scan_host_selected(struct Scsi_Host *shost, unsigned int channel,
return 0;
}
-
+EXPORT_SYMBOL(scsi_scan_host_selected);
static void scsi_sysfs_add_devices(struct Scsi_Host *shost)
{
struct scsi_device *sdev;
diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c
index 8649608faec2..87c5ed56e47b 100644
--- a/drivers/scsi/scsi_transport_sas.c
+++ b/drivers/scsi/scsi_transport_sas.c
@@ -41,6 +41,8 @@
#include <scsi/scsi_transport_sas.h>
#include "scsi_sas_internal.h"
+#include "scsi_priv.h"
+
struct sas_host_attrs {
struct list_head rphy_list;
struct mutex lock;
@@ -1681,32 +1683,66 @@ int scsi_is_sas_rphy(const struct device *dev)
}
EXPORT_SYMBOL(scsi_is_sas_rphy);
-
-/*
- * SCSI scan helper
- */
-
-static int sas_user_scan(struct Scsi_Host *shost, uint channel,
- uint id, u64 lun)
+static void scan_channel_zero(struct Scsi_Host *shost, uint id, u64 lun)
{
struct sas_host_attrs *sas_host = to_sas_host_attrs(shost);
struct sas_rphy *rphy;
- mutex_lock(&sas_host->lock);
list_for_each_entry(rphy, &sas_host->rphy_list, list) {
if (rphy->identify.device_type != SAS_END_DEVICE ||
rphy->scsi_target_id == -1)
continue;
- if ((channel == SCAN_WILD_CARD || channel == 0) &&
- (id == SCAN_WILD_CARD || id == rphy->scsi_target_id)) {
+ if (id == SCAN_WILD_CARD || id == rphy->scsi_target_id) {
scsi_scan_target(&rphy->dev, 0, rphy->scsi_target_id,
lun, SCSI_SCAN_MANUAL);
}
}
- mutex_unlock(&sas_host->lock);
+}
- return 0;
+/*
+ * SCSI scan helper
+ */
+
+static int sas_user_scan(struct Scsi_Host *shost, uint channel,
+ uint id, u64 lun)
+{
+ struct sas_host_attrs *sas_host = to_sas_host_attrs(shost);
+ int res = 0;
+ int i;
+
+ switch (channel) {
+ case 0:
+ mutex_lock(&sas_host->lock);
+ scan_channel_zero(shost, id, lun);
+ mutex_unlock(&sas_host->lock);
+ break;
+
+ case SCAN_WILD_CARD:
+ mutex_lock(&sas_host->lock);
+ scan_channel_zero(shost, id, lun);
+ mutex_unlock(&sas_host->lock);
+
+ for (i = 1; i <= shost->max_channel; i++) {
+ res = scsi_scan_host_selected(shost, i, id, lun,
+ SCSI_SCAN_MANUAL);
+ if (res)
+ goto exit_scan;
+ }
+ break;
+
+ default:
+ if (channel < shost->max_channel) {
+ res = scsi_scan_host_selected(shost, channel, id, lun,
+ SCSI_SCAN_MANUAL);
+ } else {
+ res = -EINVAL;
+ }
+ break;
+ }
+
+exit_scan:
+ return res;
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 421/644] scsi: target: core: Generate correct identifiers for PR OUT transport IDs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 420/644] scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 422/644] scsi: aacraid: Stop using PCI_IRQ_AFFINITY Greg Kroah-Hartman
` (228 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maurizio Lombardi, Dmitry Bogdanov,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maurizio Lombardi <mlombard@redhat.com>
[ Upstream commit 6e0f6aa44b68335df404a2df955055f416b5f2aa ]
Fix target_parse_pr_out_transport_id() to return a string representing
the transport ID in a human-readable format (e.g., naa.xxxxxxxx...) for
various SCSI protocol types (SAS, FCP, SRP, SBP).
Previously, the function returned a pointer to the raw binary buffer,
which was incorrectly compared against human-readable strings, causing
comparisons to fail. Now, the function writes a properly formatted
string into a buffer provided by the caller. The output format depends
on the transport protocol:
* SAS: 64-bit identifier, "naa." prefix.
* FCP: 64-bit identifier, colon separated values.
* SBP: 64-bit identifier, no prefix.
* SRP: 128-bit identifier, "0x" prefix.
* iSCSI: IQN string.
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Link: https://lore.kernel.org/r/20250714133738.11054-1-mlombard@redhat.com
Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_fabric_lib.c | 63 +++++++++++++++++++------
drivers/target/target_core_internal.h | 4 +-
drivers/target/target_core_pr.c | 18 +++----
3 files changed, 60 insertions(+), 25 deletions(-)
diff --git a/drivers/target/target_core_fabric_lib.c b/drivers/target/target_core_fabric_lib.c
index 6600ae44f29d..d3ab251ba049 100644
--- a/drivers/target/target_core_fabric_lib.c
+++ b/drivers/target/target_core_fabric_lib.c
@@ -257,11 +257,41 @@ static int iscsi_get_pr_transport_id_len(
return len;
}
-static char *iscsi_parse_pr_out_transport_id(
+static void sas_parse_pr_out_transport_id(char *buf, char *i_str)
+{
+ char hex[17] = {};
+
+ bin2hex(hex, buf + 4, 8);
+ snprintf(i_str, TRANSPORT_IQN_LEN, "naa.%s", hex);
+}
+
+static void srp_parse_pr_out_transport_id(char *buf, char *i_str)
+{
+ char hex[33] = {};
+
+ bin2hex(hex, buf + 8, 16);
+ snprintf(i_str, TRANSPORT_IQN_LEN, "0x%s", hex);
+}
+
+static void fcp_parse_pr_out_transport_id(char *buf, char *i_str)
+{
+ snprintf(i_str, TRANSPORT_IQN_LEN, "%8phC", buf + 8);
+}
+
+static void sbp_parse_pr_out_transport_id(char *buf, char *i_str)
+{
+ char hex[17] = {};
+
+ bin2hex(hex, buf + 8, 8);
+ snprintf(i_str, TRANSPORT_IQN_LEN, "%s", hex);
+}
+
+static bool iscsi_parse_pr_out_transport_id(
struct se_portal_group *se_tpg,
char *buf,
u32 *out_tid_len,
- char **port_nexus_ptr)
+ char **port_nexus_ptr,
+ char *i_str)
{
char *p;
int i;
@@ -282,7 +312,7 @@ static char *iscsi_parse_pr_out_transport_id(
if ((format_code != 0x00) && (format_code != 0x40)) {
pr_err("Illegal format code: 0x%02x for iSCSI"
" Initiator Transport ID\n", format_code);
- return NULL;
+ return false;
}
/*
* If the caller wants the TransportID Length, we set that value for the
@@ -306,7 +336,7 @@ static char *iscsi_parse_pr_out_transport_id(
pr_err("Unable to locate \",i,0x\" separator"
" for Initiator port identifier: %s\n",
&buf[4]);
- return NULL;
+ return false;
}
*p = '\0'; /* Terminate iSCSI Name */
p += 5; /* Skip over ",i,0x" separator */
@@ -339,7 +369,8 @@ static char *iscsi_parse_pr_out_transport_id(
} else
*port_nexus_ptr = NULL;
- return &buf[4];
+ strscpy(i_str, &buf[4], TRANSPORT_IQN_LEN);
+ return true;
}
int target_get_pr_transport_id_len(struct se_node_acl *nacl,
@@ -387,33 +418,35 @@ int target_get_pr_transport_id(struct se_node_acl *nacl,
}
}
-const char *target_parse_pr_out_transport_id(struct se_portal_group *tpg,
- char *buf, u32 *out_tid_len, char **port_nexus_ptr)
+bool target_parse_pr_out_transport_id(struct se_portal_group *tpg,
+ char *buf, u32 *out_tid_len, char **port_nexus_ptr, char *i_str)
{
- u32 offset;
-
switch (tpg->proto_id) {
case SCSI_PROTOCOL_SAS:
/*
* Assume the FORMAT CODE 00b from spc4r17, 7.5.4.7 TransportID
* for initiator ports using SCSI over SAS Serial SCSI Protocol.
*/
- offset = 4;
+ sas_parse_pr_out_transport_id(buf, i_str);
break;
- case SCSI_PROTOCOL_SBP:
case SCSI_PROTOCOL_SRP:
+ srp_parse_pr_out_transport_id(buf, i_str);
+ break;
case SCSI_PROTOCOL_FCP:
- offset = 8;
+ fcp_parse_pr_out_transport_id(buf, i_str);
+ break;
+ case SCSI_PROTOCOL_SBP:
+ sbp_parse_pr_out_transport_id(buf, i_str);
break;
case SCSI_PROTOCOL_ISCSI:
return iscsi_parse_pr_out_transport_id(tpg, buf, out_tid_len,
- port_nexus_ptr);
+ port_nexus_ptr, i_str);
default:
pr_err("Unknown proto_id: 0x%02x\n", tpg->proto_id);
- return NULL;
+ return false;
}
*port_nexus_ptr = NULL;
*out_tid_len = 24;
- return buf + offset;
+ return true;
}
diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h
index a889a6237d9c..1e8dbfcc4323 100644
--- a/drivers/target/target_core_internal.h
+++ b/drivers/target/target_core_internal.h
@@ -103,8 +103,8 @@ int target_get_pr_transport_id_len(struct se_node_acl *nacl,
int target_get_pr_transport_id(struct se_node_acl *nacl,
struct t10_pr_registration *pr_reg, int *format_code,
unsigned char *buf);
-const char *target_parse_pr_out_transport_id(struct se_portal_group *tpg,
- char *buf, u32 *out_tid_len, char **port_nexus_ptr);
+bool target_parse_pr_out_transport_id(struct se_portal_group *tpg,
+ char *buf, u32 *out_tid_len, char **port_nexus_ptr, char *i_str);
/* target_core_hba.c */
struct se_hba *core_alloc_hba(const char *, u32, u32);
diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
index f4a797d3c573..28ba6a3109f2 100644
--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -1487,11 +1487,12 @@ core_scsi3_decode_spec_i_port(
LIST_HEAD(tid_dest_list);
struct pr_transport_id_holder *tidh_new, *tidh, *tidh_tmp;
unsigned char *buf, *ptr, proto_ident;
- const unsigned char *i_str = NULL;
+ unsigned char i_str[TRANSPORT_IQN_LEN];
char *iport_ptr = NULL, i_buf[PR_REG_ISID_ID_LEN];
sense_reason_t ret;
u32 tpdl, tid_len = 0;
u32 dest_rtpi = 0;
+ bool tid_found;
/*
* Allocate a struct pr_transport_id_holder and setup the
@@ -1580,9 +1581,9 @@ core_scsi3_decode_spec_i_port(
dest_rtpi = tmp_lun->lun_rtpi;
iport_ptr = NULL;
- i_str = target_parse_pr_out_transport_id(tmp_tpg,
- ptr, &tid_len, &iport_ptr);
- if (!i_str)
+ tid_found = target_parse_pr_out_transport_id(tmp_tpg,
+ ptr, &tid_len, &iport_ptr, i_str);
+ if (!tid_found)
continue;
/*
* Determine if this SCSI device server requires that
@@ -3148,13 +3149,14 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
struct t10_pr_registration *pr_reg, *pr_res_holder, *dest_pr_reg;
struct t10_reservation *pr_tmpl = &dev->t10_pr;
unsigned char *buf;
- const unsigned char *initiator_str;
+ unsigned char initiator_str[TRANSPORT_IQN_LEN];
char *iport_ptr = NULL, i_buf[PR_REG_ISID_ID_LEN] = { };
u32 tid_len, tmp_tid_len;
int new_reg = 0, type, scope, matching_iname;
sense_reason_t ret;
unsigned short rtpi;
unsigned char proto_ident;
+ bool tid_found;
if (!se_sess || !se_lun) {
pr_err("SPC-3 PR: se_sess || struct se_lun is NULL!\n");
@@ -3273,9 +3275,9 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
ret = TCM_INVALID_PARAMETER_LIST;
goto out;
}
- initiator_str = target_parse_pr_out_transport_id(dest_se_tpg,
- &buf[24], &tmp_tid_len, &iport_ptr);
- if (!initiator_str) {
+ tid_found = target_parse_pr_out_transport_id(dest_se_tpg,
+ &buf[24], &tmp_tid_len, &iport_ptr, initiator_str);
+ if (!tid_found) {
pr_err("SPC-3 PR REGISTER_AND_MOVE: Unable to locate"
" initiator_str from Transport ID\n");
ret = TCM_INVALID_PARAMETER_LIST;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 422/644] scsi: aacraid: Stop using PCI_IRQ_AFFINITY
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 421/644] scsi: target: core: Generate correct identifiers for PR OUT transport IDs Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 423/644] ipmi: Use dev_warn_ratelimited() for incorrect message warnings Greg Kroah-Hartman
` (227 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Garry, John Meneghini,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Garry <john.g.garry@oracle.com>
[ Upstream commit dafeaf2c03e71255438ffe5a341d94d180e6c88e ]
When PCI_IRQ_AFFINITY is set for calling pci_alloc_irq_vectors(), it
means interrupts are spread around the available CPUs. It also means that
the interrupts become managed, which means that an interrupt is shutdown
when all the CPUs in the interrupt affinity mask go offline.
Using managed interrupts in this way means that we should ensure that
completions should not occur on HW queues where the associated interrupt
is shutdown. This is typically achieved by ensuring only CPUs which are
online can generate IO completion traffic to the HW queue which they are
mapped to (so that they can also serve completion interrupts for that HW
queue).
The problem in the driver is that a CPU can generate completions to a HW
queue whose interrupt may be shutdown, as the CPUs in the HW queue
interrupt affinity mask may be offline. This can cause IOs to never
complete and hang the system. The driver maintains its own CPU <-> HW
queue mapping for submissions, see aac_fib_vector_assign(), but this does
not reflect the CPU <-> HW queue interrupt affinity mapping.
Commit 9dc704dcc09e ("scsi: aacraid: Reply queue mapping to CPUs based on
IRQ affinity") tried to remedy this issue may mapping CPUs properly to HW
queue interrupts. However this was later reverted in commit c5becf57dd56
("Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ
affinity") - it seems that there were other reports of hangs. I guess
that this was due to some implementation issue in the original commit or
maybe a HW issue.
Fix the very original hang by just not using managed interrupts by not
setting PCI_IRQ_AFFINITY. In this way, all CPUs will be in each HW queue
affinity mask, so should not create completion problems if any CPUs go
offline.
Signed-off-by: John Garry <john.g.garry@oracle.com>
Link: https://lore.kernel.org/r/20250715111535.499853-1-john.g.garry@oracle.com
Closes: https://lore.kernel.org/linux-scsi/20250618192427.3845724-1-jmeneghi@redhat.com/
Reviewed-by: John Meneghini <jmeneghi@redhat.com>
Tested-by: John Meneghini <jmeneghi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/aacraid/comminit.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
index 34e45c87cae0..7b520e824c29 100644
--- a/drivers/scsi/aacraid/comminit.c
+++ b/drivers/scsi/aacraid/comminit.c
@@ -481,8 +481,7 @@ void aac_define_int_mode(struct aac_dev *dev)
pci_find_capability(dev->pdev, PCI_CAP_ID_MSIX)) {
min_msix = 2;
i = pci_alloc_irq_vectors(dev->pdev,
- min_msix, msi_count,
- PCI_IRQ_MSIX | PCI_IRQ_AFFINITY);
+ min_msix, msi_count, PCI_IRQ_MSIX);
if (i > 0) {
dev->msi_enabled = 1;
msi_count = i;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 423/644] ipmi: Use dev_warn_ratelimited() for incorrect message warnings
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 422/644] scsi: aacraid: Stop using PCI_IRQ_AFFINITY Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 424/644] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() Greg Kroah-Hartman
` (226 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Corey Minyard,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit ec50ec378e3fd83bde9b3d622ceac3509a60b6b5 ]
During BMC firmware upgrades on live systems, the ipmi_msghandler
generates excessive "BMC returned incorrect response" warnings
while the BMC is temporarily offline. This can flood system logs
in large deployments.
Replace dev_warn() with dev_warn_ratelimited() to throttle these
warnings and prevent log spam during BMC maintenance operations.
Signed-off-by: Breno Leitao <leitao@debian.org>
Message-ID: <20250710-ipmi_ratelimit-v1-1-6d417015ebe9@debian.org>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 15c211c5d6f4..af563ee827aa 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -4294,10 +4294,10 @@ static int handle_one_recv_msg(struct ipmi_smi *intf,
* The NetFN and Command in the response is not even
* marginally correct.
*/
- dev_warn(intf->si_dev,
- "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n",
- (msg->data[0] >> 2) | 1, msg->data[1],
- msg->rsp[0] >> 2, msg->rsp[1]);
+ dev_warn_ratelimited(intf->si_dev,
+ "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n",
+ (msg->data[0] >> 2) | 1, msg->data[1],
+ msg->rsp[0] >> 2, msg->rsp[1]);
/* Generate an error response for the message. */
msg->rsp[0] = msg->data[0] | (1 << 2);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 424/644] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 423/644] ipmi: Use dev_warn_ratelimited() for incorrect message warnings Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 425/644] kconfig: gconf: fix potential memory leak in renderer_edited() Greg Kroah-Hartman
` (225 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit cae9cdbcd9af044810bcceeb43a87accca47c71d ]
The on_treeview2_cursor_changed() handler is connected to both the left
and right tree views, but it hardcodes model2 (the GtkTreeModel of the
right tree view). This is incorrect. Get the associated model from the
view.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/gconf.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c
index 5d1404178e48..87f8a4db5bc6 100644
--- a/scripts/kconfig/gconf.c
+++ b/scripts/kconfig/gconf.c
@@ -977,13 +977,14 @@ on_treeview2_key_press_event(GtkWidget * widget,
void
on_treeview2_cursor_changed(GtkTreeView * treeview, gpointer user_data)
{
+ GtkTreeModel *model = gtk_tree_view_get_model(treeview);
GtkTreeSelection *selection;
GtkTreeIter iter;
struct menu *menu;
selection = gtk_tree_view_get_selection(treeview);
- if (gtk_tree_selection_get_selected(selection, &model2, &iter)) {
- gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
+ if (gtk_tree_selection_get_selected(selection, &model, &iter)) {
+ gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1);
text_insert_help(menu);
}
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 425/644] kconfig: gconf: fix potential memory leak in renderer_edited()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 424/644] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 426/644] kconfig: lxdialog: fix space to (de)select options Greg Kroah-Hartman
` (224 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Randy Dunlap,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit f72ed4c6a375e52a3f4b75615e4a89d29d8acea7 ]
If gtk_tree_model_get_iter() fails, gtk_tree_path_free() is not called.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/gconf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c
index 87f8a4db5bc6..3c726ead8f7e 100644
--- a/scripts/kconfig/gconf.c
+++ b/scripts/kconfig/gconf.c
@@ -783,7 +783,7 @@ static void renderer_edited(GtkCellRendererText * cell,
struct symbol *sym;
if (!gtk_tree_model_get_iter(model2, &iter, path))
- return;
+ goto free;
gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
sym = menu->sym;
@@ -795,6 +795,7 @@ static void renderer_edited(GtkCellRendererText * cell,
update_tree(&rootmenu, NULL);
+free:
gtk_tree_path_free(path);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 426/644] kconfig: lxdialog: fix space to (de)select options
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 425/644] kconfig: gconf: fix potential memory leak in renderer_edited() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 427/644] ipmi: Fix strcpy source and destination the same Greg Kroah-Hartman
` (223 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yann E. MORIN, Peter Korsgaard,
Cherniaev Andrei, Masahiro Yamada, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yann E. MORIN <yann.morin.1998@free.fr>
[ Upstream commit 694174f94ebeeb5ec5cc0e9de9b40c82057e1d95 ]
In case a menu has comment without letters/numbers (eg. characters
matching the regexp '^[^[:alpha:][:digit:]]+$', for example - or *),
hitting space will cycle through those comments, rather than
selecting/deselecting the currently-highlighted option.
This is the behaviour of hitting any letter/digit: jump to the next
option which prompt starts with that letter. The only letters that
do not behave as such are 'y' 'm' and 'n'. Prompts that start with
one of those three letters are instead matched on the first letter
that is not 'y', 'm' or 'n'.
Fix that by treating 'space' as we treat y/m/n, ie. as an action key,
not as shortcut to jump to prompt.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Cherniaev Andrei <dungeonlords789@naver.com>
[masahiro: took from Buildroot, adjusted the commit subject]
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
| 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--git a/scripts/kconfig/lxdialog/menubox.c b/scripts/kconfig/lxdialog/menubox.c
index 58c2f8afe59b..7e10e919fbdc 100644
--- a/scripts/kconfig/lxdialog/menubox.c
+++ b/scripts/kconfig/lxdialog/menubox.c
@@ -272,7 +272,7 @@ int dialog_menu(const char *title, const char *prompt,
if (key < 256 && isalpha(key))
key = tolower(key);
- if (strchr("ynmh", key))
+ if (strchr("ynmh ", key))
i = max_choice;
else {
for (i = choice + 1; i < max_choice; i++) {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 427/644] ipmi: Fix strcpy source and destination the same
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 426/644] kconfig: lxdialog: fix space to (de)select options Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 428/644] net: phy: smsc: add proper reset flags for LAN8710A Greg Kroah-Hartman
` (222 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Corey Minyard,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Corey Minyard <corey@minyard.net>
[ Upstream commit 8ffcb7560b4a15faf821df95e3ab532b2b020f8c ]
The source and destination of some strcpy operations was the same.
Split out the part of the operations that needed to be done for those
particular calls so the unnecessary copy wasn't done.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506140756.EFXXvIP4-lkp@intel.com/
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_watchdog.c | 59 ++++++++++++++++++++++---------
1 file changed, 42 insertions(+), 17 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c
index 883b4a341012..56be20f7485b 100644
--- a/drivers/char/ipmi/ipmi_watchdog.c
+++ b/drivers/char/ipmi/ipmi_watchdog.c
@@ -1198,14 +1198,8 @@ static struct ipmi_smi_watcher smi_watcher = {
.smi_gone = ipmi_smi_gone
};
-static int action_op(const char *inval, char *outval)
+static int action_op_set_val(const char *inval)
{
- if (outval)
- strcpy(outval, action);
-
- if (!inval)
- return 0;
-
if (strcmp(inval, "reset") == 0)
action_val = WDOG_TIMEOUT_RESET;
else if (strcmp(inval, "none") == 0)
@@ -1216,18 +1210,26 @@ static int action_op(const char *inval, char *outval)
action_val = WDOG_TIMEOUT_POWER_DOWN;
else
return -EINVAL;
- strcpy(action, inval);
return 0;
}
-static int preaction_op(const char *inval, char *outval)
+static int action_op(const char *inval, char *outval)
{
+ int rv;
+
if (outval)
- strcpy(outval, preaction);
+ strcpy(outval, action);
if (!inval)
return 0;
+ rv = action_op_set_val(inval);
+ if (!rv)
+ strcpy(action, inval);
+ return rv;
+}
+static int preaction_op_set_val(const char *inval)
+{
if (strcmp(inval, "pre_none") == 0)
preaction_val = WDOG_PRETIMEOUT_NONE;
else if (strcmp(inval, "pre_smi") == 0)
@@ -1240,18 +1242,26 @@ static int preaction_op(const char *inval, char *outval)
preaction_val = WDOG_PRETIMEOUT_MSG_INT;
else
return -EINVAL;
- strcpy(preaction, inval);
return 0;
}
-static int preop_op(const char *inval, char *outval)
+static int preaction_op(const char *inval, char *outval)
{
+ int rv;
+
if (outval)
- strcpy(outval, preop);
+ strcpy(outval, preaction);
if (!inval)
return 0;
+ rv = preaction_op_set_val(inval);
+ if (!rv)
+ strcpy(preaction, inval);
+ return 0;
+}
+static int preop_op_set_val(const char *inval)
+{
if (strcmp(inval, "preop_none") == 0)
preop_val = WDOG_PREOP_NONE;
else if (strcmp(inval, "preop_panic") == 0)
@@ -1260,7 +1270,22 @@ static int preop_op(const char *inval, char *outval)
preop_val = WDOG_PREOP_GIVE_DATA;
else
return -EINVAL;
- strcpy(preop, inval);
+ return 0;
+}
+
+static int preop_op(const char *inval, char *outval)
+{
+ int rv;
+
+ if (outval)
+ strcpy(outval, preop);
+
+ if (!inval)
+ return 0;
+
+ rv = preop_op_set_val(inval);
+ if (!rv)
+ strcpy(preop, inval);
return 0;
}
@@ -1297,18 +1322,18 @@ static int __init ipmi_wdog_init(void)
{
int rv;
- if (action_op(action, NULL)) {
+ if (action_op_set_val(action)) {
action_op("reset", NULL);
pr_info("Unknown action '%s', defaulting to reset\n", action);
}
- if (preaction_op(preaction, NULL)) {
+ if (preaction_op_set_val(preaction)) {
preaction_op("pre_none", NULL);
pr_info("Unknown preaction '%s', defaulting to none\n",
preaction);
}
- if (preop_op(preop, NULL)) {
+ if (preop_op_set_val(preop)) {
preop_op("preop_none", NULL);
pr_info("Unknown preop '%s', defaulting to none\n", preop);
}
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 428/644] net: phy: smsc: add proper reset flags for LAN8710A
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 427/644] ipmi: Fix strcpy source and destination the same Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 429/644] block: avoid possible overflow for chunk_sectors check in blk_stack_limits() Greg Kroah-Hartman
` (221 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Buday Csaba, Csókás Bence,
Andrew Lunn, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Buday Csaba <buday.csaba@prolan.hu>
[ Upstream commit 57ec5a8735dc5dccd1ee68afdb1114956a3fce0d ]
According to the LAN8710A datasheet (Rev. B, section 3.8.5.1), a hardware
reset is required after power-on, and the reference clock (REF_CLK) must be
established before asserting reset.
Signed-off-by: Buday Csaba <buday.csaba@prolan.hu>
Cc: Csókás Bence <csokas.bence@prolan.hu>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250728152916.46249-2-csokas.bence@prolan.hu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/smsc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
index 5c3ebb66fceb..4175df632de2 100644
--- a/drivers/net/phy/smsc.c
+++ b/drivers/net/phy/smsc.c
@@ -452,6 +452,7 @@ static struct phy_driver smsc_phy_driver[] = {
/* PHY_BASIC_FEATURES */
+ .flags = PHY_RST_AFTER_CLK_EN,
.probe = smsc_phy_probe,
.remove = smsc_phy_remove,
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 429/644] block: avoid possible overflow for chunk_sectors check in blk_stack_limits()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 428/644] net: phy: smsc: add proper reset flags for LAN8710A Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 430/644] pNFS: Fix stripe mapping in block/scsi layout Greg Kroah-Hartman
` (220 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hannes Reinecke, Martin K. Petersen,
John Garry, Damien Le Moal, Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Garry <john.g.garry@oracle.com>
[ Upstream commit 448dfecc7ff807822ecd47a5c052acedca7d09e8 ]
In blk_stack_limits(), we check that the t->chunk_sectors value is a
multiple of the t->physical_block_size value.
However, by finding the chunk_sectors value in bytes, we may overflow
the unsigned int which holds chunk_sectors, so change the check to be
based on sectors.
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20250729091448.1691334-2-john.g.garry@oracle.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-settings.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/blk-settings.c b/block/blk-settings.c
index 1b92e6624951..d501084bab4a 100644
--- a/block/blk-settings.c
+++ b/block/blk-settings.c
@@ -596,7 +596,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
}
/* chunk_sectors a multiple of the physical block size? */
- if ((t->chunk_sectors << 9) & (t->physical_block_size - 1)) {
+ if (t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT)) {
t->chunk_sectors = 0;
t->misaligned = 1;
ret = -1;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 430/644] pNFS: Fix stripe mapping in block/scsi layout
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 429/644] block: avoid possible overflow for chunk_sectors check in blk_stack_limits() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 431/644] pNFS: Fix disk addr range check " Greg Kroah-Hartman
` (219 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Bashirov, Christoph Hellwig,
Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Bashirov <sergeybashirov@gmail.com>
[ Upstream commit 81438498a285759f31e843ac4800f82a5ce6521f ]
Because of integer division, we need to carefully calculate the
disk offset. Consider the example below for a stripe of 6 volumes,
a chunk size of 4096, and an offset of 70000.
chunk = div_u64(offset, dev->chunk_size) = 70000 / 4096 = 17
offset = chunk * dev->chunk_size = 17 * 4096 = 69632
disk_offset_wrong = div_u64(offset, dev->nr_children) = 69632 / 6 = 11605
disk_chunk = div_u64(chunk, dev->nr_children) = 17 / 6 = 2
disk_offset = disk_chunk * dev->chunk_size = 2 * 4096 = 8192
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250701122341.199112-1-sergeybashirov@gmail.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/blocklayout/dev.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c
index 16412d6636e8..4e176d7d704d 100644
--- a/fs/nfs/blocklayout/dev.c
+++ b/fs/nfs/blocklayout/dev.c
@@ -199,10 +199,11 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset,
struct pnfs_block_dev *child;
u64 chunk;
u32 chunk_idx;
+ u64 disk_chunk;
u64 disk_offset;
chunk = div_u64(offset, dev->chunk_size);
- div_u64_rem(chunk, dev->nr_children, &chunk_idx);
+ disk_chunk = div_u64_rem(chunk, dev->nr_children, &chunk_idx);
if (chunk_idx >= dev->nr_children) {
dprintk("%s: invalid chunk idx %d (%lld/%lld)\n",
@@ -215,7 +216,7 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset,
offset = chunk * dev->chunk_size;
/* disk offset of the stripe */
- disk_offset = div_u64(offset, dev->nr_children);
+ disk_offset = disk_chunk * dev->chunk_size;
child = &dev->children[chunk_idx];
child->map(child, disk_offset, map);
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 431/644] pNFS: Fix disk addr range check in block/scsi layout
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 430/644] pNFS: Fix stripe mapping in block/scsi layout Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 432/644] pNFS: Handle RPC size limit for layoutcommits Greg Kroah-Hartman
` (218 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Bashirov, Christoph Hellwig,
Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Bashirov <sergeybashirov@gmail.com>
[ Upstream commit 7db6e66663681abda54f81d5916db3a3b8b1a13d ]
At the end of the isect translation, disc_addr represents the physical
disk offset. Thus, end calculated from disk_addr is also a physical disk
offset. Therefore, range checking should be done using map->disk_offset,
not map->start.
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250702133226.212537-1-sergeybashirov@gmail.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/blocklayout/blocklayout.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
index dc657b12822d..76423557f5b3 100644
--- a/fs/nfs/blocklayout/blocklayout.c
+++ b/fs/nfs/blocklayout/blocklayout.c
@@ -166,8 +166,8 @@ do_add_page_to_bio(struct bio *bio, int npg, int rw, sector_t isect,
/* limit length to what the device mapping allows */
end = disk_addr + *len;
- if (end >= map->start + map->len)
- *len = map->start + map->len - disk_addr;
+ if (end >= map->disk_offset + map->len)
+ *len = map->disk_offset + map->len - disk_addr;
retry:
if (!bio) {
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 432/644] pNFS: Handle RPC size limit for layoutcommits
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 431/644] pNFS: Fix disk addr range check " Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 433/644] pNFS: Fix uninited ptr deref in block/scsi layout Greg Kroah-Hartman
` (217 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konstantin Evtushenko,
Sergey Bashirov, Christoph Hellwig, Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Bashirov <sergeybashirov@gmail.com>
[ Upstream commit d897d81671bc4615c80f4f3bd5e6b218f59df50c ]
When there are too many block extents for a layoutcommit, they may not
all fit into the maximum-sized RPC. This patch allows the generic pnfs
code to properly handle -ENOSPC returned by the block/scsi layout driver
and trigger additional layoutcommits if necessary.
Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250630183537.196479-5-sergeybashirov@gmail.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/pnfs.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index b41c6fced75a..ef273b71f019 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -3216,6 +3216,7 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync)
struct nfs_inode *nfsi = NFS_I(inode);
loff_t end_pos;
int status;
+ bool mark_as_dirty = false;
if (!pnfs_layoutcommit_outstanding(inode))
return 0;
@@ -3267,19 +3268,23 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync)
if (ld->prepare_layoutcommit) {
status = ld->prepare_layoutcommit(&data->args);
if (status) {
- put_cred(data->cred);
+ if (status != -ENOSPC)
+ put_cred(data->cred);
spin_lock(&inode->i_lock);
set_bit(NFS_INO_LAYOUTCOMMIT, &nfsi->flags);
if (end_pos > nfsi->layout->plh_lwb)
nfsi->layout->plh_lwb = end_pos;
- goto out_unlock;
+ if (status != -ENOSPC)
+ goto out_unlock;
+ spin_unlock(&inode->i_lock);
+ mark_as_dirty = true;
}
}
status = nfs4_proc_layoutcommit(data, sync);
out:
- if (status)
+ if (status || mark_as_dirty)
mark_inode_dirty_sync(inode);
dprintk("<-- %s status %d\n", __func__, status);
return status;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 433/644] pNFS: Fix uninited ptr deref in block/scsi layout
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 432/644] pNFS: Handle RPC size limit for layoutcommits Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 434/644] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe Greg Kroah-Hartman
` (216 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konstantin Evtushenko,
Sergey Bashirov, Christoph Hellwig, Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Bashirov <sergeybashirov@gmail.com>
[ Upstream commit 9768797c219326699778fba9cd3b607b2f1e7950 ]
The error occurs on the third attempt to encode extents. When function
ext_tree_prepare_commit() reallocates a larger buffer to retry encoding
extents, the "layoutupdate_pages" page array is initialized only after the
retry loop. But ext_tree_free_commitdata() is called on every iteration
and tries to put pages in the array, thus dereferencing uninitialized
pointers.
An additional problem is that there is no limit on the maximum possible
buffer_size. When there are too many extents, the client may create a
layoutcommit that is larger than the maximum possible RPC size accepted
by the server.
During testing, we observed two typical scenarios. First, one memory page
for extents is enough when we work with small files, append data to the
end of the file, or preallocate extents before writing. But when we fill
a new large file without preallocating, the number of extents can be huge,
and counting the number of written extents in ext_tree_encode_commit()
does not help much. Since this number increases even more between
unlocking and locking of ext_tree, the reallocated buffer may not be
large enough again and again.
Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250630183537.196479-2-sergeybashirov@gmail.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/blocklayout/extent_tree.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/fs/nfs/blocklayout/extent_tree.c b/fs/nfs/blocklayout/extent_tree.c
index 8f7cff7a4293..0add0f329816 100644
--- a/fs/nfs/blocklayout/extent_tree.c
+++ b/fs/nfs/blocklayout/extent_tree.c
@@ -552,6 +552,15 @@ static int ext_tree_encode_commit(struct pnfs_block_layout *bl, __be32 *p,
return ret;
}
+/**
+ * ext_tree_prepare_commit - encode extents that need to be committed
+ * @arg: layout commit data
+ *
+ * Return values:
+ * %0: Success, all required extents are encoded
+ * %-ENOSPC: Some extents are encoded, but not all, due to RPC size limit
+ * %-ENOMEM: Out of memory, extents not encoded
+ */
int
ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
{
@@ -568,12 +577,12 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
start_p = page_address(arg->layoutupdate_page);
arg->layoutupdate_pages = &arg->layoutupdate_page;
-retry:
- ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, &count, &arg->lastbytewritten);
+ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size,
+ &count, &arg->lastbytewritten);
if (unlikely(ret)) {
ext_tree_free_commitdata(arg, buffer_size);
- buffer_size = ext_tree_layoutupdate_size(bl, count);
+ buffer_size = NFS_SERVER(arg->inode)->wsize;
count = 0;
arg->layoutupdate_pages =
@@ -588,7 +597,8 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
return -ENOMEM;
}
- goto retry;
+ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size,
+ &count, &arg->lastbytewritten);
}
*start_p = cpu_to_be32(count);
@@ -608,7 +618,7 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
}
dprintk("%s found %zu ranges\n", __func__, count);
- return 0;
+ return ret;
}
void
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 434/644] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 433/644] pNFS: Fix uninited ptr deref in block/scsi layout Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 435/644] scsi: lpfc: Remove redundant assignment to avoid memory leak Greg Kroah-Hartman
` (215 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Meagan Lloyd, Tyler Hicks,
Rodolfo Giometti, Alexandre Belloni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
[ Upstream commit 48458654659c9c2e149c211d86637f1592470da5 ]
In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the
kernel time as long as rtc_read_time() succeeds. In some power loss
situations, our supercapacitor-backed DS1342 RTC comes up with either an
unpredictable future time or the default 01/01/00 from the datasheet.
The oscillator stop flag (OSF) is set in these scenarios due to the
power loss and can be used to determine the validity of the RTC data.
Some chip types in the ds1307 driver already have OSF handling to
determine whether .read_time provides valid RTC data or returns -EINVAL.
This change removes the clear of the OSF in .probe as the OSF needs to
be preserved to expand the OSF handling to the ds1341 chip type (note
that DS1341 and DS1342 share a datasheet).
Signed-off-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
Reviewed-by: Tyler Hicks <code@tyhicks.com>
Acked-by: Rodolfo Giometti <giometti@enneenne.com>
Link: https://lore.kernel.org/r/1749665656-30108-2-git-send-email-meaganlloyd@linux.microsoft.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-ds1307.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
index f8e32f5c37e3..e02bc2a2e77f 100644
--- a/drivers/rtc/rtc-ds1307.c
+++ b/drivers/rtc/rtc-ds1307.c
@@ -1819,10 +1819,8 @@ static int ds1307_probe(struct i2c_client *client,
regmap_write(ds1307->regmap, DS1337_REG_CONTROL,
regs[0]);
- /* oscillator fault? clear flag, and warn */
+ /* oscillator fault? warn */
if (regs[1] & DS1337_BIT_OSF) {
- regmap_write(ds1307->regmap, DS1337_REG_STATUS,
- regs[1] & ~DS1337_BIT_OSF);
dev_warn(ds1307->dev, "SET TIME!\n");
}
break;
--
2.39.5
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 435/644] scsi: lpfc: Remove redundant assignment to avoid memory leak
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 434/644] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 436/644] ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe() Greg Kroah-Hartman
` (214 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Justin Tee,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
[ Upstream commit eea6cafb5890db488fce1c69d05464214616d800 ]
Remove the redundant assignment if kzalloc() succeeds to avoid memory
leak.
Fixes: bd2cdd5e400f ("scsi: lpfc: NVME Initiator: Add debugfs support")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://lore.kernel.org/r/20250801185202.42631-1-jiashengjiangcool@gmail.com
Reviewed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_debugfs.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index a15ad76aee21..b2578186df63 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -6279,7 +6279,6 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
}
phba->nvmeio_trc_on = 1;
phba->nvmeio_trc_output_idx = 0;
- phba->nvmeio_trc = NULL;
} else {
nvmeio_off:
phba->nvmeio_trc_size = 0;
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 436/644] ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 435/644] scsi: lpfc: Remove redundant assignment to avoid memory leak Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 437/644] ASoC: soc-dai.h: merge DAI call back functions into ops Greg Kroah-Hartman
` (213 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 5c5a7521e9364a40fe2c1b67ab79991e3e9085df ]
dai->probed is used at snd_soc_pcm_dai_probe/remove(),
and used to call real remove() function only when it was probed.
int snd_soc_pcm_dai_probe(...)
{
...
for_each_rtd_dais(rtd, i, dai) {
...
if (dai->driver->probe) {
(A) int ret = dai->driver->probe(dai);
if (ret < 0)
return soc_dai_ret(dai, ret);
}
=> dai->probed = 1;
}
...
}
int snd_soc_pcm_dai_remove(...)
{
...
for_each_rtd_dais(rtd, i, dai) {
...
=> if (dai->probed &&
...) {
...
}
=> dai->probed = 0;
}
...
}
But on probe() case, we need to check dai->probed before calling
real probe() function at (A), otherwise real probe() might be called
multi times (but real remove() will be called only once).
This patch checks it at probe().
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87wn3u64e6.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0e270f32975f ("ASoC: fsl_sai: replace regmap_write with regmap_update_bits")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/soc-dai.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/soc-dai.c b/sound/soc/soc-dai.c
index 8165f5537043..703aa9a76d03 100644
--- a/sound/soc/soc-dai.c
+++ b/sound/soc/soc-dai.c
@@ -561,6 +561,9 @@ int snd_soc_pcm_dai_probe(struct snd_soc_pcm_runtime *rtd, int order)
if (dai->driver->probe_order != order)
continue;
+ if (dai->probed)
+ continue;
+
if (dai->driver->probe) {
int ret = dai->driver->probe(dai);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 437/644] ASoC: soc-dai.h: merge DAI call back functions into ops
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 436/644] ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 438/644] ASoC: fsl_sai: replace regmap_write with regmap_update_bits Greg Kroah-Hartman
` (212 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit 3e8bcec0787d1a73703c915c31cb00a2fd18ccbf ]
snd_soc_dai_driver has .ops for call back functions (A), but it also
has other call back functions (B). It is duplicated and confusable.
struct snd_soc_dai_driver {
...
^ int (*probe)(...);
| int (*remove)(...);
(B) int (*compress_new)(...);
| int (*pcm_new)(...);
v ...
(A) const struct snd_soc_dai_ops *ops;
...
}
This patch merges (B) into (A).
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/87v8dpb0w6.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 0e270f32975f ("ASoC: fsl_sai: replace regmap_write with regmap_update_bits")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/soc-dai.h | 13 ++++++++
sound/soc/generic/audio-graph-card.c | 2 +-
sound/soc/soc-core.c | 25 ++++++++++++++++
sound/soc/soc-dai.c | 44 ++++++++++++++++------------
4 files changed, 64 insertions(+), 20 deletions(-)
diff --git a/include/sound/soc-dai.h b/include/sound/soc-dai.h
index ef3bb1bcea4e..b42dbe2469af 100644
--- a/include/sound/soc-dai.h
+++ b/include/sound/soc-dai.h
@@ -266,6 +266,15 @@ int snd_soc_dai_compr_get_metadata(struct snd_soc_dai *dai,
struct snd_compr_metadata *metadata);
struct snd_soc_dai_ops {
+ /* DAI driver callbacks */
+ int (*probe)(struct snd_soc_dai *dai);
+ int (*remove)(struct snd_soc_dai *dai);
+ /* compress dai */
+ int (*compress_new)(struct snd_soc_pcm_runtime *rtd, int num);
+ /* Optional Callback used at pcm creation*/
+ int (*pcm_new)(struct snd_soc_pcm_runtime *rtd,
+ struct snd_soc_dai *dai);
+
/*
* DAI clocking configuration, all optional.
* Called by soc_card drivers, normally in their hw_params.
@@ -347,6 +356,10 @@ struct snd_soc_dai_ops {
u64 *auto_selectable_formats;
int num_auto_selectable_formats;
+ /* probe ordering - for components with runtime dependencies */
+ int probe_order;
+ int remove_order;
+
/* bit field */
unsigned int no_capture_mute:1;
};
diff --git a/sound/soc/generic/audio-graph-card.c b/sound/soc/generic/audio-graph-card.c
index 89814f68ff56..e50527766dcc 100644
--- a/sound/soc/generic/audio-graph-card.c
+++ b/sound/soc/generic/audio-graph-card.c
@@ -114,7 +114,7 @@ static bool soc_component_is_pcm(struct snd_soc_dai_link_component *dlc)
struct snd_soc_dai *dai = snd_soc_find_dai_with_mutex(dlc);
if (dai && (dai->component->driver->pcm_construct ||
- dai->driver->pcm_new))
+ (dai->driver->ops && dai->driver->ops->pcm_new)))
return true;
return false;
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index d28261ef1d4c..854d8f62008e 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -2454,6 +2454,7 @@ struct snd_soc_dai *snd_soc_register_dai(struct snd_soc_component *component,
{
struct device *dev = component->dev;
struct snd_soc_dai *dai;
+ struct snd_soc_dai_ops *ops; /* REMOVE ME */
dev_dbg(dev, "ASoC: dynamically register DAI %s\n", dev_name(dev));
@@ -2484,6 +2485,30 @@ struct snd_soc_dai *snd_soc_register_dai(struct snd_soc_component *component,
if (!dai->name)
return NULL;
+ /* REMOVE ME */
+ if (dai_drv->probe ||
+ dai_drv->remove ||
+ dai_drv->compress_new ||
+ dai_drv->pcm_new ||
+ dai_drv->probe_order ||
+ dai_drv->remove_order) {
+
+ ops = devm_kzalloc(dev, sizeof(struct snd_soc_dai_ops), GFP_KERNEL);
+ if (!ops)
+ return NULL;
+ if (dai_drv->ops)
+ memcpy(ops, dai_drv->ops, sizeof(struct snd_soc_dai_ops));
+
+ ops->probe = dai_drv->probe;
+ ops->remove = dai_drv->remove;
+ ops->compress_new = dai_drv->compress_new;
+ ops->pcm_new = dai_drv->pcm_new;
+ ops->probe_order = dai_drv->probe_order;
+ ops->remove_order = dai_drv->remove_order;
+
+ dai_drv->ops = ops;
+ }
+
dai->component = component;
dai->dev = dev;
dai->driver = dai_drv;
diff --git a/sound/soc/soc-dai.c b/sound/soc/soc-dai.c
index 703aa9a76d03..4f7edef1e735 100644
--- a/sound/soc/soc-dai.c
+++ b/sound/soc/soc-dai.c
@@ -473,8 +473,9 @@ int snd_soc_dai_compress_new(struct snd_soc_dai *dai,
struct snd_soc_pcm_runtime *rtd, int num)
{
int ret = -ENOTSUPP;
- if (dai->driver->compress_new)
- ret = dai->driver->compress_new(rtd, num);
+ if (dai->driver->ops &&
+ dai->driver->ops->compress_new)
+ ret = dai->driver->ops->compress_new(rtd, num);
return soc_dai_ret(dai, ret);
}
@@ -558,19 +559,20 @@ int snd_soc_pcm_dai_probe(struct snd_soc_pcm_runtime *rtd, int order)
int i;
for_each_rtd_dais(rtd, i, dai) {
- if (dai->driver->probe_order != order)
- continue;
-
if (dai->probed)
continue;
- if (dai->driver->probe) {
- int ret = dai->driver->probe(dai);
+ if (dai->driver->ops) {
+ if (dai->driver->ops->probe_order != order)
+ continue;
- if (ret < 0)
- return soc_dai_ret(dai, ret);
- }
+ if (dai->driver->ops->probe) {
+ int ret = dai->driver->ops->probe(dai);
+ if (ret < 0)
+ return soc_dai_ret(dai, ret);
+ }
+ }
dai->probed = 1;
}
@@ -583,16 +585,19 @@ int snd_soc_pcm_dai_remove(struct snd_soc_pcm_runtime *rtd, int order)
int i, r, ret = 0;
for_each_rtd_dais(rtd, i, dai) {
- if (dai->driver->remove_order != order)
+ if (!dai->probed)
continue;
- if (dai->probed &&
- dai->driver->remove) {
- r = dai->driver->remove(dai);
- if (r < 0)
- ret = r; /* use last error */
- }
+ if (dai->driver->ops) {
+ if (dai->driver->ops->remove_order != order)
+ continue;
+ if (dai->driver->ops->remove) {
+ r = dai->driver->ops->remove(dai);
+ if (r < 0)
+ ret = r; /* use last error */
+ }
+ }
dai->probed = 0;
}
@@ -605,8 +610,9 @@ int snd_soc_pcm_dai_new(struct snd_soc_pcm_runtime *rtd)
int i;
for_each_rtd_dais(rtd, i, dai) {
- if (dai->driver->pcm_new) {
- int ret = dai->driver->pcm_new(rtd, dai);
+ if (dai->driver->ops &&
+ dai->driver->ops->pcm_new) {
+ int ret = dai->driver->ops->pcm_new(rtd, dai);
if (ret < 0)
return soc_dai_ret(dai, ret);
}
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 438/644] ASoC: fsl_sai: replace regmap_write with regmap_update_bits
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 437/644] ASoC: soc-dai.h: merge DAI call back functions into ops Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 439/644] drm/amdgpu: fix incorrect vm flags to map bo Greg Kroah-Hartman
` (211 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 0e270f32975fd21874185ba53653630dd40bf560 ]
Use the regmap_write() for software reset in fsl_sai_config_disable would
cause the FSL_SAI_CSR_BCE bit to be cleared. Refer to
commit 197c53c8ecb34 ("ASoC: fsl_sai: Don't disable bitclock for i.MX8MP")
FSL_SAI_CSR_BCE should not be cleared. So need to use regmap_update_bits()
instead of regmap_write() for these bit operations.
Fixes: dc78f7e59169d ("ASoC: fsl_sai: Force a software reset when starting in consumer mode")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20250807020318.2143219-1-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_sai.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
index 058b179f5453..45d8ef029a63 100644
--- a/sound/soc/fsl/fsl_sai.c
+++ b/sound/soc/fsl/fsl_sai.c
@@ -586,9 +586,9 @@ static void fsl_sai_config_disable(struct fsl_sai *sai, int dir)
* are running concurrently.
*/
/* Software Reset */
- regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR);
+ regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR, FSL_SAI_CSR_SR);
/* Clear SR bit to finish the reset */
- regmap_write(sai->regmap, FSL_SAI_xCSR(tx, ofs), 0);
+ regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs), FSL_SAI_CSR_SR, 0);
}
static int fsl_sai_trigger(struct snd_pcm_substream *substream, int cmd,
@@ -718,11 +718,11 @@ static int fsl_sai_dai_probe(struct snd_soc_dai *cpu_dai)
unsigned int ofs = sai->soc_data->reg_offset;
/* Software Reset for both Tx and Rx */
- regmap_write(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR);
- regmap_write(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR);
+ regmap_update_bits(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR, FSL_SAI_CSR_SR);
+ regmap_update_bits(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR, FSL_SAI_CSR_SR);
/* Clear SR bit to finish the reset */
- regmap_write(sai->regmap, FSL_SAI_TCSR(ofs), 0);
- regmap_write(sai->regmap, FSL_SAI_RCSR(ofs), 0);
+ regmap_update_bits(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR, 0);
+ regmap_update_bits(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR, 0);
regmap_update_bits(sai->regmap, FSL_SAI_TCR1(ofs),
FSL_SAI_CR1_RFW_MASK(sai->soc_data->fifo_depth),
@@ -1303,11 +1303,11 @@ static int fsl_sai_runtime_resume(struct device *dev)
regcache_cache_only(sai->regmap, false);
regcache_mark_dirty(sai->regmap);
- regmap_write(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR);
- regmap_write(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR);
+ regmap_update_bits(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR, FSL_SAI_CSR_SR);
+ regmap_update_bits(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR, FSL_SAI_CSR_SR);
usleep_range(1000, 2000);
- regmap_write(sai->regmap, FSL_SAI_TCSR(ofs), 0);
- regmap_write(sai->regmap, FSL_SAI_RCSR(ofs), 0);
+ regmap_update_bits(sai->regmap, FSL_SAI_TCSR(ofs), FSL_SAI_CSR_SR, 0);
+ regmap_update_bits(sai->regmap, FSL_SAI_RCSR(ofs), FSL_SAI_CSR_SR, 0);
ret = regcache_sync(sai->regmap);
if (ret)
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 439/644] drm/amdgpu: fix incorrect vm flags to map bo
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 438/644] ASoC: fsl_sai: replace regmap_write with regmap_update_bits Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 440/644] ext4: fix largest free orders lists corruption on mb_optimize_scan switch Greg Kroah-Hartman
` (210 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jack Xiao, Likun Gao, Alex Deucher,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jack Xiao <Jack.Xiao@amd.com>
[ Upstream commit 040bc6d0e0e9c814c9c663f6f1544ebaff6824a8 ]
It should use vm flags instead of pte flags
to specify bo vm attributes.
Fixes: 7946340fa389 ("drm/amdgpu: Move csa related code to separate file")
Signed-off-by: Jack Xiao <Jack.Xiao@amd.com>
Reviewed-by: Likun Gao <Likun.Gao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b08425fa77ad2f305fe57a33dceb456be03b653f)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c
index da21e60bb827..f5441ce15373 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c
@@ -93,8 +93,8 @@ int amdgpu_map_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm,
}
r = amdgpu_vm_bo_map(adev, *bo_va, csa_addr, 0, size,
- AMDGPU_PTE_READABLE | AMDGPU_PTE_WRITEABLE |
- AMDGPU_PTE_EXECUTABLE);
+ AMDGPU_VM_PAGE_READABLE | AMDGPU_VM_PAGE_WRITEABLE |
+ AMDGPU_VM_PAGE_EXECUTABLE);
if (r) {
DRM_ERROR("failed to do bo_map on static CSA, err=%d\n", r);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 440/644] ext4: fix largest free orders lists corruption on mb_optimize_scan switch
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 439/644] drm/amdgpu: fix incorrect vm flags to map bo Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 441/644] usb: core: config: Prevent OOB read in SS endpoint companion parsing Greg Kroah-Hartman
` (209 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Baokun Li, Zhang Yi,
Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 7d345aa1fac4c2ec9584fbd6f389f2c2368671d5 upstream.
The grp->bb_largest_free_order is updated regardless of whether
mb_optimize_scan is enabled. This can lead to inconsistencies between
grp->bb_largest_free_order and the actual s_mb_largest_free_orders list
index when mb_optimize_scan is repeatedly enabled and disabled via remount.
For example, if mb_optimize_scan is initially enabled, largest free
order is 3, and the group is in s_mb_largest_free_orders[3]. Then,
mb_optimize_scan is disabled via remount, block allocations occur,
updating largest free order to 2. Finally, mb_optimize_scan is re-enabled
via remount, more block allocations update largest free order to 1.
At this point, the group would be removed from s_mb_largest_free_orders[3]
under the protection of s_mb_largest_free_orders_locks[2]. This lock
mismatch can lead to list corruption.
To fix this, whenever grp->bb_largest_free_order changes, we now always
attempt to remove the group from its old order list. However, we only
insert the group into the new order list if `mb_optimize_scan` is enabled.
This approach helps prevent lock inconsistencies and ensures the data in
the order lists remains reliable.
Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning")
CC: stable@vger.kernel.org
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20250714130327.1830534-12-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 33 ++++++++++++++-------------------
1 file changed, 14 insertions(+), 19 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1082,33 +1082,28 @@ static void
mb_set_largest_free_order(struct super_block *sb, struct ext4_group_info *grp)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
- int i;
+ int new, old = grp->bb_largest_free_order;
- for (i = MB_NUM_ORDERS(sb) - 1; i >= 0; i--)
- if (grp->bb_counters[i] > 0)
+ for (new = MB_NUM_ORDERS(sb) - 1; new >= 0; new--)
+ if (grp->bb_counters[new] > 0)
break;
+
/* No need to move between order lists? */
- if (!test_opt2(sb, MB_OPTIMIZE_SCAN) ||
- i == grp->bb_largest_free_order) {
- grp->bb_largest_free_order = i;
+ if (new == old)
return;
- }
- if (grp->bb_largest_free_order >= 0) {
- write_lock(&sbi->s_mb_largest_free_orders_locks[
- grp->bb_largest_free_order]);
+ if (old >= 0 && !list_empty(&grp->bb_largest_free_order_node)) {
+ write_lock(&sbi->s_mb_largest_free_orders_locks[old]);
list_del_init(&grp->bb_largest_free_order_node);
- write_unlock(&sbi->s_mb_largest_free_orders_locks[
- grp->bb_largest_free_order]);
+ write_unlock(&sbi->s_mb_largest_free_orders_locks[old]);
}
- grp->bb_largest_free_order = i;
- if (grp->bb_largest_free_order >= 0 && grp->bb_free) {
- write_lock(&sbi->s_mb_largest_free_orders_locks[
- grp->bb_largest_free_order]);
+
+ grp->bb_largest_free_order = new;
+ if (test_opt2(sb, MB_OPTIMIZE_SCAN) && new >= 0 && grp->bb_free) {
+ write_lock(&sbi->s_mb_largest_free_orders_locks[new]);
list_add_tail(&grp->bb_largest_free_order_node,
- &sbi->s_mb_largest_free_orders[grp->bb_largest_free_order]);
- write_unlock(&sbi->s_mb_largest_free_orders_locks[
- grp->bb_largest_free_order]);
+ &sbi->s_mb_largest_free_orders[new]);
+ write_unlock(&sbi->s_mb_largest_free_orders_locks[new]);
}
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 441/644] usb: core: config: Prevent OOB read in SS endpoint companion parsing
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 440/644] ext4: fix largest free orders lists corruption on mb_optimize_scan switch Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 442/644] misc: rtsx: usb: Ensure mmc child device is active when card is present Greg Kroah-Hartman
` (208 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xinyu Liu, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xinyu Liu <katieeliu@tencent.com>
commit cf16f408364efd8a68f39011a3b073c83a03612d upstream.
usb_parse_ss_endpoint_companion() checks descriptor type before length,
enabling a potentially odd read outside of the buffer size.
Fix this up by checking the size first before looking at any of the
fields in the descriptor.
Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/config.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -81,8 +81,14 @@ static void usb_parse_ss_endpoint_compan
*/
desc = (struct usb_ss_ep_comp_descriptor *) buffer;
- if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP ||
- size < USB_DT_SS_EP_COMP_SIZE) {
+ if (size < USB_DT_SS_EP_COMP_SIZE) {
+ dev_notice(ddev,
+ "invalid SuperSpeed endpoint companion descriptor "
+ "of length %d, skipping\n", size);
+ return;
+ }
+
+ if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP) {
dev_notice(ddev, "No SuperSpeed endpoint companion for config %d "
" interface %d altsetting %d ep %d: "
"using minimum values\n",
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 442/644] misc: rtsx: usb: Ensure mmc child device is active when card is present
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 441/644] usb: core: config: Prevent OOB read in SS endpoint companion parsing Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 443/644] usb: typec: ucsi: Update power_supply on power role change Greg Kroah-Hartman
` (207 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ricky Wu, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricky Wu <ricky_wu@realtek.com>
commit 966c5cd72be8989c8a559ddef8e8ff07a37c5eb0 upstream.
When a card is present in the reader, the driver currently defers
autosuspend by returning -EAGAIN during the suspend callback to
trigger USB remote wakeup signaling. However, this does not guarantee
that the mmc child device has been resumed, which may cause issues if
it remains suspended while the card is accessible.
This patch ensures that all child devices, including the mmc host
controller, are explicitly resumed before returning -EAGAIN. This
fixes a corner case introduced by earlier remote wakeup handling,
improving reliability of runtime PM when a card is inserted.
Fixes: 883a87ddf2f1 ("misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection")
Cc: stable@vger.kernel.org
Signed-off-by: Ricky Wu <ricky_wu@realtek.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://lore.kernel.org/r/20250711140143.2105224-1-ricky_wu@realtek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/cardreader/rtsx_usb.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/drivers/misc/cardreader/rtsx_usb.c
+++ b/drivers/misc/cardreader/rtsx_usb.c
@@ -698,6 +698,12 @@ static void rtsx_usb_disconnect(struct u
}
#ifdef CONFIG_PM
+static int rtsx_usb_resume_child(struct device *dev, void *data)
+{
+ pm_request_resume(dev);
+ return 0;
+}
+
static int rtsx_usb_suspend(struct usb_interface *intf, pm_message_t message)
{
struct rtsx_ucr *ucr =
@@ -713,8 +719,10 @@ static int rtsx_usb_suspend(struct usb_i
mutex_unlock(&ucr->dev_mutex);
/* Defer the autosuspend if card exists */
- if (val & (SD_CD | MS_CD))
+ if (val & (SD_CD | MS_CD)) {
+ device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child);
return -EAGAIN;
+ }
} else {
/* There is an ongoing operation*/
return -EAGAIN;
@@ -724,12 +732,6 @@ static int rtsx_usb_suspend(struct usb_i
return 0;
}
-static int rtsx_usb_resume_child(struct device *dev, void *data)
-{
- pm_request_resume(dev);
- return 0;
-}
-
static int rtsx_usb_resume(struct usb_interface *intf)
{
device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 443/644] usb: typec: ucsi: Update power_supply on power role change
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 442/644] misc: rtsx: usb: Ensure mmc child device is active when card is present Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 444/644] comedi: fix race between polling and detaching Greg Kroah-Hartman
` (206 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Myrrh Periwinkle,
Heikki Krogerus
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
commit 7616f006db07017ef5d4ae410fca99279aaca7aa upstream.
The current power direction of an USB-C port also influences the
power_supply's online status, so a power role change should also update
the power_supply.
Fixes an issue on some systems where plugging in a normal USB device in
for the first time after a reboot will cause upower to erroneously
consider the system to be connected to AC power.
Cc: stable <stable@kernel.org>
Fixes: 0e6371fbfba3 ("usb: typec: ucsi: Report power supply changes")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250721-fix-ucsi-pwr-dir-notify-v1-1-e53d5340cb38@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/ucsi/ucsi.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -793,6 +793,7 @@ static void ucsi_handle_connector_change
if (con->status.change & UCSI_CONSTAT_CONNECT_CHANGE) {
typec_set_pwr_role(con->port, role);
+ ucsi_port_psy_changed(con);
switch (UCSI_CONSTAT_PARTNER_TYPE(con->status.flags)) {
case UCSI_CONSTAT_PARTNER_TYPE_UFP:
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 444/644] comedi: fix race between polling and detaching
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 443/644] usb: typec: ucsi: Update power_supply on power role change Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 445/644] thunderbolt: Fix copy+paste error in match_service_id() Greg Kroah-Hartman
` (205 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+01523a0ae5600aef5895,
Jens Axboe, Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 35b6fc51c666fc96355be5cd633ed0fe4ccf68b2 upstream.
syzbot reports a use-after-free in comedi in the below link, which is
due to comedi gladly removing the allocated async area even though poll
requests are still active on the wait_queue_head inside of it. This can
cause a use-after-free when the poll entries are later triggered or
removed, as the memory for the wait_queue_head has been freed. We need
to check there are no tasks queued on any of the subdevices' wait queues
before allowing the device to be detached by the `COMEDI_DEVCONFIG`
ioctl.
Tasks will read-lock `dev->attach_lock` before adding themselves to the
subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl
handler by write-locking `dev->attach_lock` before checking that all of
the subdevices are safe to be deleted. This includes testing for any
sleepers on the subdevices' wait queues. It remains locked until the
device has been detached. This requires the `comedi_device_detach()`
function to be refactored slightly, moving the bulk of it into new
function `comedi_device_detach_locked()`.
Note that the refactor of `comedi_device_detach()` results in
`comedi_device_cancel_all()` now being called while `dev->attach_lock`
is write-locked, which wasn't the case previously, but that does not
matter.
Thanks to Jens Axboe for diagnosing the problem and co-developing this
patch.
Cc: stable <stable@kernel.org>
Fixes: 2f3fdcd7ce93 ("staging: comedi: add rw_semaphore to protect against device detachment")
Link: https://lore.kernel.org/all/687bd5fe.a70a0220.693ce.0091.GAE@google.com/
Reported-by: syzbot+01523a0ae5600aef5895@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=01523a0ae5600aef5895
Co-developed-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Tested-by: Jens Axboe <axboe@kernel.dk>
Link: https://lore.kernel.org/r/20250722155316.27432-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/comedi_fops.c | 33 +++++++++++++++++++++++++--------
drivers/comedi/comedi_internal.h | 1 +
drivers/comedi/drivers.c | 13 ++++++++++---
3 files changed, 36 insertions(+), 11 deletions(-)
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -783,6 +783,7 @@ static int is_device_busy(struct comedi_
struct comedi_subdevice *s;
int i;
+ lockdep_assert_held_write(&dev->attach_lock);
lockdep_assert_held(&dev->mutex);
if (!dev->attached)
return 0;
@@ -791,7 +792,16 @@ static int is_device_busy(struct comedi_
s = &dev->subdevices[i];
if (s->busy)
return 1;
- if (s->async && comedi_buf_is_mmapped(s))
+ if (!s->async)
+ continue;
+ if (comedi_buf_is_mmapped(s))
+ return 1;
+ /*
+ * There may be tasks still waiting on the subdevice's wait
+ * queue, although they should already be about to be removed
+ * from it since the subdevice has no active async command.
+ */
+ if (wq_has_sleeper(&s->async->wait_head))
return 1;
}
@@ -821,15 +831,22 @@ static int do_devconfig_ioctl(struct com
return -EPERM;
if (!arg) {
- if (is_device_busy(dev))
- return -EBUSY;
- if (dev->attached) {
- struct module *driver_module = dev->driver->module;
+ int rc = 0;
- comedi_device_detach(dev);
- module_put(driver_module);
+ if (dev->attached) {
+ down_write(&dev->attach_lock);
+ if (is_device_busy(dev)) {
+ rc = -EBUSY;
+ } else {
+ struct module *driver_module =
+ dev->driver->module;
+
+ comedi_device_detach_locked(dev);
+ module_put(driver_module);
+ }
+ up_write(&dev->attach_lock);
}
- return 0;
+ return rc;
}
if (copy_from_user(&it, arg, sizeof(it)))
--- a/drivers/comedi/comedi_internal.h
+++ b/drivers/comedi/comedi_internal.h
@@ -50,6 +50,7 @@ extern struct mutex comedi_drivers_list_
int insn_inval(struct comedi_device *dev, struct comedi_subdevice *s,
struct comedi_insn *insn, unsigned int *data);
+void comedi_device_detach_locked(struct comedi_device *dev);
void comedi_device_detach(struct comedi_device *dev);
int comedi_device_attach(struct comedi_device *dev,
struct comedi_devconfig *it);
--- a/drivers/comedi/drivers.c
+++ b/drivers/comedi/drivers.c
@@ -159,7 +159,7 @@ static void comedi_device_detach_cleanup
int i;
struct comedi_subdevice *s;
- lockdep_assert_held(&dev->attach_lock);
+ lockdep_assert_held_write(&dev->attach_lock);
lockdep_assert_held(&dev->mutex);
if (dev->subdevices) {
for (i = 0; i < dev->n_subdevices; i++) {
@@ -196,16 +196,23 @@ static void comedi_device_detach_cleanup
comedi_clear_hw_dev(dev);
}
-void comedi_device_detach(struct comedi_device *dev)
+void comedi_device_detach_locked(struct comedi_device *dev)
{
+ lockdep_assert_held_write(&dev->attach_lock);
lockdep_assert_held(&dev->mutex);
comedi_device_cancel_all(dev);
- down_write(&dev->attach_lock);
dev->attached = false;
dev->detach_count++;
if (dev->driver)
dev->driver->detach(dev);
comedi_device_detach_cleanup(dev);
+}
+
+void comedi_device_detach(struct comedi_device *dev)
+{
+ lockdep_assert_held(&dev->mutex);
+ down_write(&dev->attach_lock);
+ comedi_device_detach_locked(dev);
up_write(&dev->attach_lock);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 445/644] thunderbolt: Fix copy+paste error in match_service_id()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 444/644] comedi: fix race between polling and detaching Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 446/644] cdc-acm: fix race between initial clearing halt and open Greg Kroah-Hartman
` (204 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Eric Biggers
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 5cc1f66cb23cccc704e3def27ad31ed479e934a5 upstream.
The second instance of TBSVC_MATCH_PROTOCOL_VERSION seems to have been
intended to be TBSVC_MATCH_PROTOCOL_REVISION.
Fixes: d1ff70241a27 ("thunderbolt: Add support for XDomain discovery protocol")
Cc: stable <stable@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Link: https://lore.kernel.org/r/20250721050136.30004-1-ebiggers@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/domain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/thunderbolt/domain.c
+++ b/drivers/thunderbolt/domain.c
@@ -38,7 +38,7 @@ static bool match_service_id(const struc
return false;
}
- if (id->match_flags & TBSVC_MATCH_PROTOCOL_VERSION) {
+ if (id->match_flags & TBSVC_MATCH_PROTOCOL_REVISION) {
if (id->protocol_revision != svc->prtcrevs)
return false;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 446/644] cdc-acm: fix race between initial clearing halt and open
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 445/644] thunderbolt: Fix copy+paste error in match_service_id() Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 447/644] btrfs: fix log tree replay failure due to file with 0 links and extents Greg Kroah-Hartman
` (203 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Oliver Neukum
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 64690a90cd7c6db16d3af8616be1f4bf8d492850 upstream.
On the devices that need their endpoints to get an
initial clear_halt, this needs to be done before
the devices can be opened. That means it needs to be
before the devices are registered.
Fixes: 15bf722e6f6c0 ("cdc-acm: Add support of ATOL FPrint fiscal printers")
Cc: stable <stable@kernel.org>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20250717141259.2345605-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1500,6 +1500,12 @@ skip_countries:
goto err_remove_files;
}
+ if (quirks & CLEAR_HALT_CONDITIONS) {
+ /* errors intentionally ignored */
+ usb_clear_halt(usb_dev, acm->in);
+ usb_clear_halt(usb_dev, acm->out);
+ }
+
tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor,
&control_interface->dev);
if (IS_ERR(tty_dev)) {
@@ -1507,11 +1513,6 @@ skip_countries:
goto err_release_data_interface;
}
- if (quirks & CLEAR_HALT_CONDITIONS) {
- usb_clear_halt(usb_dev, acm->in);
- usb_clear_halt(usb_dev, acm->out);
- }
-
dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor);
return 0;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 447/644] btrfs: fix log tree replay failure due to file with 0 links and extents
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 446/644] cdc-acm: fix race between initial clearing halt and open Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 448/644] btrfs: do not allow relocation of partially dropped subvolumes Greg Kroah-Hartman
` (202 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Jung, burneddi, Russell Haley,
Boris Burkov, Filipe Manana, David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 0a32e4f0025a74c70dcab4478e9b29c22f5ecf2f upstream.
If we log a new inode (not persisted in a past transaction) that has 0
links and extents, then log another inode with an higher inode number, we
end up with failing to replay the log tree with -EINVAL. The steps for
this are:
1) create new file A
2) write some data to file A
3) open an fd on file A
4) unlink file A
5) fsync file A using the previously open fd
6) create file B (has higher inode number than file A)
7) fsync file B
8) power fail before current transaction commits
Now when attempting to mount the fs, the log replay will fail with
-ENOENT at replay_one_extent() when attempting to replay the first
extent of file A. The failure comes when trying to open the inode for
file A in the subvolume tree, since it doesn't exist.
Before commit 5f61b961599a ("btrfs: fix inode lookup error handling
during log replay"), the returned error was -EIO instead of -ENOENT,
since we converted any errors when attempting to read an inode during
log replay to -EIO.
The reason for this is that the log replay procedure fails to ignore
the current inode when we are at the stage LOG_WALK_REPLAY_ALL, our
current inode has 0 links and last inode we processed in the previous
stage has a non 0 link count. In other words, the issue is that at
replay_one_extent() we only update wc->ignore_cur_inode if the current
replay stage is LOG_WALK_REPLAY_INODES.
Fix this by updating wc->ignore_cur_inode whenever we find an inode item
regardless of the current replay stage. This is a simple solution and easy
to backport, but later we can do other alternatives like avoid logging
extents or inode items other than the inode item for inodes with a link
count of 0.
The problem with the wc->ignore_cur_inode logic has been around since
commit f2d72f42d5fa ("Btrfs: fix warning when replaying log after fsync
of a tmpfile") but it only became frequent to hit since the more recent
commit 5e85262e542d ("btrfs: fix fsync of files with no hard links not
persisting deletion"), because we stopped skipping inodes with a link
count of 0 when logging, while before the problem would only be triggered
if trying to replay a log tree created with an older kernel which has a
logged inode with 0 links.
A test case for fstests will be submitted soon.
Reported-by: Peter Jung <ptr1337@cachyos.org>
Link: https://lore.kernel.org/linux-btrfs/fce139db-4458-4788-bb97-c29acf6cb1df@cachyos.org/
Reported-by: burneddi <burneddi@protonmail.com>
Link: https://lore.kernel.org/linux-btrfs/lh4W-Lwc0Mbk-QvBhhQyZxf6VbM3E8VtIvU3fPIQgweP_Q1n7wtlUZQc33sYlCKYd-o6rryJQfhHaNAOWWRKxpAXhM8NZPojzsJPyHMf2qY=@protonmail.com/#t
Reported-by: Russell Haley <yumpusamongus@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/598ecc75-eb80-41b3-83c2-f2317fbb9864@gmail.com/
Fixes: f2d72f42d5fa ("Btrfs: fix warning when replaying log after fsync of a tmpfile")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-log.c | 48 ++++++++++++++++++++++++++++++------------------
1 file changed, 30 insertions(+), 18 deletions(-)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -313,8 +313,7 @@ struct walk_control {
/*
* Ignore any items from the inode currently being processed. Needs
- * to be set every time we find a BTRFS_INODE_ITEM_KEY and we are in
- * the LOG_WALK_REPLAY_INODES stage.
+ * to be set every time we find a BTRFS_INODE_ITEM_KEY.
*/
bool ignore_cur_inode;
@@ -2581,23 +2580,30 @@ static int replay_one_buffer(struct btrf
nritems = btrfs_header_nritems(eb);
for (i = 0; i < nritems; i++) {
- btrfs_item_key_to_cpu(eb, &key, i);
+ struct btrfs_inode_item *inode_item;
- /* inode keys are done during the first stage */
- if (key.type == BTRFS_INODE_ITEM_KEY &&
- wc->stage == LOG_WALK_REPLAY_INODES) {
- struct btrfs_inode_item *inode_item;
- u32 mode;
+ btrfs_item_key_to_cpu(eb, &key, i);
- inode_item = btrfs_item_ptr(eb, i,
- struct btrfs_inode_item);
+ if (key.type == BTRFS_INODE_ITEM_KEY) {
+ inode_item = btrfs_item_ptr(eb, i, struct btrfs_inode_item);
/*
- * If we have a tmpfile (O_TMPFILE) that got fsync'ed
- * and never got linked before the fsync, skip it, as
- * replaying it is pointless since it would be deleted
- * later. We skip logging tmpfiles, but it's always
- * possible we are replaying a log created with a kernel
- * that used to log tmpfiles.
+ * An inode with no links is either:
+ *
+ * 1) A tmpfile (O_TMPFILE) that got fsync'ed and never
+ * got linked before the fsync, skip it, as replaying
+ * it is pointless since it would be deleted later.
+ * We skip logging tmpfiles, but it's always possible
+ * we are replaying a log created with a kernel that
+ * used to log tmpfiles;
+ *
+ * 2) A non-tmpfile which got its last link deleted
+ * while holding an open fd on it and later got
+ * fsynced through that fd. We always log the
+ * parent inodes when inode->last_unlink_trans is
+ * set to the current transaction, so ignore all the
+ * inode items for this inode. We will delete the
+ * inode when processing the parent directory with
+ * replay_dir_deletes().
*/
if (btrfs_inode_nlink(eb, inode_item) == 0) {
wc->ignore_cur_inode = true;
@@ -2605,8 +2611,14 @@ static int replay_one_buffer(struct btrf
} else {
wc->ignore_cur_inode = false;
}
- ret = replay_xattr_deletes(wc->trans, root, log,
- path, key.objectid);
+ }
+
+ /* Inode keys are done during the first stage. */
+ if (key.type == BTRFS_INODE_ITEM_KEY &&
+ wc->stage == LOG_WALK_REPLAY_INODES) {
+ u32 mode;
+
+ ret = replay_xattr_deletes(wc->trans, root, log, path, key.objectid);
if (ret)
break;
mode = btrfs_inode_mode(eb, inode_item);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 448/644] btrfs: do not allow relocation of partially dropped subvolumes
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 447/644] btrfs: fix log tree replay failure due to file with 0 links and extents Greg Kroah-Hartman
@ 2025-08-26 11:08 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 449/644] fbdev: Fix vmalloc out-of-bounds write in fast_imageblit Greg Kroah-Hartman
` (201 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 4289b494ac553e74e86fed1c66b2bf9530bc1082 upstream.
[BUG]
There is an internal report that balance triggered transaction abort,
with the following call trace:
item 85 key (594509824 169 0) itemoff 12599 itemsize 33
extent refs 1 gen 197740 flags 2
ref#0: tree block backref root 7
item 86 key (594558976 169 0) itemoff 12566 itemsize 33
extent refs 1 gen 197522 flags 2
ref#0: tree block backref root 7
...
BTRFS error (device loop0): extent item not found for insert, bytenr 594526208 num_bytes 16384 parent 449921024 root_objectid 934 owner 1 offset 0
BTRFS error (device loop0): failed to run delayed ref for logical 594526208 num_bytes 16384 type 182 action 1 ref_mod 1: -117
------------[ cut here ]------------
BTRFS: Transaction aborted (error -117)
WARNING: CPU: 1 PID: 6963 at ../fs/btrfs/extent-tree.c:2168 btrfs_run_delayed_refs+0xfa/0x110 [btrfs]
And btrfs check doesn't report anything wrong related to the extent
tree.
[CAUSE]
The cause is a little complex, firstly the extent tree indeed doesn't
have the backref for 594526208.
The extent tree only have the following two backrefs around that bytenr
on-disk:
item 65 key (594509824 METADATA_ITEM 0) itemoff 13880 itemsize 33
refs 1 gen 197740 flags TREE_BLOCK
tree block skinny level 0
(176 0x7) tree block backref root CSUM_TREE
item 66 key (594558976 METADATA_ITEM 0) itemoff 13847 itemsize 33
refs 1 gen 197522 flags TREE_BLOCK
tree block skinny level 0
(176 0x7) tree block backref root CSUM_TREE
But the such missing backref item is not an corruption on disk, as the
offending delayed ref belongs to subvolume 934, and that subvolume is
being dropped:
item 0 key (934 ROOT_ITEM 198229) itemoff 15844 itemsize 439
generation 198229 root_dirid 256 bytenr 10741039104 byte_limit 0 bytes_used 345571328
last_snapshot 198229 flags 0x1000000000001(RDONLY) refs 0
drop_progress key (206324 EXTENT_DATA 2711650304) drop_level 2
level 2 generation_v2 198229
And that offending tree block 594526208 is inside the dropped range of
that subvolume. That explains why there is no backref item for that
bytenr and why btrfs check is not reporting anything wrong.
But this also shows another problem, as btrfs will do all the orphan
subvolume cleanup at a read-write mount.
So half-dropped subvolume should not exist after an RW mount, and
balance itself is also exclusive to subvolume cleanup, meaning we
shouldn't hit a subvolume half-dropped during relocation.
The root cause is, there is no orphan item for this subvolume.
In fact there are 5 subvolumes from around 2021 that have the same
problem.
It looks like the original report has some older kernels running, and
caused those zombie subvolumes.
Thankfully upstream commit 8d488a8c7ba2 ("btrfs: fix subvolume/snapshot
deletion not triggered on mount") has long fixed the bug.
[ENHANCEMENT]
For repairing such old fs, btrfs-progs will be enhanced.
Considering how delayed the problem will show up (at run delayed ref
time) and at that time we have to abort transaction already, it is too
late.
Instead here we reject any half-dropped subvolume for reloc tree at the
earliest time, preventing confusion and extra time wasted on debugging
similar bugs.
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/relocation.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -749,6 +749,25 @@ static struct btrfs_root *create_reloc_r
if (root->root_key.objectid == objectid) {
u64 commit_root_gen;
+ /*
+ * Relocation will wait for cleaner thread, and any half-dropped
+ * subvolume will be fully cleaned up at mount time.
+ * So here we shouldn't hit a subvolume with non-zero drop_progress.
+ *
+ * If this isn't the case, error out since it can make us attempt to
+ * drop references for extents that were already dropped before.
+ */
+ if (unlikely(btrfs_disk_key_objectid(&root->root_item.drop_progress))) {
+ struct btrfs_key cpu_key;
+
+ btrfs_disk_key_to_cpu(&cpu_key, &root->root_item.drop_progress);
+ btrfs_err(fs_info,
+ "cannot relocate partially dropped subvolume %llu, drop progress key (%llu %u %llu)",
+ objectid, cpu_key.objectid, cpu_key.type, cpu_key.offset);
+ ret = -EUCLEAN;
+ goto fail;
+ }
+
/* called by btrfs_init_reloc_root */
ret = btrfs_copy_root(trans, root, root->commit_root, &eb,
BTRFS_TREE_RELOC_OBJECTID);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 449/644] fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2025-08-26 11:08 ` [PATCH 5.15 448/644] btrfs: do not allow relocation of partially dropped subvolumes Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 450/644] parisc: Makefile: fix a typo in palo.conf Greg Kroah-Hartman
` (200 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sravan Kumar Gundu, Helge Deller,
syzbot+c4b7aa0513823e2ea880
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
commit af0db3c1f898144846d4c172531a199bb3ca375d upstream.
This issue triggers when a userspace program does an ioctl
FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
Ideally this maps console to frame buffer and updates the screen if
console is visible.
As part of mapping it has to do resize of console according to frame
buffer info. if this resize fails and returns from vc_do_resize() and
continues further. At this point console and new frame buffer are mapped
and sets display vars. Despite failure still it continue to proceed
updating the screen at later stages where vc_data is related to previous
frame buffer and frame buffer info and display vars are mapped to new
frame buffer and eventully leading to out-of-bounds write in
fast_imageblit(). This bheviour is excepted only when fg_console is
equal to requested console which is a visible console and updates screen
with invalid struct references in fbcon_putcs().
Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880
Signed-off-by: Sravan Kumar Gundu <sravankumarlpu@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fbcon.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -804,7 +804,8 @@ static void con2fb_init_display(struct v
fg_vc->vc_rows);
}
- update_screen(vc_cons[fg_console].d);
+ if (fg_console != unit)
+ update_screen(vc_cons[fg_console].d);
}
/**
@@ -1342,6 +1343,7 @@ static void fbcon_set_disp(struct fb_inf
struct vc_data *svc;
struct fbcon_ops *ops = info->fbcon_par;
int rows, cols;
+ unsigned long ret = 0;
p = &fb_display[unit];
@@ -1392,11 +1394,10 @@ static void fbcon_set_disp(struct fb_inf
rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
cols /= vc->vc_font.width;
rows /= vc->vc_font.height;
- vc_resize(vc, cols, rows);
+ ret = vc_resize(vc, cols, rows);
- if (con_is_visible(vc)) {
+ if (con_is_visible(vc) && !ret)
update_screen(vc);
- }
}
static __inline__ void ywrap_up(struct vc_data *vc, int count)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 450/644] parisc: Makefile: fix a typo in palo.conf
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 449/644] fbdev: Fix vmalloc out-of-bounds write in fast_imageblit Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 451/644] mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() Greg Kroah-Hartman
` (199 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Masahiro Yamada,
James E.J. Bottomley, Helge Deller, linux-parisc
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream.
Correct "objree" to "objtree". "objree" is not defined.
Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
Cc: Helge Deller <deller@gmx.de>
Cc: linux-parisc@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.3+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/parisc/Makefile
+++ b/arch/parisc/Makefile
@@ -136,7 +136,7 @@ palo lifimage: vmlinuz
fi
@if test ! -f "$(PALOCONF)"; then \
cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \
- echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \
+ echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \
echo 'You should check it and re-run "make palo".'; \
echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \
false; \
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 451/644] mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 450/644] parisc: Makefile: fix a typo in palo.conf Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 452/644] mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock Greg Kroah-Hartman
` (198 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Catalin Marinas,
Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream.
A soft lockup warning was observed on a relative small system x86-64
system with 16 GB of memory when running a debug kernel with kmemleak
enabled.
watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]
The test system was running a workload with hot unplug happening in
parallel. Then kemleak decided to disable itself due to its inability to
allocate more kmemleak objects. The debug kernel has its
CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.
The soft lockup happened in kmemleak_do_cleanup() when the existing
kmemleak objects were being removed and deleted one-by-one in a loop via a
workqueue. In this particular case, there are at least 40,000 objects
that need to be processed and given the slowness of a debug kernel and the
fact that a raw_spinlock has to be acquired and released in
__delete_object(), it could take a while to properly handle all these
objects.
As kmemleak has been disabled in this case, the object removal and
deletion process can be further optimized as locking isn't really needed.
However, it is probably not worth the effort to optimize for such an edge
case that should rarely happen. So the simple solution is to call
cond_resched() at periodic interval in the iteration loop to avoid soft
lockup.
Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com
Signed-off-by: Waiman Long <longman@redhat.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kmemleak.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -1859,6 +1859,7 @@ static const struct file_operations kmem
static void __kmemleak_do_cleanup(void)
{
struct kmemleak_object *object, *tmp;
+ unsigned int cnt = 0;
/*
* Kmemleak has already been disabled, no need for RCU list traversal
@@ -1867,6 +1868,10 @@ static void __kmemleak_do_cleanup(void)
list_for_each_entry_safe(object, tmp, &object_list, object_list) {
__remove_object(object);
__delete_object(object);
+
+ /* Call cond_resched() once per 64 iterations to avoid soft lockup */
+ if (!(++cnt & 0x3f))
+ cond_resched();
}
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 452/644] mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 451/644] mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 453/644] media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() Greg Kroah-Hartman
` (197 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Jakub Kicinski,
Catalin Marinas, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 upstream.
When netpoll is enabled, calling pr_warn_once() while holding
kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock
inversion with the netconsole subsystem. This occurs because
pr_warn_once() may trigger netpoll, which eventually leads to
__alloc_skb() and back into kmemleak code, attempting to reacquire
kmemleak_lock.
This is the path for the deadlock.
mem_pool_alloc()
-> raw_spin_lock_irqsave(&kmemleak_lock, flags);
-> pr_warn_once()
-> netconsole subsystem
-> netpoll
-> __alloc_skb
-> __create_object
-> raw_spin_lock_irqsave(&kmemleak_lock, flags);
Fix this by setting a flag and issuing the pr_warn_once() after
kmemleak_lock is released.
Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org
Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations")
Signed-off-by: Breno Leitao <leitao@debian.org>
Reported-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kmemleak.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -419,6 +419,7 @@ static struct kmemleak_object *mem_pool_
{
unsigned long flags;
struct kmemleak_object *object;
+ bool warn = false;
/* try the slab allocator first */
if (object_cache) {
@@ -436,8 +437,10 @@ static struct kmemleak_object *mem_pool_
else if (mem_pool_free_count)
object = &mem_pool[--mem_pool_free_count];
else
- pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
+ warn = true;
raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
+ if (warn)
+ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
return object;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 453/644] media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 452/644] mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 454/644] media: uvcvideo: Do not mark valid metadata as invalid Greg Kroah-Hartman
` (196 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youngjun Lee, Laurent Pinchart,
Ricardo Ribalda, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Youngjun Lee <yjjuny.lee@samsung.com>
commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream.
The buffer length check before calling uvc_parse_format() only ensured
that the buffer has at least 3 bytes (buflen > 2), buf the function
accesses buffer[3], requiring at least 4 bytes.
This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
Fix it by checking that the buffer has at least 4 bytes in
uvc_parse_format().
Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
Cc: stable@vger.kernel.org
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_driver.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -512,6 +512,9 @@ static int uvc_parse_format(struct uvc_d
unsigned int i, n;
u8 ftype;
+ if (buflen < 4)
+ return -EINVAL;
+
format->type = buffer[2];
format->index = buffer[3];
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 454/644] media: uvcvideo: Do not mark valid metadata as invalid
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 453/644] media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 455/644] HID: magicmouse: avoid setting up battery timer when not needed Greg Kroah-Hartman
` (195 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Hans de Goede,
Ricardo Ribalda, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream.
Currently, the driver performs a length check of the metadata buffer
before the actual metadata size is known and before the metadata is
decided to be copied. This results in valid metadata buffers being
incorrectly marked as invalid.
Move the length check to occur after the metadata size is determined and
is decided to be copied.
Cc: stable@vger.kernel.org
Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node")
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Hans de Goede <hansg@kernel.org>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org
Signed-off-by: Hans de Goede <hansg@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/uvc/uvc_video.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -1335,12 +1335,6 @@ static void uvc_video_decode_meta(struct
if (!meta_buf || length == 2)
return;
- if (meta_buf->length - meta_buf->bytesused <
- length + sizeof(meta->ns) + sizeof(meta->sof)) {
- meta_buf->error = 1;
- return;
- }
-
has_pts = mem[1] & UVC_STREAM_PTS;
has_scr = mem[1] & UVC_STREAM_SCR;
@@ -1361,6 +1355,12 @@ static void uvc_video_decode_meta(struct
!memcmp(scr, stream->clock.last_scr, 6)))
return;
+ if (meta_buf->length - meta_buf->bytesused <
+ length + sizeof(meta->ns) + sizeof(meta->sof)) {
+ meta_buf->error = 1;
+ return;
+ }
+
meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused);
local_irq_save(flags);
time = uvc_video_get_time();
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 455/644] HID: magicmouse: avoid setting up battery timer when not needed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 454/644] media: uvcvideo: Do not mark valid metadata as invalid Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 456/644] serial: 8250: fix panic due to PSLVERR Greg Kroah-Hartman
` (194 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aditya Garg, Jiri Kosina
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aditya Garg <gargaditya08@live.com>
commit 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 upstream.
Currently, the battery timer is set up for all devices using
hid-magicmouse, irrespective of whether they actually need it or not.
The current implementation requires the battery timer for Magic Mouse 2
and Magic Trackpad 2 when connected via USB only. Add checks to ensure
that the battery timer is only set up when they are connected via USB.
Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB")
Cc: stable@vger.kernel.org
Signed-off-by: Aditya Garg <gargaditya08@live.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-magicmouse.c | 53 ++++++++++++++++++++++++++++++-------------
1 file changed, 37 insertions(+), 16 deletions(-)
--- a/drivers/hid/hid-magicmouse.c
+++ b/drivers/hid/hid-magicmouse.c
@@ -741,15 +741,29 @@ static void magicmouse_enable_mt_work(st
hid_err(msc->hdev, "unable to request touch data (%d)\n", ret);
}
+static bool is_usb_magicmouse2(__u32 vendor, __u32 product)
+{
+ if (vendor != USB_VENDOR_ID_APPLE)
+ return false;
+ return product == USB_DEVICE_ID_APPLE_MAGICMOUSE2;
+}
+
+static bool is_usb_magictrackpad2(__u32 vendor, __u32 product)
+{
+ if (vendor != USB_VENDOR_ID_APPLE)
+ return false;
+ return product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2;
+}
+
static int magicmouse_fetch_battery(struct hid_device *hdev)
{
#ifdef CONFIG_HID_BATTERY_STRENGTH
struct hid_report_enum *report_enum;
struct hid_report *report;
- if (!hdev->battery || hdev->vendor != USB_VENDOR_ID_APPLE ||
- (hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2 &&
- hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2))
+ if (!hdev->battery ||
+ (!is_usb_magicmouse2(hdev->vendor, hdev->product) &&
+ !is_usb_magictrackpad2(hdev->vendor, hdev->product)))
return -1;
report_enum = &hdev->report_enum[hdev->battery_report_type];
@@ -811,14 +825,17 @@ static int magicmouse_probe(struct hid_d
return ret;
}
- timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0);
- mod_timer(&msc->battery_timer,
- jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS));
- magicmouse_fetch_battery(hdev);
-
- if (id->vendor == USB_VENDOR_ID_APPLE &&
- (id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 ||
- (id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 && hdev->type != HID_TYPE_USBMOUSE)))
+ if (is_usb_magicmouse2(id->vendor, id->product) ||
+ is_usb_magictrackpad2(id->vendor, id->product)) {
+ timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0);
+ mod_timer(&msc->battery_timer,
+ jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS));
+ magicmouse_fetch_battery(hdev);
+ }
+
+ if (is_usb_magicmouse2(id->vendor, id->product) ||
+ (is_usb_magictrackpad2(id->vendor, id->product) &&
+ hdev->type != HID_TYPE_USBMOUSE))
return 0;
if (!msc->input) {
@@ -873,7 +890,10 @@ static int magicmouse_probe(struct hid_d
return 0;
err_stop_hw:
- del_timer_sync(&msc->battery_timer);
+ if (is_usb_magicmouse2(id->vendor, id->product) ||
+ is_usb_magictrackpad2(id->vendor, id->product))
+ del_timer_sync(&msc->battery_timer);
+
hid_hw_stop(hdev);
return ret;
}
@@ -884,7 +904,9 @@ static void magicmouse_remove(struct hid
if (msc) {
cancel_delayed_work_sync(&msc->work);
- del_timer_sync(&msc->battery_timer);
+ if (is_usb_magicmouse2(hdev->vendor, hdev->product) ||
+ is_usb_magictrackpad2(hdev->vendor, hdev->product))
+ del_timer_sync(&msc->battery_timer);
}
hid_hw_stop(hdev);
@@ -901,9 +923,8 @@ static __u8 *magicmouse_report_fixup(str
* 0x05, 0x01, // Usage Page (Generic Desktop) 0
* 0x09, 0x02, // Usage (Mouse) 2
*/
- if (hdev->vendor == USB_VENDOR_ID_APPLE &&
- (hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 ||
- hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2) &&
+ if ((is_usb_magicmouse2(hdev->vendor, hdev->product) ||
+ is_usb_magictrackpad2(hdev->vendor, hdev->product)) &&
*rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) {
hid_info(hdev,
"fixing up magicmouse battery report descriptor\n");
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 456/644] serial: 8250: fix panic due to PSLVERR
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 455/644] HID: magicmouse: avoid setting up battery timer when not needed Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 457/644] cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table() Greg Kroah-Hartman
` (193 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunhui Cui, John Ogness, stable,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yunhui Cui <cuiyunhui@bytedance.com>
commit 7f8fdd4dbffc05982b96caf586f77a014b2a9353 upstream.
When the PSLVERR_RESP_EN parameter is set to 1, the device generates
an error response if an attempt is made to read an empty RBR (Receive
Buffer Register) while the FIFO is enabled.
In serial8250_do_startup(), calling serial_port_out(port, UART_LCR,
UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes
dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter
function enables the FIFO via serial_out(p, UART_FCR, p->fcr).
Execution proceeds to the serial_port_in(port, UART_RX).
This satisfies the PSLVERR trigger condition.
When another CPU (e.g., using printk()) is accessing the UART (UART
is busy), the current CPU fails the check (value & ~UART_LCR_SPAR) ==
(lcr & ~UART_LCR_SPAR) in dw8250_check_lcr(), causing it to enter
dw8250_force_idle().
Put serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under the port->lock
to fix this issue.
Panic backtrace:
[ 0.442336] Oops - unknown exception [#1]
[ 0.442343] epc : dw8250_serial_in32+0x1e/0x4a
[ 0.442351] ra : serial8250_do_startup+0x2c8/0x88e
...
[ 0.442416] console_on_rootfs+0x26/0x70
Fixes: c49436b657d0 ("serial: 8250_dw: Improve unwritable LCR workaround")
Link: https://lore.kernel.org/all/84cydt5peu.fsf@jogness.linutronix.de/T/
Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
Reviewed-by: John Ogness <john.ogness@linutronix.de>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20250723023322.464-2-cuiyunhui@bytedance.com
[ Applied fix to serial8250_do_startup() instead of serial8250_initialize() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_port.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -2332,9 +2332,8 @@ int serial8250_do_startup(struct uart_po
/*
* Now, initialize the UART
*/
- serial_port_out(port, UART_LCR, UART_LCR_WLEN8);
-
spin_lock_irqsave(&port->lock, flags);
+ serial_port_out(port, UART_LCR, UART_LCR_WLEN8);
if (up->port.flags & UPF_FOURPORT) {
if (!up->port.irq)
up->port.mctrl |= TIOCM_OUT1;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 457/644] cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 456/644] serial: 8250: fix panic due to PSLVERR Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 458/644] m68k: Fix lost column on framebuffer debug console Greg Kroah-Hartman
` (192 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Viresh Kumar
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit 4a26df233266a628157d7f0285451d8655defdfc upstream.
The freq_tables[] array has num_possible_cpus() elements so, to avoid an
out of bounds access, this loop should be capped at "< nb_cpus" instead
of "<= nb_cpus". The freq_tables[] array is allocated in
armada_8k_cpufreq_init().
Cc: stable@vger.kernel.org
Fixes: f525a670533d ("cpufreq: ap806: add cpufreq driver for Armada 8K")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/armada-8k-cpufreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/cpufreq/armada-8k-cpufreq.c
+++ b/drivers/cpufreq/armada-8k-cpufreq.c
@@ -96,7 +96,7 @@ static void armada_8k_cpufreq_free_table
{
int opps_index, nb_cpus = num_possible_cpus();
- for (opps_index = 0 ; opps_index <= nb_cpus; opps_index++) {
+ for (opps_index = 0 ; opps_index < nb_cpus; opps_index++) {
int i;
/* If cpu_dev is NULL then we reached the end of the array */
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 458/644] m68k: Fix lost column on framebuffer debug console
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 457/644] cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 459/644] usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() Greg Kroah-Hartman
` (191 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Finn Thain, Stan Johnson,
Geert Uytterhoeven
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Finn Thain <fthain@linux-m68k.org>
commit 210a1ce8ed4391b64a888b3fb4b5611a13f5ccc7 upstream.
Move the cursor position rightward after rendering the character,
not before. This avoids complications that arise when the recursive
console_putc call has to wrap the line and/or scroll the display.
This also fixes the linewrap bug that crops off the rightmost column.
When the cursor is at the bottom of the display, a linefeed will not
move the cursor position further downward. Instead, the display scrolls
upward. Avoid the repeated add/subtract sequence by way of a single
subtraction at the initialization of console_struct_num_rows.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Tested-by: Stan Johnson <userm57@yahoo.com>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/9d4e8c68a456d5f2bc254ac6f87a472d066ebd5e.1743115195.git.fthain@linux-m68k.org
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/m68k/kernel/head.S | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
--- a/arch/m68k/kernel/head.S
+++ b/arch/m68k/kernel/head.S
@@ -3379,6 +3379,7 @@ L(console_clear_loop):
movel %d4,%d1 /* screen height in pixels */
divul %a0@(FONT_DESC_HEIGHT),%d1 /* d1 = max num rows */
+ subql #1,%d1 /* row range is 0 to num - 1 */
movel %d0,%a2@(Lconsole_struct_num_columns)
movel %d1,%a2@(Lconsole_struct_num_rows)
@@ -3525,15 +3526,14 @@ func_start console_putc,%a0/%a1/%d0-%d7
cmpib #10,%d7
jne L(console_not_lf)
movel %a0@(Lconsole_struct_cur_row),%d0
- addil #1,%d0
- movel %d0,%a0@(Lconsole_struct_cur_row)
movel %a0@(Lconsole_struct_num_rows),%d1
cmpl %d1,%d0
jcs 1f
- subil #1,%d0
- movel %d0,%a0@(Lconsole_struct_cur_row)
console_scroll
+ jra L(console_exit)
1:
+ addql #1,%d0
+ movel %d0,%a0@(Lconsole_struct_cur_row)
jra L(console_exit)
L(console_not_lf):
@@ -3560,12 +3560,6 @@ L(console_not_cr):
*/
L(console_not_home):
movel %a0@(Lconsole_struct_cur_column),%d0
- addql #1,%a0@(Lconsole_struct_cur_column)
- movel %a0@(Lconsole_struct_num_columns),%d1
- cmpl %d1,%d0
- jcs 1f
- console_putc #'\n' /* recursion is OK! */
-1:
movel %a0@(Lconsole_struct_cur_row),%d1
/*
@@ -3612,6 +3606,23 @@ L(console_do_font_scanline):
addq #1,%d1
dbra %d7,L(console_read_char_scanline)
+ /*
+ * Register usage in the code below:
+ * a0 = pointer to console globals
+ * d0 = cursor column
+ * d1 = cursor column limit
+ */
+
+ lea %pc@(L(console_globals)),%a0
+
+ movel %a0@(Lconsole_struct_cur_column),%d0
+ addql #1,%d0
+ movel %d0,%a0@(Lconsole_struct_cur_column) /* Update cursor pos */
+ movel %a0@(Lconsole_struct_num_columns),%d1
+ cmpl %d1,%d0
+ jcs L(console_exit)
+ console_putc #'\n' /* Line wrap using tail recursion */
+
L(console_exit):
func_return console_putc
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 459/644] usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 458/644] m68k: Fix lost column on framebuffer debug console Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 460/644] usb: gadget: udc: renesas_usb3: fix device leak at unbind Greg Kroah-Hartman
` (190 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 8d1b02e5d7e3a6d2acffb1f4c094678fda9e3456 upstream.
After a recent change in clang to expose uninitialized warnings from
const variables [1], there is a warning in cxacru_heavy_init():
drivers/usb/atm/cxacru.c:1104:6: error: variable 'bp' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized]
1104 | if (instance->modem_type->boot_rom_patch) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/usb/atm/cxacru.c:1113:39: note: uninitialized use occurs here
1113 | cxacru_upload_firmware(instance, fw, bp);
| ^~
drivers/usb/atm/cxacru.c:1104:2: note: remove the 'if' if its condition is always true
1104 | if (instance->modem_type->boot_rom_patch) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/usb/atm/cxacru.c:1095:32: note: initialize the variable 'bp' to silence this warning
1095 | const struct firmware *fw, *bp;
| ^
| = NULL
While the warning is technically correct that bp is conditionally passed
uninitialized to cxacru_upload_firmware(), it is ultimately a false
positive warning on the uninitialized use of bp because the same
condition that initializes bp, instance->modem_type->boot_rom_patch, is
the same one that gates the use of bp within cxacru_upload_firmware().
As this warning occurs in clang's frontend before inlining occurs, it
cannot know that these conditions are indentical to avoid the warning.
Manually inline cxacru_upload_firmware() into cxacru_heavy_init(), as
that is its only callsite, so that clang can see that bp is initialized
and used under the same condition, clearing up the warning without any
functional changes to the code (LLVM was already doing this inlining
later).
Cc: stable@vger.kernel.org
Fixes: 1b0e61465234 ("[PATCH] USB ATM: driver for the Conexant AccessRunner chipset cxacru")
Closes: https://github.com/ClangBuiltLinux/linux/issues/2102
Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cdee01472c7 [1]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20250722-usb-cxacru-fix-clang-21-uninit-warning-v2-1-6708a18decd2@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/atm/cxacru.c | 106 +++++++++++++++++++++--------------------------
1 file changed, 49 insertions(+), 57 deletions(-)
--- a/drivers/usb/atm/cxacru.c
+++ b/drivers/usb/atm/cxacru.c
@@ -980,25 +980,60 @@ cleanup:
return ret;
}
-static void cxacru_upload_firmware(struct cxacru_data *instance,
- const struct firmware *fw,
- const struct firmware *bp)
+
+static int cxacru_find_firmware(struct cxacru_data *instance,
+ char *phase, const struct firmware **fw_p)
{
- int ret;
+ struct usbatm_data *usbatm = instance->usbatm;
+ struct device *dev = &usbatm->usb_intf->dev;
+ char buf[16];
+
+ sprintf(buf, "cxacru-%s.bin", phase);
+ usb_dbg(usbatm, "cxacru_find_firmware: looking for %s\n", buf);
+
+ if (request_firmware(fw_p, buf, dev)) {
+ usb_dbg(usbatm, "no stage %s firmware found\n", phase);
+ return -ENOENT;
+ }
+
+ usb_info(usbatm, "found firmware %s\n", buf);
+
+ return 0;
+}
+
+static int cxacru_heavy_init(struct usbatm_data *usbatm_instance,
+ struct usb_interface *usb_intf)
+{
+ const struct firmware *fw, *bp;
+ struct cxacru_data *instance = usbatm_instance->driver_data;
struct usbatm_data *usbatm = instance->usbatm;
struct usb_device *usb_dev = usbatm->usb_dev;
__le16 signature[] = { usb_dev->descriptor.idVendor,
usb_dev->descriptor.idProduct };
__le32 val;
+ int ret;
+
+ ret = cxacru_find_firmware(instance, "fw", &fw);
+ if (ret) {
+ usb_warn(usbatm_instance, "firmware (cxacru-fw.bin) unavailable (system misconfigured?)\n");
+ return ret;
+ }
- usb_dbg(usbatm, "%s\n", __func__);
+ if (instance->modem_type->boot_rom_patch) {
+ ret = cxacru_find_firmware(instance, "bp", &bp);
+ if (ret) {
+ usb_warn(usbatm_instance, "boot ROM patch (cxacru-bp.bin) unavailable (system misconfigured?)\n");
+ release_firmware(fw);
+ return ret;
+ }
+ }
/* FirmwarePllFClkValue */
val = cpu_to_le32(instance->modem_type->pll_f_clk);
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, PLLFCLK_ADDR, (u8 *) &val, 4);
if (ret) {
usb_err(usbatm, "FirmwarePllFClkValue failed: %d\n", ret);
- return;
+ goto done;
}
/* FirmwarePllBClkValue */
@@ -1006,7 +1041,7 @@ static void cxacru_upload_firmware(struc
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, PLLBCLK_ADDR, (u8 *) &val, 4);
if (ret) {
usb_err(usbatm, "FirmwarePllBClkValue failed: %d\n", ret);
- return;
+ goto done;
}
/* Enable SDRAM */
@@ -1014,7 +1049,7 @@ static void cxacru_upload_firmware(struc
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, SDRAMEN_ADDR, (u8 *) &val, 4);
if (ret) {
usb_err(usbatm, "Enable SDRAM failed: %d\n", ret);
- return;
+ goto done;
}
/* Firmware */
@@ -1022,7 +1057,7 @@ static void cxacru_upload_firmware(struc
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, FW_ADDR, fw->data, fw->size);
if (ret) {
usb_err(usbatm, "Firmware upload failed: %d\n", ret);
- return;
+ goto done;
}
/* Boot ROM patch */
@@ -1031,7 +1066,7 @@ static void cxacru_upload_firmware(struc
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, BR_ADDR, bp->data, bp->size);
if (ret) {
usb_err(usbatm, "Boot ROM patching failed: %d\n", ret);
- return;
+ goto done;
}
}
@@ -1039,7 +1074,7 @@ static void cxacru_upload_firmware(struc
ret = cxacru_fw(usb_dev, FW_WRITE_MEM, 0x2, 0x0, SIG_ADDR, (u8 *) signature, 4);
if (ret) {
usb_err(usbatm, "Signature storing failed: %d\n", ret);
- return;
+ goto done;
}
usb_info(usbatm, "starting device\n");
@@ -1051,7 +1086,7 @@ static void cxacru_upload_firmware(struc
}
if (ret) {
usb_err(usbatm, "Passing control to firmware failed: %d\n", ret);
- return;
+ goto done;
}
/* Delay to allow firmware to start up. */
@@ -1065,53 +1100,10 @@ static void cxacru_upload_firmware(struc
ret = cxacru_cm(instance, CM_REQUEST_CARD_GET_STATUS, NULL, 0, NULL, 0);
if (ret < 0) {
usb_err(usbatm, "modem failed to initialize: %d\n", ret);
- return;
- }
-}
-
-static int cxacru_find_firmware(struct cxacru_data *instance,
- char *phase, const struct firmware **fw_p)
-{
- struct usbatm_data *usbatm = instance->usbatm;
- struct device *dev = &usbatm->usb_intf->dev;
- char buf[16];
-
- sprintf(buf, "cxacru-%s.bin", phase);
- usb_dbg(usbatm, "cxacru_find_firmware: looking for %s\n", buf);
-
- if (request_firmware(fw_p, buf, dev)) {
- usb_dbg(usbatm, "no stage %s firmware found\n", phase);
- return -ENOENT;
+ goto done;
}
- usb_info(usbatm, "found firmware %s\n", buf);
-
- return 0;
-}
-
-static int cxacru_heavy_init(struct usbatm_data *usbatm_instance,
- struct usb_interface *usb_intf)
-{
- const struct firmware *fw, *bp;
- struct cxacru_data *instance = usbatm_instance->driver_data;
- int ret = cxacru_find_firmware(instance, "fw", &fw);
-
- if (ret) {
- usb_warn(usbatm_instance, "firmware (cxacru-fw.bin) unavailable (system misconfigured?)\n");
- return ret;
- }
-
- if (instance->modem_type->boot_rom_patch) {
- ret = cxacru_find_firmware(instance, "bp", &bp);
- if (ret) {
- usb_warn(usbatm_instance, "boot ROM patch (cxacru-bp.bin) unavailable (system misconfigured?)\n");
- release_firmware(fw);
- return ret;
- }
- }
-
- cxacru_upload_firmware(instance, fw, bp);
-
+done:
if (instance->modem_type->boot_rom_patch)
release_firmware(bp);
release_firmware(fw);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 460/644] usb: gadget: udc: renesas_usb3: fix device leak at unbind
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 459/644] usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 461/644] usb: dwc3: meson-g12a: fix device leaks " Greg Kroah-Hartman
` (189 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yoshihiro Shimoda, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 868837b0a94c6b1b1fdbc04d3ba218ca83432393 upstream.
Make sure to drop the reference to the companion device taken during
probe when the driver is unbound.
Fixes: 39facfa01c9f ("usb: gadget: udc: renesas_usb3: Add register of usb role switch")
Cc: stable@vger.kernel.org # 4.19
Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20250724091910.21092-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/renesas_usb3.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/gadget/udc/renesas_usb3.c
+++ b/drivers/usb/gadget/udc/renesas_usb3.c
@@ -2566,6 +2566,7 @@ static int renesas_usb3_remove(struct pl
struct renesas_usb3 *usb3 = platform_get_drvdata(pdev);
debugfs_remove_recursive(usb3->dentry);
+ put_device(usb3->host_dev);
device_remove_file(&pdev->dev, &dev_attr_role);
cancel_work_sync(&usb3->role_work);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 461/644] usb: dwc3: meson-g12a: fix device leaks at unbind
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 460/644] usb: gadget: udc: renesas_usb3: fix device leak at unbind Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 462/644] bus: mhi: host: Fix endianness of BHI vector table Greg Kroah-Hartman
` (188 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Johan Hovold,
Martin Blumenstingl
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 93b400f4951404d040197943a25d6fef9f8ccabb upstream.
Make sure to drop the references taken to the child devices by
of_find_device_by_node() during probe on driver unbind.
Fixes: c99993376f72 ("usb: dwc3: Add Amlogic G12A DWC3 glue")
Cc: stable@vger.kernel.org # 5.2
Cc: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://lore.kernel.org/r/20250724091910.21092-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-meson-g12a.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/dwc3/dwc3-meson-g12a.c
+++ b/drivers/usb/dwc3/dwc3-meson-g12a.c
@@ -847,6 +847,9 @@ static int dwc3_meson_g12a_remove(struct
if (priv->drvdata->otg_switch_supported)
usb_role_switch_unregister(priv->role_switch);
+ put_device(priv->switch_desc.udc);
+ put_device(priv->switch_desc.usb2_port);
+
of_platform_depopulate(dev);
for (i = 0 ; i < PHY_COUNT ; ++i) {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 462/644] bus: mhi: host: Fix endianness of BHI vector table
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 461/644] usb: dwc3: meson-g12a: fix device leaks " Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 463/644] vt: keyboard: Dont process Unicode characters in K_OFF mode Greg Kroah-Hartman
` (187 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Wilhelm,
Manivannan Sadhasivam, Jeff Hugo, Krishna Chaitanya Chundru
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Wilhelm <alexander.wilhelm@westermo.com>
commit f471578e8b1a90623674433a01a8845110bc76ce upstream.
On big endian platform like PowerPC, the MHI bus (which is little endian)
does not start properly. The following example shows the error messages by
using QCN9274 WLAN device with ath12k driver:
ath12k_pci 0001:01:00.0: BAR 0: assigned [mem 0xc00000000-0xc001fffff 64bit]
ath12k_pci 0001:01:00.0: MSI vectors: 1
ath12k_pci 0001:01:00.0: Hardware name: qcn9274 hw2.0
ath12k_pci 0001:01:00.0: failed to set mhi state: POWER_ON(2)
ath12k_pci 0001:01:00.0: failed to start mhi: -110
ath12k_pci 0001:01:00.0: failed to power up :-110
ath12k_pci 0001:01:00.0: failed to create soc core: -110
ath12k_pci 0001:01:00.0: failed to init core: -110
ath12k_pci: probe of 0001:01:00.0 failed with error -110
The issue seems to be with the incorrect DMA address/size used for
transferring the firmware image over BHI. So fix it by converting the DMA
address and size of the BHI vector table to little endian format before
sending them to the device.
Fixes: 6cd330ae76ff ("bus: mhi: core: Add support for ringing channel/event ring doorbells")
Signed-off-by: Alexander Wilhelm <alexander.wilhelm@westermo.com>
[mani: added stable tag and reworded commit message]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250519145837.958153-1-alexander.wilhelm@westermo.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/boot.c | 8 ++++----
drivers/bus/mhi/host/internal.h | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/bus/mhi/host/boot.c
+++ b/drivers/bus/mhi/host/boot.c
@@ -30,8 +30,8 @@ void mhi_rddm_prepare(struct mhi_control
unsigned int i;
for (i = 0; i < img_info->entries - 1; i++, mhi_buf++, bhi_vec++) {
- bhi_vec->dma_addr = mhi_buf->dma_addr;
- bhi_vec->size = mhi_buf->len;
+ bhi_vec->dma_addr = cpu_to_le64(mhi_buf->dma_addr);
+ bhi_vec->size = cpu_to_le64(mhi_buf->len);
}
dev_dbg(dev, "BHIe programming for RDDM\n");
@@ -376,8 +376,8 @@ static void mhi_firmware_copy(struct mhi
while (remainder) {
to_cpy = min(remainder, mhi_buf->len);
memcpy(mhi_buf->buf, buf, to_cpy);
- bhi_vec->dma_addr = mhi_buf->dma_addr;
- bhi_vec->size = to_cpy;
+ bhi_vec->dma_addr = cpu_to_le64(mhi_buf->dma_addr);
+ bhi_vec->size = cpu_to_le64(to_cpy);
buf += to_cpy;
remainder -= to_cpy;
--- a/drivers/bus/mhi/host/internal.h
+++ b/drivers/bus/mhi/host/internal.h
@@ -263,8 +263,8 @@ struct mhi_ring_element {
};
struct bhi_vec_entry {
- u64 dma_addr;
- u64 size;
+ __le64 dma_addr;
+ __le64 size;
};
enum mhi_cmd_type {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 463/644] vt: keyboard: Dont process Unicode characters in K_OFF mode
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 462/644] bus: mhi: host: Fix endianness of BHI vector table Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 464/644] vt: defkeymap: Map keycodes above 127 to K_HOLE Greg Kroah-Hartman
` (186 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Myrrh Periwinkle, stable, Jiri Slaby
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
commit b1cc2092ea7a52e2c435aee6d2b1bcb773202663 upstream.
We don't process Unicode characters if the virtual terminal is in raw
mode, so there's no reason why we shouldn't do the same for K_OFF
(especially since people would expect K_OFF to actually turn off all VT
key processing).
Fixes: 9fc3de9c8356 ("vt: Add virtual console keyboard mode OFF")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Cc: stable <stable@kernel.org>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/20250702-vt-misc-unicode-fixes-v1-1-c27e143cc2eb@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/keyboard.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -1484,7 +1484,7 @@ static void kbd_keycode(unsigned int key
rc = atomic_notifier_call_chain(&keyboard_notifier_list,
KBD_UNICODE, ¶m);
if (rc != NOTIFY_STOP)
- if (down && !raw_mode)
+ if (down && !(raw_mode || kbd->kbdmode == VC_OFF))
k_unicode(vc, keysym, !down);
return;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 464/644] vt: defkeymap: Map keycodes above 127 to K_HOLE
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 463/644] vt: keyboard: Dont process Unicode characters in K_OFF mode Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 465/644] lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap Greg Kroah-Hartman
` (185 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Myrrh Periwinkle, stable, Jiri Slaby
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
commit b43cb4ff85da5cf29c4cd351ef1d7dd8210780f7 upstream.
The maximum number of keycodes got bumped to 256 a very long time ago,
but the default keymaps were never adjusted to match. This is causing
the kernel to interpret keycodes above 127 as U+0000 if the shipped
generated keymap is used.
Fix this by mapping all keycodes above 127 to K_HOLE so the kernel
ignores them.
The contents of this patche were generated by rerunning `loadkeys
--mktable --unicode` and only including the changes to map keycodes
above 127 to K_HOLE.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
Cc: stable <stable@kernel.org>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/20250702-vt-misc-unicode-fixes-v1-2-c27e143cc2eb@qtmlabs.xyz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/vt/defkeymap.c_shipped | 112 +++++++++++++++++++++++++++++++++++++
1 file changed, 112 insertions(+)
--- a/drivers/tty/vt/defkeymap.c_shipped
+++ b/drivers/tty/vt/defkeymap.c_shipped
@@ -23,6 +23,22 @@ unsigned short plain_map[NR_KEYS] = {
0xf118, 0xf601, 0xf602, 0xf117, 0xf600, 0xf119, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short shift_map[NR_KEYS] = {
@@ -42,6 +58,22 @@ static unsigned short shift_map[NR_KEYS]
0xf20b, 0xf601, 0xf602, 0xf117, 0xf600, 0xf20a, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short altgr_map[NR_KEYS] = {
@@ -61,6 +93,22 @@ static unsigned short altgr_map[NR_KEYS]
0xf118, 0xf601, 0xf602, 0xf117, 0xf600, 0xf119, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short ctrl_map[NR_KEYS] = {
@@ -80,6 +128,22 @@ static unsigned short ctrl_map[NR_KEYS]
0xf118, 0xf601, 0xf602, 0xf117, 0xf600, 0xf119, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short shift_ctrl_map[NR_KEYS] = {
@@ -99,6 +163,22 @@ static unsigned short shift_ctrl_map[NR_
0xf118, 0xf601, 0xf602, 0xf117, 0xf600, 0xf119, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short alt_map[NR_KEYS] = {
@@ -118,6 +198,22 @@ static unsigned short alt_map[NR_KEYS] =
0xf118, 0xf210, 0xf211, 0xf117, 0xf600, 0xf119, 0xf115, 0xf116,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
static unsigned short ctrl_alt_map[NR_KEYS] = {
@@ -137,6 +233,22 @@ static unsigned short ctrl_alt_map[NR_KE
0xf118, 0xf601, 0xf602, 0xf117, 0xf600, 0xf119, 0xf115, 0xf20c,
0xf11a, 0xf10c, 0xf10d, 0xf11b, 0xf11c, 0xf110, 0xf311, 0xf11d,
0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
+ 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200, 0xf200,
};
ushort *key_maps[MAX_NR_KEYMAPS] = {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 465/644] lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 464/644] vt: defkeymap: Map keycodes above 127 to K_HOLE Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 466/644] Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" Greg Kroah-Hartman
` (184 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, kernel test robot, Eric Biggers
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 22375adaa0d9fbba9646c8e2b099c6e87c97bfae upstream.
The MIPS32r2 ChaCha code has never been buildable with the clang
assembler. First, clang doesn't support the 'rotl' pseudo-instruction:
error: unknown instruction, did you mean: rol, rotr?
Second, clang requires that both operands of the 'wsbh' instruction be
explicitly given:
error: too few operands for instruction
To fix this, align the code with the real instruction set by (1) using
the real instruction 'rotr' instead of the nonstandard pseudo-
instruction 'rotl', and (2) explicitly giving both operands to 'wsbh'.
To make removing the use of 'rotl' a bit easier, also remove the
unnecessary special-casing for big endian CPUs at
.Lchacha_mips_xor_bytes. The tail handling is actually
endian-independent since it processes one byte at a time. On big endian
CPUs the old code byte-swapped SAVED_X, then iterated through it in
reverse order. But the byteswap and reverse iteration canceled out.
Tested with chacha20poly1305-selftest in QEMU using "-M malta" with both
little endian and big endian mips32r2 kernels.
Fixes: 49aa7c00eddf ("crypto: mips/chacha - import 32r2 ChaCha code from Zinc")
Cc: stable@vger.kernel.org
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202505080409.EujEBwA0-lkp@intel.com/
Link: https://lore.kernel.org/r/20250619225535.679301-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/crypto/chacha-core.S | 20 +++++++-------------
1 file changed, 7 insertions(+), 13 deletions(-)
--- a/arch/mips/crypto/chacha-core.S
+++ b/arch/mips/crypto/chacha-core.S
@@ -55,17 +55,13 @@
#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
#define MSB 0
#define LSB 3
-#define ROTx rotl
-#define ROTR(n) rotr n, 24
#define CPU_TO_LE32(n) \
- wsbh n; \
+ wsbh n, n; \
rotr n, 16;
#else
#define MSB 3
#define LSB 0
-#define ROTx rotr
#define CPU_TO_LE32(n)
-#define ROTR(n)
#endif
#define FOR_EACH_WORD(x) \
@@ -192,10 +188,10 @@ CONCAT3(.Lchacha_mips_xor_aligned_, PLUS
xor X(W), X(B); \
xor X(Y), X(C); \
xor X(Z), X(D); \
- rotl X(V), S; \
- rotl X(W), S; \
- rotl X(Y), S; \
- rotl X(Z), S;
+ rotr X(V), 32 - S; \
+ rotr X(W), 32 - S; \
+ rotr X(Y), 32 - S; \
+ rotr X(Z), 32 - S;
.text
.set reorder
@@ -372,21 +368,19 @@ chacha_crypt_arch:
/* First byte */
lbu T1, 0(IN)
addiu $at, BYTES, 1
- CPU_TO_LE32(SAVED_X)
- ROTR(SAVED_X)
xor T1, SAVED_X
sb T1, 0(OUT)
beqz $at, .Lchacha_mips_xor_done
/* Second byte */
lbu T1, 1(IN)
addiu $at, BYTES, 2
- ROTx SAVED_X, 8
+ rotr SAVED_X, 8
xor T1, SAVED_X
sb T1, 1(OUT)
beqz $at, .Lchacha_mips_xor_done
/* Third byte */
lbu T1, 2(IN)
- ROTx SAVED_X, 8
+ rotr SAVED_X, 8
xor T1, SAVED_X
sb T1, 2(OUT)
b .Lchacha_mips_xor_done
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 466/644] Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()"
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 465/644] lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 467/644] ext4: check fast symlink for ea_inode correctly Greg Kroah-Hartman
` (183 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jari Ruusu, Yi Yang, GONG Ruiqi,
Helge Deller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit e4fc307d8e24f122402907ebf585248cad52841d upstream.
This reverts commit 864f9963ec6b4b76d104d595ba28110b87158003.
The patch is wrong as it checks vc_origin against vc_screenbuf,
while in text mode it should compare against vga_vram_base.
As such it broke VGA text scrolling, which can be reproduced like this:
(1) boot a kernel that is configured to use text mode VGA-console
(2) type commands: ls -l /usr/bin | less -S
(3) scroll up/down with cursor-down/up keys
Reported-by: Jari Ruusu <jariruusu@protonmail.com>
Cc: stable@vger.kernel.org
Cc: Yi Yang <yiyang13@huawei.com>
Cc: GONG Ruiqi <gongruiqi1@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/console/vgacon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1170,7 +1170,7 @@ static bool vgacon_scroll(struct vc_data
c->vc_screenbuf_size - delta);
c->vc_origin = vga_vram_end - c->vc_screenbuf_size;
vga_rolled_over = 0;
- } else if (oldo - delta >= (unsigned long)c->vc_screenbuf)
+ } else
c->vc_origin -= delta;
c->vc_scr_end = c->vc_origin + c->vc_screenbuf_size;
scr_memsetw((u16 *) (c->vc_origin), c->vc_video_erase_char,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 467/644] ext4: check fast symlink for ea_inode correctly
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 466/644] Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 468/644] ext4: fix fsmap end of range reporting with bigalloc Greg Kroah-Hartman
` (182 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Dilger, Li Dongyang,
Alex Zhuravlev, Oleg Drokin, Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Dilger <adilger@dilger.ca>
commit b4cc4a4077268522e3d0d34de4b2dc144e2330fa upstream.
The check for a fast symlink in the presence of only an
external xattr inode is incorrect. If a fast symlink does
not have an xattr block (i_file_acl == 0), but does have
an external xattr inode that increases inode i_blocks, then
the check for a fast symlink will incorrectly fail and
__ext4_iget()->ext4_ind_check_inode() will report the inode
is corrupt when it "validates" i_data[] on the next read:
# ln -s foo /mnt/tmp/bar
# setfattr -h -n trusted.test \
-v "$(yes | head -n 4000)" /mnt/tmp/bar
# umount /mnt/tmp
# mount /mnt/tmp
# ls -l /mnt/tmp
ls: cannot access '/mnt/tmp/bar': Structure needs cleaning
total 4
? l?????????? ? ? ? ? ? bar
# dmesg | tail -1
EXT4-fs error (device dm-8): __ext4_iget:5098:
inode #24578: block 7303014: comm ls: invalid block
(note that "block 7303014" = 0x6f6f66 = "foo" in LE order).
ext4_inode_is_fast_symlink() should check the superblock
EXT4_FEATURE_INCOMPAT_EA_INODE feature flag, not the inode
EXT4_EA_INODE_FL, since the latter is only set on the xattr
inode itself, and not on the inode that uses this xattr.
Cc: stable@vger.kernel.org
Fixes: fc82228a5e38 ("ext4: support fast symlinks from ext3 file systems")
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Li Dongyang <dongyangli@ddn.com>
Reviewed-by: Alex Zhuravlev <bzzz@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Reviewed-on: https://review.whamcloud.com/59879
Lustre-bug-id: https://jira.whamcloud.com/browse/LU-19121
Link: https://patch.msgid.link/20250717063709.757077-1-adilger@dilger.ca
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -148,7 +148,7 @@ static int ext4_meta_trans_blocks(struct
*/
int ext4_inode_is_fast_symlink(struct inode *inode)
{
- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+ if (!ext4_has_feature_ea_inode(inode->i_sb)) {
int ea_blocks = EXT4_I(inode)->i_file_acl ?
EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 468/644] ext4: fix fsmap end of range reporting with bigalloc
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 467/644] ext4: check fast symlink for ea_inode correctly Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 469/644] ext4: fix reserved gdt blocks handling in fsmap Greg Kroah-Hartman
` (181 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Disha Goel, Ojaswin Mujoo,
Darrick J. Wong, Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
commit bae76c035bf0852844151e68098c9b7cd63ef238 upstream.
With bigalloc enabled, the logic to report last extent has a bug since
we try to use cluster units instead of block units. This can cause an
issue where extra incorrect entries might be returned back to the
user. This was flagged by generic/365 with 64k bs and -O bigalloc.
** Details of issue **
The issue was noticed on 5G 64k blocksize FS with -O bigalloc which has
only 1 bg.
$ xfs_io -c "fsmap -d" /mnt/scratch
0: 253:48 [0..127]: static fs metadata 128 /* sb */
1: 253:48 [128..255]: special 102:1 128 /* gdt */
3: 253:48 [256..383]: special 102:3 128 /* block bitmap */
4: 253:48 [384..2303]: unknown 1920 /* flex bg empty space */
5: 253:48 [2304..2431]: special 102:4 128 /* inode bitmap */
6: 253:48 [2432..4351]: unknown 1920 /* flex bg empty space */
7: 253:48 [4352..6911]: inodes 2560
8: 253:48 [6912..538623]: unknown 531712
9: 253:48 [538624..10485759]: free space 9947136
The issue can be seen with:
$ xfs_io -c "fsmap -d 0 3" /mnt/scratch
0: 253:48 [0..127]: static fs metadata 128
1: 253:48 [384..2047]: unknown 1664
Only the first entry was expected to be returned but we get 2. This is
because:
ext4_getfsmap_datadev()
first_cluster, last_cluster = 0
...
info->gfi_last = true;
ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, 0, info);
fsb = C2B(1) = 16
fslen = 0
...
/* Merge in any relevant extents from the meta_list */
list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) {
...
// since fsb = 16, considers all metadata which starts before 16 blockno
iter 1: error = ext4_getfsmap_helper(sb, info, p); // p = sb (0,1), nop
info->gfi_next_fsblk = 1
iter 2: error = ext4_getfsmap_helper(sb, info, p); // p = gdt (1,2), nop
info->gfi_next_fsblk = 2
iter 3: error = ext4_getfsmap_helper(sb, info, p); // p = blk bitmap (2,3), nop
info->gfi_next_fsblk = 3
iter 4: error = ext4_getfsmap_helper(sb, info, p); // p = ino bitmap (18,19)
if (rec_blk > info->gfi_next_fsblk) { // (18 > 3)
// emits an extra entry ** BUG **
}
}
Fix this by directly calling ext4_getfsmap_datadev() with a dummy
record that has fmr_physical set to (end_fsb + 1) instead of
last_cluster + 1. By using the block instead of cluster we get the
correct behavior.
Replacing ext4_getfsmap_datadev_helper() with ext4_getfsmap_helper()
is okay since the gfi_lastfree and metadata checks in
ext4_getfsmap_datadev_helper() are anyways redundant when we only want
to emit the last allocated block of the range, as we have already
taken care of emitting metadata and any last free blocks.
Cc: stable@kernel.org
Reported-by: Disha Goel <disgoel@linux.ibm.com>
Fixes: 4a622e4d477b ("ext4: fix FS_IOC_GETFSMAP handling")
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Link: https://patch.msgid.link/e7472c8535c9c5ec10f425f495366864ea12c9da.1754377641.git.ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fsmap.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/fs/ext4/fsmap.c
+++ b/fs/ext4/fsmap.c
@@ -526,6 +526,7 @@ static int ext4_getfsmap_datadev(struct
ext4_group_t end_ag;
ext4_grpblk_t first_cluster;
ext4_grpblk_t last_cluster;
+ struct ext4_fsmap irec;
int error = 0;
bofs = le32_to_cpu(sbi->s_es->s_first_data_block);
@@ -609,10 +610,18 @@ static int ext4_getfsmap_datadev(struct
goto err;
}
- /* Report any gaps at the end of the bg */
+ /*
+ * The dummy record below will cause ext4_getfsmap_helper() to report
+ * any allocated blocks at the end of the range.
+ */
+ irec.fmr_device = 0;
+ irec.fmr_physical = end_fsb + 1;
+ irec.fmr_length = 0;
+ irec.fmr_owner = EXT4_FMR_OWN_FREE;
+ irec.fmr_flags = 0;
+
info->gfi_last = true;
- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1,
- 0, info);
+ error = ext4_getfsmap_helper(sb, info, &irec);
if (error)
goto err;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 469/644] ext4: fix reserved gdt blocks handling in fsmap
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 468/644] ext4: fix fsmap end of range reporting with bigalloc Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 470/644] ext4: dont try to clear the orphan_present feature block device is r/o Greg Kroah-Hartman
` (180 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Ojaswin Mujoo,
Darrick J. Wong, Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
commit 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 upstream.
In some cases like small FSes with no meta_bg and where the resize
doesn't need extra gdt blocks as it can fit in the current one,
s_reserved_gdt_blocks is set as 0, which causes fsmap to emit a 0
length entry, which is incorrect.
$ mkfs.ext4 -b 65536 -O bigalloc /dev/sda 5G
$ mount /dev/sda /mnt/scratch
$ xfs_io -c "fsmap -d" /mnt/scartch
0: 253:48 [0..127]: static fs metadata 128
1: 253:48 [128..255]: special 102:1 128
2: 253:48 [256..255]: special 102:2 0 <---- 0 len entry
3: 253:48 [256..383]: special 102:3 128
Fix this by adding a check for this case.
Cc: stable@kernel.org
Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls")
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Link: https://patch.msgid.link/08781b796453a5770112aa96ad14c864fbf31935.1754377641.git.ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fsmap.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/ext4/fsmap.c
+++ b/fs/ext4/fsmap.c
@@ -393,6 +393,14 @@ static unsigned int ext4_getfsmap_find_s
/* Reserved GDT blocks */
if (!ext4_has_feature_meta_bg(sb) || metagroup < first_meta_bg) {
len = le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks);
+
+ /*
+ * mkfs.ext4 can set s_reserved_gdt_blocks as 0 in some cases,
+ * check for that.
+ */
+ if (!len)
+ return 0;
+
error = ext4_getfsmap_fill(meta_list, fsb, len,
EXT4_FMR_OWN_RESV_GDT);
if (error)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 470/644] ext4: dont try to clear the orphan_present feature block device is r/o
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 469/644] ext4: fix reserved gdt blocks handling in fsmap Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 471/644] ext4: use kmalloc_array() for array space allocation Greg Kroah-Hartman
` (179 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad upstream.
When the file system is frozen in preparation for taking an LVM
snapshot, the journal is checkpointed and if the orphan_file feature
is enabled, and the orphan file is empty, we clear the orphan_present
feature flag. But if there are pending inodes that need to be removed
the orphan_present feature flag can't be cleared.
The problem comes if the block device is read-only. In that case, we
can't process the orphan inode list, so it is skipped in
ext4_orphan_cleanup(). But then in ext4_mark_recovery_complete(),
this results in the ext4 error "Orphan file not empty on read-only fs"
firing and the file system mount is aborted.
Fix this by clearing the needs_recovery flag in the block device is
read-only. We do this after the call to ext4_load_and_init-journal()
since there are some error checks need to be done in case the journal
needs to be replayed and the block device is read-only, or if the
block device containing the externa journal is read-only, etc.
Cc: stable@kernel.org
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108271
Cc: stable@vger.kernel.org
Fixes: 02f310fcf47f ("ext4: Speedup ext4 orphan inode handling")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4669,6 +4669,8 @@ static int ext4_fill_super(struct super_
err = ext4_load_journal(sb, es, parsed_opts.journal_devnum);
if (err)
goto failed_mount3a;
+ if (bdev_read_only(sb->s_bdev))
+ needs_recovery = 0;
} else if (test_opt(sb, NOLOAD) && !sb_rdonly(sb) &&
ext4_has_feature_journal_needs_recovery(sb)) {
ext4_msg(sb, KERN_ERR, "required journal recovery "
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 471/644] ext4: use kmalloc_array() for array space allocation
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 470/644] ext4: dont try to clear the orphan_present feature block device is r/o Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 472/644] ext4: fix hole length calculation overflow in non-extent inodes Greg Kroah-Hartman
` (178 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Liao Yuanhong, Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liao Yuanhong <liaoyuanhong@vivo.com>
commit 76dba1fe277f6befd6ef650e1946f626c547387a upstream.
Replace kmalloc(size * sizeof) with kmalloc_array() for safer memory
allocation and overflow prevention.
Cc: stable@kernel.org
Signed-off-by: Liao Yuanhong <liaoyuanhong@vivo.com>
Link: https://patch.msgid.link/20250811125816.570142-1-liaoyuanhong@vivo.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/orphan.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/ext4/orphan.c
+++ b/fs/ext4/orphan.c
@@ -590,8 +590,9 @@ int ext4_init_orphan_info(struct super_b
}
oi->of_blocks = inode->i_size >> sb->s_blocksize_bits;
oi->of_csum_seed = EXT4_I(inode)->i_csum_seed;
- oi->of_binfo = kmalloc(oi->of_blocks*sizeof(struct ext4_orphan_block),
- GFP_KERNEL);
+ oi->of_binfo = kmalloc_array(oi->of_blocks,
+ sizeof(struct ext4_orphan_block),
+ GFP_KERNEL);
if (!oi->of_binfo) {
ret = -ENOMEM;
goto out_put;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 472/644] ext4: fix hole length calculation overflow in non-extent inodes
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 471/644] ext4: use kmalloc_array() for array space allocation Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 473/644] scsi: mpi3mr: Fix race between config read submit and interrupt completion Greg Kroah-Hartman
` (177 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Qu Wenruo, Zhang Yi,
Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
commit 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 upstream.
In a filesystem with a block size larger than 4KB, the hole length
calculation for a non-extent inode in ext4_ind_map_blocks() can easily
exceed INT_MAX. Then it could return a zero length hole and trigger the
following waring and infinite in the iomap infrastructure.
------------[ cut here ]------------
WARNING: CPU: 3 PID: 434101 at fs/iomap/iter.c:34 iomap_iter_done+0x148/0x190
CPU: 3 UID: 0 PID: 434101 Comm: fsstress Not tainted 6.16.0-rc7+ #128 PREEMPT(voluntary)
Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : iomap_iter_done+0x148/0x190
lr : iomap_iter+0x174/0x230
sp : ffff8000880af740
x29: ffff8000880af740 x28: ffff0000db8e6840 x27: 0000000000000000
x26: 0000000000000000 x25: ffff8000880af830 x24: 0000004000000000
x23: 0000000000000002 x22: 000001bfdbfa8000 x21: ffffa6a41c002e48
x20: 0000000000000001 x19: ffff8000880af808 x18: 0000000000000000
x17: 0000000000000000 x16: ffffa6a495ee6cd0 x15: 0000000000000000
x14: 00000000000003d4 x13: 00000000fa83b2da x12: 0000b236fc95f18c
x11: ffffa6a4978b9c08 x10: 0000000000001da0 x9 : ffffa6a41c1a2a44
x8 : ffff8000880af5c8 x7 : 0000000001000000 x6 : 0000000000000000
x5 : 0000000000000004 x4 : 000001bfdbfa8000 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000004004030000 x0 : 0000000000000000
Call trace:
iomap_iter_done+0x148/0x190 (P)
iomap_iter+0x174/0x230
iomap_fiemap+0x154/0x1d8
ext4_fiemap+0x110/0x140 [ext4]
do_vfs_ioctl+0x4b8/0xbc0
__arm64_sys_ioctl+0x8c/0x120
invoke_syscall+0x6c/0x100
el0_svc_common.constprop.0+0x48/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x38/0x120
el0t_64_sync_handler+0x10c/0x138
el0t_64_sync+0x198/0x1a0
---[ end trace 0000000000000000 ]---
Cc: stable@kernel.org
Fixes: facab4d9711e ("ext4: return hole from ext4_map_blocks()")
Reported-by: Qu Wenruo <wqu@suse.com>
Closes: https://lore.kernel.org/linux-ext4/9b650a52-9672-4604-a765-bb6be55d1e4a@gmx.com/
Tested-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20250811064532.1788289-1-yi.zhang@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/indirect.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/ext4/indirect.c
+++ b/fs/ext4/indirect.c
@@ -539,7 +539,7 @@ int ext4_ind_map_blocks(handle_t *handle
int indirect_blks;
int blocks_to_boundary = 0;
int depth;
- int count = 0;
+ u64 count = 0;
ext4_fsblk_t first_block = 0;
trace_ext4_ind_map_blocks_enter(inode, map->m_lblk, map->m_len, flags);
@@ -588,7 +588,7 @@ int ext4_ind_map_blocks(handle_t *handle
count++;
/* Fill in size of a hole we found */
map->m_pblk = 0;
- map->m_len = min_t(unsigned int, map->m_len, count);
+ map->m_len = umin(map->m_len, count);
goto cleanup;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 473/644] scsi: mpi3mr: Fix race between config read submit and interrupt completion
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 472/644] ext4: fix hole length calculation overflow in non-extent inodes Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 474/644] ata: libata-scsi: Fix ata_to_sense_error() status handling Greg Kroah-Hartman
` (176 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chandrakanth Patil, Ranjan Kumar,
Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
commit e6327c4acf925bb6d6d387d76fc3bd94471e10d8 upstream.
The "is_waiting" flag was updated after calling complete(), which could
lead to a race where the waiting thread wakes up before the flag is
cleared. This may cause a missed wakeup or stale state check.
Reorder the operations to update "is_waiting" before signaling completion
to ensure consistent state.
Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
Cc: stable@vger.kernel.org
Co-developed-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250627194539.48851-2-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -372,8 +372,8 @@ static void mpi3mr_process_admin_reply_d
mrioc->facts.reply_sz);
}
if (cmdptr->is_waiting) {
- complete(&cmdptr->done);
cmdptr->is_waiting = 0;
+ complete(&cmdptr->done);
} else if (cmdptr->callback)
cmdptr->callback(mrioc, cmdptr);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 474/644] ata: libata-scsi: Fix ata_to_sense_error() status handling
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 473/644] scsi: mpi3mr: Fix race between config read submit and interrupt completion Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 475/644] zynq_fpga: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
` (175 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenz Brun, Brandon Schwartz,
Damien Le Moal, Hannes Reinecke, Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit cf3fc037623c54de48d2ec1a1ee686e2d1de2d45 upstream.
Commit 8ae720449fca ("libata: whitespace fixes in ata_to_sense_error()")
inadvertantly added the entry 0x40 (ATA_DRDY) to the stat_table array in
the function ata_to_sense_error(). This entry ties a failed qc which has
a status filed equal to ATA_DRDY to the sense key ILLEGAL REQUEST with
the additional sense code UNALIGNED WRITE COMMAND. This entry will be
used to generate a failed qc sense key and sense code when the qc is
missing sense data and there is no match for the qc error field in the
sense_table array of ata_to_sense_error().
As a result, for a failed qc for which we failed to get sense data (e.g.
read log 10h failed if qc is an NCQ command, or REQUEST SENSE EXT
command failed for the non-ncq case, the user very often end up seeing
the completely misleading "unaligned write command" error, even if qc
was not a write command. E.g.:
sd 0:0:0:0: [sda] tag#12 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
sd 0:0:0:0: [sda] tag#12 Sense Key : Illegal Request [current]
sd 0:0:0:0: [sda] tag#12 Add. Sense: Unaligned write command
sd 0:0:0:0: [sda] tag#12 CDB: Read(10) 28 00 00 00 10 00 00 00 08 00
I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
Fix this by removing the ATA_DRDY entry from the stat_table array so
that we default to always returning ABORTED COMMAND without any
additional sense code, since we do not know any better. The entry 0x08
(ATA_DRQ) is also removed since signaling ABORTED COMMAND with a parity
error is also misleading (as a parity error would likely be signaled
through a bus error). So for this case, also default to returning
ABORTED COMMAND without any additional sense code. With this, the
previous example error case becomes:
sd 0:0:0:0: [sda] tag#17 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
sd 0:0:0:0: [sda] tag#17 Sense Key : Aborted Command [current]
sd 0:0:0:0: [sda] tag#17 Add. Sense: No additional sense information
sd 0:0:0:0: [sda] tag#17 CDB: Read(10) 28 00 00 00 10 00 00 00 08 00
I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
Together with these fixes, refactor stat_table to make it more readable
by putting the entries comments in front of the entries and using the
defined status bits macros instead of hardcoded values.
Reported-by: Lorenz Brun <lorenz@brun.one>
Reported-by: Brandon Schwartz <Brandon.Schwartz@wdc.com>
Fixes: 8ae720449fca ("libata: whitespace fixes in ata_to_sense_error()")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/libata-scsi.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -770,18 +770,14 @@ static void ata_to_sense_error(unsigned
{0xFF, 0xFF, 0xFF, 0xFF}, // END mark
};
static const unsigned char stat_table[][4] = {
- /* Must be first because BUSY means no other bits valid */
- {0x80, ABORTED_COMMAND, 0x47, 0x00},
- // Busy, fake parity for now
- {0x40, ILLEGAL_REQUEST, 0x21, 0x04},
- // Device ready, unaligned write command
- {0x20, HARDWARE_ERROR, 0x44, 0x00},
- // Device fault, internal target failure
- {0x08, ABORTED_COMMAND, 0x47, 0x00},
- // Timed out in xfer, fake parity for now
- {0x04, RECOVERED_ERROR, 0x11, 0x00},
- // Recovered ECC error Medium error, recovered
- {0xFF, 0xFF, 0xFF, 0xFF}, // END mark
+ /* Busy: must be first because BUSY means no other bits valid */
+ { ATA_BUSY, ABORTED_COMMAND, 0x00, 0x00 },
+ /* Device fault: INTERNAL TARGET FAILURE */
+ { ATA_DF, HARDWARE_ERROR, 0x44, 0x00 },
+ /* Corrected data error */
+ { ATA_CORR, RECOVERED_ERROR, 0x00, 0x00 },
+
+ { 0xFF, 0xFF, 0xFF, 0xFF }, /* END mark */
};
/*
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 475/644] zynq_fpga: use sgtable-based scatterlist wrappers
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 474/644] ata: libata-scsi: Fix ata_to_sense_error() status handling Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 476/644] wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() Greg Kroah-Hartman
` (174 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Jason Gunthorpe,
Xu Yilun, Xu Yilun
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
commit 37e00703228ab44d0aacc32a97809a4f6f58df1b upstream.
Use common wrappers operating directly on the struct sg_table objects to
fix incorrect use of statterlists related calls. dma_unmap_sg() function
has to be called with the number of elements originally passed to the
dma_map_sg() function, not the one returned in sgtable's nents.
CC: stable@vger.kernel.org
Fixes: 425902f5c8e3 ("fpga zynq: Use the scatterlist interface")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Xu Yilun <yilun.xu@intel.com>
Link: https://lore.kernel.org/r/20250616120932.1090614-1-m.szyprowski@samsung.com
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/fpga/zynq-fpga.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/fpga/zynq-fpga.c
+++ b/drivers/fpga/zynq-fpga.c
@@ -406,7 +406,7 @@ static int zynq_fpga_ops_write(struct fp
}
priv->dma_nelms =
- dma_map_sg(mgr->dev.parent, sgt->sgl, sgt->nents, DMA_TO_DEVICE);
+ dma_map_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE, 0);
if (priv->dma_nelms == 0) {
dev_err(&mgr->dev, "Unable to DMA map (TO_DEVICE)\n");
return -ENOMEM;
@@ -478,7 +478,7 @@ out_clk:
clk_disable(priv->clk);
out_free:
- dma_unmap_sg(mgr->dev.parent, sgt->sgl, sgt->nents, DMA_TO_DEVICE);
+ dma_unmap_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE, 0);
return err;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 476/644] wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 475/644] zynq_fpga: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 477/644] wifi: ath11k: fix source ring-buffer corruption Greg Kroah-Hartman
` (173 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Johannes Berg,
Arend van Spriel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 81284e86bf8849f8e98e8ead3ff5811926b2107f upstream.
A new warning in clang [1] complains that diq_start in
wlc_lcnphy_tx_iqlo_cal() is passed uninitialized as a const pointer to
wlc_lcnphy_common_read_table():
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c:2728:13: error: variable 'diq_start' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer]
2728 | &diq_start, 1, 16, 69);
| ^~~~~~~~~
The table pointer passed to wlc_lcnphy_common_read_table() should not be
considered constant, as wlc_phy_read_table() is ultimately going to
update it. Remove the const qualifier from the tbl_ptr to clear up the
warning.
Cc: stable@vger.kernel.org
Closes: https://github.com/ClangBuiltLinux/linux/issues/2108
Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers")
Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>>
Link: https://patch.msgid.link/20250715-brcmsmac-fix-uninit-const-pointer-v1-1-16e6a51a8ef4@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c
@@ -919,7 +919,7 @@ void wlc_lcnphy_read_table(struct brcms_
static void
wlc_lcnphy_common_read_table(struct brcms_phy *pi, u32 tbl_id,
- const u16 *tbl_ptr, u32 tbl_len,
+ u16 *tbl_ptr, u32 tbl_len,
u32 tbl_width, u32 tbl_offset)
{
struct phytbl_info tab;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 477/644] wifi: ath11k: fix source ring-buffer corruption
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 476/644] wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 478/644] pwm: imx-tpm: Reset counter if CMOD is 0 Greg Kroah-Hartman
` (172 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Baochen Qiang,
Jeff Johnson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 6efa0df54022c6c9fd4d294b87622c7fcdc418c8 upstream.
Add the missing memory barrier to make sure that LMAC source ring
descriptors are written before updating the head pointer to avoid
passing stale data to the firmware on weakly ordered architectures like
aarch64.
Note that non-LMAC rings use MMIO write accessors which have the
required write memory barrier.
Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Cc: stable@vger.kernel.org # 5.6
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
Link: https://patch.msgid.link/20250604143457.26032-5-johan+linaro@kernel.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/hal.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -797,7 +797,11 @@ void ath11k_hal_srng_access_end(struct a
if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
srng->u.src_ring.last_tp =
*(volatile u32 *)srng->u.src_ring.tp_addr;
- *srng->u.src_ring.hp_addr = srng->u.src_ring.hp;
+ /* Make sure descriptor is written before updating the
+ * head pointer.
+ */
+ dma_wmb();
+ WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp);
} else {
srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
*srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;
@@ -806,6 +810,10 @@ void ath11k_hal_srng_access_end(struct a
if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
srng->u.src_ring.last_tp =
*(volatile u32 *)srng->u.src_ring.tp_addr;
+ /* Assume implementation use an MMIO write accessor
+ * which has the required wmb() so that the descriptor
+ * is written before the updating the head pointer.
+ */
ath11k_hif_write32(ab,
(unsigned long)srng->u.src_ring.hp_addr -
(unsigned long)ab->mem,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 478/644] pwm: imx-tpm: Reset counter if CMOD is 0
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 477/644] wifi: ath11k: fix source ring-buffer corruption Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 479/644] hwmon: (gsc-hwmon) fix fan pwm setpoint show functions Greg Kroah-Hartman
` (171 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurentiu Mihalcea,
Uwe Kleine-König
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurentiu Mihalcea <laurentiu.mihalcea@nxp.com>
commit 65c6f742ab14ab1a2679fba72b82dcc0289d96f1 upstream.
As per the i.MX93 TRM, section 67.3.2.1 "MOD register update", the value
of the TPM counter does NOT get updated when writing MOD.MOD unless
SC.CMOD != 0. Therefore, with the current code, assuming the following
sequence:
1) pwm_disable()
2) pwm_apply_might_sleep() /* period is changed here */
3) pwm_enable()
and assuming only one channel is active, if CNT.COUNT is higher than the
MOD.MOD value written during the pwm_apply_might_sleep() call then, when
re-enabling the PWM during pwm_enable(), the counter will end up resetting
after UINT32_MAX - CNT.COUNT + MOD.MOD cycles instead of MOD.MOD cycles as
normally expected.
Fix this problem by forcing a reset of the TPM counter before MOD.MOD is
written.
Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support")
Cc: stable@vger.kernel.org
Signed-off-by: Laurentiu Mihalcea <laurentiu.mihalcea@nxp.com>
Link: https://lore.kernel.org/r/20250728194144.22884-1-laurentiumihalcea111@gmail.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-imx-tpm.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/pwm/pwm-imx-tpm.c
+++ b/drivers/pwm/pwm-imx-tpm.c
@@ -203,6 +203,15 @@ static int pwm_imx_tpm_apply_hw(struct p
writel(val, tpm->base + PWM_IMX_TPM_SC);
/*
+ * if the counter is disabled (CMOD == 0), programming the new
+ * period length (MOD) will not reset the counter (CNT). If
+ * CNT.COUNT happens to be bigger than the new MOD value then
+ * the counter will end up being reset way too late. Therefore,
+ * manually reset it to 0.
+ */
+ if (!cmod)
+ writel(0x0, tpm->base + PWM_IMX_TPM_CNT);
+ /*
* set period count:
* if the PWM is disabled (CMOD[1:0] = 2b00), then MOD register
* is updated when MOD register is written.
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 479/644] hwmon: (gsc-hwmon) fix fan pwm setpoint show functions
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 478/644] pwm: imx-tpm: Reset counter if CMOD is 0 Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 480/644] mtd: spinand: propagate spinand_wait() errors from spinand_write_page() Greg Kroah-Hartman
` (170 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tim Harvey, Guenter Roeck
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Harvey <tharvey@gateworks.com>
commit 9c62e2282900332c8b711d9f9e37af369a8ef71b upstream.
The Linux hwmon sysfs API values for pwmX_auto_pointY_pwm represent an
integer value between 0 (0%) to 255 (100%) and the pwmX_auto_pointY_temp
represent millidegrees Celcius.
Commit a6d80df47ee2 ("hwmon: (gsc-hwmon) fix fan pwm temperature
scaling") properly addressed the incorrect scaling in the
pwm_auto_point_temp_store implementation but erroneously scaled
the pwm_auto_point_pwm_show (pwm value) instead of the
pwm_auto_point_temp_show (temp value) resulting in:
# cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_pwm
25500
# cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_temp
4500
Fix the scaling of these attributes:
# cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_pwm
255
# cat /sys/class/hwmon/hwmon0/pwm1_auto_point6_temp
45000
Fixes: a6d80df47ee2 ("hwmon: (gsc-hwmon) fix fan pwm temperature scaling")
Cc: stable@vger.kernel.org
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Link: https://lore.kernel.org/r/20250718200259.1840792-1-tharvey@gateworks.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/gsc-hwmon.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/hwmon/gsc-hwmon.c
+++ b/drivers/hwmon/gsc-hwmon.c
@@ -65,7 +65,7 @@ static ssize_t pwm_auto_point_temp_show(
return ret;
ret = regs[0] | regs[1] << 8;
- return sprintf(buf, "%d\n", ret * 10);
+ return sprintf(buf, "%d\n", ret * 100);
}
static ssize_t pwm_auto_point_temp_store(struct device *dev,
@@ -100,7 +100,7 @@ static ssize_t pwm_auto_point_pwm_show(s
{
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
- return sprintf(buf, "%d\n", 255 * (50 + (attr->index * 10)));
+ return sprintf(buf, "%d\n", 255 * (50 + (attr->index * 10)) / 100);
}
static SENSOR_DEVICE_ATTR_RO(pwm1_auto_point1_pwm, pwm_auto_point_pwm, 0);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 480/644] mtd: spinand: propagate spinand_wait() errors from spinand_write_page()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 479/644] hwmon: (gsc-hwmon) fix fan pwm setpoint show functions Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 481/644] mtd: rawnand: fsmc: Add missing check after DMA map Greg Kroah-Hartman
` (169 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Miquel Raynal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
commit 091d9e35b85b0f8f7e1c73535299f91364a5c73a upstream.
Since commit 3d1f08b032dc ("mtd: spinand: Use the external ECC engine
logic") the spinand_write_page() function ignores the errors returned
by spinand_wait(). Change the code to propagate those up to the stack
as it was done before the offending change.
Cc: stable@vger.kernel.org
Fixes: 3d1f08b032dc ("mtd: spinand: Use the external ECC engine logic")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/spi/core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -618,7 +618,10 @@ static int spinand_write_page(struct spi
SPINAND_WRITE_INITIAL_DELAY_US,
SPINAND_WRITE_POLL_DELAY_US,
&status);
- if (!ret && (status & STATUS_PROG_FAILED))
+ if (ret)
+ return ret;
+
+ if (status & STATUS_PROG_FAILED)
return -EIO;
return nand_ecc_finish_io_req(nand, (struct nand_page_io_req *)req);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 481/644] mtd: rawnand: fsmc: Add missing check after DMA map
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 480/644] mtd: spinand: propagate spinand_wait() errors from spinand_write_page() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 482/644] PCI: endpoint: Fix configfs group list head handling Greg Kroah-Hartman
` (168 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Miquel Raynal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 6c4dab38431fee3d39a841d66ba6f2890b31b005 upstream.
The DMA map functions can fail and should be tested for errors.
Fixes: 4774fb0a48aa ("mtd: nand/fsmc: Add DMA support")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Rule: add
Link: https://lore.kernel.org/stable/20250702065806.20983-2-fourier.thomas%40gmail.com
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/fsmc_nand.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/mtd/nand/raw/fsmc_nand.c
+++ b/drivers/mtd/nand/raw/fsmc_nand.c
@@ -503,6 +503,8 @@ static int dma_xfer(struct fsmc_nand_dat
dma_dev = chan->device;
dma_addr = dma_map_single(dma_dev->dev, buffer, len, direction);
+ if (dma_mapping_error(dma_dev->dev, dma_addr))
+ return -EINVAL;
if (direction == DMA_TO_DEVICE) {
dma_src = dma_addr;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 482/644] PCI: endpoint: Fix configfs group list head handling
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 481/644] mtd: rawnand: fsmc: Add missing check after DMA map Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 483/644] PCI: endpoint: Fix configfs group removal on driver teardown Greg Kroah-Hartman
` (167 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal,
Manivannan Sadhasivam, Niklas Cassel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit d79123d79a8154b4318529b7b2ff7e15806f480b upstream.
Doing a list_del() on the epf_group field of struct pci_epf_driver in
pci_epf_remove_cfs() is not correct as this field is a list head, not
a list entry. This list_del() call triggers a KASAN warning when an
endpoint function driver which has a configfs attribute group is torn
down:
==================================================================
BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198
Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319
CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE
Hardware name: Radxa ROCK 5B (DT)
Call trace:
show_stack+0x2c/0x84 (C)
dump_stack_lvl+0x70/0x98
print_report+0x17c/0x538
kasan_report+0xb8/0x190
__asan_report_store8_noabort+0x20/0x2c
pci_epf_remove_cfs+0x17c/0x198
pci_epf_unregister_driver+0x18/0x30
nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]
__arm64_sys_delete_module+0x264/0x424
invoke_syscall+0x70/0x260
el0_svc_common.constprop.0+0xac/0x230
do_el0_svc+0x40/0x58
el0_svc+0x48/0xdc
el0t_64_sync_handler+0x10c/0x138
el0t_64_sync+0x198/0x19c
...
Remove this incorrect list_del() call from pci_epf_remove_cfs().
Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250624114544.342159-2-dlemoal@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/endpoint/pci-epf-core.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/pci/endpoint/pci-epf-core.c
+++ b/drivers/pci/endpoint/pci-epf-core.c
@@ -343,7 +343,6 @@ static void pci_epf_remove_cfs(struct pc
mutex_lock(&pci_epf_mutex);
list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
pci_ep_cfs_remove_epf_group(group);
- list_del(&driver->epf_group);
mutex_unlock(&pci_epf_mutex);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 483/644] PCI: endpoint: Fix configfs group removal on driver teardown
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 482/644] PCI: endpoint: Fix configfs group list head handling Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 484/644] jbd2: prevent softlockup in jbd2_log_do_checkpoint() Greg Kroah-Hartman
` (166 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal,
Manivannan Sadhasivam, Niklas Cassel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit 910bdb8197f9322790c738bb32feaa11dba26909 upstream.
An endpoint driver configfs attributes group is added to the
epf_group list of struct pci_epf_driver by pci_epf_add_cfs() but an
added group is not removed from this list when the attribute group is
unregistered with pci_ep_cfs_remove_epf_group().
Add the missing list_del() call in pci_ep_cfs_remove_epf_group()
to correctly remove the attribute group from the driver list.
With this change, once the loop over all attribute groups in
pci_epf_remove_cfs() completes, the driver epf_group list should be
empty. Add a WARN_ON() to make sure of that.
Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250624114544.342159-3-dlemoal@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/endpoint/pci-ep-cfs.c | 1 +
drivers/pci/endpoint/pci-epf-core.c | 1 +
2 files changed, 2 insertions(+)
--- a/drivers/pci/endpoint/pci-ep-cfs.c
+++ b/drivers/pci/endpoint/pci-ep-cfs.c
@@ -658,6 +658,7 @@ void pci_ep_cfs_remove_epf_group(struct
if (IS_ERR_OR_NULL(group))
return;
+ list_del(&group->group_entry);
configfs_unregister_default_group(group);
}
EXPORT_SYMBOL(pci_ep_cfs_remove_epf_group);
--- a/drivers/pci/endpoint/pci-epf-core.c
+++ b/drivers/pci/endpoint/pci-epf-core.c
@@ -343,6 +343,7 @@ static void pci_epf_remove_cfs(struct pc
mutex_lock(&pci_epf_mutex);
list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
pci_ep_cfs_remove_epf_group(group);
+ WARN_ON(!list_empty(&driver->epf_group));
mutex_unlock(&pci_epf_mutex);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 484/644] jbd2: prevent softlockup in jbd2_log_do_checkpoint()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 483/644] PCI: endpoint: Fix configfs group removal on driver teardown Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 485/644] soc/tegra: pmc: Ensure power-domains are in a known state Greg Kroah-Hartman
` (165 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 9d98cf4632258720f18265a058e62fde120c0151 upstream.
Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()
periodically release j_list_lock after processing a batch of buffers to
avoid long hold times on the j_list_lock. However, since both functions
contend for j_list_lock, the combined time spent waiting and processing
can be significant.
jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when
need_resched() is true to avoid softlockups during prolonged operations.
But jbd2_log_do_checkpoint() only exits its loop when need_resched() is
true, relying on potentially sleeping functions like __flush_batch() or
wait_on_buffer() to trigger rescheduling. If those functions do not sleep,
the kernel may hit a softlockup.
watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]
CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10
Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017
Workqueue: writeback wb_workfn (flush-7:2)
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : native_queued_spin_lock_slowpath+0x358/0x418
lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
Call trace:
native_queued_spin_lock_slowpath+0x358/0x418
jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
__jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]
add_transaction_credits+0x3bc/0x418 [jbd2]
start_this_handle+0xf8/0x560 [jbd2]
jbd2__journal_start+0x118/0x228 [jbd2]
__ext4_journal_start_sb+0x110/0x188 [ext4]
ext4_do_writepages+0x3dc/0x740 [ext4]
ext4_writepages+0xa4/0x190 [ext4]
do_writepages+0x94/0x228
__writeback_single_inode+0x48/0x318
writeback_sb_inodes+0x204/0x590
__writeback_inodes_wb+0x54/0xf8
wb_writeback+0x2cc/0x3d8
wb_do_writeback+0x2e0/0x2f8
wb_workfn+0x80/0x2a8
process_one_work+0x178/0x3e8
worker_thread+0x234/0x3b8
kthread+0xf0/0x108
ret_from_fork+0x10/0x20
So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid
softlockup.
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://patch.msgid.link/20250812063752.912130-1-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/checkpoint.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/jbd2/checkpoint.c
+++ b/fs/jbd2/checkpoint.c
@@ -297,6 +297,7 @@ restart:
retry:
if (batch_count)
__flush_batch(journal, &batch_count);
+ cond_resched();
spin_lock(&journal->j_list_lock);
goto restart;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 485/644] soc/tegra: pmc: Ensure power-domains are in a known state
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 484/644] jbd2: prevent softlockup in jbd2_log_do_checkpoint() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 486/644] media: gspca: Add bounds checking to firmware parser Greg Kroah-Hartman
` (164 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jon Hunter, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jon Hunter <jonathanh@nvidia.com>
commit b6bcbce3359619d05bf387d4f5cc3af63668dbaa upstream.
After commit 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on
until late_initcall_sync") was applied, the Tegra210 Jetson TX1 board
failed to boot. Looking into this issue, before this commit was applied,
if any of the Tegra power-domains were in 'on' state when the kernel
booted, they were being turned off by the genpd core before any driver
had chance to request them. This was purely by luck and a consequence of
the power-domains being turned off earlier during boot. After this
commit was applied, any power-domains in the 'on' state are kept on for
longer during boot and therefore, may never transitioned to the off
state before they are requested/used. The hang on the Tegra210 Jetson
TX1 is caused because devices in some power-domains are accessed without
the power-domain being turned off and on, indicating that the
power-domain is not in a completely on state.
>From reviewing the Tegra PMC driver code, if a power-domain is in the
'on' state there is no guarantee that all the necessary clocks
associated with the power-domain are on and even if they are they would
not have been requested via the clock framework and so could be turned
off later. Some power-domains also have a 'clamping' register that needs
to be configured as well. In short, if a power-domain is already 'on' it
is difficult to know if it has been configured correctly. Given that the
power-domains happened to be switched off during boot previously, to
ensure that they are in a good known state on boot, fix this by
switching off any power-domains that are on initially when registering
the power-domains with the genpd framework.
Note that commit 05cfb988a4d0 ("soc/tegra: pmc: Initialise resets
associated with a power partition") updated the
tegra_powergate_of_get_resets() function to pass the 'off' to ensure
that the resets for the power-domain are in the correct state on boot.
However, now that we may power off a domain on boot, if it is on, it is
better to move this logic into the tegra_powergate_add() function so
that there is a single place where we are handling the initial state of
the power-domain.
Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support")
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250731121832.213671-1-jonathanh@nvidia.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/tegra/pmc.c | 51 +++++++++++++++++++++++++++---------------------
1 file changed, 29 insertions(+), 22 deletions(-)
--- a/drivers/soc/tegra/pmc.c
+++ b/drivers/soc/tegra/pmc.c
@@ -1174,7 +1174,7 @@ err:
}
static int tegra_powergate_of_get_resets(struct tegra_powergate *pg,
- struct device_node *np, bool off)
+ struct device_node *np)
{
struct device *dev = pg->pmc->dev;
int err;
@@ -1189,22 +1189,6 @@ static int tegra_powergate_of_get_resets
err = reset_control_acquire(pg->reset);
if (err < 0) {
pr_err("failed to acquire resets: %d\n", err);
- goto out;
- }
-
- if (off) {
- err = reset_control_assert(pg->reset);
- } else {
- err = reset_control_deassert(pg->reset);
- if (err < 0)
- goto out;
-
- reset_control_release(pg->reset);
- }
-
-out:
- if (err) {
- reset_control_release(pg->reset);
reset_control_put(pg->reset);
}
@@ -1249,20 +1233,43 @@ static int tegra_powergate_add(struct te
goto set_available;
}
- err = tegra_powergate_of_get_resets(pg, np, off);
+ err = tegra_powergate_of_get_resets(pg, np);
if (err < 0) {
dev_err(dev, "failed to get resets for %pOFn: %d\n", np, err);
goto remove_clks;
}
- if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) {
- if (off)
- WARN_ON(tegra_powergate_power_up(pg, true));
+ /*
+ * If the power-domain is off, then ensure the resets are asserted.
+ * If the power-domain is on, then power down to ensure that when is
+ * it turned on the power-domain, clocks and resets are all in the
+ * expected state.
+ */
+ if (off) {
+ err = reset_control_assert(pg->reset);
+ if (err) {
+ pr_err("failed to assert resets: %d\n", err);
+ goto remove_resets;
+ }
+ } else {
+ err = tegra_powergate_power_down(pg);
+ if (err) {
+ dev_err(dev, "failed to turn off PM domain %s: %d\n",
+ pg->genpd.name, err);
+ goto remove_resets;
+ }
+ }
+ /*
+ * If PM_GENERIC_DOMAINS is not enabled, power-on
+ * the domain and skip the genpd registration.
+ */
+ if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) {
+ WARN_ON(tegra_powergate_power_up(pg, true));
goto remove_resets;
}
- err = pm_genpd_init(&pg->genpd, NULL, off);
+ err = pm_genpd_init(&pg->genpd, NULL, true);
if (err < 0) {
dev_err(dev, "failed to initialise PM domain %pOFn: %d\n", np,
err);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 486/644] media: gspca: Add bounds checking to firmware parser
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 485/644] soc/tegra: pmc: Ensure power-domains are in a known state Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 487/644] media: hi556: correct the test pattern configuration Greg Kroah-Hartman
` (163 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit aef89c0b2417da79cb2062a95476288f9f203ab0 upstream.
This sd_init() function reads the firmware. The firmware data holds a
series of records and the function reads each record and sends the data
to the device. The request_ihex_firmware() function
calls ihex_validate_fw() which ensures that the total length of all the
records won't read out of bounds of the fw->data[].
However, a potential issue is if there is a single very large
record (larger than PAGE_SIZE) and that would result in memory
corruption. Generally we trust the firmware, but it's always better to
double check.
Fixes: 49b61ec9b5af ("[media] gspca: Add new vicam subdriver")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/gspca/vicam.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/media/usb/gspca/vicam.c
+++ b/drivers/media/usb/gspca/vicam.c
@@ -227,6 +227,7 @@ static int sd_init(struct gspca_dev *gsp
const struct ihex_binrec *rec;
const struct firmware *fw;
u8 *firmware_buf;
+ int len;
ret = request_ihex_firmware(&fw, VICAM_FIRMWARE,
&gspca_dev->dev->dev);
@@ -241,9 +242,14 @@ static int sd_init(struct gspca_dev *gsp
goto exit;
}
for (rec = (void *)fw->data; rec; rec = ihex_next_binrec(rec)) {
- memcpy(firmware_buf, rec->data, be16_to_cpu(rec->len));
+ len = be16_to_cpu(rec->len);
+ if (len > PAGE_SIZE) {
+ ret = -EINVAL;
+ break;
+ }
+ memcpy(firmware_buf, rec->data, len);
ret = vicam_control_msg(gspca_dev, 0xff, 0, 0, firmware_buf,
- be16_to_cpu(rec->len));
+ len);
if (ret < 0)
break;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 487/644] media: hi556: correct the test pattern configuration
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 486/644] media: gspca: Add bounds checking to firmware parser Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 488/644] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() Greg Kroah-Hartman
` (162 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bingbu Cao, Sakari Ailus,
Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bingbu Cao <bingbu.cao@intel.com>
commit 020f602b068c9ce18d5056d02c8302199377d98d upstream.
Hynix hi556 support 8 test pattern modes:
hi556_test_pattern_menu[] = {
{
"Disabled",
"Solid Colour",
"100% Colour Bars",
"Fade To Grey Colour Bars",
"PN9",
"Gradient Horizontal",
"Gradient Vertical",
"Check Board",
"Slant Pattern",
}
The test pattern is set by a 8-bit register according to the
specification.
+--------+-------------------------------+
| BIT[0] | Solid color |
+--------+-------------------------------+
| BIT[1] | Color bar |
+--------+-------------------------------+
| BIT[2] | Fade to grey color bar |
+--------+-------------------------------+
| BIT[3] | PN9 |
+--------+-------------------------------+
| BIT[4] | Gradient horizontal |
+--------+-------------------------------+
| BIT[5] | Gradient vertical |
+--------+-------------------------------+
| BIT[6] | Check board |
+--------+-------------------------------+
| BIT[7] | Slant pattern |
+--------+-------------------------------+
Based on function above, current test pattern programming is wrong.
This patch fixes it by 'BIT(pattern - 1)'. If pattern is 0, driver
will disable the test pattern generation and set the pattern to 0.
Fixes: e62138403a84 ("media: hi556: Add support for Hi-556 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/hi556.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
--- a/drivers/media/i2c/hi556.c
+++ b/drivers/media/i2c/hi556.c
@@ -602,21 +602,23 @@ static int hi556_test_pattern(struct hi5
int ret;
u32 val;
- if (pattern) {
- ret = hi556_read_reg(hi556, HI556_REG_ISP,
- HI556_REG_VALUE_08BIT, &val);
- if (ret)
- return ret;
-
- ret = hi556_write_reg(hi556, HI556_REG_ISP,
- HI556_REG_VALUE_08BIT,
- val | HI556_REG_ISP_TPG_EN);
- if (ret)
- return ret;
- }
+ ret = hi556_read_reg(hi556, HI556_REG_ISP,
+ HI556_REG_VALUE_08BIT, &val);
+ if (ret)
+ return ret;
+
+ val = pattern ? (val | HI556_REG_ISP_TPG_EN) :
+ (val & ~HI556_REG_ISP_TPG_EN);
+
+ ret = hi556_write_reg(hi556, HI556_REG_ISP,
+ HI556_REG_VALUE_08BIT, val);
+ if (ret)
+ return ret;
+
+ val = pattern ? BIT(pattern - 1) : 0;
return hi556_write_reg(hi556, HI556_REG_TEST_PATTERN,
- HI556_REG_VALUE_08BIT, pattern);
+ HI556_REG_VALUE_08BIT, val);
}
static int hi556_set_ctrl(struct v4l2_ctrl *ctrl)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 488/644] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 487/644] media: hi556: correct the test pattern configuration Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 489/644] media: v4l2-ctrls: Dont reset handlers error in v4l2_ctrl_handler_free() Greg Kroah-Hartman
` (161 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Dan Carpenter,
Nicolas Dufresne, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit fc5f8aec77704373ee804b5dba0e0e5029c0f180 upstream.
Add video_device_release() in label 'err_m2m' to release the memory
allocated by video_device_alloc() and prevent potential memory leaks.
Remove the reduntant code in label 'err_m2m'.
Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/media/imx/imx-media-csc-scaler.c
+++ b/drivers/staging/media/imx/imx-media-csc-scaler.c
@@ -914,7 +914,7 @@ imx_media_csc_scaler_device_init(struct
return &priv->vdev;
err_m2m:
- video_set_drvdata(vfd, NULL);
+ video_device_release(vfd);
err_vfd:
kfree(priv);
return ERR_PTR(ret);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 489/644] media: v4l2-ctrls: Dont reset handlers error in v4l2_ctrl_handler_free()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 488/644] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 490/644] media: usbtv: Lock resolution while streaming Greg Kroah-Hartman
` (160 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Hans Verkuil,
Laurent Pinchart
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
commit 5a0400aca5fa7c6b8ba456c311a460e733571c88 upstream.
It's a common pattern in drivers to free the control handler's resources
and then return the handler's error code on drivers' error handling paths.
Alas, the v4l2_ctrl_handler_free() function also zeroes the error field,
effectively indicating successful return to the caller.
There's no apparent need to touch the error field while releasing the
control handler's resources and cleaning up stale pointers. Not touching
the handler's error field is a more certain way to address this problem
than changing all the users, in which case the pattern would be likely to
re-emerge in new drivers.
Do just that, don't touch the control handler's error field in
v4l2_ctrl_handler_free().
Fixes: 0996517cf8ea ("V4L/DVB: v4l2: Add new control handling framework")
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/v4l2-core/v4l2-ctrls-core.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
@@ -992,7 +992,6 @@ void v4l2_ctrl_handler_free(struct v4l2_
kvfree(hdl->buckets);
hdl->buckets = NULL;
hdl->cached = NULL;
- hdl->error = 0;
mutex_unlock(hdl->lock);
mutex_destroy(&hdl->_lock);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 490/644] media: usbtv: Lock resolution while streaming
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 489/644] media: v4l2-ctrls: Dont reset handlers error in v4l2_ctrl_handler_free() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 491/644] media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() Greg Kroah-Hartman
` (159 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ludwig Disterhof, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ludwig Disterhof <ludwig@disterhof.eu>
commit 7e40e0bb778907b2441bff68d73c3eb6b6cd319f upstream.
When an program is streaming (ffplay) and another program (qv4l2)
changes the TV standard from NTSC to PAL, the kernel crashes due to trying
to copy to unmapped memory.
Changing from NTSC to PAL increases the resolution in the usbtv struct,
but the video plane buffer isn't adjusted, so it overflows.
Fixes: 0e0fe3958fdd13d ("[media] usbtv: Add support for PAL video source")
Cc: stable@vger.kernel.org
Signed-off-by: Ludwig Disterhof <ludwig@disterhof.eu>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
[hverkuil: call vb2_is_busy instead of vb2_is_streaming]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/usbtv/usbtv-video.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/media/usb/usbtv/usbtv-video.c
+++ b/drivers/media/usb/usbtv/usbtv-video.c
@@ -73,6 +73,10 @@ static int usbtv_configure_for_norm(stru
}
if (params) {
+ if (vb2_is_busy(&usbtv->vb2q) &&
+ (usbtv->width != params->cap_width ||
+ usbtv->height != params->cap_height))
+ return -EBUSY;
usbtv->width = params->cap_width;
usbtv->height = params->cap_height;
usbtv->n_chunks = usbtv->width * usbtv->height
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 491/644] media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 490/644] media: usbtv: Lock resolution while streaming Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 492/644] media: ov2659: Fix memory leaks in ov2659_probe() Greg Kroah-Hartman
` (158 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit 7af160aea26c7dc9e6734d19306128cce156ec40 upstream.
In the interrupt handler rain_interrupt(), the buffer full check on
rain->buf_len is performed before acquiring rain->buf_lock. This
creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as
rain->buf_len is concurrently accessed and modified in the work
handler rain_irq_work_handler() under the same lock.
Multiple interrupt invocations can race, with each reading buf_len
before it becomes full and then proceeding. This can lead to both
interrupts attempting to write to the buffer, incrementing buf_len
beyond its capacity (DATA_SIZE) and causing a buffer overflow.
Fix this bug by moving the spin_lock() to before the buffer full
check. This ensures that the check and the subsequent buffer modification
are performed atomically, preventing the race condition. An corresponding
spin_unlock() is added to the overflow path to correctly release the
lock.
This possible bug was found by an experimental static analysis tool
developed by our team.
Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/cec/usb/rainshadow/rainshadow-cec.c
+++ b/drivers/media/cec/usb/rainshadow/rainshadow-cec.c
@@ -171,11 +171,12 @@ static irqreturn_t rain_interrupt(struct
{
struct rain *rain = serio_get_drvdata(serio);
+ spin_lock(&rain->buf_lock);
if (rain->buf_len == DATA_SIZE) {
+ spin_unlock(&rain->buf_lock);
dev_warn_once(rain->dev, "buffer overflow\n");
return IRQ_HANDLED;
}
- spin_lock(&rain->buf_lock);
rain->buf_len++;
rain->buf[rain->buf_wr_idx] = data;
rain->buf_wr_idx = (rain->buf_wr_idx + 1) & 0xff;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 492/644] media: ov2659: Fix memory leaks in ov2659_probe()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (490 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 491/644] media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 493/644] media: venus: Add a check for packet size after reading from shared memory Greg Kroah-Hartman
` (157 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Shurong, Sakari Ailus,
Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Shurong <zhang_shurong@foxmail.com>
commit 76142b137b968d47b35cdd8d1dc924677d319c8b upstream.
ov2659_probe() doesn't properly free control handler resources in failure
paths, causing memory leaks. Add v4l2_ctrl_handler_free() to prevent these
memory leaks and reorder the ctrl_handler assignment for better code flow.
Fixes: c4c0283ab3cd ("[media] media: i2c: add support for omnivision's ov2659 sensor")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov2659.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/media/i2c/ov2659.c
+++ b/drivers/media/i2c/ov2659.c
@@ -1479,14 +1479,15 @@ static int ov2659_probe(struct i2c_clien
V4L2_CID_TEST_PATTERN,
ARRAY_SIZE(ov2659_test_pattern_menu) - 1,
0, 0, ov2659_test_pattern_menu);
- ov2659->sd.ctrl_handler = &ov2659->ctrls;
if (ov2659->ctrls.error) {
dev_err(&client->dev, "%s: control initialization error %d\n",
__func__, ov2659->ctrls.error);
+ v4l2_ctrl_handler_free(&ov2659->ctrls);
return ov2659->ctrls.error;
}
+ ov2659->sd.ctrl_handler = &ov2659->ctrls;
sd = &ov2659->sd;
client->flags |= I2C_CLIENT_SCCB;
#ifdef CONFIG_VIDEO_V4L2_SUBDEV_API
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 493/644] media: venus: Add a check for packet size after reading from shared memory
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (491 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 492/644] media: ov2659: Fix memory leaks in ov2659_probe() Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 494/644] media: venus: hfi: explicitly release IRQ during teardown Greg Kroah-Hartman
` (156 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vedang Nagar, Dikshita Agarwal,
Bryan ODonoghue, Bryan ODonoghue, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vedang Nagar <quic_vnagar@quicinc.com>
commit 49befc830daa743e051a65468c05c2ff9e8580e6 upstream.
Add a check to ensure that the packet size does not exceed the number of
available words after reading the packet header from shared memory. This
ensures that the size provided by the firmware is safe to process and
prevent potential out-of-bounds memory access.
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Cc: stable@vger.kernel.org
Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com>
Co-developed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_venus.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -239,6 +239,7 @@ static int venus_write_queue(struct venu
static int venus_read_queue(struct venus_hfi_device *hdev,
struct iface_queue *queue, void *pkt, u32 *tx_req)
{
+ struct hfi_pkt_hdr *pkt_hdr = NULL;
struct hfi_queue_header *qhdr;
u32 dwords, new_rd_idx;
u32 rd_idx, wr_idx, type, qsize;
@@ -304,6 +305,9 @@ static int venus_read_queue(struct venus
memcpy(pkt, rd_ptr, len);
memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2);
}
+ pkt_hdr = (struct hfi_pkt_hdr *)(pkt);
+ if ((pkt_hdr->size >> 2) != dwords)
+ return -EINVAL;
} else {
/* bad packet received, dropping */
new_rd_idx = qhdr->write_idx;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 494/644] media: venus: hfi: explicitly release IRQ during teardown
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (492 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 493/644] media: venus: Add a check for packet size after reading from shared memory Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 495/644] media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 Greg Kroah-Hartman
` (155 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jorge Ramirez-Ortiz,
Dikshita Agarwal, Bryan ODonoghue, Bryan ODonoghue, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
commit 640803003cd903cea73dc6a86bf6963e238e2b3f upstream.
Ensure the IRQ is disabled - and all pending handlers completed - before
dismantling the interrupt routing and clearing related pointers.
This prevents any possibility of the interrupt triggering after the
handler context has been invalidated.
Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
Cc: stable@vger.kernel.org
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/hfi_venus.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/platform/qcom/venus/hfi_venus.c
+++ b/drivers/media/platform/qcom/venus/hfi_venus.c
@@ -1679,6 +1679,7 @@ void venus_hfi_destroy(struct venus_core
venus_interface_queues_release(hdev);
mutex_destroy(&hdev->lock);
kfree(hdev);
+ disable_irq(core->irq);
core->ops = NULL;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 495/644] media: venus: vdec: Clamp param smaller than 1fps and bigger than 240.
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (493 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 494/644] media: venus: hfi: explicitly release IRQ during teardown Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 496/644] media: venus: venc: " Greg Kroah-Hartman
` (154 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Bryan ODonoghue,
Ricardo Ribalda, Bryan ODonoghue
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit 377dc500d253f0b26732b2cb062e89668aef890a upstream.
The driver uses "whole" fps in all its calculations (e.g. in
load_per_instance()). Those calculation expect an fps bigger than 1, and
not big enough to overflow.
Clamp the value if the user provides a param that will result in an invalid
fps.
Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
Closes: https://lore.kernel.org/linux-media/f11653a7-bc49-48cd-9cdb-1659147453e4@xs4all.nl/T/#m91cd962ac942834654f94c92206e2f85ff7d97f0
Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
Cc: stable@vger.kernel.org
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # qrb5615-rb5
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
[bod: Change "parm" to "param"]
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/core.h | 2 ++
drivers/media/platform/qcom/venus/vdec.c | 5 ++---
2 files changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/media/platform/qcom/venus/core.h
+++ b/drivers/media/platform/qcom/venus/core.h
@@ -26,6 +26,8 @@
#define VIDC_PMDOMAINS_NUM_MAX 3
#define VIDC_RESETS_NUM_MAX 2
+#define VENUS_MAX_FPS 240
+
extern int venus_fw_debug;
struct freq_tbl {
--- a/drivers/media/platform/qcom/venus/vdec.c
+++ b/drivers/media/platform/qcom/venus/vdec.c
@@ -430,11 +430,10 @@ static int vdec_s_parm(struct file *file
us_per_frame = timeperframe->numerator * (u64)USEC_PER_SEC;
do_div(us_per_frame, timeperframe->denominator);
- if (!us_per_frame)
- return -EINVAL;
-
+ us_per_frame = clamp(us_per_frame, 1, USEC_PER_SEC);
fps = (u64)USEC_PER_SEC;
do_div(fps, us_per_frame);
+ fps = min(VENUS_MAX_FPS, fps);
inst->fps = fps;
inst->timeperframe = *timeperframe;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 496/644] media: venus: venc: Clamp param smaller than 1fps and bigger than 240
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (494 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 495/644] media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 497/644] drm/amd: Restore cached power limit during resume Greg Kroah-Hartman
` (153 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Ricardo Ribalda,
Bryan ODonoghue
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ricardo Ribalda <ribalda@chromium.org>
commit 417c01b92ec278a1118a05c6ad8a796eaa0c9c52 upstream.
The driver uses "whole" fps in all its calculations (e.g. in
load_per_instance()). Those calculation expect an fps bigger than 1, and
not big enough to overflow.
Clamp the param if the user provides a value that will result in an invalid
fps.
Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
Closes: https://lore.kernel.org/linux-media/f11653a7-bc49-48cd-9cdb-1659147453e4@xs4all.nl/T/#m91cd962ac942834654f94c92206e2f85ff7d97f0
Fixes: aaaa93eda64b ("[media] media: venus: venc: add video encoder files")
Cc: stable@vger.kernel.org
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
[bod: Change "parm" to "param"]
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/venc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/media/platform/qcom/venus/venc.c
+++ b/drivers/media/platform/qcom/venus/venc.c
@@ -408,11 +408,10 @@ static int venc_s_parm(struct file *file
us_per_frame = timeperframe->numerator * (u64)USEC_PER_SEC;
do_div(us_per_frame, timeperframe->denominator);
- if (!us_per_frame)
- return -EINVAL;
-
+ us_per_frame = clamp(us_per_frame, 1, USEC_PER_SEC);
fps = (u64)USEC_PER_SEC;
do_div(fps, us_per_frame);
+ fps = min(VENUS_MAX_FPS, fps);
inst->timeperframe = *timeperframe;
inst->fps = fps;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 497/644] drm/amd: Restore cached power limit during resume
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (495 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 496/644] media: venus: venc: " Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 498/644] drm/amd/display: Dont overwrite dce60_clk_mgr Greg Kroah-Hartman
` (152 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alex Deucher, Mario Limonciello
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit ed4efe426a49729952b3dc05d20e33b94409bdd1 upstream.
The power limit will be cached in smu->current_power_limit but
if the ASIC goes into S3 this value won't be restored.
Restore the value during SMU resume.
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Link: https://lore.kernel.org/r/20250725031222.3015095-2-superm1@kernel.org
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 26a609e053a6fc494403e95403bc6a2470383bec)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
@@ -1573,6 +1573,12 @@ static int smu_resume(void *handle)
adev->pm.dpm_enabled = true;
+ if (smu->current_power_limit) {
+ ret = smu_set_power_limit(smu, smu->current_power_limit);
+ if (ret && ret != -EOPNOTSUPP)
+ return ret;
+ }
+
dev_info(adev->dev, "SMU is resumed successfully!\n");
return 0;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 498/644] drm/amd/display: Dont overwrite dce60_clk_mgr
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (496 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 497/644] drm/amd: Restore cached power limit during resume Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 499/644] net, hsr: reject HSR frame if skb cant hold tag Greg Kroah-Hartman
` (151 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Siqueira, Alex Deucher,
Timur Kristóf
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit 4db9cd554883e051df1840d4d58d636043101034 upstream.
dc_clk_mgr_create accidentally overwrites the dce60_clk_mgr
with the dce_clk_mgr, causing incorrect behaviour on DCE6.
Fix it by removing the extra dce_clk_mgr_construct.
Fixes: 62eab49faae7 ("drm/amd/display: hide VGH asic specific structs")
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit bbddcbe36a686af03e91341b9bbfcca94bd45fb6)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c
@@ -146,7 +146,6 @@ struct clk_mgr *dc_clk_mgr_create(struct
return NULL;
}
dce60_clk_mgr_construct(ctx, clk_mgr);
- dce_clk_mgr_construct(ctx, clk_mgr);
return &clk_mgr->base;
}
#endif
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 499/644] net, hsr: reject HSR frame if skb cant hold tag
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (497 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 498/644] drm/amd/display: Dont overwrite dce60_clk_mgr Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 500/644] ipv6: sr: Fix MAC comparison to be constant-time Greg Kroah-Hartman
` (150 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+a81f2759d022496b40ab,
Jakub Acs, Eric Dumazet, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Acs <acsjakub@amazon.de>
commit 7af76e9d18a9fd6f8611b3313c86c190f9b6a5a7 upstream.
Receiving HSR frame with insufficient space to hold HSR tag in the skb
can result in a crash (kernel BUG):
[ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bridge_slave_1
[ 45.392559] ------------[ cut here ]------------
[ 45.392912] kernel BUG at net/core/skbuff.c:211!
[ 45.393276] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 45.393809] CPU: 1 UID: 0 PID: 2496 Comm: reproducer Not tainted 6.15.0 #12 PREEMPT(undef)
[ 45.394433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 45.395273] RIP: 0010:skb_panic+0x15b/0x1d0
<snip registers, remove unreliable trace>
[ 45.402911] Call Trace:
[ 45.403105] <IRQ>
[ 45.404470] skb_push+0xcd/0xf0
[ 45.404726] br_dev_queue_push_xmit+0x7c/0x6c0
[ 45.406513] br_forward_finish+0x128/0x260
[ 45.408483] __br_forward+0x42d/0x590
[ 45.409464] maybe_deliver+0x2eb/0x420
[ 45.409763] br_flood+0x174/0x4a0
[ 45.410030] br_handle_frame_finish+0xc7c/0x1bc0
[ 45.411618] br_handle_frame+0xac3/0x1230
[ 45.413674] __netif_receive_skb_core.constprop.0+0x808/0x3df0
[ 45.422966] __netif_receive_skb_one_core+0xb4/0x1f0
[ 45.424478] __netif_receive_skb+0x22/0x170
[ 45.424806] process_backlog+0x242/0x6d0
[ 45.425116] __napi_poll+0xbb/0x630
[ 45.425394] net_rx_action+0x4d1/0xcc0
[ 45.427613] handle_softirqs+0x1a4/0x580
[ 45.427926] do_softirq+0x74/0x90
[ 45.428196] </IRQ>
This issue was found by syzkaller.
The panic happens in br_dev_queue_push_xmit() once it receives a
corrupted skb with ETH header already pushed in linear data. When it
attempts the skb_push() call, there's not enough headroom and
skb_push() panics.
The corrupted skb is put on the queue by HSR layer, which makes a
sequence of unintended transformations when it receives a specific
corrupted HSR frame (with incomplete TAG).
Fix it by dropping and consuming frames that are not long enough to
contain both ethernet and hsr headers.
Alternative fix would be to check for enough headroom before skb_push()
in br_dev_queue_push_xmit().
In the reproducer, this is injected via AF_PACKET, but I don't easily
see why it couldn't be sent over the wire from adjacent network.
Further Details:
In the reproducer, the following network interface chain is set up:
┌────────────────┐ ┌────────────────┐
│ veth0_to_hsr ├───┤ hsr_slave0 ┼───┐
└────────────────┘ └────────────────┘ │
│ ┌──────┐
├─┤ hsr0 ├───┐
│ └──────┘ │
┌────────────────┐ ┌────────────────┐ │ │┌────────┐
│ veth1_to_hsr ┼───┤ hsr_slave1 ├───┘ └┤ │
└────────────────┘ └────────────────┘ ┌┼ bridge │
││ │
│└────────┘
│
┌───────┐ │
│ ... ├──────┘
└───────┘
To trigger the events leading up to crash, reproducer sends a corrupted
HSR frame with incomplete TAG, via AF_PACKET socket on 'veth0_to_hsr'.
The first HSR-layer function to process this frame is
hsr_handle_frame(). It and then checks if the
protocol is ETH_P_PRP or ETH_P_HSR. If it is, it calls
skb_set_network_header(skb, ETH_HLEN + HSR_HLEN), without checking that
the skb is long enough. For the crashing frame it is not, and hence the
skb->network_header and skb->mac_len fields are set incorrectly,
pointing after the end of the linear buffer.
I will call this a BUG#1 and it is what is addressed by this patch. In
the crashing scenario before the fix, the skb continues to go down the
hsr path as follows.
hsr_handle_frame() then calls this sequence
hsr_forward_skb()
fill_frame_info()
hsr->proto_ops->fill_frame_info()
hsr_fill_frame_info()
hsr_fill_frame_info() contains a check that intends to check whether the
skb actually contains the HSR header. But the check relies on the
skb->mac_len field which was erroneously setup due to BUG#1, so the
check passes and the execution continues back in the hsr_forward_skb():
hsr_forward_skb()
hsr_forward_do()
hsr->proto_ops->get_untagged_frame()
hsr_get_untagged_frame()
create_stripped_skb_hsr()
In create_stripped_skb_hsr(), a copy of the skb is created and is
further corrupted by operation that attempts to strip the HSR tag in a
call to __pskb_copy().
The skb enters create_stripped_skb_hsr() with ethernet header pushed in
linear buffer. The skb_pull(skb_in, HSR_HLEN) thus pulls 6 bytes of
ethernet header into the headroom, creating skb_in with a headroom of
size 8. The subsequent __pskb_copy() then creates an skb with headroom
of just 2 and skb->len of just 12, this is how it looks after the copy:
gdb) p skb->len
$10 = 12
(gdb) p skb->data
$11 = (unsigned char *) 0xffff888041e45382 "\252\252\252\252\252!\210\373",
(gdb) p skb->head
$12 = (unsigned char *) 0xffff888041e45380 ""
It seems create_stripped_skb_hsr() assumes that ETH header is pulled
in the headroom when it's entered, because it just pulls HSR header on
top. But that is not the case in our code-path and we end up with the
corrupted skb instead. I will call this BUG#2
*I got confused here because it seems that under no conditions can
create_stripped_skb_hsr() work well, the assumption it makes is not true
during the processing of hsr frames - since the skb_push() in
hsr_handle_frame to skb_pull in hsr_deliver_master(). I wonder whether I
missed something here.*
Next, the execution arrives in hsr_deliver_master(). It calls
skb_pull(ETH_HLEN), which just returns NULL - the SKB does not have
enough space for the pull (as it only has 12 bytes in total at this
point).
*The skb_pull() here further suggests that ethernet header is meant
to be pushed through the whole hsr processing and
create_stripped_skb_hsr() should pull it before doing the HSR header
pull.*
hsr_deliver_master() then puts the corrupted skb on the queue, it is
then picked up from there by bridge frame handling layer and finally
lands in br_dev_queue_push_xmit where it panics.
Cc: stable@kernel.org
Fixes: 48b491a5cc74 ("net: hsr: fix mac_len checks")
Reported-by: syzbot+a81f2759d022496b40ab@syzkaller.appspotmail.com
Signed-off-by: Jakub Acs <acsjakub@amazon.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250819082842.94378-1-acsjakub@amazon.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/hsr/hsr_slave.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/net/hsr/hsr_slave.c
+++ b/net/hsr/hsr_slave.c
@@ -62,8 +62,14 @@ static rx_handler_result_t hsr_handle_fr
skb_push(skb, ETH_HLEN);
skb_reset_mac_header(skb);
if ((!hsr->prot_version && protocol == htons(ETH_P_PRP)) ||
- protocol == htons(ETH_P_HSR))
+ protocol == htons(ETH_P_HSR)) {
+ if (!pskb_may_pull(skb, ETH_HLEN + HSR_HLEN)) {
+ kfree_skb(skb);
+ goto finish_consume;
+ }
+
skb_set_network_header(skb, ETH_HLEN + HSR_HLEN);
+ }
skb_reset_mac_len(skb);
hsr_forward_skb(skb, port);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 500/644] ipv6: sr: Fix MAC comparison to be constant-time
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (498 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 499/644] net, hsr: reject HSR frame if skb cant hold tag Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 501/644] mptcp: drop skb if MPTCP skb extension allocation fails Greg Kroah-Hartman
` (149 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Andrea Mayer,
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit a458b2902115b26a25d67393b12ddd57d1216aaa upstream.
To prevent timing attacks, MACs need to be compared in constant time.
Use the appropriate helper function for this.
Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Andrea Mayer <andrea.mayer@uniroma2.it>
Link: https://patch.msgid.link/20250818202724.15713-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/seg6_hmac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv6/seg6_hmac.c
+++ b/net/ipv6/seg6_hmac.c
@@ -35,6 +35,7 @@
#include <net/xfrm.h>
#include <crypto/hash.h>
+#include <crypto/algapi.h>
#include <net/seg6.h>
#include <net/genetlink.h>
#include <net/seg6_hmac.h>
@@ -269,7 +270,7 @@ bool seg6_hmac_validate_skb(struct sk_bu
if (seg6_hmac_compute(hinfo, srh, &ipv6_hdr(skb)->saddr, hmac_output))
return false;
- if (memcmp(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN) != 0)
+ if (crypto_memneq(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN))
return false;
return true;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 501/644] mptcp: drop skb if MPTCP skb extension allocation fails
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (499 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 500/644] ipv6: sr: Fix MAC comparison to be constant-time Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 502/644] mptcp: pm: kernel: flush: do not reset ADD_ADDR limit Greg Kroah-Hartman
` (148 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Paasch,
Matthieu Baerts (NGI0), Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Paasch <cpaasch@openai.com>
commit ccab044697980c6c01ab51f43f48f13b8a3e5c33 upstream.
When skb_ext_add(skb, SKB_EXT_MPTCP) fails in mptcp_incoming_options(),
we used to return true, letting the segment proceed through the TCP
receive path without a DSS mapping. Such segments can leave inconsistent
mapping state and trigger a mid-stream fallback to TCP, which in testing
collapsed (by artificially forcing failures in skb_ext_add) throughput
to zero.
Return false instead so the TCP input path drops the skb (see
tcp_data_queue() and step-7 processing). This is the safer choice
under memory pressure: it preserves MPTCP correctness and provides
backpressure to the sender.
Control packets remain unaffected: ACK updates and DATA_FIN handling
happen before attempting the extension allocation, and tcp_reset()
continues to ignore the return value.
With this change, MPTCP continues to work at high throughput if we
artificially inject failures into skb_ext_add.
Fixes: 6787b7e350d3 ("mptcp: avoid processing packet if a subflow reset")
Cc: stable@vger.kernel.org
Signed-off-by: Christoph Paasch <cpaasch@openai.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-1-521fe9957892@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/options.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -1074,7 +1074,9 @@ static bool add_addr_hmac_valid(struct m
return hmac == mp_opt->ahmac;
}
-/* Return false if a subflow has been reset, else return true */
+/* Return false in case of error (or subflow has been reset),
+ * else return true.
+ */
bool mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
{
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
@@ -1170,7 +1172,7 @@ bool mptcp_incoming_options(struct sock
mpext = skb_ext_add(skb, SKB_EXT_MPTCP);
if (!mpext)
- return true;
+ return false;
memset(mpext, 0, sizeof(*mpext));
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 502/644] mptcp: pm: kernel: flush: do not reset ADD_ADDR limit
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (500 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 501/644] mptcp: drop skb if MPTCP skb extension allocation fails Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 503/644] sch_htb: make htb_qlen_notify() idempotent Greg Kroah-Hartman
` (147 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Dreibholz, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 68fc0f4b0d25692940cdc85c68e366cae63e1757 upstream.
A flush of the MPTCP endpoints should not affect the MPTCP limits. In
other words, 'ip mptcp endpoint flush' should not change 'ip mptcp
limits'.
But it was the case: the MPTCP_PM_ATTR_RCV_ADD_ADDRS (add_addr_accepted)
limit was reset by accident. Removing the reset of this counter during a
flush fixes this issue.
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reported-by: Thomas Dreibholz <dreibh@simula.no>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/579
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-2-521fe9957892@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 1 -
1 file changed, 1 deletion(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1582,7 +1582,6 @@ static void __flush_addrs(struct list_he
static void __reset_counters(struct pm_nl_pernet *pernet)
{
WRITE_ONCE(pernet->add_addr_signal_max, 0);
- WRITE_ONCE(pernet->add_addr_accept_max, 0);
WRITE_ONCE(pernet->local_addr_max, 0);
pernet->addrs = 0;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 503/644] sch_htb: make htb_qlen_notify() idempotent
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (501 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 502/644] mptcp: pm: kernel: flush: do not reset ADD_ADDR limit Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 504/644] sch_hfsc: make hfsc_qlen_notify() idempotent Greg Kroah-Hartman
` (146 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Cong Wang, Simon Horman,
Jamal Hadi Salim, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit 5ba8b837b522d7051ef81bacf3d95383ff8edce5 upstream.
htb_qlen_notify() always deactivates the HTB class and in fact could
trigger a warning if it is already deactivated. Therefore, it is not
idempotent and not friendly to its callers, like fq_codel_dequeue().
Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers'
life.
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211033.166059-2-xiyou.wangcong@gmail.com
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_htb.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -1506,6 +1506,8 @@ static void htb_qlen_notify(struct Qdisc
{
struct htb_class *cl = (struct htb_class *)arg;
+ if (!cl->prio_activity)
+ return;
htb_deactivate(qdisc_priv(sch), cl);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 504/644] sch_hfsc: make hfsc_qlen_notify() idempotent
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (502 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 503/644] sch_htb: make htb_qlen_notify() idempotent Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 505/644] sch_qfq: make qfq_qlen_notify() idempotent Greg Kroah-Hartman
` (145 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Cong Wang, Simon Horman,
Jamal Hadi Salim, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb upstream.
hfsc_qlen_notify() is not idempotent either and not friendly
to its callers, like fq_codel_dequeue(). Let's make it idempotent
to ease qdisc_tree_reduce_backlog() callers' life:
1. update_vf() decreases cl->cl_nactive, so we can check whether it is
non-zero before calling it.
2. eltree_remove() always removes RB node cl->el_node, but we can use
RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe.
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211033.166059-4-xiyou.wangcong@gmail.com
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_hfsc.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -209,7 +209,10 @@ eltree_insert(struct hfsc_class *cl)
static inline void
eltree_remove(struct hfsc_class *cl)
{
- rb_erase(&cl->el_node, &cl->sched->eligible);
+ if (!RB_EMPTY_NODE(&cl->el_node)) {
+ rb_erase(&cl->el_node, &cl->sched->eligible);
+ RB_CLEAR_NODE(&cl->el_node);
+ }
}
static inline void
@@ -1231,7 +1234,8 @@ hfsc_qlen_notify(struct Qdisc *sch, unsi
/* vttree is now handled in update_vf() so that update_vf(cl, 0, 0)
* needs to be called explicitly to remove a class from vttree.
*/
- update_vf(cl, 0, 0);
+ if (cl->cl_nactive)
+ update_vf(cl, 0, 0);
if (cl->cl_flags & HFSC_RSC)
eltree_remove(cl);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 505/644] sch_qfq: make qfq_qlen_notify() idempotent
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (503 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 504/644] sch_hfsc: make hfsc_qlen_notify() idempotent Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 506/644] mm: drop the assumption that VM_SHARED always implies writable Greg Kroah-Hartman
` (144 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Cong Wang, Simon Horman,
Jamal Hadi Salim, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit 55f9eca4bfe30a15d8656f915922e8c98b7f0728 upstream.
qfq_qlen_notify() always deletes its class from its active list
with list_del_init() _and_ calls qfq_deactivate_agg() when the whole list
becomes empty.
To make it idempotent, just skip everything when it is not in the active
list.
Also change other list_del()'s to list_del_init() just to be extra safe.
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211033.166059-5-xiyou.wangcong@gmail.com
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_qfq.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -354,7 +354,7 @@ static void qfq_deactivate_class(struct
struct qfq_aggregate *agg = cl->agg;
- list_del(&cl->alist); /* remove from RR queue of the aggregate */
+ list_del_init(&cl->alist); /* remove from RR queue of the aggregate */
if (list_empty(&agg->active)) /* agg is now inactive */
qfq_deactivate_agg(q, agg);
}
@@ -486,6 +486,7 @@ static int qfq_change_class(struct Qdisc
cl->common.classid = classid;
cl->deficit = lmax;
+ INIT_LIST_HEAD(&cl->alist);
cl->qdisc = qdisc_create_dflt(sch->dev_queue, &pfifo_qdisc_ops,
classid, NULL);
@@ -1006,7 +1007,7 @@ static struct sk_buff *agg_dequeue(struc
cl->deficit -= (int) len;
if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */
- list_del(&cl->alist);
+ list_del_init(&cl->alist);
else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) {
cl->deficit += agg->lmax;
list_move_tail(&cl->alist, &agg->active);
@@ -1438,6 +1439,8 @@ static void qfq_qlen_notify(struct Qdisc
struct qfq_sched *q = qdisc_priv(sch);
struct qfq_class *cl = (struct qfq_class *)arg;
+ if (list_empty(&cl->alist))
+ return;
qfq_deactivate_class(q, cl);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 506/644] mm: drop the assumption that VM_SHARED always implies writable
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (504 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 505/644] sch_qfq: make qfq_qlen_notify() idempotent Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 507/644] mm: update memfd seal write check to include F_SEAL_WRITE Greg Kroah-Hartman
` (143 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Andy Lutomirski,
Jan Kara, Alexander Viro, Christian Brauner, Hugh Dickins,
Matthew Wilcox (Oracle), Mike Kravetz, Muchun Song, Andrew Morton,
Isaac J. Manjarres
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lstoakes@gmail.com>
[ Upstream commit e8e17ee90eaf650c855adb0a3e5e965fd6692ff1 ]
Patch series "permit write-sealed memfd read-only shared mappings", v4.
The man page for fcntl() describing memfd file seals states the following
about F_SEAL_WRITE:-
Furthermore, trying to create new shared, writable memory-mappings via
mmap(2) will also fail with EPERM.
With emphasis on 'writable'. In turns out in fact that currently the
kernel simply disallows all new shared memory mappings for a memfd with
F_SEAL_WRITE applied, rendering this documentation inaccurate.
This matters because users are therefore unable to obtain a shared mapping
to a memfd after write sealing altogether, which limits their usefulness.
This was reported in the discussion thread [1] originating from a bug
report [2].
This is a product of both using the struct address_space->i_mmap_writable
atomic counter to determine whether writing may be permitted, and the
kernel adjusting this counter when any VM_SHARED mapping is performed and
more generally implicitly assuming VM_SHARED implies writable.
It seems sensible that we should only update this mapping if VM_MAYWRITE
is specified, i.e. whether it is possible that this mapping could at any
point be written to.
If we do so then all we need to do to permit write seals to function as
documented is to clear VM_MAYWRITE when mapping read-only. It turns out
this functionality already exists for F_SEAL_FUTURE_WRITE - we can
therefore simply adapt this logic to do the same for F_SEAL_WRITE.
We then hit a chicken and egg situation in mmap_region() where the check
for VM_MAYWRITE occurs before we are able to clear this flag. To work
around this, perform this check after we invoke call_mmap(), with careful
consideration of error paths.
Thanks to Andy Lutomirski for the suggestion!
[1]:https://lore.kernel.org/all/20230324133646.16101dfa666f253c4715d965@linux-foundation.org/
[2]:https://bugzilla.kernel.org/show_bug.cgi?id=217238
This patch (of 3):
There is a general assumption that VMAs with the VM_SHARED flag set are
writable. If the VM_MAYWRITE flag is not set, then this is simply not the
case.
Update those checks which affect the struct address_space->i_mmap_writable
field to explicitly test for this by introducing
[vma_]is_shared_maywrite() helper functions.
This remains entirely conservative, as the lack of VM_MAYWRITE guarantees
that the VMA cannot be written to.
Link: https://lkml.kernel.org/r/cover.1697116581.git.lstoakes@gmail.com
Link: https://lkml.kernel.org/r/d978aefefa83ec42d18dfa964ad180dbcde34795.1697116581.git.lstoakes@gmail.com
Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
Suggested-by: Andy Lutomirski <luto@kernel.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Muchun Song <muchun.song@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
[isaacmanjarres: resolved merge conflicts due to
due to refactoring that happened in upstream commit
5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")]
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/fs.h | 4 ++--
include/linux/mm.h | 11 +++++++++++
kernel/fork.c | 2 +-
mm/filemap.c | 2 +-
mm/madvise.c | 2 +-
mm/mmap.c | 6 +++---
6 files changed, 19 insertions(+), 8 deletions(-)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -444,7 +444,7 @@ int pagecache_write_end(struct file *, s
* It is also used to block modification of page cache contents through
* memory mappings.
* @gfp_mask: Memory allocation flags to use for allocating pages.
- * @i_mmap_writable: Number of VM_SHARED mappings.
+ * @i_mmap_writable: Number of VM_SHARED, VM_MAYWRITE mappings.
* @nr_thps: Number of THPs in the pagecache (non-shmem only).
* @i_mmap: Tree of private and shared mappings.
* @i_mmap_rwsem: Protects @i_mmap and @i_mmap_writable.
@@ -542,7 +542,7 @@ static inline int mapping_mapped(struct
/*
* Might pages of this file have been modified in userspace?
- * Note that i_mmap_writable counts all VM_SHARED vmas: do_mmap
+ * Note that i_mmap_writable counts all VM_SHARED, VM_MAYWRITE vmas: do_mmap
* marks vma as VM_SHARED if it is shared, and the file was opened for
* writing i.e. vma may be mprotected writable even if now readonly.
*
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -706,6 +706,17 @@ static inline bool vma_is_accessible(str
return vma->vm_flags & VM_ACCESS_FLAGS;
}
+static inline bool is_shared_maywrite(vm_flags_t vm_flags)
+{
+ return (vm_flags & (VM_SHARED | VM_MAYWRITE)) ==
+ (VM_SHARED | VM_MAYWRITE);
+}
+
+static inline bool vma_is_shared_maywrite(struct vm_area_struct *vma)
+{
+ return is_shared_maywrite(vma->vm_flags);
+}
+
#ifdef CONFIG_SHMEM
/*
* The vma_is_shmem is not inline because it is used only by slow
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -580,7 +580,7 @@ static __latent_entropy int dup_mmap(str
get_file(file);
i_mmap_lock_write(mapping);
- if (tmp->vm_flags & VM_SHARED)
+ if (vma_is_shared_maywrite(tmp))
mapping_allow_writable(mapping);
flush_dcache_mmap_lock(mapping);
/* insert tmp into the share list, just after mpnt */
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3408,7 +3408,7 @@ int generic_file_mmap(struct file *file,
*/
int generic_file_readonly_mmap(struct file *file, struct vm_area_struct *vma)
{
- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_MAYWRITE))
+ if (vma_is_shared_maywrite(vma))
return -EINVAL;
return generic_file_mmap(file, vma);
}
--- a/mm/madvise.c
+++ b/mm/madvise.c
@@ -908,7 +908,7 @@ static long madvise_remove(struct vm_are
return -EINVAL;
}
- if ((vma->vm_flags & (VM_SHARED|VM_WRITE)) != (VM_SHARED|VM_WRITE))
+ if (!vma_is_shared_maywrite(vma))
return -EACCES;
offset = (loff_t)(start - vma->vm_start)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -148,7 +148,7 @@ void vma_set_page_prot(struct vm_area_st
static void __remove_shared_vm_struct(struct vm_area_struct *vma,
struct file *file, struct address_space *mapping)
{
- if (vma->vm_flags & VM_SHARED)
+ if (vma_is_shared_maywrite(vma))
mapping_unmap_writable(mapping);
flush_dcache_mmap_lock(mapping);
@@ -664,7 +664,7 @@ static void __vma_link_file(struct vm_ar
if (file) {
struct address_space *mapping = file->f_mapping;
- if (vma->vm_flags & VM_SHARED)
+ if (vma_is_shared_maywrite(vma))
mapping_allow_writable(mapping);
flush_dcache_mmap_lock(mapping);
@@ -2918,7 +2918,7 @@ unsigned long mmap_region(struct file *f
return -EINVAL;
/* Map writable and ensure this isn't a sealed memfd. */
- if (file && (vm_flags & VM_SHARED)) {
+ if (file && is_shared_maywrite(vm_flags)) {
int error = mapping_map_writable(file->f_mapping);
if (error)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 507/644] mm: update memfd seal write check to include F_SEAL_WRITE
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (505 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 506/644] mm: drop the assumption that VM_SHARED always implies writable Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 508/644] mm: reinstate ability to map write-sealed memfd mappings read-only Greg Kroah-Hartman
` (142 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Jan Kara,
Alexander Viro, Andy Lutomirski, Christian Brauner, Hugh Dickins,
Matthew Wilcox (Oracle), Mike Kravetz, Muchun Song, Andrew Morton,
Isaac J. Manjarres
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lstoakes@gmail.com>
[ Upstream commit 28464bbb2ddc199433383994bcb9600c8034afa1 ]
The seal_check_future_write() function is called by shmem_mmap() or
hugetlbfs_file_mmap() to disallow any future writable mappings of an memfd
sealed this way.
The F_SEAL_WRITE flag is not checked here, as that is handled via the
mapping->i_mmap_writable mechanism and so any attempt at a mapping would
fail before this could be run.
However we intend to change this, meaning this check can be performed for
F_SEAL_WRITE mappings also.
The logic here is equally applicable to both flags, so update this
function to accommodate both and rename it accordingly.
Link: https://lkml.kernel.org/r/913628168ce6cce77df7d13a63970bae06a526e0.1697116581.git.lstoakes@gmail.com
Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Muchun Song <muchun.song@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hugetlbfs/inode.c | 2 +-
include/linux/mm.h | 15 ++++++++-------
mm/shmem.c | 2 +-
3 files changed, 10 insertions(+), 9 deletions(-)
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -148,7 +148,7 @@ static int hugetlbfs_file_mmap(struct fi
vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND;
vma->vm_ops = &hugetlb_vm_ops;
- ret = seal_check_future_write(info->seals, vma);
+ ret = seal_check_write(info->seals, vma);
if (ret)
return ret;
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3287,25 +3287,26 @@ static inline void mem_dump_obj(void *ob
#endif
/**
- * seal_check_future_write - Check for F_SEAL_FUTURE_WRITE flag and handle it
+ * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
+ * handle them.
* @seals: the seals to check
* @vma: the vma to operate on
*
- * Check whether F_SEAL_FUTURE_WRITE is set; if so, do proper check/handling on
- * the vma flags. Return 0 if check pass, or <0 for errors.
+ * Check whether F_SEAL_WRITE or F_SEAL_FUTURE_WRITE are set; if so, do proper
+ * check/handling on the vma flags. Return 0 if check pass, or <0 for errors.
*/
-static inline int seal_check_future_write(int seals, struct vm_area_struct *vma)
+static inline int seal_check_write(int seals, struct vm_area_struct *vma)
{
- if (seals & F_SEAL_FUTURE_WRITE) {
+ if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
/*
* New PROT_WRITE and MAP_SHARED mmaps are not allowed when
- * "future write" seal active.
+ * write seals are active.
*/
if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
return -EPERM;
/*
- * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as
+ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
* MAP_SHARED and read-only, take care to not allow mprotect to
* revert protections on such mappings. Do this only for shared
* mappings. For private mappings, don't need to mask
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2262,7 +2262,7 @@ static int shmem_mmap(struct file *file,
struct shmem_inode_info *info = SHMEM_I(file_inode(file));
int ret;
- ret = seal_check_future_write(info->seals, vma);
+ ret = seal_check_write(info->seals, vma);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 508/644] mm: reinstate ability to map write-sealed memfd mappings read-only
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (506 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 507/644] mm: update memfd seal write check to include F_SEAL_WRITE Greg Kroah-Hartman
@ 2025-08-26 11:09 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 509/644] selftests/memfd: add test for mapping write-sealed memfd read-only Greg Kroah-Hartman
` (141 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Julian Orth,
Jann Horn, Liam R. Howlett, Linus Torvalds, Shuah Khan,
Vlastimil Babka, Andrew Morton, Isaac J. Manjarres
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
[ Upstream commit 8ec396d05d1b737c87311fb7311f753b02c2a6b1 ]
Patch series "mm: reinstate ability to map write-sealed memfd mappings
read-only".
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
This series reworks how we both permit write-sealed mappings being mapped
read-only and disallow mprotect() from undoing the write-seal, fixing this
regression.
We also add a regression test to ensure that we do not accidentally
regress this in future.
Thanks to Julian Orth for reporting this regression.
This patch (of 2):
In commit 158978945f31 ("mm: perform the mapping_map_writable() check
after call_mmap()") (and preceding changes in the same series) it became
possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
This was previously unnecessarily disallowed, despite the man page
documentation indicating that it would be, thereby limiting the usefulness
of F_SEAL_WRITE logic.
We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE
seal (one which disallows future writes to the memfd) to also be used for
F_SEAL_WRITE.
For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a
read-only mapping to disallow mprotect() from overriding the seal - an
operation performed by seal_check_write(), invoked from shmem_mmap(), the
f_op->mmap() hook used by shmem mappings.
By extending this to F_SEAL_WRITE and critically - checking
mapping_map_writable() to determine if we may map the memfd AFTER we
invoke shmem_mmap() - the desired logic becomes possible. This is because
mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will
have cleared.
Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
behaviour") unintentionally undid this logic by moving the
mapping_map_writable() check before the shmem_mmap() hook is invoked,
thereby regressing this change.
We reinstate this functionality by moving the check out of shmem_mmap()
and instead performing it in do_mmap() at the point at which VMA flags are
being determined, which seems in any case to be a more appropriate place
in which to make this determination.
In order to achieve this we rework memfd seal logic to allow us access to
this information using existing logic and eliminate the clearing of
VM_MAYWRITE from seal_check_write() which we are performing in do_mmap()
instead.
Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.1732804776.git.lorenzo.stoakes@oracle.com
Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reported-by: Julian Orth <ju.orth@gmail.com>
Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZxrYpQ@mail.gmail.com/
Cc: Jann Horn <jannh@google.com>
Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/memfd.h | 14 ++++++++++++
include/linux/mm.h | 58 ++++++++++++++++++++++++++++++++++----------------
mm/memfd.c | 2 -
mm/mmap.c | 4 +++
4 files changed, 59 insertions(+), 19 deletions(-)
--- a/include/linux/memfd.h
+++ b/include/linux/memfd.h
@@ -6,11 +6,25 @@
#ifdef CONFIG_MEMFD_CREATE
extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned long arg);
+unsigned int *memfd_file_seals_ptr(struct file *file);
#else
static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned long a)
{
return -EINVAL;
}
+
+static inline unsigned int *memfd_file_seals_ptr(struct file *file)
+{
+ return NULL;
+}
#endif
+/* Retrieve memfd seals associated with the file, if any. */
+static inline unsigned int memfd_file_seals(struct file *file)
+{
+ unsigned int *sealsp = memfd_file_seals_ptr(file);
+
+ return sealsp ? *sealsp : 0;
+}
+
#endif /* __LINUX_MEMFD_H */
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3286,6 +3286,37 @@ void mem_dump_obj(void *object);
static inline void mem_dump_obj(void *object) {}
#endif
+static inline bool is_write_sealed(int seals)
+{
+ return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE);
+}
+
+/**
+ * is_readonly_sealed - Checks whether write-sealed but mapped read-only,
+ * in which case writes should be disallowing moving
+ * forwards.
+ * @seals: the seals to check
+ * @vm_flags: the VMA flags to check
+ *
+ * Returns whether readonly sealed, in which case writess should be disallowed
+ * going forward.
+ */
+static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags)
+{
+ /*
+ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
+ * MAP_SHARED and read-only, take care to not allow mprotect to
+ * revert protections on such mappings. Do this only for shared
+ * mappings. For private mappings, don't need to mask
+ * VM_MAYWRITE as we still want them to be COW-writable.
+ */
+ if (is_write_sealed(seals) &&
+ ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED))
+ return true;
+
+ return false;
+}
+
/**
* seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
* handle them.
@@ -3297,24 +3328,15 @@ static inline void mem_dump_obj(void *ob
*/
static inline int seal_check_write(int seals, struct vm_area_struct *vma)
{
- if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
- /*
- * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
- * write seals are active.
- */
- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
- return -EPERM;
-
- /*
- * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
- * MAP_SHARED and read-only, take care to not allow mprotect to
- * revert protections on such mappings. Do this only for shared
- * mappings. For private mappings, don't need to mask
- * VM_MAYWRITE as we still want them to be COW-writable.
- */
- if (vma->vm_flags & VM_SHARED)
- vma->vm_flags &= ~(VM_MAYWRITE);
- }
+ if (!is_write_sealed(seals))
+ return 0;
+
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+ * write seals are active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
return 0;
}
--- a/mm/memfd.c
+++ b/mm/memfd.c
@@ -133,7 +133,7 @@ static int memfd_wait_for_pins(struct ad
return error;
}
-static unsigned int *memfd_file_seals_ptr(struct file *file)
+unsigned int *memfd_file_seals_ptr(struct file *file)
{
if (shmem_file(file))
return &SHMEM_I(file_inode(file))->seals;
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -47,6 +47,7 @@
#include <linux/pkeys.h>
#include <linux/oom.h>
#include <linux/sched/mm.h>
+#include <linux/memfd.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
@@ -1486,6 +1487,7 @@ unsigned long do_mmap(struct file *file,
if (file) {
struct inode *inode = file_inode(file);
+ unsigned int seals = memfd_file_seals(file);
unsigned long flags_mask;
if (!file_mmap_ok(file, inode, pgoff, len))
@@ -1524,6 +1526,8 @@ unsigned long do_mmap(struct file *file,
vm_flags |= VM_SHARED | VM_MAYSHARE;
if (!(file->f_mode & FMODE_WRITE))
vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
+ else if (is_readonly_sealed(seals, vm_flags))
+ vm_flags &= ~VM_MAYWRITE;
fallthrough;
case MAP_PRIVATE:
if (!(file->f_mode & FMODE_READ))
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 509/644] selftests/memfd: add test for mapping write-sealed memfd read-only
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (507 preceding siblings ...)
2025-08-26 11:09 ` [PATCH 5.15 508/644] mm: reinstate ability to map write-sealed memfd mappings read-only Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 510/644] ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Greg Kroah-Hartman
` (140 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes, Jann Horn,
Julian Orth, Liam R. Howlett, Linus Torvalds, Shuah Khan,
Vlastimil Babka, Andrew Morton, Isaac J. Manjarres
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
[ Upstream commit ea0916e01d0b0f2cce1369ac1494239a79827270 ]
Now we have reinstated the ability to map F_SEAL_WRITE mappings read-only,
assert that we are able to do this in a test to ensure that we do not
regress this again.
Link: https://lkml.kernel.org/r/a6377ec470b14c0539b4600cf8fa24bf2e4858ae.1732804776.git.lorenzo.stoakes@oracle.com
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Jann Horn <jannh@google.com>
Cc: Julian Orth <ju.orth@gmail.com>
Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/memfd/memfd_test.c | 43 +++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
--- a/tools/testing/selftests/memfd/memfd_test.c
+++ b/tools/testing/selftests/memfd/memfd_test.c
@@ -186,6 +186,24 @@ static void *mfd_assert_mmap_shared(int
return p;
}
+static void *mfd_assert_mmap_read_shared(int fd)
+{
+ void *p;
+
+ p = mmap(NULL,
+ mfd_def_size,
+ PROT_READ,
+ MAP_SHARED,
+ fd,
+ 0);
+ if (p == MAP_FAILED) {
+ printf("mmap() failed: %m\n");
+ abort();
+ }
+
+ return p;
+}
+
static void *mfd_assert_mmap_private(int fd)
{
void *p;
@@ -802,6 +820,30 @@ static void test_seal_future_write(void)
close(fd);
}
+static void test_seal_write_map_read_shared(void)
+{
+ int fd;
+ void *p;
+
+ printf("%s SEAL-WRITE-MAP-READ\n", memfd_str);
+
+ fd = mfd_assert_new("kern_memfd_seal_write_map_read",
+ mfd_def_size,
+ MFD_CLOEXEC | MFD_ALLOW_SEALING);
+
+ mfd_assert_add_seals(fd, F_SEAL_WRITE);
+ mfd_assert_has_seals(fd, F_SEAL_WRITE);
+
+ p = mfd_assert_mmap_read_shared(fd);
+
+ mfd_assert_read(fd);
+ mfd_assert_read_shared(fd);
+ mfd_fail_write(fd);
+
+ munmap(p, mfd_def_size);
+ close(fd);
+}
+
/*
* Test SEAL_SHRINK
* Test whether SEAL_SHRINK actually prevents shrinking
@@ -1056,6 +1098,7 @@ int main(int argc, char **argv)
test_seal_write();
test_seal_future_write();
+ test_seal_write_map_read_shared();
test_seal_shrink();
test_seal_grow();
test_seal_resize();
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 510/644] ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (508 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 509/644] selftests/memfd: add test for mapping write-sealed memfd read-only Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 511/644] drm/sched: Remove optimization that causes hang when killing dependent jobs Greg Kroah-Hartman
` (139 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Michal Swiatkowski,
Aleksandr Loktionov, Simon Horman, Tony Nguyen, Sasha Levin,
Rinitha S
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
[ Upstream commit 4ff12d82dac119b4b99b5a78b5af3bf2474c0a36 ]
Add check for the return value of devm_kmemdup()
to prevent potential null pointer dereference.
Fixes: c76488109616 ("ice: Implement Dynamic Device Personalization (DDP) download")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
[ applied the patch to ice_flex_pipe.c instead of ice_ddp.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
+++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
@@ -1448,6 +1448,8 @@ enum ice_status ice_copy_and_init_pkg(st
return ICE_ERR_PARAM;
buf_copy = devm_kmemdup(ice_hw_to_dev(hw), buf, len, GFP_KERNEL);
+ if (!buf_copy)
+ return ICE_ERR_NO_MEMORY;
status = ice_init_pkg(hw, buf_copy, len);
if (status) {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 511/644] drm/sched: Remove optimization that causes hang when killing dependent jobs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (509 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 510/644] ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 512/644] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Greg Kroah-Hartman
` (138 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lin.Cao, Christian König,
Philipp Stanner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Lin.Cao" <lincao12@amd.com>
[ Upstream commit 15f77764e90a713ee3916ca424757688e4f565b9 ]
When application A submits jobs and application B submits a job with a
dependency on A's fence, the normal flow wakes up the scheduler after
processing each job. However, the optimization in
drm_sched_entity_add_dependency_cb() uses a callback that only clears
dependencies without waking up the scheduler.
When application A is killed before its jobs can run, the callback gets
triggered but only clears the dependency without waking up the scheduler,
causing the scheduler to enter sleep state and application B to hang.
Remove the optimization by deleting drm_sched_entity_clear_dep() and its
usage, ensuring the scheduler is always woken up when dependencies are
cleared.
Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler")
Cc: stable@vger.kernel.org # v4.6+
Signed-off-by: Lin.Cao <lincao12@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Philipp Stanner <phasta@kernel.org>
Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com
[ Changed drm_sched_wakeup_if_can_queue() calls to drm_sched_wakeup() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/scheduler/sched_entity.c | 27 ++++-----------------------
1 file changed, 4 insertions(+), 23 deletions(-)
--- a/drivers/gpu/drm/scheduler/sched_entity.c
+++ b/drivers/gpu/drm/scheduler/sched_entity.c
@@ -317,21 +317,8 @@ void drm_sched_entity_destroy(struct drm
EXPORT_SYMBOL(drm_sched_entity_destroy);
/*
- * drm_sched_entity_clear_dep - callback to clear the entities dependency
- */
-static void drm_sched_entity_clear_dep(struct dma_fence *f,
- struct dma_fence_cb *cb)
-{
- struct drm_sched_entity *entity =
- container_of(cb, struct drm_sched_entity, cb);
-
- entity->dependency = NULL;
- dma_fence_put(f);
-}
-
-/*
- * drm_sched_entity_clear_dep - callback to clear the entities dependency and
- * wake up scheduler
+ * drm_sched_entity_wakeup - callback to clear the entity's dependency and
+ * wake up the scheduler
*/
static void drm_sched_entity_wakeup(struct dma_fence *f,
struct dma_fence_cb *cb)
@@ -339,7 +326,8 @@ static void drm_sched_entity_wakeup(stru
struct drm_sched_entity *entity =
container_of(cb, struct drm_sched_entity, cb);
- drm_sched_entity_clear_dep(f, cb);
+ entity->dependency = NULL;
+ dma_fence_put(f);
drm_sched_wakeup(entity->rq->sched);
}
@@ -395,13 +383,6 @@ static bool drm_sched_entity_add_depende
fence = dma_fence_get(&s_fence->scheduled);
dma_fence_put(entity->dependency);
entity->dependency = fence;
- if (!dma_fence_add_callback(fence, &entity->cb,
- drm_sched_entity_clear_dep))
- return true;
-
- /* Ignore it when it is already scheduled */
- dma_fence_put(fence);
- return false;
}
if (!dma_fence_add_callback(entity->dependency, &entity->cb,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 512/644] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (510 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 511/644] drm/sched: Remove optimization that causes hang when killing dependent jobs Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 513/644] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Greg Kroah-Hartman
` (137 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ada Couprie Diaz, Cristian Prundeanu,
Will Deacon, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
[ Upstream commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb ]
`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change
to different stacks along with the Shadow Call Stack if it is enabled.
Those two stack changes cannot be done atomically and both functions
can be interrupted by SErrors or Debug Exceptions which, though unlikely,
is very much broken : if interrupted, we can end up with mismatched stacks
and Shadow Call Stack leading to clobbered stacks.
In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,
but x18 stills points to the old task's SCS. When the interrupt handler
tries to save the task's SCS pointer, it will save the old task
SCS pointer (x18) into the new task struct (pointed to by SP_EL0),
clobbering it.
In `call_on_irq_stack()`, it can happen when switching from the task stack
to the IRQ stack and when switching back. In both cases, we can be
interrupted when the SCS pointer points to the IRQ SCS, but SP points to
the task stack. The nested interrupt handler pushes its return addresses
on the IRQ SCS. It then detects that SP points to the task stack,
calls `call_on_irq_stack()` and clobbers the task SCS pointer with
the IRQ SCS pointer, which it will also use !
This leads to tasks returning to addresses on the wrong SCS,
or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK
or FPAC if enabled.
This is possible on a default config, but unlikely.
However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and
instead the GIC is responsible for filtering what interrupts the CPU
should receive based on priority.
Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU
even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*
frequently depending on the system configuration and workload, leading
to unpredictable kernel panics.
Completely mask DAIF in `cpu_switch_to()` and restore it when returning.
Do the same in `call_on_irq_stack()`, but restore and mask around
the branch.
Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency
of behaviour between all configurations.
Introduce and use an assembly macro for saving and masking DAIF,
as the existing one saves but only masks IF.
Cc: <stable@vger.kernel.org>
Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
Reported-by: Cristian Prundeanu <cpru@amazon.com>
Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt")
Tested-by: Cristian Prundeanu <cpru@amazon.com>
Acked-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
[ removed duplicate save_and_disable_daif macro ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/entry.S | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -833,6 +833,7 @@ SYM_CODE_END(__bp_harden_el1_vectors)
*
*/
SYM_FUNC_START(cpu_switch_to)
+ save_and_disable_daif x11
mov x10, #THREAD_CPU_CONTEXT
add x8, x0, x10
mov x9, sp
@@ -856,6 +857,7 @@ SYM_FUNC_START(cpu_switch_to)
ptrauth_keys_install_kernel x1, x8, x9, x10
scs_save x0
scs_load_current
+ restore_irq x11
ret
SYM_FUNC_END(cpu_switch_to)
NOKPROBE(cpu_switch_to)
@@ -882,6 +884,7 @@ NOKPROBE(ret_from_fork)
* Calls func(regs) using this CPU's irq stack and shadow irq stack.
*/
SYM_FUNC_START(call_on_irq_stack)
+ save_and_disable_daif x9
#ifdef CONFIG_SHADOW_CALL_STACK
get_current_task x16
scs_save x16
@@ -896,8 +899,10 @@ SYM_FUNC_START(call_on_irq_stack)
/* Move to the new stack and call the function there */
add sp, x16, #IRQ_STACK_SIZE
+ restore_irq x9
blr x1
+ save_and_disable_daif x9
/*
* Restore the SP from the FP, and restore the FP and LR from the frame
* record.
@@ -905,6 +910,7 @@ SYM_FUNC_START(call_on_irq_stack)
mov sp, x29
ldp x29, x30, [sp], #16
scs_load_current
+ restore_irq x9
ret
SYM_FUNC_END(call_on_irq_stack)
NOKPROBE(call_on_irq_stack)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 513/644] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (511 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 512/644] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 514/644] f2fs: fix to do sanity check on ino and xnid Greg Kroah-Hartman
` (136 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, KernelCI bot, Masahiro Yamada,
Nathan Chancellor, Russell King (Oracle), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 87c4e1459e80bf65066f864c762ef4dc932fad4b ]
After commit d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper
flags and language target"), which updated as-instr to use the
'assembler-with-cpp' language option, the Kbuild version of as-instr
always fails internally for arch/arm with
<command-line>: fatal error: asm/unified.h: No such file or directory
compilation terminated.
because '-include' flags are now taken into account by the compiler
driver and as-instr does not have '$(LINUXINCLUDE)', so unified.h is not
found.
This went unnoticed at the time of the Kbuild change because the last
use of as-instr in Kbuild that arch/arm could reach was removed in 5.7
by commit 541ad0150ca4 ("arm: Remove 32bit KVM host support") but a
stable backport of the Kbuild change to before that point exposed this
potential issue if one were to be reintroduced.
Follow the general pattern of '-include' paths throughout the tree and
make unified.h absolute using '$(srctree)' to ensure KBUILD_AFLAGS can
be used independently.
Closes: https://lore.kernel.org/CACo-S-1qbCX4WAVFA63dWfHtrRHZBTyyr2js8Lx=Az03XHTTHg@mail.gmail.com/
Cc: stable@vger.kernel.org
Fixes: d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper flags and language target")
Reported-by: KernelCI bot <bot@kernelci.org>
Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
[ adapted to missing -Wa ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/Makefile
+++ b/arch/arm/Makefile
@@ -126,7 +126,7 @@ endif
# Need -Uarm for gcc < 3.x
KBUILD_CFLAGS +=$(CFLAGS_ABI) $(CFLAGS_ISA) $(arch-y) $(tune-y) $(call cc-option,-mshort-load-bytes,$(call cc-option,-malignment-traps,)) -msoft-float -Uarm
-KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include asm/unified.h -msoft-float
+KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include $(srctree)/arch/arm/include/asm/unified.h -msoft-float
CHECKFLAGS += -D__arm__
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 514/644] f2fs: fix to do sanity check on ino and xnid
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (512 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 513/644] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 515/644] iio: hid-sensor-prox: Restore lost scale assignments Greg Kroah-Hartman
` (135 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+cc448dcdc7ae0b4e4ffa, Chao Yu,
Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 061cf3a84bde038708eb0f1d065b31b7c2456533 ]
syzbot reported a f2fs bug as below:
INFO: task syz-executor140:5308 blocked for more than 143 seconds.
Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5378 [inline]
__schedule+0x190e/0x4c90 kernel/sched/core.c:6765
__schedule_loop kernel/sched/core.c:6842 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6857
io_schedule+0x8d/0x110 kernel/sched/core.c:7690
folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317
__folio_lock mm/filemap.c:1664 [inline]
folio_lock include/linux/pagemap.h:1163 [inline]
__filemap_get_folio+0x147/0xb40 mm/filemap.c:1917
pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87
find_get_page_flags include/linux/pagemap.h:842 [inline]
f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776
__get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463
read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306
lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]
f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533
__f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179
f2fs_acl_create fs/f2fs/acl.c:375 [inline]
f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418
f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539
f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666
f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765
f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808
f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]
f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766
vfs_mknod+0x36d/0x3b0 fs/namei.c:4191
unix_bind_bsd net/unix/af_unix.c:1286 [inline]
unix_bind+0x563/0xe30 net/unix/af_unix.c:1379
__sys_bind_socket net/socket.c:1817 [inline]
__sys_bind+0x1e4/0x290 net/socket.c:1848
__do_sys_bind net/socket.c:1853 [inline]
__se_sys_bind net/socket.c:1851 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1851
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Let's dump and check metadata of corrupted inode, it shows its xattr_nid
is the same to its i_ino.
dump.f2fs -i 3 chaseyu.img.raw
i_xattr_nid [0x 3 : 3]
So that, during mknod in the corrupted directory, it tries to get and
lock inode page twice, result in deadlock.
- f2fs_mknod
- f2fs_add_inline_entry
- f2fs_get_inode_page --- lock dir's inode page
- f2fs_init_acl
- f2fs_acl_create(dir,..)
- __f2fs_get_acl
- f2fs_getxattr
- lookup_all_xattrs
- __get_node_page --- try to lock dir's inode page
In order to fix this, let's add sanity check on ino and xnid.
Cc: stable@vger.kernel.org
Reported-by: syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ add set_sbi_flag(sbi, SBI_NEED_FSCK) to match error handling pattern ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/inode.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -226,6 +226,13 @@ static bool sanity_check_inode(struct in
return false;
}
+ if (ino_of_node(node_page) == fi->i_xattr_nid) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.",
+ __func__, inode->i_ino, fi->i_xattr_nid);
+ return false;
+ }
+
if (f2fs_sb_has_flexible_inline_xattr(sbi)
&& !f2fs_has_extra_attr(inode)) {
set_sbi_flag(sbi, SBI_NEED_FSCK);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 515/644] iio: hid-sensor-prox: Restore lost scale assignments
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (513 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 514/644] f2fs: fix to do sanity check on ino and xnid Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 516/644] iio: hid-sensor-prox: Fix incorrect OFFSET calculation Greg Kroah-Hartman
` (134 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Lixu, Srinivas Pandruvada,
Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Lixu <lixu.zhang@intel.com>
[ Upstream commit 83ded7cfaccccd2f4041769c313b58b4c9e265ad ]
The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision`
were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not
correct issue"), but due to a merge conflict in
commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of
https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"),
these assignments were lost.
Add back lost assignments and replace `st->prox_attr` with
`st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add
support for more channels") changed `prox_attr` to an array.
Cc: stable@vger.kernel.org # 5.13+
Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next")
Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ changed st->prox_attr[0] array access to st->prox_attr single struct member ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/hid-sensor-prox.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/iio/light/hid-sensor-prox.c
+++ b/drivers/iio/light/hid-sensor-prox.c
@@ -222,6 +222,11 @@ static int prox_parse_report(struct plat
dev_dbg(&pdev->dev, "prox %x:%x\n", st->prox_attr.index,
st->prox_attr.report_id);
+ st->scale_precision = hid_sensor_format_scale(hsdev->usage,
+ &st->prox_attr,
+ &st->scale_pre_decml,
+ &st->scale_post_decml);
+
return ret;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 516/644] iio: hid-sensor-prox: Fix incorrect OFFSET calculation
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (514 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 515/644] iio: hid-sensor-prox: Restore lost scale assignments Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 517/644] x86/mce/amd: Add default names for MCA banks and blocks Greg Kroah-Hartman
` (133 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Lixu, Srinivas Pandruvada,
Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Lixu <lixu.zhang@intel.com>
[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ]
The OFFSET calculation in the prox_read_raw() was incorrectly using the
unit exponent, which is intended for SCALE calculations.
Remove the incorrect OFFSET calculation and set it to a fixed value of 0.
Cc: stable@vger.kernel.org
Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver")
Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ adapted prox_attr array access to single structure member access ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/hid-sensor-prox.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/light/hid-sensor-prox.c
+++ b/drivers/iio/light/hid-sensor-prox.c
@@ -103,8 +103,7 @@ static int prox_read_raw(struct iio_dev
ret_type = prox_state->scale_precision;
break;
case IIO_CHAN_INFO_OFFSET:
- *val = hid_sensor_convert_exponent(
- prox_state->prox_attr.unit_expo);
+ *val = 0;
ret_type = IIO_VAL_INT;
break;
case IIO_CHAN_INFO_SAMP_FREQ:
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 517/644] x86/mce/amd: Add default names for MCA banks and blocks
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (515 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 516/644] iio: hid-sensor-prox: Fix incorrect OFFSET calculation Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 518/644] usb: hub: avoid warm port reset during USB3 disconnect Greg Kroah-Hartman
` (132 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yazen Ghannam, Borislav Petkov (AMD),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yazen Ghannam <yazen.ghannam@amd.com>
[ Upstream commit d66e1e90b16055d2f0ee76e5384e3f119c3c2773 ]
Ensure that sysfs init doesn't fail for new/unrecognized bank types or if
a bank has additional blocks available.
Most MCA banks have a single thresholding block, so the block takes the same
name as the bank.
Unified Memory Controllers (UMCs) are a special case where there are two
blocks and each has a unique name.
However, the microarchitecture allows for five blocks. Any new MCA bank types
with more than one block will be missing names for the extra blocks. The MCE
sysfs will fail to initialize in this case.
Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems")
Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/mce/amd.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/cpu/mce/amd.c
+++ b/arch/x86/kernel/cpu/mce/amd.c
@@ -1228,13 +1228,20 @@ static const char *get_name(unsigned int
}
bank_type = smca_get_bank_type(bank);
- if (bank_type >= N_SMCA_BANK_TYPES)
- return NULL;
if (b && bank_type == SMCA_UMC) {
if (b->block < ARRAY_SIZE(smca_umc_block_names))
return smca_umc_block_names[b->block];
- return NULL;
+ }
+
+ if (b && b->block) {
+ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block);
+ return buf_mcatype;
+ }
+
+ if (bank_type >= N_SMCA_BANK_TYPES) {
+ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank);
+ return buf_mcatype;
}
if (smca_banks[bank].hwid->count == 1)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 518/644] usb: hub: avoid warm port reset during USB3 disconnect
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (516 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 517/644] x86/mce/amd: Add default names for MCA banks and blocks Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 519/644] usb: hub: Dont try to recover devices lost during warm reset Greg Kroah-Hartman
` (131 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Pearson, Mathias Nyman,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
[ Upstream commit f59f93cd1d720809466c7fd5aa16a236156c672b ]
During disconnect USB-3 ports often go via SS.Inactive link error state
before the missing terminations are noticed, and link finally goes to
RxDetect state
Avoid immediately warm-resetting ports in SS.Inactive state.
Let ports settle for a while and re-read the link status a few times 20ms
apart to see if the ports transitions out of SS.Inactive.
According to USB 3.x spec 7.5.2, a port in SS.Inactive should
automatically check for missing far-end receiver termination every
12 ms (SSInactiveQuietTimeout)
The futile multiple warm reset retries of a disconnected device takes
a lot of time, also the resetting of a removed devices has caused cases
where the reset bit got stuck for a long time on xHCI roothub.
This lead to issues in detecting new devices connected to the same port
shortly after.
Tested-by: Mark Pearson <markpearson@lenovo.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20211210111653.1378381-1-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 2521106fc732 ("usb: hub: Don't try to recover devices lost during warm reset.")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2857,6 +2857,8 @@ static unsigned hub_is_wusb(struct usb_h
#define PORT_INIT_TRIES 4
#endif /* CONFIG_USB_FEW_INIT_RETRIES */
+#define DETECT_DISCONNECT_TRIES 5
+
#define HUB_ROOT_RESET_TIME 60 /* times are in msec */
#define HUB_SHORT_RESET_TIME 10
#define HUB_BH_RESET_TIME 50
@@ -5681,6 +5683,7 @@ static void port_event(struct usb_hub *h
struct usb_device *udev = port_dev->child;
struct usb_device *hdev = hub->hdev;
u16 portstatus, portchange;
+ int i = 0;
connect_change = test_bit(port1, hub->change_bits);
clear_bit(port1, hub->event_bits);
@@ -5757,17 +5760,27 @@ static void port_event(struct usb_hub *h
connect_change = 1;
/*
- * Warm reset a USB3 protocol port if it's in
- * SS.Inactive state.
- */
- if (hub_port_warm_reset_required(hub, port1, portstatus)) {
- dev_dbg(&port_dev->dev, "do warm reset\n");
- if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
+ * Avoid trying to recover a USB3 SS.Inactive port with a warm reset if
+ * the device was disconnected. A 12ms disconnect detect timer in
+ * SS.Inactive state transitions the port to RxDetect automatically.
+ * SS.Inactive link error state is common during device disconnect.
+ */
+ while (hub_port_warm_reset_required(hub, port1, portstatus)) {
+ if ((i++ < DETECT_DISCONNECT_TRIES) && udev) {
+ u16 unused;
+
+ msleep(20);
+ hub_port_status(hub, port1, &portstatus, &unused);
+ dev_dbg(&port_dev->dev, "Wait for inactive link disconnect detect\n");
+ continue;
+ } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
|| udev->state == USB_STATE_NOTATTACHED) {
+ dev_dbg(&port_dev->dev, "do warm reset, port only\n");
if (hub_port_reset(hub, port1, NULL,
HUB_BH_RESET_TIME, true) < 0)
hub_port_disable(hub, port1, 1);
} else {
+ dev_dbg(&port_dev->dev, "do warm reset, full device\n");
usb_unlock_port(port_dev);
usb_lock_device(udev);
usb_reset_device(udev);
@@ -5775,6 +5788,7 @@ static void port_event(struct usb_hub *h
usb_lock_port(port_dev);
connect_change = 0;
}
+ break;
}
if (connect_change)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 519/644] usb: hub: Dont try to recover devices lost during warm reset.
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (517 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 518/644] usb: hub: avoid warm port reset during USB3 disconnect Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 520/644] smb: client: fix use-after-free in crypt_message when using async crypto Greg Kroah-Hartman
` (130 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Łukasz Bartosik, Mathias Nyman,
Alan Stern, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
[ Upstream commit 2521106fc732b0b75fd3555c689b1ed1d29d273c ]
Hub driver warm-resets ports in SS.Inactive or Compliance mode to
recover a possible connected device. The port reset code correctly
detects if a connection is lost during reset, but hub driver
port_event() fails to take this into account in some cases.
port_event() ends up using stale values and assumes there is a
connected device, and will try all means to recover it, including
power-cycling the port.
Details:
This case was triggered when xHC host was suspended with DbC (Debug
Capability) enabled and connected. DbC turns one xHC port into a simple
usb debug device, allowing debugging a system with an A-to-A USB debug
cable.
xhci DbC code disables DbC when xHC is system suspended to D3, and
enables it back during resume.
We essentially end up with two hosts connected to each other during
suspend, and, for a short while during resume, until DbC is enabled back.
The suspended xHC host notices some activity on the roothub port, but
can't train the link due to being suspended, so xHC hardware sets a CAS
(Cold Attach Status) flag for this port to inform xhci host driver that
the port needs to be warm reset once xHC resumes.
CAS is xHCI specific, and not part of USB specification, so xhci driver
tells usb core that the port has a connection and link is in compliance
mode. Recovery from complinace mode is similar to CAS recovery.
xhci CAS driver support that fakes a compliance mode connection was added
in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS")
Once xHCI resumes and DbC is enabled back, all activity on the xHC
roothub host side port disappears. The hub driver will anyway think
port has a connection and link is in compliance mode, and hub driver
will try to recover it.
The port power-cycle during recovery seems to cause issues to the active
DbC connection.
Fix this by clearing connect_change flag if hub_port_reset() returns
-ENOTCONN, thus avoiding the whole unnecessary port recovery and
initialization attempt.
Cc: stable@vger.kernel.org
Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS")
Tested-by: Łukasz Bartosik <ukaszb@chromium.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250623133947.3144608-1-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hub.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5684,6 +5684,7 @@ static void port_event(struct usb_hub *h
struct usb_device *hdev = hub->hdev;
u16 portstatus, portchange;
int i = 0;
+ int err;
connect_change = test_bit(port1, hub->change_bits);
clear_bit(port1, hub->event_bits);
@@ -5776,8 +5777,11 @@ static void port_event(struct usb_hub *h
} else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
|| udev->state == USB_STATE_NOTATTACHED) {
dev_dbg(&port_dev->dev, "do warm reset, port only\n");
- if (hub_port_reset(hub, port1, NULL,
- HUB_BH_RESET_TIME, true) < 0)
+ err = hub_port_reset(hub, port1, NULL,
+ HUB_BH_RESET_TIME, true);
+ if (!udev && err == -ENOTCONN)
+ connect_change = 0;
+ else if (err < 0)
hub_port_disable(hub, port1, 1);
} else {
dev_dbg(&port_dev->dev, "do warm reset, full device\n");
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 520/644] smb: client: fix use-after-free in crypt_message when using async crypto
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (518 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 519/644] usb: hub: Dont try to recover devices lost during warm reset Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 521/644] x86/fpu: Delay instruction pointer fixup until after warning Greg Kroah-Hartman
` (129 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Wang Zhaolong, Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
[ Upstream commit b220bed63330c0e1733dc06ea8e75d5b9962b6b6 ]
The CVE-2024-50047 fix removed asynchronous crypto handling from
crypt_message(), assuming all crypto operations are synchronous.
However, when hardware crypto accelerators are used, this can cause
use-after-free crashes:
crypt_message()
// Allocate the creq buffer containing the req
creq = smb2_get_aead_req(..., &req);
// Async encryption returns -EINPROGRESS immediately
rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
// Free creq while async operation is still in progress
kvfree_sensitive(creq, ...);
Hardware crypto modules often implement async AEAD operations for
performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,
the operation completes asynchronously. Without crypto_wait_req(),
the function immediately frees the request buffer, leading to crashes
when the driver later accesses the freed memory.
This results in a use-after-free condition when the hardware crypto
driver later accesses the freed request structure, leading to kernel
crashes with NULL pointer dereferences.
The issue occurs because crypto_alloc_aead() with mask=0 doesn't
guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in
the mask, async implementations can be selected.
Fix by restoring the async crypto handling:
- DECLARE_CRYPTO_WAIT(wait) for completion tracking
- aead_request_set_callback() for async completion notification
- crypto_wait_req() to wait for operation completion
This ensures the request buffer isn't freed until the crypto operation
completes, whether synchronous or asynchronous, while preserving the
CVE-2024-50047 fix.
Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption")
Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweicloud.com/
Cc: stable@vger.kernel.org
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2ops.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -4552,6 +4552,7 @@ crypt_message(struct TCP_Server_Info *se
u8 key[SMB3_ENC_DEC_KEY_SIZE];
struct aead_request *req;
u8 *iv;
+ DECLARE_CRYPTO_WAIT(wait);
unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
void *creq;
@@ -4600,7 +4601,11 @@ crypt_message(struct TCP_Server_Info *se
aead_request_set_crypt(req, sg, sg, crypt_len, iv);
aead_request_set_ad(req, assoc_data_len);
- rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
+ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
+ crypto_req_done, &wait);
+
+ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req)
+ : crypto_aead_decrypt(req), &wait);
if (!rc && enc)
memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 521/644] x86/fpu: Delay instruction pointer fixup until after warning
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (519 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 520/644] smb: client: fix use-after-free in crypt_message when using async crypto Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 522/644] ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() Greg Kroah-Hartman
` (128 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Hansen, Chao Gao,
Alison Schofield, Peter Zijlstra (Intel), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Hansen <dave.hansen@linux.intel.com>
[ Upstream commit 1cec9ac2d071cfd2da562241aab0ef701355762a ]
Right now, if XRSTOR fails a console message like this is be printed:
Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers.
However, the text location (...+0x9a in this case) is the instruction
*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump
also points one instruction late.
The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and
keep on running after returning from the #GP handler. But it does this
fixup before warning.
The resulting warning output is nonsensical because it looks like the
non-FPU-related instruction is #GP'ing.
Do not fix up RIP until after printing the warning. Do this by using
the more generic and standard ex_handler_default().
Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails")
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Chao Gao <chao.gao@intel.com>
Acked-by: Alison Schofield <alison.schofield@intel.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc:stable@vger.kernel.org
Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com
[ Replace fpu_reset_from_exception_fixup() with __restore_fpregs_from_fpstate() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/mm/extable.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/arch/x86/mm/extable.c
+++ b/arch/x86/mm/extable.c
@@ -60,13 +60,12 @@ static bool ex_handler_fault(const struc
static bool ex_handler_fprestore(const struct exception_table_entry *fixup,
struct pt_regs *regs)
{
- regs->ip = ex_fixup_addr(fixup);
-
WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.",
(void *)instruction_pointer(regs));
__restore_fpregs_from_fpstate(&init_fpstate, xfeatures_mask_fpstate());
- return true;
+
+ return ex_handler_default(fixup, regs);
}
static bool ex_handler_uaccess(const struct exception_table_entry *fixup,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 522/644] ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (520 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 521/644] x86/fpu: Delay instruction pointer fixup until after warning Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 523/644] smb: server: Fix extension string in ksmbd_extract_shortname() Greg Kroah-Hartman
` (127 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geoffrey D. Bennett, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Geoffrey D. Bennett" <g@b4.vu>
[ Upstream commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 ]
During communication with Focusrite Scarlett Gen 2/3/4 USB audio
interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(),
snd_usb_ctl_msg() which can cause initialisation and control
operations to fail intermittently.
This patch adds up to 5 retries in scarlett2_usb(), with a delay
starting at 5ms and doubling each time. This follows the same approach
as the fix for usb_set_interface() in endpoint.c (commit f406005e162b
("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")),
which resolved similar -EPROTO issues during device initialisation,
and is the same approach as in fcp.c:fcp_usb().
Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface")
Closes: https://github.com/geoffreybennett/linux-fcp/issues/41
Cc: stable@vger.kernel.org
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ Applied patch to the older file name mixer_scarlett_gen2.c instead of mixer_scarlett2.c. ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/mixer_scarlett_gen2.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/sound/usb/mixer_scarlett_gen2.c
+++ b/sound/usb/mixer_scarlett_gen2.c
@@ -125,6 +125,7 @@
#include <linux/slab.h>
#include <linux/usb.h>
#include <linux/moduleparam.h>
+#include <linux/delay.h>
#include <sound/control.h>
#include <sound/tlv.h>
@@ -1064,6 +1065,8 @@ static int scarlett2_usb(
u16 req_buf_size = sizeof(struct scarlett2_usb_packet) + req_size;
u16 resp_buf_size = sizeof(struct scarlett2_usb_packet) + resp_size;
struct scarlett2_usb_packet *req, *resp = NULL;
+ int retries = 0;
+ const int max_retries = 5;
int err;
req = kmalloc(req_buf_size, GFP_KERNEL);
@@ -1087,10 +1090,15 @@ static int scarlett2_usb(
if (req_size)
memcpy(req->data, req_data, req_size);
+retry:
err = scarlett2_usb_tx(dev, private->bInterfaceNumber,
req, req_buf_size);
if (err != req_buf_size) {
+ if (err == -EPROTO && ++retries <= max_retries) {
+ msleep(5 * (1 << (retries - 1)));
+ goto retry;
+ }
usb_audio_err(
mixer->chip,
"Scarlett Gen 2/3 USB request result cmd %x was %d\n",
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 523/644] smb: server: Fix extension string in ksmbd_extract_shortname()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (521 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 522/644] ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 524/644] hv_netvsc: Fix panic during namespace deletion with VF Greg Kroah-Hartman
` (126 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Namjae Jeon,
Steve French, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit 8e7d178d06e8937454b6d2f2811fa6a15656a214 ]
In ksmbd_extract_shortname(), strscpy() is incorrectly called with the
length of the source string (excluding the NUL terminator) rather than
the size of the destination buffer. This results in "__" being copied
to 'extension' rather than "___" (two underscores instead of three).
Use the destination buffer size instead to ensure that the string "___"
(three underscores) is copied correctly.
Cc: stable@vger.kernel.org
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/smb_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -508,7 +508,7 @@ int ksmbd_extract_shortname(struct ksmbd
p = strrchr(longname, '.');
if (p == longname) { /*name starts with a dot*/
- strscpy(extension, "___", strlen("___"));
+ strscpy(extension, "___", sizeof(extension));
} else {
if (p) {
p++;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 524/644] hv_netvsc: Fix panic during namespace deletion with VF
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (522 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 523/644] smb: server: Fix extension string in ksmbd_extract_shortname() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 525/644] usb: typec: fusb302: cache PD RX state Greg Kroah-Hartman
` (125 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyang Zhang <haiyangz@microsoft.com>
[ Upstream commit 33caa208dba6fa639e8a92fd0c8320b652e5550c ]
The existing code move the VF NIC to new namespace when NETDEV_REGISTER is
received on netvsc NIC. During deletion of the namespace,
default_device_exit_batch() >> default_device_exit_net() is called. When
netvsc NIC is moved back and registered to the default namespace, it
automatically brings VF NIC back to the default namespace. This will cause
the default_device_exit_net() >> for_each_netdev_safe loop unable to detect
the list end, and hit NULL ptr:
[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 231.450246] #PF: supervisor read access in kernel mode
[ 231.450579] #PF: error_code(0x0000) - not-present page
[ 231.450916] PGD 17b8a8067 P4D 0
[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
[ 231.452692] Workqueue: netns cleanup_net
[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
[ 231.458434] Call Trace:
[ 231.458600] <TASK>
[ 231.458777] ops_undo_list+0x100/0x220
[ 231.459015] cleanup_net+0x1b8/0x300
[ 231.459285] process_one_work+0x184/0x340
To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid
changing the netdev list when default_device_exit_net() is using it.
Cc: stable@vger.kernel.org
Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event")
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/hyperv/hyperv_net.h | 3 +++
drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++-
2 files changed, 31 insertions(+), 1 deletion(-)
--- a/drivers/net/hyperv/hyperv_net.h
+++ b/drivers/net/hyperv/hyperv_net.h
@@ -1032,6 +1032,7 @@ struct net_device_context {
struct net_device __rcu *vf_netdev;
struct netvsc_vf_pcpu_stats __percpu *vf_stats;
struct delayed_work vf_takeover;
+ struct delayed_work vfns_work;
/* 1: allocated, serial number is valid. 0: not allocated */
u32 vf_alloc;
@@ -1046,6 +1047,8 @@ struct net_device_context {
struct netvsc_device_info *saved_netvsc_dev_info;
};
+void netvsc_vfns_work(struct work_struct *w);
+
/* Per channel data */
struct netvsc_channel {
struct vmbus_channel *channel;
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -2565,6 +2565,7 @@ static int netvsc_probe(struct hv_device
spin_lock_init(&net_device_ctx->lock);
INIT_LIST_HEAD(&net_device_ctx->reconfig_events);
INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup);
+ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work);
net_device_ctx->vf_stats
= netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats);
@@ -2703,6 +2704,8 @@ static int netvsc_remove(struct hv_devic
cancel_delayed_work_sync(&ndev_ctx->dwork);
rtnl_lock();
+ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
+
nvdev = rtnl_dereference(ndev_ctx->nvdev);
if (nvdev) {
cancel_work_sync(&nvdev->subchan_work);
@@ -2745,6 +2748,7 @@ static int netvsc_suspend(struct hv_devi
cancel_delayed_work_sync(&ndev_ctx->dwork);
rtnl_lock();
+ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
nvdev = rtnl_dereference(ndev_ctx->nvdev);
if (nvdev == NULL) {
@@ -2838,6 +2842,27 @@ static void netvsc_event_set_vf_ns(struc
}
}
+void netvsc_vfns_work(struct work_struct *w)
+{
+ struct net_device_context *ndev_ctx =
+ container_of(w, struct net_device_context, vfns_work.work);
+ struct net_device *ndev;
+
+ if (!rtnl_trylock()) {
+ schedule_delayed_work(&ndev_ctx->vfns_work, 1);
+ return;
+ }
+
+ ndev = hv_get_drvdata(ndev_ctx->device_ctx);
+ if (!ndev)
+ goto out;
+
+ netvsc_event_set_vf_ns(ndev);
+
+out:
+ rtnl_unlock();
+}
+
/*
* On Hyper-V, every VF interface is matched with a corresponding
* synthetic interface. The synthetic interface is presented first
@@ -2848,10 +2873,12 @@ static int netvsc_netdev_event(struct no
unsigned long event, void *ptr)
{
struct net_device *event_dev = netdev_notifier_info_to_dev(ptr);
+ struct net_device_context *ndev_ctx;
int ret = 0;
if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) {
- netvsc_event_set_vf_ns(event_dev);
+ ndev_ctx = netdev_priv(event_dev);
+ schedule_delayed_work(&ndev_ctx->vfns_work, 0);
return NOTIFY_DONE;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 525/644] usb: typec: fusb302: cache PD RX state
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (523 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 524/644] hv_netvsc: Fix panic during namespace deletion with VF Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 526/644] PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports Greg Kroah-Hartman
` (124 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Sebastian Reichel,
Heikki Krogerus, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Reichel <sebastian.reichel@collabora.com>
[ Upstream commit 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 ]
This patch fixes a race condition communication error, which ends up in
PD hard resets when losing the race. Some systems, like the Radxa ROCK
5B are powered through USB-C without any backup power source and use a
FUSB302 chip to do the PD negotiation. This means it is quite important
to avoid hard resets, since that effectively kills the system's
power-supply.
I've found the following race condition while debugging unplanned power
loss during booting the board every now and then:
1. lots of TCPM/FUSB302/PD initialization stuff
2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here)
3. the remote PD source does not send anything, so TCPM does a SOFT RESET
4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time
(tcpm_set_pd_rx is enabled again, even though it is still on)
At this point I've seen broken CRC good messages being send by the
FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like
messages are being lost and things generally going haywire with one of
the two sides doing a hard reset once a broken CRC good message was send
to the bus.
I think the system is running into a race condition, that the FIFOs are
being cleared and/or the automatic good CRC message generation flag is
being updated while a message is already arriving.
Let's avoid this by caching the PD RX enabled state, as we have already
processed anything in the FIFOs and are in a good state. As a side
effect that this also optimizes I2C bus usage :)
As far as I can tell the problem theoretically also exists when TCPM
enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less
critical for the following reason:
On devices like the ROCK 5B, which are powered through a TCPM backed
USB-C port, the bootloader must have done some prior PD communication
(initial communication must happen within 5 seconds after plugging the
USB-C plug). This means the first time the kernel TCPM state machine
reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages
actively. On other devices a hard reset simply adds some extra delay and
things should be good afterwards.
Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0e27a@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ replaced str_on_off(on) with ternary operator ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/fusb302.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/usb/typec/tcpm/fusb302.c
+++ b/drivers/usb/typec/tcpm/fusb302.c
@@ -103,6 +103,7 @@ struct fusb302_chip {
bool vconn_on;
bool vbus_on;
bool charge_on;
+ bool pd_rx_on;
bool vbus_present;
enum typec_cc_polarity cc_polarity;
enum typec_cc_status cc1;
@@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_de
int ret = 0;
mutex_lock(&chip->lock);
+ if (chip->pd_rx_on == on) {
+ fusb302_log(chip, "pd is already %s", on ? "on" : "off");
+ goto done;
+ }
+
ret = fusb302_pd_rx_flush(chip);
if (ret < 0) {
fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret);
@@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_de
on ? "on" : "off", ret);
goto done;
}
+
+ chip->pd_rx_on = on;
fusb302_log(chip, "pd := %s", on ? "on" : "off");
done:
mutex_unlock(&chip->lock);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 526/644] PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (524 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 525/644] usb: typec: fusb302: cache PD RX state Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 527/644] block: Make REQ_OP_ZONE_FINISH a write operation Greg Kroah-Hartman
` (123 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Bigonville,
Mario Limonciello, Lukas Wunner, Bjorn Helgaas, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
[ Upstream commit 6cff20ce3b92ffbf2fc5eb9e5a030b3672aa414a ]
pci_bridge_d3_possible() is called from both pcie_portdrv_probe() and
pcie_portdrv_remove() to determine whether runtime power management shall
be enabled (on probe) or disabled (on remove) on a PCIe port.
The underlying assumption is that pci_bridge_d3_possible() always returns
the same value, else a runtime PM reference imbalance would occur. That
assumption is not given if the PCIe port is inaccessible on remove due to
hot-unplug: pci_bridge_d3_possible() calls pciehp_is_native(), which
accesses Config Space to determine whether the port is Hot-Plug Capable.
An inaccessible port returns "all ones", which is converted to "all
zeroes" by pcie_capability_read_dword(). Hence the port no longer seems
Hot-Plug Capable on remove even though it was on probe.
The resulting runtime PM ref imbalance causes warning messages such as:
pcieport 0000:02:04.0: Runtime PM usage count underflow!
Avoid the Config Space access (and thus the runtime PM ref imbalance) by
caching the Hot-Plug Capable bit in struct pci_dev.
The struct already contains an "is_hotplug_bridge" flag, which however is
not only set on Hot-Plug Capable PCIe ports, but also Conventional PCI
Hot-Plug bridges and ACPI slots. The flag identifies bridges which are
allocated additional MMIO and bus number resources to allow for hierarchy
expansion.
The kernel is somewhat sloppily using "is_hotplug_bridge" in a number of
places to identify Hot-Plug Capable PCIe ports, even though the flag
encompasses other devices. Subsequent commits replace these occurrences
with the new flag to clearly delineate Hot-Plug Capable PCIe ports from
other kinds of hotplug bridges.
Document the existing "is_hotplug_bridge" and the new "is_pciehp" flag
and document the (non-obvious) requirement that pci_bridge_d3_possible()
always returns the same value across the entire lifetime of a bridge,
including its hot-removal.
Fixes: 5352a44a561d ("PCI: pciehp: Make pciehp_is_native() stricter")
Reported-by: Laurent Bigonville <bigon@bigon.be>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220216
Reported-by: Mario Limonciello <mario.limonciello@amd.com>
Closes: https://lore.kernel.org/r/20250609020223.269407-3-superm1@kernel.org/
Link: https://lore.kernel.org/all/20250620025535.3425049-3-superm1@kernel.org/T/#u
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Rafael J. Wysocki <rafael@kernel.org>
Cc: stable@vger.kernel.org # v4.18+
Link: https://patch.msgid.link/fe5dcc3b2e62ee1df7905d746bde161eb1b3291c.1752390101.git.lukas@wunner.de
[ changed "recent enough PCIe ports" comment to "some PCIe ports" ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci-acpi.c | 4 +---
drivers/pci/pci.c | 8 ++++++--
drivers/pci/probe.c | 2 +-
include/linux/pci.h | 10 +++++++++-
4 files changed, 17 insertions(+), 7 deletions(-)
--- a/drivers/pci/pci-acpi.c
+++ b/drivers/pci/pci-acpi.c
@@ -792,13 +792,11 @@ int pci_acpi_program_hp_params(struct pc
bool pciehp_is_native(struct pci_dev *bridge)
{
const struct pci_host_bridge *host;
- u32 slot_cap;
if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))
return false;
- pcie_capability_read_dword(bridge, PCI_EXP_SLTCAP, &slot_cap);
- if (!(slot_cap & PCI_EXP_SLTCAP_HPC))
+ if (!bridge->is_pciehp)
return false;
if (pcie_ports_native)
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -2921,8 +2921,12 @@ static const struct dmi_system_id bridge
* pci_bridge_d3_possible - Is it possible to put the bridge into D3
* @bridge: Bridge to check
*
- * This function checks if it is possible to move the bridge to D3.
- * Currently we only allow D3 for recent enough PCIe ports and Thunderbolt.
+ * Currently we only allow D3 for some PCIe ports and for Thunderbolt.
+ *
+ * Return: Whether it is possible to move the bridge to D3.
+ *
+ * The return value is guaranteed to be constant across the entire lifetime
+ * of the bridge, including its hot-removal.
*/
bool pci_bridge_d3_possible(struct pci_dev *bridge)
{
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1590,7 +1590,7 @@ void set_pcie_hotplug_bridge(struct pci_
pcie_capability_read_dword(pdev, PCI_EXP_SLTCAP, ®32);
if (reg32 & PCI_EXP_SLTCAP_HPC)
- pdev->is_hotplug_bridge = 1;
+ pdev->is_hotplug_bridge = pdev->is_pciehp = 1;
}
static void set_pcie_thunderbolt(struct pci_dev *dev)
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -317,7 +317,14 @@ struct pci_sriov;
struct pci_p2pdma;
struct rcec_ea;
-/* The pci_dev structure describes PCI devices */
+/* struct pci_dev - describes a PCI device
+ *
+ * @is_hotplug_bridge: Hotplug bridge of any kind (e.g. PCIe Hot-Plug Capable,
+ * Conventional PCI Hot-Plug, ACPI slot).
+ * Such bridges are allocated additional MMIO and bus
+ * number resources to allow for hierarchy expansion.
+ * @is_pciehp: PCIe Hot-Plug Capable bridge.
+ */
struct pci_dev {
struct list_head bus_list; /* Node in per-bus list */
struct pci_bus *bus; /* Bus this device is on */
@@ -440,6 +447,7 @@ struct pci_dev {
unsigned int is_physfn:1;
unsigned int is_virtfn:1;
unsigned int is_hotplug_bridge:1;
+ unsigned int is_pciehp:1;
unsigned int shpc_managed:1; /* SHPC owned by shpchp */
unsigned int is_thunderbolt:1; /* Thunderbolt controller */
/*
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 527/644] block: Make REQ_OP_ZONE_FINISH a write operation
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (525 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 526/644] PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 528/644] net: enetc: fix device and OF node leak at probe Greg Kroah-Hartman
` (122 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Bart Van Assche,
Johannes Thumshirn, Christoph Hellwig, Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 3f66ccbaaef3a0c5bd844eab04e3207b4061c546 ]
REQ_OP_ZONE_FINISH is defined as "12", which makes
op_is_write(REQ_OP_ZONE_FINISH) return false, despite the fact that a
zone finish operation is an operation that modifies a zone (transition
it to full) and so should be considered as a write operation (albeit
one that does not transfer any data to the device).
Fix this by redefining REQ_OP_ZONE_FINISH to be an odd number (13), and
redefine REQ_OP_ZONE_RESET and REQ_OP_ZONE_RESET_ALL using sequential
odd numbers from that new value.
Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250625093327.548866-2-dlemoal@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[ More renumbering... ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/blk_types.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/include/linux/blk_types.h
+++ b/include/linux/blk_types.h
@@ -341,13 +341,13 @@ enum req_opf {
/* Close a zone */
REQ_OP_ZONE_CLOSE = 11,
/* Transition a zone to full */
- REQ_OP_ZONE_FINISH = 12,
+ REQ_OP_ZONE_FINISH = 13,
/* write data at the current zone write pointer */
- REQ_OP_ZONE_APPEND = 13,
+ REQ_OP_ZONE_APPEND = 15,
/* reset a zone write pointer */
- REQ_OP_ZONE_RESET = 15,
+ REQ_OP_ZONE_RESET = 17,
/* reset all the zone present on the device */
- REQ_OP_ZONE_RESET_ALL = 17,
+ REQ_OP_ZONE_RESET_ALL = 19,
/* Driver private requests */
REQ_OP_DRV_IN = 34,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 528/644] net: enetc: fix device and OF node leak at probe
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (526 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 527/644] block: Make REQ_OP_ZONE_FINISH a write operation Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 529/644] NFS: Create an nfs4_server_set_init_caps() function Greg Kroah-Hartman
` (121 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Johan Hovold,
Simon Horman, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed ]
Make sure to drop the references to the IERB OF node and platform device
taken by of_parse_phandle() and of_find_device_by_node() during probe.
Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block")
Cc: stable@vger.kernel.org # 5.13
Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250725171213.880-3-johan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
@@ -1206,6 +1206,7 @@ static int enetc_pf_register_with_ierb(s
struct device_node *node = pdev->dev.of_node;
struct platform_device *ierb_pdev;
struct device_node *ierb_node;
+ int ret;
/* Don't register with the IERB if the PF itself is disabled */
if (!node || !of_device_is_available(node))
@@ -1213,16 +1214,25 @@ static int enetc_pf_register_with_ierb(s
ierb_node = of_find_compatible_node(NULL, NULL,
"fsl,ls1028a-enetc-ierb");
- if (!ierb_node || !of_device_is_available(ierb_node))
+ if (!ierb_node)
return -ENODEV;
+ if (!of_device_is_available(ierb_node)) {
+ of_node_put(ierb_node);
+ return -ENODEV;
+ }
+
ierb_pdev = of_find_device_by_node(ierb_node);
of_node_put(ierb_node);
if (!ierb_pdev)
return -EPROBE_DEFER;
- return enetc_ierb_register_pf(ierb_pdev, pdev);
+ ret = enetc_ierb_register_pf(ierb_pdev, pdev);
+
+ put_device(&ierb_pdev->dev);
+
+ return ret;
}
static int enetc_pf_probe(struct pci_dev *pdev,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 529/644] NFS: Create an nfs4_server_set_init_caps() function
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (527 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 528/644] net: enetc: fix device and OF node leak at probe Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 530/644] NFS: Fix the setting of capabilities when automounting a new filesystem Greg Kroah-Hartman
` (120 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anna Schumaker, Trond Myklebust,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anna Schumaker <Anna.Schumaker@Netapp.com>
[ Upstream commit 01dde76e471229e3437a2686c572f4980b2c483e ]
And call it before doing an FSINFO probe to reset to the baseline
capabilities before probing.
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/internal.h | 1 +
fs/nfs/nfs4client.c | 33 +++++++++++++++++++--------------
fs/nfs/nfs4proc.c | 2 ++
3 files changed, 22 insertions(+), 14 deletions(-)
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -219,6 +219,7 @@ extern struct nfs_client *
nfs4_find_client_sessionid(struct net *, const struct sockaddr *,
struct nfs4_sessionid *, u32);
extern struct nfs_server *nfs_create_server(struct fs_context *);
+extern void nfs4_server_set_init_caps(struct nfs_server *);
extern struct nfs_server *nfs4_create_server(struct fs_context *);
extern struct nfs_server *nfs4_create_referral_server(struct fs_context *);
extern int nfs4_update_server(struct nfs_server *server, const char *hostname,
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -1065,6 +1065,24 @@ static void nfs4_session_limit_xasize(st
#endif
}
+void nfs4_server_set_init_caps(struct nfs_server *server)
+{
+ /* Set the basic capabilities */
+ server->caps |= server->nfs_client->cl_mvops->init_caps;
+ if (server->flags & NFS_MOUNT_NORDIRPLUS)
+ server->caps &= ~NFS_CAP_READDIRPLUS;
+ if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
+ server->caps &= ~NFS_CAP_READ_PLUS;
+
+ /*
+ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
+ * authentication.
+ */
+ if (nfs4_disable_idmapping &&
+ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
+ server->caps |= NFS_CAP_UIDGID_NOMAP;
+}
+
static int nfs4_server_common_setup(struct nfs_server *server,
struct nfs_fh *mntfh, bool auth_probe)
{
@@ -1084,20 +1102,7 @@ static int nfs4_server_common_setup(stru
if (error < 0)
goto out;
- /* Set the basic capabilities */
- server->caps |= server->nfs_client->cl_mvops->init_caps;
- if (server->flags & NFS_MOUNT_NORDIRPLUS)
- server->caps &= ~NFS_CAP_READDIRPLUS;
- if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
- server->caps &= ~NFS_CAP_READ_PLUS;
- /*
- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
- * authentication.
- */
- if (nfs4_disable_idmapping &&
- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
- server->caps |= NFS_CAP_UIDGID_NOMAP;
-
+ nfs4_server_set_init_caps(server);
/* Probe the root fh to retrieve its FSID and filehandle */
error = nfs4_get_rootfh(server, mntfh, auth_probe);
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3968,6 +3968,8 @@ int nfs4_server_capabilities(struct nfs_
.interruptible = true,
};
int err;
+
+ nfs4_server_set_init_caps(server);
do {
err = nfs4_handle_exception(server,
_nfs4_server_capabilities(server, fhandle),
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 530/644] NFS: Fix the setting of capabilities when automounting a new filesystem
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (528 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 529/644] NFS: Create an nfs4_server_set_init_caps() function Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 531/644] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Greg Kroah-Hartman
` (119 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Coddington, Trond Myklebust,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit b01f21cacde9f2878492cf318fee61bf4ccad323 ]
Capabilities cannot be inherited when we cross into a new filesystem.
They need to be reset to the minimal defaults, and then probed for
again.
Fixes: 54ceac451598 ("NFS: Share NFS superblocks per-protocol per-server per-FSID")
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/client.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
fs/nfs/internal.h | 2 +-
fs/nfs/nfs4client.c | 20 +-------------------
fs/nfs/nfs4proc.c | 2 +-
4 files changed, 45 insertions(+), 23 deletions(-)
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -661,6 +661,44 @@ struct nfs_client *nfs_init_client(struc
}
EXPORT_SYMBOL_GPL(nfs_init_client);
+static void nfs4_server_set_init_caps(struct nfs_server *server)
+{
+#if IS_ENABLED(CONFIG_NFS_V4)
+ /* Set the basic capabilities */
+ server->caps = server->nfs_client->cl_mvops->init_caps;
+ if (server->flags & NFS_MOUNT_NORDIRPLUS)
+ server->caps &= ~NFS_CAP_READDIRPLUS;
+ if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
+ server->caps &= ~NFS_CAP_READ_PLUS;
+
+ /*
+ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
+ * authentication.
+ */
+ if (nfs4_disable_idmapping &&
+ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
+ server->caps |= NFS_CAP_UIDGID_NOMAP;
+#endif
+}
+
+void nfs_server_set_init_caps(struct nfs_server *server)
+{
+ switch (server->nfs_client->rpc_ops->version) {
+ case 2:
+ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
+ break;
+ case 3:
+ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
+ if (!(server->flags & NFS_MOUNT_NORDIRPLUS))
+ server->caps |= NFS_CAP_READDIRPLUS;
+ break;
+ default:
+ nfs4_server_set_init_caps(server);
+ break;
+ }
+}
+EXPORT_SYMBOL_GPL(nfs_server_set_init_caps);
+
/*
* Create a version 2 or 3 client
*/
@@ -699,7 +737,6 @@ static int nfs_init_server(struct nfs_se
/* Initialise the client representation from the mount data */
server->flags = ctx->flags;
server->options = ctx->options;
- server->caps |= NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
switch (clp->rpc_ops->version) {
case 2:
@@ -735,6 +772,8 @@ static int nfs_init_server(struct nfs_se
if (error < 0)
goto error;
+ nfs_server_set_init_caps(server);
+
/* Preserve the values of mount_server-related mount options */
if (ctx->mount_server.addrlen) {
memcpy(&server->mountd_address, &ctx->mount_server.address,
@@ -884,7 +923,6 @@ void nfs_server_copy_userdata(struct nfs
target->acregmax = source->acregmax;
target->acdirmin = source->acdirmin;
target->acdirmax = source->acdirmax;
- target->caps = source->caps;
target->options = source->options;
target->auth_info = source->auth_info;
target->port = source->port;
@@ -1095,6 +1133,8 @@ struct nfs_server *nfs_clone_server(stru
if (error < 0)
goto out_free_server;
+ nfs_server_set_init_caps(server);
+
/* probe the filesystem info for this server filesystem */
error = nfs_probe_fsinfo(server, fh, fattr_fsinfo);
if (error < 0)
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -219,7 +219,7 @@ extern struct nfs_client *
nfs4_find_client_sessionid(struct net *, const struct sockaddr *,
struct nfs4_sessionid *, u32);
extern struct nfs_server *nfs_create_server(struct fs_context *);
-extern void nfs4_server_set_init_caps(struct nfs_server *);
+extern void nfs_server_set_init_caps(struct nfs_server *);
extern struct nfs_server *nfs4_create_server(struct fs_context *);
extern struct nfs_server *nfs4_create_referral_server(struct fs_context *);
extern int nfs4_update_server(struct nfs_server *server, const char *hostname,
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -1065,24 +1065,6 @@ static void nfs4_session_limit_xasize(st
#endif
}
-void nfs4_server_set_init_caps(struct nfs_server *server)
-{
- /* Set the basic capabilities */
- server->caps |= server->nfs_client->cl_mvops->init_caps;
- if (server->flags & NFS_MOUNT_NORDIRPLUS)
- server->caps &= ~NFS_CAP_READDIRPLUS;
- if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
- server->caps &= ~NFS_CAP_READ_PLUS;
-
- /*
- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
- * authentication.
- */
- if (nfs4_disable_idmapping &&
- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
- server->caps |= NFS_CAP_UIDGID_NOMAP;
-}
-
static int nfs4_server_common_setup(struct nfs_server *server,
struct nfs_fh *mntfh, bool auth_probe)
{
@@ -1102,7 +1084,7 @@ static int nfs4_server_common_setup(stru
if (error < 0)
goto out;
- nfs4_server_set_init_caps(server);
+ nfs_server_set_init_caps(server);
/* Probe the root fh to retrieve its FSID and filehandle */
error = nfs4_get_rootfh(server, mntfh, auth_probe);
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3969,7 +3969,7 @@ int nfs4_server_capabilities(struct nfs_
};
int err;
- nfs4_server_set_init_caps(server);
+ nfs_server_set_init_caps(server);
do {
err = nfs4_handle_exception(server,
_nfs4_server_capabilities(server, fhandle),
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 531/644] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (529 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 530/644] NFS: Fix the setting of capabilities when automounting a new filesystem Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 532/644] usb: musb: omap2430: Convert to platform remove callback returning void Greg Kroah-Hartman
` (118 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anshuman Khandual, David Hildenbrand,
Dev Jain, Catalin Marinas, Will Deacon, Ryan Roberts,
Paul Walmsley, Palmer Dabbelt, Alexander Gordeev, Gerald Schaefer,
Heiko Carstens, Vasily Gorbik, Christian Borntraeger,
Sven Schnelle, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anshuman Khandual <anshuman.khandual@arm.com>
[ Upstream commit 59305202c67fea50378dcad0cc199dbc13a0e99a ]
Memory hot remove unmaps and tears down various kernel page table regions
as required. The ptdump code can race with concurrent modifications of
the kernel page tables. When leaf entries are modified concurrently, the
dump code may log stale or inconsistent information for a VA range, but
this is otherwise not harmful.
But when intermediate levels of kernel page table are freed, the dump code
will continue to use memory that has been freed and potentially
reallocated for another purpose. In such cases, the ptdump code may
dereference bogus addresses, leading to a number of potential problems.
To avoid the above mentioned race condition, platforms such as arm64,
riscv and s390 take memory hotplug lock, while dumping kernel page table
via the sysfs interface /sys/kernel/debug/kernel_page_tables.
Similar race condition exists while checking for pages that might have
been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages
which in turn calls ptdump_check_wx(). Instead of solving this race
condition again, let's just move the memory hotplug lock inside generic
ptdump_check_wx() which will benefit both the scenarios.
Drop get_online_mems() and put_online_mems() combination from all existing
platform ptdump code paths.
Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com
Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Dev Jain <dev.jain@arm.com>
Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> [s390]
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/mm/ptdump_debugfs.c | 3 ---
arch/s390/mm/dump_pagetables.c | 2 --
mm/ptdump.c | 2 ++
3 files changed, 2 insertions(+), 5 deletions(-)
--- a/arch/arm64/mm/ptdump_debugfs.c
+++ b/arch/arm64/mm/ptdump_debugfs.c
@@ -1,6 +1,5 @@
// SPDX-License-Identifier: GPL-2.0
#include <linux/debugfs.h>
-#include <linux/memory_hotplug.h>
#include <linux/seq_file.h>
#include <asm/ptdump.h>
@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *
{
struct ptdump_info *info = m->private;
- get_online_mems();
ptdump_walk(m, info);
- put_online_mems();
return 0;
}
DEFINE_SHOW_ATTRIBUTE(ptdump);
--- a/arch/s390/mm/dump_pagetables.c
+++ b/arch/s390/mm/dump_pagetables.c
@@ -227,11 +227,9 @@ static int ptdump_show(struct seq_file *
.marker = address_markers,
};
- get_online_mems();
mutex_lock(&cpa_mutex);
ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);
mutex_unlock(&cpa_mutex);
- put_online_mems();
return 0;
}
DEFINE_SHOW_ATTRIBUTE(ptdump);
--- a/mm/ptdump.c
+++ b/mm/ptdump.c
@@ -144,6 +144,7 @@ void ptdump_walk_pgd(struct ptdump_state
{
const struct ptdump_range *range = st->range;
+ get_online_mems();
mmap_write_lock(mm);
while (range->start != range->end) {
walk_page_range_novma(mm, range->start, range->end,
@@ -151,6 +152,7 @@ void ptdump_walk_pgd(struct ptdump_state
range++;
}
mmap_write_unlock(mm);
+ put_online_mems();
/* Flush out the last page */
st->note_page(st, 0, -1, 0);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 532/644] usb: musb: omap2430: Convert to platform remove callback returning void
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (530 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 531/644] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 533/644] usb: musb: omap2430: fix device leak at unbind Greg Kroah-Hartman
` (117 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit cb020bf52253327fe382e10bcae02a4f1da33c04 ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20230405141009.3400693-8-u.kleine-koenig@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 1473e9e7679b ("usb: musb: omap2430: fix device leak at unbind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/musb/omap2430.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/usb/musb/omap2430.c
+++ b/drivers/usb/musb/omap2430.c
@@ -435,14 +435,12 @@ err0:
return ret;
}
-static int omap2430_remove(struct platform_device *pdev)
+static void omap2430_remove(struct platform_device *pdev)
{
struct omap2430_glue *glue = platform_get_drvdata(pdev);
platform_device_unregister(glue->musb);
pm_runtime_disable(glue->dev);
-
- return 0;
}
#ifdef CONFIG_PM
@@ -574,7 +572,7 @@ MODULE_DEVICE_TABLE(of, omap2430_id_tabl
static struct platform_driver omap2430_driver = {
.probe = omap2430_probe,
- .remove = omap2430_remove,
+ .remove_new = omap2430_remove,
.driver = {
.name = "musb-omap2430",
.pm = DEV_PM_OPS,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 533/644] usb: musb: omap2430: fix device leak at unbind
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (531 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 532/644] usb: musb: omap2430: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 534/644] ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig Greg Kroah-Hartman
` (116 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roger Quadros, Johan Hovold,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 1473e9e7679bd4f5a62d1abccae894fb86de280f ]
Make sure to drop the reference to the control device taken by
of_find_device_by_node() during probe when the driver is unbound.
Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()")
Cc: stable@vger.kernel.org # 3.13
Cc: Roger Quadros <rogerq@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20250724091910.21092-5-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Removed populate_irqs-related goto changes ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/musb/omap2430.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/drivers/usb/musb/omap2430.c
+++ b/drivers/usb/musb/omap2430.c
@@ -406,13 +406,13 @@ static int omap2430_probe(struct platfor
ARRAY_SIZE(musb_resources));
if (ret) {
dev_err(&pdev->dev, "failed to add resources\n");
- goto err2;
+ goto err_put_control_otghs;
}
ret = platform_device_add_data(musb, pdata, sizeof(*pdata));
if (ret) {
dev_err(&pdev->dev, "failed to add platform_data\n");
- goto err2;
+ goto err_put_control_otghs;
}
pm_runtime_enable(glue->dev);
@@ -427,7 +427,9 @@ static int omap2430_probe(struct platfor
err3:
pm_runtime_disable(glue->dev);
-
+err_put_control_otghs:
+ if (!IS_ERR(glue->control_otghs))
+ put_device(glue->control_otghs);
err2:
platform_device_put(musb);
@@ -441,6 +443,8 @@ static void omap2430_remove(struct platf
platform_device_unregister(glue->musb);
pm_runtime_disable(glue->dev);
+ if (!IS_ERR(glue->control_otghs))
+ put_device(glue->control_otghs);
}
#ifdef CONFIG_PM
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 534/644] ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (532 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 533/644] usb: musb: omap2430: fix device leak at unbind Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 535/644] bus: mhi: host: Detect events pointing to unexpected TREs Greg Kroah-Hartman
` (115 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Hannes Reinecke,
Niklas Cassel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ]
Improve the description of the possible default SATA link power
management policies and add the missing description for policy 5.
No functional changes.
Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/Kconfig | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
--- a/drivers/ata/Kconfig
+++ b/drivers/ata/Kconfig
@@ -117,22 +117,39 @@ config SATA_AHCI
config SATA_MOBILE_LPM_POLICY
int "Default SATA Link Power Management policy for mobile chipsets"
- range 0 4
+ range 0 5
default 0
depends on SATA_AHCI
help
Select the Default SATA Link Power Management (LPM) policy to use
for mobile / laptop variants of chipsets / "South Bridges".
- The value set has the following meanings:
+ Each policy combines power saving states and features:
+ - Partial: The Phy logic is powered but is in a reduced power
+ state. The exit latency from this state is no longer than
+ 10us).
+ - Slumber: The Phy logic is powered but is in an even lower power
+ state. The exit latency from this state is potentially
+ longer, but no longer than 10ms.
+ - DevSleep: The Phy logic may be powered down. The exit latency from
+ this state is no longer than 20 ms, unless otherwise
+ specified by DETO in the device Identify Device Data log.
+ - HIPM: Host Initiated Power Management (host automatically
+ transitions to partial and slumber).
+ - DIPM: Device Initiated Power Management (device automatically
+ transitions to partial and slumber).
+
+ The possible values for the default SATA link power management
+ policies are:
0 => Keep firmware settings
- 1 => Maximum performance
- 2 => Medium power
- 3 => Medium power with Device Initiated PM enabled
- 4 => Minimum power
+ 1 => No power savings (maximum performance)
+ 2 => HIPM (Partial)
+ 3 => HIPM (Partial) and DIPM (Partial and Slumber)
+ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber)
+ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber)
- Note "Minimum power" is known to cause issues, including disk
- corruption, with some disks and should not be used.
+ Excluding the value 0, higher values represent policies with higher
+ power savings.
config SATA_AHCI_PLATFORM
tristate "Platform AHCI SATA support"
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 535/644] bus: mhi: host: Detect events pointing to unexpected TREs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (533 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 534/644] ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 536/644] usb: dwc3: imx8mp: fix device leak at unbind Greg Kroah-Hartman
` (114 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youssef Samir, Manivannan Sadhasivam,
Jeff Hugo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Youssef Samir <quic_yabdulra@quicinc.com>
[ Upstream commit 5bd398e20f0833ae8a1267d4f343591a2dd20185 ]
When a remote device sends a completion event to the host, it contains a
pointer to the consumed TRE. The host uses this pointer to process all of
the TREs between it and the host's local copy of the ring's read pointer.
This works when processing completion for chained transactions, but can
lead to nasty results if the device sends an event for a single-element
transaction with a read pointer that is multiple elements ahead of the
host's read pointer.
For instance, if the host accesses an event ring while the device is
updating it, the pointer inside of the event might still point to an old
TRE. If the host uses the channel's xfer_cb() to directly free the buffer
pointed to by the TRE, the buffer will be double-freed.
This behavior was observed on an ep that used upstream EP stack without
'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer
is written")'. Where the device updated the events ring pointer before
updating the event contents, so it left a window where the host was able to
access the stale data the event pointed to, before the device had the
chance to update them. The usual pattern was that the host received an
event pointing to a TRE that is not immediately after the last processed
one, so it got treated as if it was a chained transaction, processing all
of the TREs in between the two read pointers.
This commit aims to harden the host by ensuring transactions where the
event points to a TRE that isn't local_rp + 1 are chained.
Fixes: 1d3173a3bae7 ("bus: mhi: core: Add support for processing events from client device")
Signed-off-by: Youssef Samir <quic_yabdulra@quicinc.com>
[mani: added stable tag and reworded commit message]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20250714163039.3438985-1-quic_yabdulra@quicinc.com
[ Replaced missing MHI_TRE_DATA_GET_CHAIN macro with direct bit 0 check on dword[1]. ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bus/mhi/host/main.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/drivers/bus/mhi/host/main.c
+++ b/drivers/bus/mhi/host/main.c
@@ -594,7 +594,7 @@ static int parse_xfer_event(struct mhi_c
{
dma_addr_t ptr = MHI_TRE_GET_EV_PTR(event);
struct mhi_ring_element *local_rp, *ev_tre;
- void *dev_rp;
+ void *dev_rp, *next_rp;
struct mhi_buf_info *buf_info;
u16 xfer_len;
@@ -613,6 +613,19 @@ static int parse_xfer_event(struct mhi_c
result.dir = mhi_chan->dir;
local_rp = tre_ring->rp;
+
+ next_rp = local_rp + 1;
+ if (next_rp >= tre_ring->base + tre_ring->len)
+ next_rp = tre_ring->base;
+ /* Check if the event points to an unexpected TRE.
+ * Chain flag is bit 0 of dword[1] in the TRE.
+ */
+ if (dev_rp != next_rp && !(le32_to_cpu(local_rp->dword[1]) & 0x1)) {
+ dev_err(&mhi_cntrl->mhi_dev->dev,
+ "Event element points to an unexpected TRE\n");
+ break;
+ }
+
while (local_rp != dev_rp) {
buf_info = buf_ring->rp;
/* If it's the last TRE, get length from the event */
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 536/644] usb: dwc3: imx8mp: fix device leak at unbind
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (534 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 535/644] bus: mhi: host: Detect events pointing to unexpected TREs Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 537/644] platform/chrome: cros_ec: Make cros_ec_unregister() return void Greg Kroah-Hartman
` (113 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Jun, Johan Hovold, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 086a0e516f7b3844e6328a5c69e2708b66b0ce18 ]
Make sure to drop the reference to the dwc3 device taken by
of_find_device_by_node() on probe errors and on driver unbind.
Fixes: 6dd2565989b4 ("usb: dwc3: add imx8mp dwc3 glue layer driver")
Cc: stable@vger.kernel.org # 5.12
Cc: Li Jun <jun.li@nxp.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20250724091910.21092-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-imx8mp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/usb/dwc3/dwc3-imx8mp.c
+++ b/drivers/usb/dwc3/dwc3-imx8mp.c
@@ -183,7 +183,7 @@ static int dwc3_imx8mp_probe(struct plat
IRQF_ONESHOT, dev_name(dev), dwc3_imx);
if (err) {
dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err);
- goto depopulate;
+ goto put_dwc3;
}
device_set_wakeup_capable(dev, true);
@@ -191,6 +191,8 @@ static int dwc3_imx8mp_probe(struct plat
return 0;
+put_dwc3:
+ put_device(&dwc3_imx->dwc3->dev);
depopulate:
of_platform_depopulate(dev);
err_node_put:
@@ -211,6 +213,8 @@ static int dwc3_imx8mp_remove(struct pla
struct dwc3_imx8mp *dwc3_imx = platform_get_drvdata(pdev);
struct device *dev = &pdev->dev;
+ put_device(&dwc3_imx->dwc3->dev);
+
pm_runtime_get_sync(dev);
of_platform_depopulate(dev);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 537/644] platform/chrome: cros_ec: Make cros_ec_unregister() return void
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (535 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 536/644] usb: dwc3: imx8mp: fix device leak at unbind Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 538/644] platform/chrome: cros_ec: Use per-device lockdep key Greg Kroah-Hartman
` (112 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Uwe Kleine-König,
Lee Jones, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit afb0a80e63d67e957b5d0eb4ade301aff6e13c8c ]
Up to now cros_ec_unregister() returns zero unconditionally. Make it
return void instead which makes it easier to see in the callers that
there is no error to handle.
Also the return value of i2c, platform and spi remove callbacks is
ignored anyway.
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Link: https://lore.kernel.org/r/20211020071753.wltjslmimb6wtlp5@pengutronix.de
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Lee Jones <lee.jones@linaro.org>
Link: https://lore.kernel.org/r/20220123175201.34839-5-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec.c | 4 +---
drivers/platform/chrome/cros_ec.h | 2 +-
drivers/platform/chrome/cros_ec_i2c.c | 4 +++-
drivers/platform/chrome/cros_ec_lpc.c | 4 +++-
drivers/platform/chrome/cros_ec_spi.c | 4 +++-
5 files changed, 11 insertions(+), 7 deletions(-)
--- a/drivers/platform/chrome/cros_ec.c
+++ b/drivers/platform/chrome/cros_ec.c
@@ -306,13 +306,11 @@ EXPORT_SYMBOL(cros_ec_register);
*
* Return: 0 on success or negative error code.
*/
-int cros_ec_unregister(struct cros_ec_device *ec_dev)
+void cros_ec_unregister(struct cros_ec_device *ec_dev)
{
if (ec_dev->pd)
platform_device_unregister(ec_dev->pd);
platform_device_unregister(ec_dev->ec);
-
- return 0;
}
EXPORT_SYMBOL(cros_ec_unregister);
--- a/drivers/platform/chrome/cros_ec.h
+++ b/drivers/platform/chrome/cros_ec.h
@@ -11,7 +11,7 @@
#include <linux/interrupt.h>
int cros_ec_register(struct cros_ec_device *ec_dev);
-int cros_ec_unregister(struct cros_ec_device *ec_dev);
+void cros_ec_unregister(struct cros_ec_device *ec_dev);
int cros_ec_suspend(struct cros_ec_device *ec_dev);
int cros_ec_resume(struct cros_ec_device *ec_dev);
--- a/drivers/platform/chrome/cros_ec_i2c.c
+++ b/drivers/platform/chrome/cros_ec_i2c.c
@@ -313,7 +313,9 @@ static int cros_ec_i2c_remove(struct i2c
{
struct cros_ec_device *ec_dev = i2c_get_clientdata(client);
- return cros_ec_unregister(ec_dev);
+ cros_ec_unregister(ec_dev);
+
+ return 0;
}
#ifdef CONFIG_PM_SLEEP
--- a/drivers/platform/chrome/cros_ec_lpc.c
+++ b/drivers/platform/chrome/cros_ec_lpc.c
@@ -439,7 +439,9 @@ static int cros_ec_lpc_remove(struct pla
acpi_remove_notify_handler(adev->handle, ACPI_ALL_NOTIFY,
cros_ec_lpc_acpi_notify);
- return cros_ec_unregister(ec_dev);
+ cros_ec_unregister(ec_dev);
+
+ return 0;
}
static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = {
--- a/drivers/platform/chrome/cros_ec_spi.c
+++ b/drivers/platform/chrome/cros_ec_spi.c
@@ -790,7 +790,9 @@ static int cros_ec_spi_remove(struct spi
{
struct cros_ec_device *ec_dev = spi_get_drvdata(spi);
- return cros_ec_unregister(ec_dev);
+ cros_ec_unregister(ec_dev);
+
+ return 0;
}
#ifdef CONFIG_PM_SLEEP
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 538/644] platform/chrome: cros_ec: Use per-device lockdep key
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (536 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 537/644] platform/chrome: cros_ec: Make cros_ec_unregister() return void Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 539/644] platform/chrome: cros_ec: remove unneeded label and if-condition Greg Kroah-Hartman
` (111 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai, Tzung-Bi Shih,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit 961a325becd9a142ae5c8b258e5c2f221f8bfac8 ]
Lockdep reports a bogus possible deadlock on MT8192 Chromebooks due to
the following lock sequences:
1. lock(i2c_register_adapter) [1]; lock(&ec_dev->lock)
2. lock(&ec_dev->lock); lock(prepare_lock);
The actual dependency chains are much longer. The shortened version
looks somewhat like:
1. cros-ec-rpmsg on mtk-scp
ec_dev->lock -> prepare_lock
2. In rt5682_i2c_probe() on native I2C bus:
prepare_lock -> regmap->lock -> (possibly) i2c_adapter->bus_lock
3. In rt5682_i2c_probe() on native I2C bus:
regmap->lock -> i2c_adapter->bus_lock
4. In sbs_probe() on i2c-cros-ec-tunnel I2C bus attached on cros-ec:
i2c_adapter->bus_lock -> ec_dev->lock
While lockdep is correct that the shared lockdep classes have a circular
dependency, it is bogus because
a) 2+3 happen on a native I2C bus
b) 4 happens on the actual EC on ChromeOS devices
c) 1 happens on the SCP coprocessor on MediaTek Chromebooks that just
happens to expose a cros-ec interface, but does not have an
i2c-cros-ec-tunnel I2C bus
In short, the "dependencies" are actually on different devices.
Setup a per-device lockdep key for cros_ec devices so lockdep can tell
the two instances apart. This helps with getting rid of the bogus
lockdep warning. For ChromeOS devices that only have one cros-ec
instance this doesn't change anything.
Also add a missing mutex_destroy, just to make the teardown complete.
[1] This is likely the per I2C bus lock with shared lockdep class
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20230111074146.2624496-1-wenst@chromium.org
Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec.c | 14 +++++++++++---
include/linux/platform_data/cros_ec_proto.h | 4 ++++
2 files changed, 15 insertions(+), 3 deletions(-)
--- a/drivers/platform/chrome/cros_ec.c
+++ b/drivers/platform/chrome/cros_ec.c
@@ -200,12 +200,14 @@ int cros_ec_register(struct cros_ec_devi
if (!ec_dev->dout)
return -ENOMEM;
+ lockdep_register_key(&ec_dev->lockdep_key);
mutex_init(&ec_dev->lock);
+ lockdep_set_class(&ec_dev->lock, &ec_dev->lockdep_key);
err = cros_ec_query_all(ec_dev);
if (err) {
dev_err(dev, "Cannot identify the EC: error %d\n", err);
- return err;
+ goto destroy_mutex;
}
if (ec_dev->irq > 0) {
@@ -217,7 +219,7 @@ int cros_ec_register(struct cros_ec_devi
if (err) {
dev_err(dev, "Failed to request IRQ %d: %d",
ec_dev->irq, err);
- return err;
+ goto destroy_mutex;
}
}
@@ -228,7 +230,8 @@ int cros_ec_register(struct cros_ec_devi
if (IS_ERR(ec_dev->ec)) {
dev_err(ec_dev->dev,
"Failed to create CrOS EC platform device\n");
- return PTR_ERR(ec_dev->ec);
+ err = PTR_ERR(ec_dev->ec);
+ goto destroy_mutex;
}
if (ec_dev->max_passthru) {
@@ -294,6 +297,9 @@ int cros_ec_register(struct cros_ec_devi
exit:
platform_device_unregister(ec_dev->ec);
platform_device_unregister(ec_dev->pd);
+destroy_mutex:
+ mutex_destroy(&ec_dev->lock);
+ lockdep_unregister_key(&ec_dev->lockdep_key);
return err;
}
EXPORT_SYMBOL(cros_ec_register);
@@ -311,6 +317,8 @@ void cros_ec_unregister(struct cros_ec_d
if (ec_dev->pd)
platform_device_unregister(ec_dev->pd);
platform_device_unregister(ec_dev->ec);
+ mutex_destroy(&ec_dev->lock);
+ lockdep_unregister_key(&ec_dev->lockdep_key);
}
EXPORT_SYMBOL(cros_ec_unregister);
--- a/include/linux/platform_data/cros_ec_proto.h
+++ b/include/linux/platform_data/cros_ec_proto.h
@@ -9,6 +9,7 @@
#define __LINUX_CROS_EC_PROTO_H
#include <linux/device.h>
+#include <linux/lockdep_types.h>
#include <linux/mutex.h>
#include <linux/notifier.h>
@@ -114,6 +115,8 @@ struct cros_ec_command {
* command. The caller should check msg.result for the EC's result
* code.
* @pkt_xfer: Send packet to EC and get response.
+ * @lockdep_key: Lockdep class for each instance. Unused if CONFIG_LOCKDEP is
+ * not enabled.
* @lock: One transaction at a time.
* @mkbp_event_supported: 0 if MKBP not supported. Otherwise its value is
* the maximum supported version of the MKBP host event
@@ -159,6 +162,7 @@ struct cros_ec_device {
struct cros_ec_command *msg);
int (*pkt_xfer)(struct cros_ec_device *ec,
struct cros_ec_command *msg);
+ struct lock_class_key lockdep_key;
struct mutex lock;
u8 mkbp_event_supported;
bool host_sleep_v1;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 539/644] platform/chrome: cros_ec: remove unneeded label and if-condition
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (537 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 538/644] platform/chrome: cros_ec: Use per-device lockdep key Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 540/644] platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() Greg Kroah-Hartman
` (110 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tzung-Bi Shih, Guenter Roeck,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
[ Upstream commit 554ec02c97254962bbb0a8776c3160d294fc7e51 ]
Both `ec_dev->ec` and `ec_dev->pd` are initialized to NULL at the
beginning of cros_ec_register(). Also, platform_device_unregister()
takes care if the given platform_device is NULL.
Remove the unneeded goto-label and if-condition.
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Link: https://lore.kernel.org/r/20230308031247.2866401-1-tzungbi@kernel.org
Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/platform/chrome/cros_ec.c
+++ b/drivers/platform/chrome/cros_ec.c
@@ -207,7 +207,7 @@ int cros_ec_register(struct cros_ec_devi
err = cros_ec_query_all(ec_dev);
if (err) {
dev_err(dev, "Cannot identify the EC: error %d\n", err);
- goto destroy_mutex;
+ goto exit;
}
if (ec_dev->irq > 0) {
@@ -219,7 +219,7 @@ int cros_ec_register(struct cros_ec_devi
if (err) {
dev_err(dev, "Failed to request IRQ %d: %d",
ec_dev->irq, err);
- goto destroy_mutex;
+ goto exit;
}
}
@@ -231,7 +231,7 @@ int cros_ec_register(struct cros_ec_devi
dev_err(ec_dev->dev,
"Failed to create CrOS EC platform device\n");
err = PTR_ERR(ec_dev->ec);
- goto destroy_mutex;
+ goto exit;
}
if (ec_dev->max_passthru) {
@@ -297,7 +297,6 @@ int cros_ec_register(struct cros_ec_devi
exit:
platform_device_unregister(ec_dev->ec);
platform_device_unregister(ec_dev->pd);
-destroy_mutex:
mutex_destroy(&ec_dev->lock);
lockdep_unregister_key(&ec_dev->lockdep_key);
return err;
@@ -314,8 +313,7 @@ EXPORT_SYMBOL(cros_ec_register);
*/
void cros_ec_unregister(struct cros_ec_device *ec_dev)
{
- if (ec_dev->pd)
- platform_device_unregister(ec_dev->pd);
+ platform_device_unregister(ec_dev->pd);
platform_device_unregister(ec_dev->ec);
mutex_destroy(&ec_dev->lock);
lockdep_unregister_key(&ec_dev->lockdep_key);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 540/644] platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (538 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 539/644] platform/chrome: cros_ec: remove unneeded label and if-condition Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 541/644] net/sched: sch_ets: properly init all active DRR list handles Greg Kroah-Hartman
` (109 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benson Leung, Tzung-Bi Shih,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
[ Upstream commit e2374953461947eee49f69b3e3204ff080ef31b1 ]
The blocking notifier is registered in cros_ec_register(); however, it
isn't unregistered in cros_ec_unregister().
Fix it.
Fixes: 42cd0ab476e2 ("platform/chrome: cros_ec: Query EC protocol version if EC transitions between RO/RW")
Cc: stable@vger.kernel.org
Reviewed-by: Benson Leung <bleung@chromium.org>
Link: https://lore.kernel.org/r/20250722120513.234031-1-tzungbi@kernel.org
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/platform/chrome/cros_ec.c
+++ b/drivers/platform/chrome/cros_ec.c
@@ -313,6 +313,9 @@ EXPORT_SYMBOL(cros_ec_register);
*/
void cros_ec_unregister(struct cros_ec_device *ec_dev)
{
+ if (ec_dev->mkbp_event_supported)
+ blocking_notifier_chain_unregister(&ec_dev->event_notifier,
+ &ec_dev->notifier_ready);
platform_device_unregister(ec_dev->pd);
platform_device_unregister(ec_dev->ec);
mutex_destroy(&ec_dev->lock);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 541/644] net/sched: sch_ets: properly init all active DRR list handles
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (539 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 540/644] platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 542/644] net_sched: sch_ets: implement lockless ets_dump() Greg Kroah-Hartman
` (108 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Wang, Davide Caratti,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davide Caratti <dcaratti@redhat.com>
[ Upstream commit 454d3e1ae057a1e09a15905b06b860f60d6c14d0 ]
leaf classes of ETS qdiscs are served in strict priority or deficit round
robin (DRR), depending on the value of 'nstrict'. Since this value can be
changed while traffic is running, we need to be sure that the active list
of DRR classes can be updated at any time, so:
1) call INIT_LIST_HEAD(&alist) on all leaf classes in .init(), before the
first packet hits any of them.
2) ensure that 'alist' is not overwritten with zeros when a leaf class is
no more strict priority nor DRR (i.e. array elements beyond 'nbands').
Link: https://lore.kernel.org/netdev/YS%2FoZ+f0Nr8eQkzH@dcaratti.users.ipa.redhat.com
Suggested-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_ets.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -666,7 +666,6 @@ static int ets_qdisc_change(struct Qdisc
q->nbands = nbands;
for (i = nstrict; i < q->nstrict; i++) {
- INIT_LIST_HEAD(&q->classes[i].alist);
if (q->classes[i].qdisc->q.qlen) {
list_add_tail(&q->classes[i].alist, &q->active);
q->classes[i].deficit = quanta[i];
@@ -694,7 +693,11 @@ static int ets_qdisc_change(struct Qdisc
ets_offload_change(sch);
for (i = q->nbands; i < oldbands; i++) {
qdisc_put(q->classes[i].qdisc);
- memset(&q->classes[i], 0, sizeof(q->classes[i]));
+ q->classes[i].qdisc = NULL;
+ q->classes[i].quantum = 0;
+ q->classes[i].deficit = 0;
+ memset(&q->classes[i].bstats, 0, sizeof(q->classes[i].bstats));
+ memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
}
return 0;
}
@@ -703,7 +706,7 @@ static int ets_qdisc_init(struct Qdisc *
struct netlink_ext_ack *extack)
{
struct ets_sched *q = qdisc_priv(sch);
- int err;
+ int err, i;
if (!opt)
return -EINVAL;
@@ -713,6 +716,9 @@ static int ets_qdisc_init(struct Qdisc *
return err;
INIT_LIST_HEAD(&q->active);
+ for (i = 0; i < TCQ_ETS_MAX_BANDS; i++)
+ INIT_LIST_HEAD(&q->classes[i].alist);
+
return ets_qdisc_change(sch, opt, extack);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 542/644] net_sched: sch_ets: implement lockless ets_dump()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (540 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 541/644] net/sched: sch_ets: properly init all active DRR list handles Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 543/644] net/sched: ets: use old nbands while purging unused classes Greg Kroah-Hartman
` (107 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Simon Horman,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c5f1dde7f731e7bf2e7c169ca42cb4989fc2f8b9 ]
Instead of relying on RTNL, ets_dump() can use READ_ONCE()
annotations, paired with WRITE_ONCE() ones in ets_change().
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_ets.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -664,7 +664,7 @@ static int ets_qdisc_change(struct Qdisc
sch_tree_lock(sch);
- q->nbands = nbands;
+ WRITE_ONCE(q->nbands, nbands);
for (i = nstrict; i < q->nstrict; i++) {
if (q->classes[i].qdisc->q.qlen) {
list_add_tail(&q->classes[i].alist, &q->active);
@@ -676,11 +676,11 @@ static int ets_qdisc_change(struct Qdisc
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
- q->nstrict = nstrict;
+ WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
for (i = 0; i < q->nbands; i++)
- q->classes[i].quantum = quanta[i];
+ WRITE_ONCE(q->classes[i].quantum, quanta[i]);
for (i = oldbands; i < q->nbands; i++) {
q->classes[i].qdisc = queues[i];
@@ -694,7 +694,7 @@ static int ets_qdisc_change(struct Qdisc
for (i = q->nbands; i < oldbands; i++) {
qdisc_put(q->classes[i].qdisc);
q->classes[i].qdisc = NULL;
- q->classes[i].quantum = 0;
+ WRITE_ONCE(q->classes[i].quantum, 0);
q->classes[i].deficit = 0;
memset(&q->classes[i].bstats, 0, sizeof(q->classes[i].bstats));
memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
@@ -751,6 +751,7 @@ static int ets_qdisc_dump(struct Qdisc *
struct ets_sched *q = qdisc_priv(sch);
struct nlattr *opts;
struct nlattr *nest;
+ u8 nbands, nstrict;
int band;
int prio;
int err;
@@ -763,21 +764,22 @@ static int ets_qdisc_dump(struct Qdisc *
if (!opts)
goto nla_err;
- if (nla_put_u8(skb, TCA_ETS_NBANDS, q->nbands))
+ nbands = READ_ONCE(q->nbands);
+ if (nla_put_u8(skb, TCA_ETS_NBANDS, nbands))
goto nla_err;
- if (q->nstrict &&
- nla_put_u8(skb, TCA_ETS_NSTRICT, q->nstrict))
+ nstrict = READ_ONCE(q->nstrict);
+ if (nstrict && nla_put_u8(skb, TCA_ETS_NSTRICT, nstrict))
goto nla_err;
- if (q->nbands > q->nstrict) {
+ if (nbands > nstrict) {
nest = nla_nest_start(skb, TCA_ETS_QUANTA);
if (!nest)
goto nla_err;
- for (band = q->nstrict; band < q->nbands; band++) {
+ for (band = nstrict; band < nbands; band++) {
if (nla_put_u32(skb, TCA_ETS_QUANTA_BAND,
- q->classes[band].quantum))
+ READ_ONCE(q->classes[band].quantum)))
goto nla_err;
}
@@ -789,7 +791,8 @@ static int ets_qdisc_dump(struct Qdisc *
goto nla_err;
for (prio = 0; prio <= TC_PRIO_MAX; prio++) {
- if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, q->prio2band[prio]))
+ if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND,
+ READ_ONCE(q->prio2band[prio])))
goto nla_err;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 543/644] net/sched: ets: use old nbands while purging unused classes
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (541 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 542/644] net_sched: sch_ets: implement lockless ets_dump() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 544/644] KVM: VMX: Flush shadow VMCS on emergency reboot Greg Kroah-Hartman
` (106 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Shuang, Petr Machata, Ivan Vecera,
Davide Caratti, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Davide Caratti <dcaratti@redhat.com>
[ Upstream commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 ]
Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()
after recent changes from Lion [2]. The problem is: in ets_qdisc_change()
we purge unused DWRR queues; the value of 'q->nbands' is the new one, and
the cleanup should be done with the old one. The problem is here since my
first attempts to fix ets_qdisc_change(), but it surfaced again after the
recent qdisc len accounting fixes. Fix it purging idle DWRR queues before
assigning a new value of 'q->nbands', so that all purge operations find a
consistent configuration:
- old 'q->nbands' because it's needed by ets_class_find()
- old 'q->nstrict' because it's needed by ets_class_is_strict()
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)
Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021
RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80
Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab
RSP: 0018:ffffba186009f400 EFLAGS: 00010202
RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004
RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004
R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000
R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000
FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
ets_class_qlen_notify+0x65/0x90 [sch_ets]
qdisc_tree_reduce_backlog+0x74/0x110
ets_qdisc_change+0x630/0xa40 [sch_ets]
__tc_modify_qdisc.constprop.0+0x216/0x7f0
tc_modify_qdisc+0x7c/0x120
rtnetlink_rcv_msg+0x145/0x3f0
netlink_rcv_skb+0x53/0x100
netlink_unicast+0x245/0x390
netlink_sendmsg+0x21b/0x470
____sys_sendmsg+0x39d/0x3d0
___sys_sendmsg+0x9a/0xe0
__sys_sendmsg+0x7a/0xd0
do_syscall_64+0x7d/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f2155114084
Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084
RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003
RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f
R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0
R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0
</TASK>
[1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/
[2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
Cc: stable@vger.kernel.org
Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty")
Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list")
Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
Reported-by: Li Shuang <shuali@redhat.com>
Closes: https://issues.redhat.com/browse/RHEL-108026
Reviewed-by: Petr Machata <petrm@nvidia.com>
Co-developed-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_ets.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -664,6 +664,12 @@ static int ets_qdisc_change(struct Qdisc
sch_tree_lock(sch);
+ for (i = nbands; i < oldbands; i++) {
+ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
+ list_del_init(&q->classes[i].alist);
+ qdisc_purge_queue(q->classes[i].qdisc);
+ }
+
WRITE_ONCE(q->nbands, nbands);
for (i = nstrict; i < q->nstrict; i++) {
if (q->classes[i].qdisc->q.qlen) {
@@ -671,11 +677,6 @@ static int ets_qdisc_change(struct Qdisc
q->classes[i].deficit = quanta[i];
}
}
- for (i = q->nbands; i < oldbands; i++) {
- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
- list_del_init(&q->classes[i].alist);
- qdisc_purge_queue(q->classes[i].qdisc);
- }
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 544/644] KVM: VMX: Flush shadow VMCS on emergency reboot
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (542 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 543/644] net/sched: ets: use old nbands while purging unused classes Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 545/644] btrfs: populate otime when logging an inode item Greg Kroah-Hartman
` (105 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Gao, Kai Huang,
Sean Christopherson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Gao <chao.gao@intel.com>
[ Upstream commit a0ee1d5faff135e28810f29e0f06328c66f89852 ]
Ensure the shadow VMCS cache is evicted during an emergency reboot to
prevent potential memory corruption if the cache is evicted after reboot.
This issue was identified through code inspection, as __loaded_vmcs_clear()
flushes both the normal VMCS and the shadow VMCS.
Avoid checking the "launched" state during an emergency reboot, unlike the
behavior in __loaded_vmcs_clear(). This is important because reboot NMIs
can interfere with operations like copy_shadow_to_vmcs12(), where shadow
VMCSes are loaded directly using VMPTRLD. In such cases, if NMIs occur
right after the VMCS load, the shadow VMCSes will be active but the
"launched" state may not be set.
Fixes: 16f5b9034b69 ("KVM: nVMX: Copy processor-specific shadow-vmcs to VMCS12")
Cc: stable@vger.kernel.org
Signed-off-by: Chao Gao <chao.gao@intel.com>
Reviewed-by: Kai Huang <kai.huang@intel.com>
Link: https://lore.kernel.org/r/20250324140849.2099723-1-chao.gao@intel.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ adjusted context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/vmx.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -681,8 +681,11 @@ static void crash_vmclear_local_loaded_v
struct loaded_vmcs *v;
list_for_each_entry(v, &per_cpu(loaded_vmcss_on_cpu, cpu),
- loaded_vmcss_on_cpu_link)
+ loaded_vmcss_on_cpu_link) {
vmcs_clear(v->vmcs);
+ if (v->shadow_vmcs)
+ vmcs_clear(v->shadow_vmcs);
+ }
}
#endif /* CONFIG_KEXEC_CORE */
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 545/644] btrfs: populate otime when logging an inode item
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (543 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 544/644] KVM: VMX: Flush shadow VMCS on emergency reboot Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 546/644] sch_drr: make drr_qlen_notify() idempotent Greg Kroah-Hartman
` (104 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 1ef94169db0958d6de39f9ea6e063ce887342e2d ]
[TEST FAILURE WITH EXPERIMENTAL FEATURES]
When running test case generic/508, the test case will fail with the new
btrfs shutdown support:
generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad)
# --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930
# +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930
# @@ -1,2 +1,6 @@
# QA output created by 508
# Silence is golden
# +Before:
# +After : stat.btime = Thu Jan 1 09:30:00 1970
# +Before:
# +After : stat.btime = Wed Jul 2 14:53:22 2025
# ...
# (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff)
Ran: generic/508
Failures: generic/508
Failed 1 of 1 tests
Please note that the test case requires shutdown support, thus the test
case will be skipped using the current upstream kernel, as it doesn't
have shutdown ioctl support.
[CAUSE]
The direct cause the 0 time stamp in the log tree:
leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG
leaf 30507008 flags 0x1(WRITTEN) backref revision 1
checksum stored e522548d
checksum calced e522548d
fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160
generation 9 transid 9 size 0 nbytes 0
block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0
sequence 1 flags 0x0(none)
atime 1751432947.492000000 (2025-07-02 14:39:07)
ctime 1751432947.492000000 (2025-07-02 14:39:07)
mtime 1751432947.492000000 (2025-07-02 14:39:07)
otime 0.0 (1970-01-01 09:30:00) <<<
But the old fs tree has all the correct time stamp:
btrfs-progs v6.12
fs tree key (FS_TREE ROOT_ITEM 0)
leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE
leaf 30425088 flags 0x1(WRITTEN) backref revision 1
checksum stored 48f6c57e
checksum calced 48f6c57e
fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
generation 3 transid 0 size 0 nbytes 16384
block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0
sequence 0 flags 0x0(none)
atime 1751432947.0 (2025-07-02 14:39:07)
ctime 1751432947.0 (2025-07-02 14:39:07)
mtime 1751432947.0 (2025-07-02 14:39:07)
otime 1751432947.0 (2025-07-02 14:39:07) <<<
The root cause is that fill_inode_item() in tree-log.c is only
populating a/c/m time, not the otime (or btime in statx output).
Part of the reason is that, the vfs inode only has a/c/m time, no native
btime support yet.
[FIX]
Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and
btrfs_inode::i_otime_nsec.
So what we really need is just fill the otime time stamp in
fill_inode_item() of tree-log.c
There is another fill_inode_item() in inode.c, which is doing the proper
otime population.
Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing")
CC: stable@vger.kernel.org
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[ timespec changes in older tree ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-log.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -4000,6 +4000,11 @@ static void fill_inode_item(struct btrfs
btrfs_set_token_timespec_nsec(&token, &item->ctime,
inode->i_ctime.tv_nsec);
+ btrfs_set_token_timespec_sec(&token, &item->otime,
+ BTRFS_I(inode)->i_otime.tv_sec);
+ btrfs_set_token_timespec_nsec(&token, &item->otime,
+ BTRFS_I(inode)->i_otime.tv_nsec);
+
/*
* We do not need to set the nbytes field, in fact during a fast fsync
* its value may not even be correct, since a fast fsync does not wait
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 546/644] sch_drr: make drr_qlen_notify() idempotent
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (544 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 545/644] btrfs: populate otime when logging an inode item Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 547/644] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
` (103 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Cong Wang, Simon Horman,
Jamal Hadi Salim, Paolo Abeni, Siddh Raman Pant
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit df008598b3a00be02a8051fde89ca0fbc416bd55 upstream.
drr_qlen_notify() always deletes the DRR class from its active list
with list_del(), therefore, it is not idempotent and not friendly
to its callers, like fq_codel_dequeue().
Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers'
life. Also change other list_del()'s to list_del_init() just to be
extra safe.
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211033.166059-3-xiyou.wangcong@gmail.com
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_drr.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/net/sched/sch_drr.c
+++ b/net/sched/sch_drr.c
@@ -111,6 +111,7 @@ static int drr_change_class(struct Qdisc
if (cl == NULL)
return -ENOBUFS;
+ INIT_LIST_HEAD(&cl->alist);
cl->common.classid = classid;
cl->quantum = quantum;
cl->qdisc = qdisc_create_dflt(sch->dev_queue,
@@ -235,7 +236,7 @@ static void drr_qlen_notify(struct Qdisc
{
struct drr_class *cl = (struct drr_class *)arg;
- list_del(&cl->alist);
+ list_del_init(&cl->alist);
}
static int drr_dump_class(struct Qdisc *sch, unsigned long arg,
@@ -402,7 +403,7 @@ static struct sk_buff *drr_dequeue(struc
if (unlikely(skb == NULL))
goto out;
if (cl->qdisc->q.qlen == 0)
- list_del(&cl->alist);
+ list_del_init(&cl->alist);
bstats_update(&cl->bstats, skb);
qdisc_bstats_update(sch, skb);
@@ -443,7 +444,7 @@ static void drr_reset_qdisc(struct Qdisc
for (i = 0; i < q->clhash.hashsize; i++) {
hlist_for_each_entry(cl, &q->clhash.hash[i], common.hnode) {
if (cl->qdisc->q.qlen)
- list_del(&cl->alist);
+ list_del_init(&cl->alist);
qdisc_reset(cl->qdisc);
}
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 547/644] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (545 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 546/644] sch_drr: make drr_qlen_notify() idempotent Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 548/644] sch_htb: make htb_deactivate() idempotent Greg Kroah-Hartman
` (102 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerrard Tai, Cong Wang, Simon Horman,
Jamal Hadi Salim, Paolo Abeni, Siddh Raman Pant
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit 342debc12183b51773b3345ba267e9263bdfaaef upstream.
After making all ->qlen_notify() callbacks idempotent, now it is safe to
remove the check of qlen!=0 from both fq_codel_dequeue() and
codel_qdisc_dequeue().
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211636.166257-1-xiyou.wangcong@gmail.com
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_codel.c | 5 +----
net/sched/sch_fq_codel.c | 6 ++----
2 files changed, 3 insertions(+), 8 deletions(-)
--- a/net/sched/sch_codel.c
+++ b/net/sched/sch_codel.c
@@ -95,10 +95,7 @@ static struct sk_buff *codel_qdisc_deque
&q->stats, qdisc_pkt_len, codel_get_enqueue_time,
drop_func, dequeue_func);
- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
- * or HTB crashes. Defer it for next round.
- */
- if (q->stats.drop_count && sch->q.qlen) {
+ if (q->stats.drop_count) {
qdisc_tree_reduce_backlog(sch, q->stats.drop_count, q->stats.drop_len);
q->stats.drop_count = 0;
q->stats.drop_len = 0;
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -314,10 +314,8 @@ begin:
}
qdisc_bstats_update(sch, skb);
flow->deficit -= qdisc_pkt_len(skb);
- /* We cant call qdisc_tree_reduce_backlog() if our qlen is 0,
- * or HTB crashes. Defer it for next round.
- */
- if (q->cstats.drop_count && sch->q.qlen) {
+
+ if (q->cstats.drop_count) {
qdisc_tree_reduce_backlog(sch, q->cstats.drop_count,
q->cstats.drop_len);
q->cstats.drop_count = 0;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 548/644] sch_htb: make htb_deactivate() idempotent
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (546 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 547/644] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 549/644] PCI: vmd: Assign VMD IRQ domain before enumeration Greg Kroah-Hartman
` (101 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alan J. Wylie, Cong Wang,
Jakub Kicinski, Siddh Raman Pant
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit 3769478610135e82b262640252d90f6efb05be71 upstream.
Alan reported a NULL pointer dereference in htb_next_rb_node()
after we made htb_qlen_notify() idempotent.
It turns out in the following case it introduced some regression:
htb_dequeue_tree():
|-> fq_codel_dequeue()
|-> qdisc_tree_reduce_backlog()
|-> htb_qlen_notify()
|-> htb_deactivate()
|-> htb_next_rb_node()
|-> htb_deactivate()
For htb_next_rb_node(), after calling the 1st htb_deactivate(), the
clprio[prio]->ptr could be already set to NULL, which means
htb_next_rb_node() is vulnerable here.
For htb_deactivate(), although we checked qlen before calling it, in
case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again
which triggers the warning inside.
To fix the issues here, we need to:
1) Make htb_deactivate() idempotent, that is, simply return if we
already call it before.
2) Make htb_next_rb_node() safe against ptr==NULL.
Many thanks to Alan for testing and for the reproducer.
Fixes: 5ba8b837b522 ("sch_htb: make htb_qlen_notify() idempotent")
Reported-by: Alan J. Wylie <alan@wylie.me.uk>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://patch.msgid.link/20250428232955.1740419-2-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_htb.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -345,7 +345,8 @@ static void htb_add_to_wait_tree(struct
*/
static inline void htb_next_rb_node(struct rb_node **n)
{
- *n = rb_next(*n);
+ if (*n)
+ *n = rb_next(*n);
}
/**
@@ -606,8 +607,8 @@ static inline void htb_activate(struct h
*/
static inline void htb_deactivate(struct htb_sched *q, struct htb_class *cl)
{
- WARN_ON(!cl->prio_activity);
-
+ if (!cl->prio_activity)
+ return;
htb_deactivate_prios(q, cl);
cl->prio_activity = 0;
}
@@ -1506,8 +1507,6 @@ static void htb_qlen_notify(struct Qdisc
{
struct htb_class *cl = (struct htb_class *)arg;
- if (!cl->prio_activity)
- return;
htb_deactivate(qdisc_priv(sch), cl);
}
@@ -1762,8 +1761,7 @@ static int htb_delete(struct Qdisc *sch,
if (cl->parent)
cl->parent->children--;
- if (cl->prio_activity)
- htb_deactivate(q, cl);
+ htb_deactivate(q, cl);
if (cl->cmode != HTB_CAN_SEND)
htb_safe_rb_erase(&cl->pq_node,
@@ -1975,8 +1973,7 @@ static int htb_change_class(struct Qdisc
/* turn parent into inner node */
qdisc_purge_queue(parent->leaf.q);
parent_qdisc = parent->leaf.q;
- if (parent->prio_activity)
- htb_deactivate(q, parent);
+ htb_deactivate(q, parent);
/* remove from evt list because of level change */
if (parent->cmode != HTB_CAN_SEND) {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 549/644] PCI: vmd: Assign VMD IRQ domain before enumeration
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (547 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 548/644] sch_htb: make htb_deactivate() idempotent Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 550/644] ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value Greg Kroah-Hartman
` (100 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nirmal Patel, Lorenzo Pieralisi,
Artur Piechocki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nirmal Patel <nirmal.patel@linux.intel.com>
commit 886e67100b904cb1b106ed1dfa8a60696aff519a upstream.
During the boot process all the PCI devices are assigned default PCI-MSI
IRQ domain including VMD endpoint devices. If interrupt-remapping is
enabled by IOMMU, the PCI devices except VMD get new INTEL-IR-MSI IRQ
domain. And VMD is supposed to create and assign a separate VMD-MSI IRQ
domain for its child devices in order to support MSI-X remapping
capabilities.
Now when MSI-X remapping in VMD is disabled in order to improve
performance, VMD skips VMD-MSI IRQ domain assignment process to its
child devices. Thus the devices behind VMD get default PCI-MSI IRQ
domain instead of INTEL-IR-MSI IRQ domain when VMD creates root bus and
configures child devices.
As a result host OS fails to boot and DMAR errors were observed when
interrupt remapping was enabled on Intel Icelake CPUs. For instance:
DMAR: DRHD: handling fault status reg 2
DMAR: [INTR-REMAP] Request device [0xe2:0x00.0] fault index 0xa00 [fault reason 0x25] Blocked a compatibility format interrupt request
To fix this issue, dev_msi_info struct in dev struct maintains correct
value of IRQ domain. VMD will use this information to assign proper IRQ
domain to its child devices when it doesn't create a separate IRQ domain.
Link: https://lore.kernel.org/r/20220511095707.25403-2-nirmal.patel@linux.intel.com
Signed-off-by: Nirmal Patel <nirmal.patel@linux.intel.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
[ This patch has already been backported to the Ubuntu 5.15 kernel
and fixes boot issues on Intel platforms with VMD rev 04,
confirmed on version 5.15.189. ]
Signed-off-by: Artur Piechocki <artur.piechocki@open-e.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/vmd.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/pci/controller/vmd.c
+++ b/drivers/pci/controller/vmd.c
@@ -799,6 +799,9 @@ static int vmd_enable_domain(struct vmd_
vmd_attach_resources(vmd);
if (vmd->irq_domain)
dev_set_msi_domain(&vmd->bus->dev, vmd->irq_domain);
+ else
+ dev_set_msi_domain(&vmd->bus->dev,
+ dev_get_msi_domain(&vmd->dev->dev));
WARN(sysfs_create_link(&vmd->dev->dev.kobj, &vmd->bus->dev.kobj,
"domain"), "Can't create symlink to domain\n");
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 550/644] ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (548 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 549/644] PCI: vmd: Assign VMD IRQ domain before enumeration Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 551/644] kbuild: userprogs: use correct linker when mixing clang and GNU ld Greg Kroah-Hartman
` (99 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Zhong, Rafael J. Wysocki,
Teddy Astie, Yann Sionneau, Dillon C
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Zhong <floridsleeves@gmail.com>
commit 2437513a814b3e93bd02879740a8a06e52e2cf7d upstream.
The return value of acpi_fetch_acpi_dev() could be NULL, which would
cause a NULL pointer dereference to occur in acpi_device_hid().
Signed-off-by: Li Zhong <floridsleeves@gmail.com>
[ rjw: Subject and changelog edits, added empty line after if () ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
Signed-off-by: Yann Sionneau <yann.sionneau@vates.tech>
Reported-by: Dillon C <dchan@dchan.tech>
Tested-by: Dillon C <dchan@dchan.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/processor_idle.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/acpi/processor_idle.c
+++ b/drivers/acpi/processor_idle.c
@@ -1125,7 +1125,9 @@ static int acpi_processor_get_lpi_info(s
status = acpi_get_parent(handle, &pr_ahandle);
while (ACPI_SUCCESS(status)) {
- acpi_bus_get_device(pr_ahandle, &d);
+ if (acpi_bus_get_device(pr_ahandle, &d))
+ break;
+
handle = pr_ahandle;
if (strcmp(acpi_device_hid(d), ACPI_PROCESSOR_CONTAINER_HID))
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 551/644] kbuild: userprogs: use correct linker when mixing clang and GNU ld
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (549 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 550/644] ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 552/644] selftests: mptcp: make sendfile selftest work Greg Kroah-Hartman
` (98 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Nathan Chancellor, Masahiro Yamada
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit 936599ca514973d44a766b7376c6bbdc96b6a8cc upstream.
The userprogs infrastructure does not expect clang being used with GNU ld
and in that case uses /usr/bin/ld for linking, not the configured $(LD).
This fallback is problematic as it will break when cross-compiling.
Mixing clang and GNU ld is used for example when building for SPARC64,
as ld.lld is not sufficient; see Documentation/kbuild/llvm.rst.
Relax the check around --ld-path so it gets used for all linkers.
Fixes: dfc1b168a8c4 ("kbuild: userprogs: use correct lld when linking through clang")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
[nathan: Work around wrapping '--ld-path' in cc-option in older stable
branches due to older minimum LLVM version]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Makefile
+++ b/Makefile
@@ -1130,7 +1130,7 @@ KBUILD_USERCFLAGS += $(filter -m32 -m64
KBUILD_USERLDFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS))
# userspace programs are linked via the compiler, use the correct linker
-ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_LD_IS_LLD),yy)
+ifdef CONFIG_CC_IS_CLANG
KBUILD_USERLDFLAGS += $(call cc-option, --ld-path=$(LD))
endif
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 552/644] selftests: mptcp: make sendfile selftest work
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (550 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 551/644] kbuild: userprogs: use correct linker when mixing clang and GNU ld Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 553/644] selftests: mptcp: connect: also cover alt modes Greg Kroah-Hartman
` (97 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiumei Mu, Mat Martineau,
Florian Westphal, David S. Miller, Matthieu Baerts (NGI0)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit df9e03aec3b14970df05b72d54f8ac9da3ab29e1 upstream.
When the selftest got added, sendfile() on mptcp sockets returned
-EOPNOTSUPP, so running 'mptcp_connect.sh -m sendfile' failed
immediately.
This is no longer the case, but the script fails anyway due to timeout.
Let the receiver know once the sender has sent all data, just like
with '-m mmap' mode.
v2: need to respect cfg_wait too, as pm_userspace.sh relied
on -m sendfile to keep the connection open (Mat Martineau)
Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp")
Reported-by: Xiumei Mu <xmu@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_connect.c | 26 ++++++++++++++--------
1 file changed, 17 insertions(+), 9 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
@@ -451,6 +451,18 @@ static void set_nonblock(int fd)
fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}
+static void shut_wr(int fd)
+{
+ /* Close our write side, ev. give some time
+ * for address notification and/or checking
+ * the current status
+ */
+ if (cfg_wait)
+ usleep(cfg_wait);
+
+ shutdown(fd, SHUT_WR);
+}
+
static int copyfd_io_poll(int infd, int peerfd, int outfd, bool *in_closed_after_out)
{
struct pollfd fds = {
@@ -528,14 +540,7 @@ static int copyfd_io_poll(int infd, int
/* ... and peer also closed already */
break;
- /* ... but we still receive.
- * Close our write side, ev. give some time
- * for address notification and/or checking
- * the current status
- */
- if (cfg_wait)
- usleep(cfg_wait);
- shutdown(peerfd, SHUT_WR);
+ shut_wr(peerfd);
} else {
if (errno == EINTR)
continue;
@@ -666,7 +671,7 @@ static int copyfd_io_mmap(int infd, int
if (err)
return err;
- shutdown(peerfd, SHUT_WR);
+ shut_wr(peerfd);
err = do_recvfile(peerfd, outfd);
*in_closed_after_out = true;
@@ -690,6 +695,9 @@ static int copyfd_io_sendfile(int infd,
err = do_sendfile(infd, peerfd, size);
if (err)
return err;
+
+ shut_wr(peerfd);
+
err = do_recvfile(peerfd, outfd);
*in_closed_after_out = true;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 553/644] selftests: mptcp: connect: also cover alt modes
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (551 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 552/644] selftests: mptcp: make sendfile selftest work Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 554/644] selftests: mptcp: connect: also cover checksum Greg Kroah-Hartman
` (96 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Matthieu Baerts (NGI0),
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 37848a456fc38c191aedfe41f662cc24db8c23d9 ]
The "mmap" and "sendfile" alternate modes for mptcp_connect.sh/.c are
available from the beginning, but only tested when mptcp_connect.sh is
manually launched with "-m mmap" or "-m sendfile", not via the
kselftests helpers.
The MPTCP CI was manually running "mptcp_connect.sh -m mmap", but not
"-m sendfile". Plus other CIs, especially the ones validating the stable
releases, were not validating these alternate modes.
To make sure these modes are validated by these CIs, add two new test
programs executing mptcp_connect.sh with the alternate modes.
Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp")
Cc: stable@vger.kernel.org
Reviewed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250715-net-mptcp-sft-connect-alt-v2-1-8230ddd82454@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Drop userspace_pm.sh from TEST_PROGS ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/Makefile | 3 ++-
tools/testing/selftests/net/mptcp/mptcp_connect_mmap.sh | 5 +++++
tools/testing/selftests/net/mptcp/mptcp_connect_sendfile.sh | 5 +++++
3 files changed, 12 insertions(+), 1 deletion(-)
create mode 100755 tools/testing/selftests/net/mptcp/mptcp_connect_mmap.sh
create mode 100755 tools/testing/selftests/net/mptcp/mptcp_connect_sendfile.sh
--- a/tools/testing/selftests/net/mptcp/Makefile
+++ b/tools/testing/selftests/net/mptcp/Makefile
@@ -5,7 +5,8 @@ KSFT_KHDR_INSTALL := 1
CFLAGS = -Wall -Wl,--no-as-needed -O2 -g -I$(top_srcdir)/usr/include
-TEST_PROGS := mptcp_connect.sh pm_netlink.sh mptcp_join.sh diag.sh \
+TEST_PROGS := mptcp_connect.sh mptcp_connect_mmap.sh mptcp_connect_sendfile.sh \
+ pm_netlink.sh mptcp_join.sh diag.sh \
simult_flows.sh mptcp_sockopt.sh
TEST_GEN_FILES = mptcp_connect pm_nl_ctl
--- /dev/null
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect_mmap.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+
+MPTCP_LIB_KSFT_TEST="$(basename "${0}" .sh)" \
+ "$(dirname "${0}")/mptcp_connect.sh" -m mmap "${@}"
--- /dev/null
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect_sendfile.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+
+MPTCP_LIB_KSFT_TEST="$(basename "${0}" .sh)" \
+ "$(dirname "${0}")/mptcp_connect.sh" -m sendfile "${@}"
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 554/644] selftests: mptcp: connect: also cover checksum
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (552 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 553/644] selftests: mptcp: connect: also cover alt modes Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 555/644] selftests: mptcp: add missing join check Greg Kroah-Hartman
` (95 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Matthieu Baerts (NGI0),
Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
commit fdf0f60a2bb02ba581d9e71d583e69dd0714a521 upstream.
The checksum mode has been added a while ago, but it is only validated
when manually launching mptcp_connect.sh with "-C".
The different CIs were then not validating these MPTCP Connect tests
with checksum enabled. To make sure they do, add a new test program
executing mptcp_connect.sh with the checksum mode.
Fixes: 94d66ba1d8e4 ("selftests: mptcp: enable checksum in mptcp_connect.sh")
Cc: stable@vger.kernel.org
Reviewed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250715-net-mptcp-sft-connect-alt-v2-2-8230ddd82454@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflict in Makefile, in the context, because userspace_pm.sh test
has been introduced later, in commit 3ddabc433670 ("selftests: mptcp:
validate userspace PM tests by default"), which is not in this
version. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/Makefile | 2 +-
tools/testing/selftests/net/mptcp/mptcp_connect_checksum.sh | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
create mode 100755 tools/testing/selftests/net/mptcp/mptcp_connect_checksum.sh
--- a/tools/testing/selftests/net/mptcp/Makefile
+++ b/tools/testing/selftests/net/mptcp/Makefile
@@ -6,7 +6,7 @@ KSFT_KHDR_INSTALL := 1
CFLAGS = -Wall -Wl,--no-as-needed -O2 -g -I$(top_srcdir)/usr/include
TEST_PROGS := mptcp_connect.sh mptcp_connect_mmap.sh mptcp_connect_sendfile.sh \
- pm_netlink.sh mptcp_join.sh diag.sh \
+ mptcp_connect_checksum.sh pm_netlink.sh mptcp_join.sh diag.sh \
simult_flows.sh mptcp_sockopt.sh
TEST_GEN_FILES = mptcp_connect pm_nl_ctl
--- /dev/null
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect_checksum.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+
+MPTCP_LIB_KSFT_TEST="$(basename "${0}" .sh)" \
+ "$(dirname "${0}")/mptcp_connect.sh" -C "${@}"
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 555/644] selftests: mptcp: add missing join check
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (553 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 554/644] selftests: mptcp: connect: also cover checksum Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 556/644] mptcp: fix error mibs accounting Greg Kroah-Hartman
` (94 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts,
Mat Martineau, Jakub Kicinski, Matthieu Baerts (NGI0)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts <matthieu.baerts@tessares.net>
commit 857898eb4b28daf3faca3ae334c78b2bb141475e upstream.
This function also writes the name of the test with its ID, making clear
a new test has been executed.
Without that, the ADD_ADDR results from this test was appended at the
end of the previous test causing confusions. Especially when the second
test was failing, we had:
17 signal invalid addresses syn[ ok ] - synack[ ok ] - ack[ ok ]
add[ ok ] - echo [ ok ]
add[fail] got 2 ADD_ADDR[s] expected 3
In fact, this 17th test was OK but not the 18th one.
Now we have:
17 signal invalid addresses syn[ ok ] - synack[ ok ] - ack[ ok ]
add[ ok ] - echo [ ok ]
18 signal addresses race test syn[fail] got 2 JOIN[s] syn expected 3
- synack[fail] got 2 JOIN[s] synack expected
- ack[fail] got 2 JOIN[s] ack expected 3
add[fail] got 2 ADD_ADDR[s] expected 3
Fixes: 33c563ad28e3 ("selftests: mptcp: add_addr and echo race test")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflict in mptcp_join.sh, because commit 86e39e04482b ("mptcp: keep
track of local endpoint still available for each msk") is not in this
version and changed the context. The same line can still be applied at
the same place. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 1 +
1 file changed, 1 insertion(+)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -1138,6 +1138,7 @@ signal_address_tests()
ip netns exec $ns2 ./pm_nl_ctl add 10.0.3.2 flags signal
ip netns exec $ns2 ./pm_nl_ctl add 10.0.4.2 flags signal
run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr "signal addresses race test" 3 3 3
chk_add_nr 4 4
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 556/644] mptcp: fix error mibs accounting
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (554 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 555/644] selftests: mptcp: add missing join check Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 557/644] mptcp: introduce MAPPING_BAD_CSUM Greg Kroah-Hartman
` (93 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
Jakub Kicinski, Matthieu Baerts (NGI0)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 0c1f78a49af721490a5ad70b73e8b4d382465dae upstream.
The current accounting for MP_FAIL and FASTCLOSE is not very
accurate: both can be increased even when the related option is
not really sent. Move the accounting into the correct place.
Fixes: eb7f33654dc1 ("mptcp: add the mibs for MP_FAIL")
Fixes: 1e75629cb964 ("mptcp: add the mibs for MP_FASTCLOSE")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts, because commit f284c0c77321 ("mptcp: implement fastclose
xmit path") is not in this version. That's OK, the new helper added
by this commit doesn't need to be modified. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/options.c | 1 +
net/mptcp/subflow.c | 4 +---
2 files changed, 2 insertions(+), 3 deletions(-)
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -793,6 +793,7 @@ static bool mptcp_established_options_mp
opts->fail_seq = subflow->map_seq;
pr_debug("MP_FAIL fail_seq=%llu\n", opts->fail_seq);
+ MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_MPFAILTX);
return true;
}
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -963,10 +963,8 @@ static enum mapping_status validate_data
subflow->map_data_csum);
if (unlikely(csum)) {
MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DATACSUMERR);
- if (subflow->mp_join || subflow->valid_csum_seen) {
+ if (subflow->mp_join || subflow->valid_csum_seen)
subflow->send_mp_fail = 1;
- MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_MPFAILTX);
- }
return subflow->mp_join ? MAPPING_INVALID : MAPPING_DUMMY;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 557/644] mptcp: introduce MAPPING_BAD_CSUM
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (555 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 556/644] mptcp: fix error mibs accounting Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 558/644] selftests: mptcp: Initialize variables to quiet gcc 12 warnings Greg Kroah-Hartman
` (92 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
Jakub Kicinski, Matthieu Baerts (NGI0)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 31bf11de146c3f8892093ff39f8f9b3069d6a852 upstream.
This allow moving a couple of conditional out of the fast path,
making the code more easy to follow and will simplify the next
patch.
Fixes: ae66fb2ba6c3 ("mptcp: Do TCP fallback on early DSS checksum failure")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in subflow.c, because commit 0348c690ed37 ("mptcp: add the
fallback check") is not in this version. This commit is linked to a
new feature, changing the context around. The new condition can still
be added at the same place. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -848,7 +848,8 @@ enum mapping_status {
MAPPING_INVALID,
MAPPING_EMPTY,
MAPPING_DATA_FIN,
- MAPPING_DUMMY
+ MAPPING_DUMMY,
+ MAPPING_BAD_CSUM
};
static void dbg_bad_map(struct mptcp_subflow_context *subflow, u32 ssn)
@@ -963,9 +964,7 @@ static enum mapping_status validate_data
subflow->map_data_csum);
if (unlikely(csum)) {
MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DATACSUMERR);
- if (subflow->mp_join || subflow->valid_csum_seen)
- subflow->send_mp_fail = 1;
- return subflow->mp_join ? MAPPING_INVALID : MAPPING_DUMMY;
+ return MAPPING_BAD_CSUM;
}
subflow->valid_csum_seen = 1;
@@ -1188,10 +1187,8 @@ static bool subflow_check_data_avail(str
status = get_mapping_status(ssk, msk);
trace_subflow_check_data_avail(status, skb_peek(&ssk->sk_receive_queue));
- if (unlikely(status == MAPPING_INVALID))
- goto fallback;
-
- if (unlikely(status == MAPPING_DUMMY))
+ if (unlikely(status == MAPPING_INVALID || status == MAPPING_DUMMY ||
+ status == MAPPING_BAD_CSUM))
goto fallback;
if (status != MAPPING_OK)
@@ -1232,7 +1229,10 @@ no_data:
fallback:
/* RFC 8684 section 3.7. */
- if (subflow->send_mp_fail) {
+ if (status == MAPPING_BAD_CSUM &&
+ (subflow->mp_join || subflow->valid_csum_seen)) {
+ subflow->send_mp_fail = 1;
+
if (mptcp_has_another_subflow(ssk) ||
!READ_ONCE(msk->allow_infinite_fallback)) {
while ((skb = skb_peek(&ssk->sk_receive_queue)))
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 558/644] selftests: mptcp: Initialize variables to quiet gcc 12 warnings
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (556 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 557/644] mptcp: introduce MAPPING_BAD_CSUM Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 559/644] mptcp: drop unused sk in mptcp_push_release Greg Kroah-Hartman
` (91 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
Jakub Kicinski, Matthieu Baerts (NGI0)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mat Martineau <mathew.j.martineau@linux.intel.com>
commit fd37c2ecb21f7aee04ccca5f561469f07d00063c upstream.
In a few MPTCP selftest tools, gcc 12 complains that the 'sock' variable
might be used uninitialized. This is a false positive because the only
code path that could lead to uninitialized access is where getaddrinfo()
fails, but the local xgetaddrinfo() wrapper exits if such a failure
occurs.
Initialize the 'sock' variable anyway to allow the tools to build with
gcc 12.
Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp")
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ mptcp_inq.c and mptcp_sockopt.c are not in this version. The fix can
still be applied in mptcp_connect.c without conflicts. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_connect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
+++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
@@ -188,7 +188,7 @@ static void set_mark(int fd, uint32_t ma
static int sock_listen_mptcp(const char * const listenaddr,
const char * const port)
{
- int sock;
+ int sock = -1;
struct addrinfo hints = {
.ai_protocol = IPPROTO_TCP,
.ai_socktype = SOCK_STREAM,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 559/644] mptcp: drop unused sk in mptcp_push_release
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (557 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 558/644] selftests: mptcp: Initialize variables to quiet gcc 12 warnings Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 560/644] mptcp: do not queue data on closed subflows Greg Kroah-Hartman
` (90 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts, Geliang Tang,
Mat Martineau, Jakub Kicinski, Matthieu Baerts (NGI0)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geliang Tang <geliang.tang@suse.com>
commit b8e0def397d7753206b1290e32f73b299a59984c upstream.
Since mptcp_set_timeout() had removed from mptcp_push_release() in
commit 33d41c9cd74c5 ("mptcp: more accurate timeout"), the argument
sk in mptcp_push_release() became useless. Let's drop it.
Fixes: 33d41c9cd74c5 ("mptcp: more accurate timeout")
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Geliang Tang <geliang.tang@suse.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: c886d70286bf ("mptcp: do not queue data on closed subflows")
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -1568,8 +1568,7 @@ static struct sock *mptcp_subflow_get_se
return NULL;
}
-static void mptcp_push_release(struct sock *sk, struct sock *ssk,
- struct mptcp_sendmsg_info *info)
+static void mptcp_push_release(struct sock *ssk, struct mptcp_sendmsg_info *info)
{
tcp_push(ssk, 0, info->mss_now, tcp_sk(ssk)->nonagle, info->size_goal);
release_sock(ssk);
@@ -1626,7 +1625,7 @@ void __mptcp_push_pending(struct sock *s
* the last round, release prev_ssk
*/
if (ssk != prev_ssk && prev_ssk)
- mptcp_push_release(sk, prev_ssk, &info);
+ mptcp_push_release(prev_ssk, &info);
if (!ssk)
goto out;
@@ -1639,7 +1638,7 @@ void __mptcp_push_pending(struct sock *s
ret = mptcp_sendmsg_frag(sk, ssk, dfrag, &info);
if (ret <= 0) {
- mptcp_push_release(sk, ssk, &info);
+ mptcp_push_release(ssk, &info);
goto out;
}
@@ -1654,7 +1653,7 @@ void __mptcp_push_pending(struct sock *s
/* at this point we held the socket lock for the last subflow we used */
if (ssk)
- mptcp_push_release(sk, ssk, &info);
+ mptcp_push_release(ssk, &info);
out:
/* ensure the rtx timer is running */
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 560/644] mptcp: do not queue data on closed subflows
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (558 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 559/644] mptcp: drop unused sk in mptcp_push_release Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 561/644] scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers Greg Kroah-Hartman
` (89 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dipanjan Das, Mat Martineau,
Paolo Abeni, David S. Miller, Matthieu Baerts (NGI0)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit c886d70286bf3ad411eb3d689328a67f7102c6ae upstream.
Dipanjan reported a syzbot splat at close time:
WARNING: CPU: 1 PID: 10818 at net/ipv4/af_inet.c:153
inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153
Modules linked in: uio_ivshmem(OE) uio(E)
CPU: 1 PID: 10818 Comm: kworker/1:16 Tainted: G OE
5.19.0-rc6-g2eae0556bb9d #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153
Code: 21 02 00 00 41 8b 9c 24 28 02 00 00 e9 07 ff ff ff e8 34 4d 91
f9 89 ee 4c 89 e7 e8 4a 47 60 ff e9 a6 fc ff ff e8 20 4d 91 f9 <0f> 0b
e9 84 fe ff ff e8 14 4d 91 f9 0f 0b e9 d4 fd ff ff e8 08 4d
RSP: 0018:ffffc9001b35fa78 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000002879d0 RCX: ffff8881326f3b00
RDX: 0000000000000000 RSI: ffff8881326f3b00 RDI: 0000000000000002
RBP: ffff888179662674 R08: ffffffff87e983a0 R09: 0000000000000000
R10: 0000000000000005 R11: 00000000000004ea R12: ffff888179662400
R13: ffff888179662428 R14: 0000000000000001 R15: ffff88817e38e258
FS: 0000000000000000(0000) GS:ffff8881f5f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020007bc0 CR3: 0000000179592000 CR4: 0000000000150ee0
Call Trace:
<TASK>
__sk_destruct+0x4f/0x8e0 net/core/sock.c:2067
sk_destruct+0xbd/0xe0 net/core/sock.c:2112
__sk_free+0xef/0x3d0 net/core/sock.c:2123
sk_free+0x78/0xa0 net/core/sock.c:2134
sock_put include/net/sock.h:1927 [inline]
__mptcp_close_ssk+0x50f/0x780 net/mptcp/protocol.c:2351
__mptcp_destroy_sock+0x332/0x760 net/mptcp/protocol.c:2828
mptcp_worker+0x5d2/0xc90 net/mptcp/protocol.c:2586
process_one_work+0x9cc/0x1650 kernel/workqueue.c:2289
worker_thread+0x623/0x1070 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
</TASK>
The root cause of the problem is that an mptcp-level (re)transmit can
race with mptcp_close() and the packet scheduler checks the subflow
state before acquiring the socket lock: we can try to (re)transmit on
an already closed ssk.
Fix the issue checking again the subflow socket status under the
subflow socket lock protection. Additionally add the missing check
for the fallback-to-tcp case.
Fixes: d5f49190def6 ("mptcp: allow picking different xmit subflows")
Reported-by: Dipanjan Das <mail.dipanjan.das@gmail.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 8 +++++++-
net/mptcp/protocol.h | 11 +++++++----
2 files changed, 14 insertions(+), 5 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -1350,6 +1350,9 @@ static int mptcp_sendmsg_frag(struct soc
info->limit > dfrag->data_len))
return 0;
+ if (unlikely(!__tcp_can_send(ssk)))
+ return -EAGAIN;
+
/* compute send limit */
info->mss_now = tcp_send_mss(ssk, &info->size_goal, info->flags);
copy = info->size_goal;
@@ -1512,7 +1515,8 @@ static struct sock *mptcp_subflow_get_se
if (__mptcp_check_fallback(msk)) {
if (!msk->first)
return NULL;
- return sk_stream_memory_free(msk->first) ? msk->first : NULL;
+ return __tcp_can_send(msk->first) &&
+ sk_stream_memory_free(msk->first) ? msk->first : NULL;
}
/* re-use last subflow, if the burst allow that */
@@ -1638,6 +1642,8 @@ void __mptcp_push_pending(struct sock *s
ret = mptcp_sendmsg_frag(sk, ssk, dfrag, &info);
if (ret <= 0) {
+ if (ret == -EAGAIN)
+ continue;
mptcp_push_release(ssk, &info);
goto out;
}
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -599,16 +599,19 @@ void mptcp_info2sockaddr(const struct mp
struct sockaddr_storage *addr,
unsigned short family);
-static inline bool __mptcp_subflow_active(struct mptcp_subflow_context *subflow)
+static inline bool __tcp_can_send(const struct sock *ssk)
{
- struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+ /* only send if our side has not closed yet */
+ return ((1 << inet_sk_state_load(ssk)) & (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT));
+}
+static inline bool __mptcp_subflow_active(struct mptcp_subflow_context *subflow)
+{
/* can't send if JOIN hasn't completed yet (i.e. is usable for mptcp) */
if (subflow->request_join && !subflow->fully_established)
return false;
- /* only send if our side has not closed yet */
- return ((1 << ssk->sk_state) & (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT));
+ return __tcp_can_send(mptcp_subflow_tcp_sock(subflow));
}
void mptcp_subflow_set_active(struct mptcp_subflow_context *subflow);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 561/644] scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (559 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 560/644] mptcp: do not queue data on closed subflows Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 562/644] scsi: ufs: ufs-pci: Fix default runtime and system PM levels Greg Kroah-Hartman
` (88 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Archana Patni, Bart Van Assche,
Martin K. Petersen, Adrian Hunter
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Archana Patni <archana.patni@intel.com>
commit 4428ddea832cfdb63e476eb2e5c8feb5d36057fe upstream.
UFSHCD core disables the UIC completion interrupt when issuing UIC
hibernation commands, and re-enables it afterwards if it was enabled to
start with, refer ufshcd_uic_pwr_ctrl(). For Intel MTL-like host
controllers, accessing the register to re-enable the interrupt disrupts
the state transition.
Use hibern8_notify variant operation to disable the interrupt during the
entire hibernation, thereby preventing the disruption.
Fixes: 4049f7acef3e ("scsi: ufs: ufs-pci: Add support for Intel MTL")
Cc: stable@vger.kernel.org
Signed-off-by: Archana Patni <archana.patni@intel.com>
Link: https://lore.kernel.org/r/20250723165856.145750-2-adrian.hunter@intel.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/ufs/ufshcd-pci.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
--- a/drivers/scsi/ufs/ufshcd-pci.c
+++ b/drivers/scsi/ufs/ufshcd-pci.c
@@ -203,6 +203,32 @@ out:
return ret;
}
+static void ufs_intel_ctrl_uic_compl(struct ufs_hba *hba, bool enable)
+{
+ u32 set = ufshcd_readl(hba, REG_INTERRUPT_ENABLE);
+
+ if (enable)
+ set |= UIC_COMMAND_COMPL;
+ else
+ set &= ~UIC_COMMAND_COMPL;
+ ufshcd_writel(hba, set, REG_INTERRUPT_ENABLE);
+}
+
+static void ufs_intel_mtl_h8_notify(struct ufs_hba *hba,
+ enum uic_cmd_dme cmd,
+ enum ufs_notify_change_status status)
+{
+ /*
+ * Disable UIC COMPL INTR to prevent access to UFSHCI after
+ * checking HCS.UPMCRS
+ */
+ if (status == PRE_CHANGE && cmd == UIC_CMD_DME_HIBER_ENTER)
+ ufs_intel_ctrl_uic_compl(hba, false);
+
+ if (status == POST_CHANGE && cmd == UIC_CMD_DME_HIBER_EXIT)
+ ufs_intel_ctrl_uic_compl(hba, true);
+}
+
#define INTEL_ACTIVELTR 0x804
#define INTEL_IDLELTR 0x808
@@ -476,6 +502,7 @@ static struct ufs_hba_variant_ops ufs_in
.init = ufs_intel_mtl_init,
.exit = ufs_intel_common_exit,
.hce_enable_notify = ufs_intel_hce_enable_notify,
+ .hibern8_notify = ufs_intel_mtl_h8_notify,
.link_startup_notify = ufs_intel_link_startup_notify,
.resume = ufs_intel_resume,
.device_reset = ufs_intel_device_reset,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 562/644] scsi: ufs: ufs-pci: Fix default runtime and system PM levels
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (560 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 561/644] scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 563/644] KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix Greg Kroah-Hartman
` (87 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Bart Van Assche,
Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit 6de7435e6b81fe52c0ab4c7e181f6b5decd18eb1 upstream.
Intel MTL-like host controllers support auto-hibernate. Using
auto-hibernate with manual (driver initiated) hibernate produces more
complex operation. For example, the host controller will have to exit
auto-hibernate simply to allow the driver to enter hibernate state
manually. That is not recommended.
The default rpm_lvl and spm_lvl is 3, which includes manual hibernate.
Change the default values to 2, which does not.
Note, to be simpler to backport to stable kernels, utilize the UFS PCI
driver's ->late_init() call back. Recent commits have made it possible
to set up a controller-specific default in the regular ->init() call
back, but not all stable kernels have those changes.
Fixes: 4049f7acef3e ("scsi: ufs: ufs-pci: Add support for Intel MTL")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20250723165856.145750-3-adrian.hunter@intel.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/ufs/ufshcd-pci.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/drivers/scsi/ufs/ufshcd-pci.c
+++ b/drivers/scsi/ufs/ufshcd-pci.c
@@ -454,10 +454,23 @@ static int ufs_intel_adl_init(struct ufs
return ufs_intel_common_init(hba);
}
+static void ufs_intel_mtl_late_init(struct ufs_hba *hba)
+{
+ hba->rpm_lvl = UFS_PM_LVL_2;
+ hba->spm_lvl = UFS_PM_LVL_2;
+}
+
static int ufs_intel_mtl_init(struct ufs_hba *hba)
{
+ struct ufs_host *ufs_host;
+ int err;
+
hba->caps |= UFSHCD_CAP_CRYPTO | UFSHCD_CAP_WB_EN;
- return ufs_intel_common_init(hba);
+ err = ufs_intel_common_init(hba);
+ /* Get variant after it is set in ufs_intel_common_init() */
+ ufs_host = ufshcd_get_variant(hba);
+ ufs_host->late_init = ufs_intel_mtl_late_init;
+ return err;
}
static struct ufs_hba_variant_ops ufs_intel_cnl_hba_vops = {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 563/644] KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (561 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 562/644] scsi: ufs: ufs-pci: Fix default runtime and system PM levels Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 564/644] memstick: Fix deadlock by moving removing flag earlier Greg Kroah-Hartman
` (86 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Lee Jones,
Sasha Levin, Mark Rutland, Fuad Tabba, Marc Zyngier, Will Deacon
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will@kernel.org>
Upstream commit fbc7e61195e2 ("KVM: arm64: Unconditionally save+flush
host FPSIMD/SVE/SME state") relies on interrupts being disabled during
fpsimd_save_and_flush_cpu_state() so that a softirq cannot be taken
while the host floating point context is being saved and potentially try
to use kernel-mode NEON.
Unfortunately, stable kernels without 9b19700e623f ("arm64: fpsimd: Drop
unneeded 'busy' flag") leave interrupts enabled in
fpsimd_save_and_flush_cpu_state() and so the BUG_ON(!may_use_simd()) in
kernel_neon_begin() has been observed to trigger in real-world usage:
| kernel BUG at arch/arm64/kernel/fpsimd.c:1904!
| Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
|
| Call trace:
| kernel_neon_begin+0xdc/0x12c
| ...
| crypto_aead_decrypt+0x5c/0x6c
| seqiv_aead_decrypt+0x88/0x9c
| crypto_aead_decrypt+0x5c/0x6c
| esp_input+0x280/0x364
| xfrm_input+0x6ac/0x16f8
| ...
| net_rx_action+0x13c/0x31c
| handle_softirqs+0x124/0x3d0
| __do_softirq+0x14/0x20
| ____do_softirq+0x10/0x20
| call_on_irq_stack+0x3c/0x74
| do_softirq_own_stack+0x1c/0x2c
| __irq_exit_rcu+0x54/0xb4
| irq_exit_rcu+0x10/0x1c
| el1_interrupt+0x38/0x58
| el1h_64_irq_handler+0x18/0x24
| el1h_64_irq+0x68/0x6c
| fpsimd_save+0xe4/0x130
| kvm_arch_vcpu_load_fp+0x2c/0x58
| kvm_arch_vcpu_load+0x88/0x26c
| kvm_sched_in+0x2c/0x3c
Given that 9b19700e623f ("arm64: fpsimd: Drop unneeded 'busy' flag") is
not a fix in its own right, has non-trivial dependencies and is a
reasonably invasive change to the in-kernel use of fpsimd, opt instead
for a simple fix to use the softirq-safe {get,put}_cpu_fpsimd_context()
helpers in fpsimd_save_and_flush_cpu_state().
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Lee Jones <lee@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Fuad Tabba <tabba@google.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: <stable@vger.kernel.org> # 5.15.y, 6.1.y and 6.6.y
Fixes: 806d5c1e1d2e ("KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state") # 6.6.y
Fixes: 04c50cc23a49 ("KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state") # 6.1.y
Fixes: 5289ac43b69c ("KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state") # 5.15.y
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/fpsimd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm64/kernel/fpsimd.c
+++ b/arch/arm64/kernel/fpsimd.c
@@ -1303,10 +1303,10 @@ void fpsimd_save_and_flush_cpu_state(voi
if (!system_supports_fpsimd())
return;
WARN_ON(preemptible());
- __get_cpu_fpsimd_context();
+ get_cpu_fpsimd_context();
fpsimd_save();
fpsimd_flush_cpu_state();
- __put_cpu_fpsimd_context();
+ put_cpu_fpsimd_context();
}
#ifdef CONFIG_KERNEL_MODE_NEON
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 564/644] memstick: Fix deadlock by moving removing flag earlier
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (562 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 563/644] KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 565/644] mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency Greg Kroah-Hartman
` (85 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiayi Li, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayi Li <lijiayi@kylinos.cn>
commit 99d7ab8db9d8230b243f5ed20ba0229e54cc0dfa upstream.
The existing memstick core patch: commit 62c59a8786e6 ("memstick: Skip
allocating card when removing host") sets host->removing in
memstick_remove_host(),but still exists a critical time window where
memstick_check can run after host->eject is set but before removing is set.
In the rtsx_usb_ms driver, the problematic sequence is:
rtsx_usb_ms_drv_remove: memstick_check:
host->eject = true
cancel_work_sync(handle_req) if(!host->removing)
... memstick_alloc_card()
memstick_set_rw_addr()
memstick_new_req()
rtsx_usb_ms_request()
if(!host->eject)
skip schedule_work
wait_for_completion()
memstick_remove_host: [blocks indefinitely]
host->removing = true
flush_workqueue()
[block]
1. rtsx_usb_ms_drv_remove sets host->eject = true
2. cancel_work_sync(&host->handle_req) runs
3. memstick_check work may be executed here <-- danger window
4. memstick_remove_host sets removing = 1
During this window (step 3), memstick_check calls memstick_alloc_card,
which may indefinitely waiting for mrq_complete completion that will
never occur because rtsx_usb_ms_request sees eject=true and skips
scheduling work, memstick_set_rw_addr waits forever for completion.
This causes a deadlock when memstick_remove_host tries to flush_workqueue,
waiting for memstick_check to complete, while memstick_check is blocked
waiting for mrq_complete completion.
Fix this by setting removing=true at the start of rtsx_usb_ms_drv_remove,
before any work cancellation. This ensures memstick_check will see the
removing flag immediately and exit early, avoiding the deadlock.
Fixes: 62c59a8786e6 ("memstick: Skip allocating card when removing host")
Signed-off-by: Jiayi Li <lijiayi@kylinos.cn>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250804013604.1311218-1-lijiayi@kylinos.cn
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/memstick/core/memstick.c | 1 -
drivers/memstick/host/rtsx_usb_ms.c | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/memstick/core/memstick.c
+++ b/drivers/memstick/core/memstick.c
@@ -548,7 +548,6 @@ EXPORT_SYMBOL(memstick_add_host);
*/
void memstick_remove_host(struct memstick_host *host)
{
- host->removing = 1;
flush_workqueue(workqueue);
mutex_lock(&host->lock);
if (host->card)
--- a/drivers/memstick/host/rtsx_usb_ms.c
+++ b/drivers/memstick/host/rtsx_usb_ms.c
@@ -812,6 +812,7 @@ static int rtsx_usb_ms_drv_remove(struct
int err;
host->eject = true;
+ msh->removing = true;
cancel_work_sync(&host->handle_req);
cancel_delayed_work_sync(&host->poll_card);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 565/644] mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (563 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 564/644] memstick: Fix deadlock by moving removing flag earlier Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 566/644] squashfs: fix memory leak in squashfs_fill_super Greg Kroah-Hartman
` (84 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Victor Shih, Adrian Hunter,
Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Shih <victor.shih@genesyslogic.com.tw>
commit 293ed0f5f34e1e9df888456af4b0a021f57b5f54 upstream.
In preparation to fix replay timer timeout, rename the
gli_set_gl9763e() to gl9763e_hw_setting() for consistency.
Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
Cc: stable@vger.kernel.org
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20250731065752.450231-3-victorshihgli@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-pci-gli.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/mmc/host/sdhci-pci-gli.c
+++ b/drivers/mmc/host/sdhci-pci-gli.c
@@ -860,7 +860,7 @@ static void sdhci_gl9763e_reset(struct s
sdhci_reset(host, mask);
}
-static void gli_set_gl9763e(struct sdhci_pci_slot *slot)
+static void gl9763e_hw_setting(struct sdhci_pci_slot *slot)
{
struct pci_dev *pdev = slot->chip->pdev;
u32 value;
@@ -918,7 +918,7 @@ static int gli_probe_slot_gl9763e(struct
gli_pcie_enable_msi(slot);
host->mmc_host_ops.hs400_enhanced_strobe =
gl9763e_hs400_enhanced_strobe;
- gli_set_gl9763e(slot);
+ gl9763e_hw_setting(slot);
sdhci_enable_v4_mode(host);
return 0;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 566/644] squashfs: fix memory leak in squashfs_fill_super
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (564 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 565/644] mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 567/644] mm/debug_vm_pgtable: clear page table entries at destroy_args() Greg Kroah-Hartman
` (83 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phillip Lougher, Scott GUO,
Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phillip Lougher <phillip@squashfs.org.uk>
commit b64700d41bdc4e9f82f1346c15a3678ebb91a89c upstream.
If sb_min_blocksize returns 0, squashfs_fill_super exits without freeing
allocated memory (sb->s_fs_info).
Fix this by moving the call to sb_min_blocksize to before memory is
allocated.
Link: https://lkml.kernel.org/r/20250811223740.110392-1-phillip@squashfs.org.uk
Fixes: 734aa85390ea ("Squashfs: check return result of sb_min_blocksize")
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: Scott GUO <scottzhguo@tencent.com>
Closes: https://lore.kernel.org/all/20250811061921.3807353-1-scott_gzh@163.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/squashfs/super.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -122,10 +122,15 @@ static int squashfs_fill_super(struct su
unsigned short flags;
unsigned int fragments;
u64 lookup_table_start, xattr_id_table_start, next_table;
- int err;
+ int err, devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
TRACE("Entered squashfs_fill_superblock\n");
+ if (!devblksize) {
+ errorf(fc, "squashfs: unable to set blocksize\n");
+ return -EINVAL;
+ }
+
sb->s_fs_info = kzalloc(sizeof(*msblk), GFP_KERNEL);
if (sb->s_fs_info == NULL) {
ERROR("Failed to allocate squashfs_sb_info\n");
@@ -135,12 +140,7 @@ static int squashfs_fill_super(struct su
msblk->panic_on_errors = (opts->errors == Opt_errors_panic);
- msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
- if (!msblk->devblksize) {
- errorf(fc, "squashfs: unable to set blocksize\n");
- return -EINVAL;
- }
-
+ msblk->devblksize = devblksize;
msblk->devblksize_log2 = ffz(~msblk->devblksize);
mutex_init(&msblk->meta_index_mutex);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 567/644] mm/debug_vm_pgtable: clear page table entries at destroy_args()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (565 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 566/644] squashfs: fix memory leak in squashfs_fill_super Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 568/644] ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 Greg Kroah-Hartman
` (82 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Herton R. Krzesinski,
Anshuman Khandual, Christophe Leroy, Gavin Shan, Gerald Schaefer,
Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herton R. Krzesinski <herton@redhat.com>
commit dde30854bddfb5d69f30022b53c5955a41088b33 upstream.
The mm/debug_vm_pagetable test allocates manually page table entries for
the tests it runs, using also its manually allocated mm_struct. That in
itself is ok, but when it exits, at destroy_args() it fails to clear those
entries with the *_clear functions.
The problem is that leaves stale entries. If another process allocates an
mm_struct with a pgd at the same address, it may end up running into the
stale entry. This is happening in practice on a debug kernel with
CONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra
debugging I added (it prints a warning trace if pgtables_bytes goes
negative, in addition to the warning at check_mm() function):
[ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000
[ 2.539366] kmem_cache info
[ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508
[ 2.539447] debug_vm_pgtable: [init_args ]: args->mm is 0x000000002267cc9e
(...)
[ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0
[ 2.552816] Modules linked in:
[ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY
[ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries
[ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90
[ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug)
[ 2.552899] MSR: 800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24002822 XER: 0000000a
[ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0
[ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001
[ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff
[ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000
[ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb
[ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0
[ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000
[ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001
[ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760
[ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0
[ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0
[ 2.553199] Call Trace:
[ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)
[ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0
[ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570
[ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650
[ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290
[ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0
[ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870
[ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150
[ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50
[ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0
[ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
(...)
[ 2.558892] ---[ end trace 0000000000000000 ]---
[ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1
[ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144
Here the modprobe process ended up with an allocated mm_struct from the
mm_struct slab that was used before by the debug_vm_pgtable test. That is
not a problem, since the mm_struct is initialized again etc., however, if
it ends up using the same pgd table, it bumps into the old stale entry
when clearing/freeing the page table entries, so it tries to free an entry
already gone (that one which was allocated by the debug_vm_pgtable test),
which also explains the negative pgtables_bytes since it's accounting for
not allocated entries in the current process.
As far as I looked pgd_{alloc,free} etc. does not clear entries, and
clearing of the entries is explicitly done in the free_pgtables->
free_pgd_range->free_p4d_range->free_pud_range->free_pmd_range->
free_pte_range path. However, the debug_vm_pgtable test does not call
free_pgtables, since it allocates mm_struct and entries manually for its
test and eg. not goes through page faults. So it also should clear
manually the entries before exit at destroy_args().
This problem was noticed on a reboot X number of times test being done on
a powerpc host, with a debug kernel with CONFIG_DEBUG_VM_PGTABLE enabled.
Depends on the system, but on a 100 times reboot loop the problem could
manifest once or twice, if a process ends up getting the right mm->pgd
entry with the stale entries used by mm/debug_vm_pagetable. After using
this patch, I couldn't reproduce/experience the problems anymore. I was
able to reproduce the problem as well on latest upstream kernel (6.16).
I also modified destroy_args() to use mmput() instead of mmdrop(), there
is no reason to hold mm_users reference and not release the mm_struct
entirely, and in the output above with my debugging prints I already had
patched it to use mmput, it did not fix the problem, but helped in the
debugging as well.
Link: https://lkml.kernel.org/r/20250731214051.4115182-1-herton@redhat.com
Fixes: 3c9b84f044a9 ("mm/debug_vm_pgtable: introduce struct pgtable_debug_args")
Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Gavin Shan <gshan@redhat.com>
Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/debug_vm_pgtable.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/mm/debug_vm_pgtable.c
+++ b/mm/debug_vm_pgtable.c
@@ -1050,29 +1050,34 @@ static void __init destroy_args(struct p
/* Free page table entries */
if (args->start_ptep) {
+ pmd_clear(args->pmdp);
pte_free(args->mm, args->start_ptep);
mm_dec_nr_ptes(args->mm);
}
if (args->start_pmdp) {
+ pud_clear(args->pudp);
pmd_free(args->mm, args->start_pmdp);
mm_dec_nr_pmds(args->mm);
}
if (args->start_pudp) {
+ p4d_clear(args->p4dp);
pud_free(args->mm, args->start_pudp);
mm_dec_nr_puds(args->mm);
}
- if (args->start_p4dp)
+ if (args->start_p4dp) {
+ pgd_clear(args->pgdp);
p4d_free(args->mm, args->start_p4dp);
+ }
/* Free vma and mm struct */
if (args->vma)
vm_area_free(args->vma);
if (args->mm)
- mmdrop(args->mm);
+ mmput(args->mm);
}
static struct page * __init
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 568/644] ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (566 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 567/644] mm/debug_vm_pgtable: clear page table entries at destroy_args() Greg Kroah-Hartman
@ 2025-08-26 11:10 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 569/644] drm/amd/display: Avoid a NULL pointer dereference Greg Kroah-Hartman
` (81 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Evgeniy Harchenko, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Evgeniy Harchenko <evgeniyharchenko.dev@gmail.com>
commit eafae0fdd115a71b3a200ef1a31f86da04bac77f upstream.
The HP EliteBook x360 830 G6 and HP EliteBook 830 G6 have
Realtek HDA codec ALC215. It needs the ALC285_FIXUP_HP_GPIO_LED
quirk to enable the mute LED.
Cc: <stable@vger.kernel.org>
Signed-off-by: Evgeniy Harchenko <evgeniyharchenko.dev@gmail.com>
Link: https://patch.msgid.link/20250815095814.75845-1-evgeniyharchenko.dev@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9319,6 +9319,8 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
SND_PCI_QUIRK(0x103c, 0x8537, "HP ProBook 440 G6", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8548, "HP EliteBook x360 830 G6", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x854a, "HP EliteBook 830 G6", ALC285_FIXUP_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x85c6, "HP Pavilion x360 Convertible 14-dy1xxx", ALC295_FIXUP_HP_MUTE_LED_COEFBIT11),
SND_PCI_QUIRK(0x103c, 0x85de, "HP Envy x360 13-ar0xxx", ALC285_FIXUP_HP_ENVY_X360),
SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT),
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 569/644] drm/amd/display: Avoid a NULL pointer dereference
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (567 preceding siblings ...)
2025-08-26 11:10 ` [PATCH 5.15 568/644] ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 570/644] drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 Greg Kroah-Hartman
` (80 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Harry Wentland, Alex Hung, Dan Wheeler
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 07b93a5704b0b72002f0c4bd1076214af67dc661 upstream.
[WHY]
Although unlikely drm_atomic_get_new_connector_state() or
drm_atomic_get_old_connector_state() can return NULL.
[HOW]
Check returns before dereference.
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -7105,6 +7105,9 @@ amdgpu_dm_connector_atomic_check(struct
struct drm_crtc_state *new_crtc_state;
int ret;
+ if (WARN_ON(unlikely(!old_con_state || !new_con_state)))
+ return -EINVAL;
+
trace_amdgpu_dm_connector_atomic_check(new_con_state);
if (!crtc)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 570/644] drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (568 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 569/644] drm/amd/display: Avoid a NULL pointer dereference Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 571/644] drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 Greg Kroah-Hartman
` (79 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Rodrigo Siqueira, Alex Hung
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit 10507478468f165ea681605d133991ed05cdff62 upstream.
For later VBIOS versions, the fractional feedback divider is
calculated as the remainder of dividing the feedback divider by
a factor, which is set to 1000000. For reference, see:
- calculate_fb_and_fractional_fb_divider
- calc_pll_max_vco_construct
However, in case of old VBIOS versions that have
set_pixel_clock_v3, they only have 1 byte available for the
fractional feedback divider, and it's expected to be set to the
remainder from dividing the feedback divider by 10.
For reference see the legacy display code:
- amdgpu_pll_compute
- amdgpu_atombios_crtc_program_pll
This commit fixes set_pixel_clock_v3 by dividing the fractional
feedback divider passed to the function by 100000.
Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 027e7acc7e17802ebf28e1edb88a404836ad50d6)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/bios/command_table.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/bios/command_table.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/command_table.c
@@ -992,7 +992,7 @@ static enum bp_result set_pixel_clock_v3
allocation.sPCLKInput.usFbDiv =
cpu_to_le16((uint16_t)bp_params->feedback_divider);
allocation.sPCLKInput.ucFracFbDiv =
- (uint8_t)bp_params->fractional_feedback_divider;
+ (uint8_t)(bp_params->fractional_feedback_divider / 100000);
allocation.sPCLKInput.ucPostDiv =
(uint8_t)bp_params->pixel_clock_post_divider;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 571/644] drm/amd/display: Fix DP audio DTO1 clock source on DCE 6.
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (569 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 570/644] drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 572/644] drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs Greg Kroah-Hartman
` (78 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Rodrigo Siqueira,
Timur Kristóf
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit 297a4833a68aac3316eb808b4123eb016ef242d7 upstream.
On DCE 6, DP audio was not working. However, it worked when an
HDMI monitor was also plugged in.
Looking at dce_aud_wall_dto_setup it seems that the main
difference is that we use DTO1 when only DP is plugged in.
When programming DTO1, it uses audio_dto_source_clock_in_khz
which is set from get_dp_ref_freq_khz
The dce60_get_dp_ref_freq_khz implementation looks incorrect,
because DENTIST_DISPCLK_CNTL seems to be always zero on DCE 6,
so it isn't usable.
I compared dce60_get_dp_ref_freq_khz to the legacy display code,
specifically dce_v6_0_audio_set_dto, and it turns out that in
case of DCE 6, it needs to use the display clock. With that,
DP audio started working on Pitcairn, Oland and Cape Verde.
However, it still didn't work on Tahiti. Despite having the
same DCE version, Tahiti seems to have a different audio device.
After some trial and error I realized that it works with the
default display clock as reported by the VBIOS, not the current
display clock.
The patch was tested on all four SI GPUs:
* Pitcairn (DCE 6.0)
* Oland (DCE 6.4)
* Cape Verde (DCE 6.0)
* Tahiti (DCE 6.0 but different)
The testing was done on Samsung Odyssey G7 LS28BG700EPXEN on
each of the above GPUs, at the following settings:
* 4K 60 Hz
* 1080p 60 Hz
* 1080p 144 Hz
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 645cc7863da5de700547d236697dffd6760cf051)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 21 +++--------
1 file changed, 6 insertions(+), 15 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
@@ -83,22 +83,13 @@ static const struct state_dependent_cloc
static int dce60_get_dp_ref_freq_khz(struct clk_mgr *clk_mgr_base)
{
struct clk_mgr_internal *clk_mgr = TO_CLK_MGR_INTERNAL(clk_mgr_base);
- int dprefclk_wdivider;
- int dp_ref_clk_khz;
- int target_div;
+ struct dc_context *ctx = clk_mgr_base->ctx;
+ int dp_ref_clk_khz = 0;
- /* DCE6 has no DPREFCLK_CNTL to read DP Reference Clock source */
-
- /* Read the mmDENTIST_DISPCLK_CNTL to get the currently
- * programmed DID DENTIST_DPREFCLK_WDIVIDER*/
- REG_GET(DENTIST_DISPCLK_CNTL, DENTIST_DPREFCLK_WDIVIDER, &dprefclk_wdivider);
-
- /* Convert DENTIST_DPREFCLK_WDIVIDERto actual divider*/
- target_div = dentist_get_divider_from_did(dprefclk_wdivider);
-
- /* Calculate the current DFS clock, in kHz.*/
- dp_ref_clk_khz = (DENTIST_DIVIDER_RANGE_SCALE_FACTOR
- * clk_mgr->base.dentist_vco_freq_khz) / target_div;
+ if (ASIC_REV_IS_TAHITI_P(ctx->asic_id.hw_internal_rev))
+ dp_ref_clk_khz = ctx->dc_bios->fw_info.default_display_engine_pll_frequency;
+ else
+ dp_ref_clk_khz = clk_mgr_base->clks.dispclk_khz;
return dce_adjust_dp_ref_freq_for_ss(clk_mgr, dp_ref_clk_khz);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 572/644] drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (570 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 571/644] drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 573/644] drm/amd/display: Fill display clock and vblank " Greg Kroah-Hartman
` (77 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Rodrigo Siqueira, Alex Hung
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit 669f73a26f6112eedbadac53a2f2707ac6d0b9c8 upstream.
dce110_fill_display_configs is shared between DCE 6-11, and
finding the first CRTC and its line time is relevant to DCE 6 too.
Move the code to find it from DCE 11 specific code.
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 4ab09785f8d5d03df052827af073d5c508ff5f63)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 30 ++++++----
1 file changed, 20 insertions(+), 10 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c
@@ -120,9 +120,12 @@ void dce110_fill_display_configs(
const struct dc_state *context,
struct dm_pp_display_configuration *pp_display_cfg)
{
+ struct dc *dc = context->clk_mgr->ctx->dc;
int j;
int num_cfgs = 0;
+ pp_display_cfg->crtc_index = dc->res_pool->res_cap->num_timing_generator;
+
for (j = 0; j < context->stream_count; j++) {
int k;
@@ -164,6 +167,23 @@ void dce110_fill_display_configs(
cfg->v_refresh /= stream->timing.h_total;
cfg->v_refresh = (cfg->v_refresh + stream->timing.v_total / 2)
/ stream->timing.v_total;
+
+ /* Find first CRTC index and calculate its line time.
+ * This is necessary for DPM on SI GPUs.
+ */
+ if (cfg->pipe_idx < pp_display_cfg->crtc_index) {
+ const struct dc_crtc_timing *timing =
+ &context->streams[0]->timing;
+
+ pp_display_cfg->crtc_index = cfg->pipe_idx;
+ pp_display_cfg->line_time_in_us =
+ timing->h_total * 10000 / timing->pix_clk_100hz;
+ }
+ }
+
+ if (!num_cfgs) {
+ pp_display_cfg->crtc_index = 0;
+ pp_display_cfg->line_time_in_us = 0;
}
pp_display_cfg->display_count = num_cfgs;
@@ -232,16 +252,6 @@ void dce11_pplib_apply_display_requireme
dce110_fill_display_configs(context, pp_display_cfg);
- /* TODO: is this still applicable?*/
- if (pp_display_cfg->display_count == 1) {
- const struct dc_crtc_timing *timing =
- &context->streams[0]->timing;
-
- pp_display_cfg->crtc_index =
- pp_display_cfg->disp_configs[0].pipe_idx;
- pp_display_cfg->line_time_in_us = timing->h_total * 10000 / timing->pix_clk_100hz;
- }
-
if (memcmp(&dc->current_state->pp_display_cfg, pp_display_cfg, sizeof(*pp_display_cfg)) != 0)
dm_pp_apply_display_requirements(dc->ctx, pp_display_cfg);
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 573/644] drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (571 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 572/644] drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 574/644] fs/buffer: fix use-after-free when call bh_read() helper Greg Kroah-Hartman
` (76 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Rodrigo Siqueira, Alex Hung
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
commit 7d07140d37f792f01cfdb8ca9a6a792ab1d29126 upstream.
Also needed by DCE 6.
This way the code that gathers this info can be shared between
different DCE versions and doesn't have to be repeated.
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8107432dff37db26fcb641b6cebeae8981cd73a0)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c | 2 --
drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 10 +++-------
drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 2 --
3 files changed, 3 insertions(+), 11 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c
@@ -384,8 +384,6 @@ static void dce_pplib_apply_display_requ
{
struct dm_pp_display_configuration *pp_display_cfg = &context->pp_display_cfg;
- pp_display_cfg->avail_mclk_switch_time_us = dce110_get_min_vblank_time_us(context);
-
dce110_fill_display_configs(context, pp_display_cfg);
if (memcmp(&dc->current_state->pp_display_cfg, pp_display_cfg, sizeof(*pp_display_cfg)) != 0)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c
@@ -124,6 +124,9 @@ void dce110_fill_display_configs(
int j;
int num_cfgs = 0;
+ pp_display_cfg->avail_mclk_switch_time_us = dce110_get_min_vblank_time_us(context);
+ pp_display_cfg->disp_clk_khz = dc->clk_mgr->clks.dispclk_khz;
+ pp_display_cfg->avail_mclk_switch_time_in_disp_active_us = 0;
pp_display_cfg->crtc_index = dc->res_pool->res_cap->num_timing_generator;
for (j = 0; j < context->stream_count; j++) {
@@ -243,13 +246,6 @@ void dce11_pplib_apply_display_requireme
pp_display_cfg->min_engine_clock_deep_sleep_khz
= context->bw_ctx.bw.dce.sclk_deep_sleep_khz;
- pp_display_cfg->avail_mclk_switch_time_us =
- dce110_get_min_vblank_time_us(context);
- /* TODO: dce11.2*/
- pp_display_cfg->avail_mclk_switch_time_in_disp_active_us = 0;
-
- pp_display_cfg->disp_clk_khz = dc->clk_mgr->clks.dispclk_khz;
-
dce110_fill_display_configs(context, pp_display_cfg);
if (memcmp(&dc->current_state->pp_display_cfg, pp_display_cfg, sizeof(*pp_display_cfg)) != 0)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
@@ -100,8 +100,6 @@ static void dce60_pplib_apply_display_re
{
struct dm_pp_display_configuration *pp_display_cfg = &context->pp_display_cfg;
- pp_display_cfg->avail_mclk_switch_time_us = dce110_get_min_vblank_time_us(context);
-
dce110_fill_display_configs(context, pp_display_cfg);
if (memcmp(&dc->current_state->pp_display_cfg, pp_display_cfg, sizeof(*pp_display_cfg)) != 0)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 574/644] fs/buffer: fix use-after-free when call bh_read() helper
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (572 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 573/644] drm/amd/display: Fill display clock and vblank " Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 575/644] use uniform permission checks for all mount propagation changes Greg Kroah-Hartman
` (75 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Matthew Wilcox (Oracle),
Christian Brauner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 7375f22495e7cd1c5b3b5af9dcc4f6dffe34ce49 ]
There's issue as follows:
BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110
Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0
CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_address_description.constprop.0+0x2c/0x390
print_report+0xb4/0x270
kasan_report+0xb8/0xf0
end_buffer_read_sync+0xe3/0x110
end_bio_bh_io_sync+0x56/0x80
blk_update_request+0x30a/0x720
scsi_end_request+0x51/0x2b0
scsi_io_completion+0xe3/0x480
? scsi_device_unbusy+0x11e/0x160
blk_complete_reqs+0x7b/0x90
handle_softirqs+0xef/0x370
irq_exit_rcu+0xa5/0xd0
sysvec_apic_timer_interrupt+0x6e/0x90
</IRQ>
Above issue happens when do ntfs3 filesystem mount, issue may happens
as follows:
mount IRQ
ntfs_fill_super
read_cache_page
do_read_cache_folio
filemap_read_folio
mpage_read_folio
do_mpage_readpage
ntfs_get_block_vbo
bh_read
submit_bh
wait_on_buffer(bh);
blk_complete_reqs
scsi_io_completion
scsi_end_request
blk_update_request
end_bio_bh_io_sync
end_buffer_read_sync
__end_buffer_read_notouch
unlock_buffer
wait_on_buffer(bh);--> return will return to caller
put_bh
--> trigger stack-out-of-bounds
In the mpage_read_folio() function, the stack variable 'map_bh' is
passed to ntfs_get_block_vbo(). Once unlock_buffer() unlocks and
wait_on_buffer() returns to continue processing, the stack variable
is likely to be reclaimed. Consequently, during the end_buffer_read_sync()
process, calling put_bh() may result in stack overrun.
If the bh is not allocated on the stack, it belongs to a folio. Freeing
a buffer head which belongs to a folio is done by drop_buffers() which
will fail to free buffers which are still locked. So it is safe to call
put_bh() before __end_buffer_read_notouch().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/20250811141830.343774-1-yebin@huaweicloud.com
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/buffer.c b/fs/buffer.c
index 1960e2d43ae2..87fcbb725241 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -156,8 +156,8 @@ static void __end_buffer_read_notouch(struct buffer_head *bh, int uptodate)
*/
void end_buffer_read_sync(struct buffer_head *bh, int uptodate)
{
- __end_buffer_read_notouch(bh, uptodate);
put_bh(bh);
+ __end_buffer_read_notouch(bh, uptodate);
}
EXPORT_SYMBOL(end_buffer_read_sync);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 575/644] use uniform permission checks for all mount propagation changes
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (573 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 574/644] fs/buffer: fix use-after-free when call bh_read() helper Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 576/644] fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable() Greg Kroah-Hartman
` (74 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrei Vagin, Pavel Tikhomirov,
Christian Brauner, Al Viro, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit cffd0441872e7f6b1fce5e78fb1c99187a291330 ]
do_change_type() and do_set_group() are operating on different
aspects of the same thing - propagation graph. The latter
asks for mounts involved to be mounted in namespace(s) the caller
has CAP_SYS_ADMIN for. The former is a mess - originally it
didn't even check that mount *is* mounted. That got fixed,
but the resulting check turns out to be too strict for userland -
in effect, we check that mount is in our namespace, having already
checked that we have CAP_SYS_ADMIN there.
What we really need (in both cases) is
* only touch mounts that are mounted. That's a must-have
constraint - data corruption happens if it get violated.
* don't allow to mess with a namespace unless you already
have enough permissions to do so (i.e. CAP_SYS_ADMIN in its userns).
That's an equivalent of what do_set_group() does; let's extract that
into a helper (may_change_propagation()) and use it in both
do_set_group() and do_change_type().
Fixes: 12f147ddd6de "do_change_type(): refuse to operate on unmounted/not ours mounts"
Acked-by: Andrei Vagin <avagin@gmail.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/namespace.c | 34 ++++++++++++++++++++--------------
1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 9e1717692be3..35d63bb3b22d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2296,6 +2296,19 @@ static int graft_tree(struct mount *mnt, struct mount *p, struct mountpoint *mp)
return attach_recursive_mnt(mnt, p, mp, false);
}
+static int may_change_propagation(const struct mount *m)
+{
+ struct mnt_namespace *ns = m->mnt_ns;
+
+ // it must be mounted in some namespace
+ if (IS_ERR_OR_NULL(ns)) // is_mounted()
+ return -EINVAL;
+ // and the caller must be admin in userns of that namespace
+ if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
+ return -EPERM;
+ return 0;
+}
+
/*
* Sanity check the flags to change_mnt_propagation.
*/
@@ -2332,10 +2345,10 @@ static int do_change_type(struct path *path, int ms_flags)
return -EINVAL;
namespace_lock();
- if (!check_mnt(mnt)) {
- err = -EINVAL;
+ err = may_change_propagation(mnt);
+ if (err)
goto out_unlock;
- }
+
if (type == MS_SHARED) {
err = invent_group_ids(mnt, recurse);
if (err)
@@ -2730,18 +2743,11 @@ static int do_set_group(struct path *from_path, struct path *to_path)
namespace_lock();
- err = -EINVAL;
- /* To and From must be mounted */
- if (!is_mounted(&from->mnt))
- goto out;
- if (!is_mounted(&to->mnt))
- goto out;
-
- err = -EPERM;
- /* We should be allowed to modify mount namespaces of both mounts */
- if (!ns_capable(from->mnt_ns->user_ns, CAP_SYS_ADMIN))
+ err = may_change_propagation(from);
+ if (err)
goto out;
- if (!ns_capable(to->mnt_ns->user_ns, CAP_SYS_ADMIN))
+ err = may_change_propagation(to);
+ if (err)
goto out;
err = -EINVAL;
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 576/644] fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (574 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 575/644] use uniform permission checks for all mount propagation changes Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 577/644] ftrace: Also allocate and copy hash for reading of filter files Greg Kroah-Hartman
` (73 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pavel Pisa, Jason Gunthorpe,
Marek Szyprowski, Xu Yilun
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yilun <yilun.xu@linux.intel.com>
commit 1ca61060de92a4320d73adfe5dc8d335653907ac upstream.
dma_map_sgtable() returns only 0 or the error code. Read sgt->nents to
get the number of mapped segments.
Fixes: 37e00703228a ("zynq_fpga: use sgtable-based scatterlist wrappers")
Reported-by: Pavel Pisa <pisa@fel.cvut.cz>
Closes: https://lore.kernel.org/linux-fpga/202508041548.22955.pisa@fel.cvut.cz/
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Tested-by: Pavel Pisa <pisa@fel.cvut.cz>
Link: https://lore.kernel.org/r/20250806070605.1920909-2-yilun.xu@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/fpga/zynq-fpga.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/fpga/zynq-fpga.c
+++ b/drivers/fpga/zynq-fpga.c
@@ -405,12 +405,12 @@ static int zynq_fpga_ops_write(struct fp
}
}
- priv->dma_nelms =
- dma_map_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE, 0);
- if (priv->dma_nelms == 0) {
+ err = dma_map_sgtable(mgr->dev.parent, sgt, DMA_TO_DEVICE, 0);
+ if (err) {
dev_err(&mgr->dev, "Unable to DMA map (TO_DEVICE)\n");
- return -ENOMEM;
+ return err;
}
+ priv->dma_nelms = sgt->nents;
/* enable clock */
err = clk_enable(priv->clk);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 577/644] ftrace: Also allocate and copy hash for reading of filter files
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (575 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 576/644] fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 578/644] iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() Greg Kroah-Hartman
` (72 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Nathan Chancellor, Linus Torvalds, Tengda Wu,
Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit bfb336cf97df7b37b2b2edec0f69773e06d11955 upstream.
Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds
the pointer to the global tracer hash to its iterator. Unlike the writer
that allocates a copy of the hash, the reader keeps the pointer to the
filter hashes. This is problematic because this pointer is static across
function calls that release the locks that can update the global tracer
hashes. This can cause UAF and similar bugs.
Allocate and copy the hash for reading the filter files like it is done
for the writers. This not only fixes UAF bugs, but also makes the code a
bit simpler as it doesn't have to differentiate when to free the
iterator's hash between writers and readers.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/20250822183606.12962cc3@batman.local.home
Fixes: c20489dad156 ("ftrace: Assign iter->hash to filter or notrace hashes on seq read")
Closes: https://lore.kernel.org/all/20250813023044.2121943-1-wutengda@huaweicloud.com/
Closes: https://lore.kernel.org/all/20250822192437.GA458494@ax162/
Reported-by: Tengda Wu <wutengda@huaweicloud.com>
Tested-by: Tengda Wu <wutengda@huaweicloud.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ftrace.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -3825,13 +3825,17 @@ ftrace_regex_open(struct ftrace_ops *ops
} else {
iter->hash = alloc_and_copy_ftrace_hash(size_bits, hash);
}
+ } else {
+ if (hash)
+ iter->hash = alloc_and_copy_ftrace_hash(hash->size_bits, hash);
+ else
+ iter->hash = EMPTY_HASH;
+ }
- if (!iter->hash) {
- trace_parser_put(&iter->parser);
- goto out_unlock;
- }
- } else
- iter->hash = hash;
+ if (!iter->hash) {
+ trace_parser_put(&iter->parser);
+ goto out_unlock;
+ }
ret = 0;
@@ -5700,9 +5704,6 @@ int ftrace_regex_release(struct inode *i
ftrace_hash_move_and_update_ops(iter->ops, orig_hash,
iter->hash, filter_hash);
mutex_unlock(&ftrace_lock);
- } else {
- /* For read only, the hash is the ops hash */
- iter->hash = NULL;
}
mutex_unlock(&iter->ops->func_hash->regex_lock);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 578/644] iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (576 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 577/644] ftrace: Also allocate and copy hash for reading of filter files Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 579/644] iio: proximity: isl29501: fix buffered read on big-endian systems Greg Kroah-Hartman
` (71 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Salah Triki, David Lechner, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Salah Triki <salah.triki@gmail.com>
commit 43c0f6456f801181a80b73d95def0e0fd134e1cc upstream.
`devm_gpiod_get_optional()` may return non-NULL error pointer on failure.
Check its return value using `IS_ERR()` and propagate the error if
necessary.
Fixes: df6e71256c84 ("iio: pressure: bmp280: Explicitly mark GPIO optional")
Signed-off-by: Salah Triki <salah.triki@gmail.com>
Reviewed-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250818092740.545379-2-salah.triki@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/pressure/bmp280-core.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -1064,11 +1064,12 @@ int bmp280_common_probe(struct device *d
/* Bring chip out of reset if there is an assigned GPIO line */
gpiod = devm_gpiod_get_optional(dev, "reset", GPIOD_OUT_HIGH);
+ if (IS_ERR(gpiod))
+ return dev_err_probe(dev, PTR_ERR(gpiod), "failed to get reset GPIO\n");
+
/* Deassert the signal */
- if (gpiod) {
- dev_info(dev, "release reset\n");
- gpiod_set_value(gpiod, 0);
- }
+ dev_info(dev, "release reset\n");
+ gpiod_set_value(gpiod, 0);
data->regmap = regmap;
ret = regmap_read(regmap, BMP280_REG_ID, &chip_id);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 579/644] iio: proximity: isl29501: fix buffered read on big-endian systems
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (577 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 578/644] iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 580/644] most: core: Drop device reference after usage in get_channel() Greg Kroah-Hartman
` (70 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Lechner, Stable,
Jonathan Cameron
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
commit de18e978d0cda23e4c102e18092b63a5b0b3a800 upstream.
Fix passing a u32 value as a u16 buffer scan item. This works on little-
endian systems, but not on big-endian systems.
A new local variable is introduced for getting the register value and
the array is changed to a struct to make the data layout more explicit
rather than just changing the type and having to recalculate the proper
length needed for the timestamp.
Fixes: 1c28799257bc ("iio: light: isl29501: Add support for the ISL29501 ToF sensor.")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Link: https://patch.msgid.link/20250722-iio-use-more-iio_declare_buffer_with_ts-7-v2-1-d3ebeb001ed3@baylibre.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/proximity/isl29501.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/iio/proximity/isl29501.c
+++ b/drivers/iio/proximity/isl29501.c
@@ -938,12 +938,18 @@ static irqreturn_t isl29501_trigger_hand
struct iio_dev *indio_dev = pf->indio_dev;
struct isl29501_private *isl29501 = iio_priv(indio_dev);
const unsigned long *active_mask = indio_dev->active_scan_mask;
- u32 buffer[4] __aligned(8) = {}; /* 1x16-bit + naturally aligned ts */
+ u32 value;
+ struct {
+ u16 data;
+ aligned_s64 ts;
+ } scan = { };
- if (test_bit(ISL29501_DISTANCE_SCAN_INDEX, active_mask))
- isl29501_register_read(isl29501, REG_DISTANCE, buffer);
+ if (test_bit(ISL29501_DISTANCE_SCAN_INDEX, active_mask)) {
+ isl29501_register_read(isl29501, REG_DISTANCE, &value);
+ scan.data = value;
+ }
- iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp);
+ iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp);
iio_trigger_notify_done(indio_dev->trig);
return IRQ_HANDLED;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 580/644] most: core: Drop device reference after usage in get_channel()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (578 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 579/644] iio: proximity: isl29501: fix buffered read on big-endian systems Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 581/644] usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive Greg Kroah-Hartman
` (69 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Miaoqian Lin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit b47b493d6387ae437098112936f32be27f73516c upstream.
In get_channel(), the reference obtained by bus_find_device_by_name()
was dropped via put_device() before accessing the device's driver data
Move put_device() after usage to avoid potential issues.
Fixes: 2485055394be ("staging: most: core: drop device reference")
Cc: stable <stable@kernel.org>
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20250804082955.3621026-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/most/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/most/core.c
+++ b/drivers/most/core.c
@@ -538,8 +538,8 @@ static struct most_channel *get_channel(
dev = bus_find_device_by_name(&mostbus, NULL, mdev);
if (!dev)
return NULL;
- put_device(dev);
iface = dev_get_drvdata(dev);
+ put_device(dev);
list_for_each_entry_safe(c, tmp, &iface->p->channel_list, list) {
if (!strcmp(dev_name(&c->dev), mdev_ch))
return c;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 581/644] usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (579 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 580/644] most: core: Drop device reference after usage in get_channel() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 582/644] comedi: Make insn_rw_emulate_bits() do insn->n samples Greg Kroah-Hartman
` (68 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miao Li, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miao Li <limiao@kylinos.cn>
commit e664036cf36480414936cd91f4cfa2179a3d8367 upstream.
Another SanDisk 3.2Gen1 Flash Drive also need DELAY_INIT quick,
or it will randomly work incorrectly on Huawei hisi platforms
when doing reboot test.
Signed-off-by: Miao Li <limiao@kylinos.cn>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20250801082728.469406-1-limiao870622@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -368,6 +368,7 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x0781, 0x5591), .driver_info = USB_QUIRK_NO_LPM },
/* SanDisk Corp. SanDisk 3.2Gen1 */
+ { USB_DEVICE(0x0781, 0x5596), .driver_info = USB_QUIRK_DELAY_INIT },
{ USB_DEVICE(0x0781, 0x55a3), .driver_info = USB_QUIRK_DELAY_INIT },
/* SanDisk Extreme 55AE */
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 582/644] comedi: Make insn_rw_emulate_bits() do insn->n samples
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (580 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 581/644] usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 583/644] comedi: pcl726: Prevent invalid irq number Greg Kroah-Hartman
` (67 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 7afba9221f70d4cbce0f417c558879cba0eb5e66 upstream.
The `insn_rw_emulate_bits()` function is used as a default handler for
`INSN_READ` instructions for subdevices that have a handler for
`INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default
handler for `INSN_WRITE` instructions for subdevices that have a handler
for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the
`INSN_READ` or `INSN_WRITE` instruction handling with a constructed
`INSN_BITS` instruction. However, `INSN_READ` and `INSN_WRITE`
instructions are supposed to be able read or write multiple samples,
indicated by the `insn->n` value, but `insn_rw_emulate_bits()` currently
only handles a single sample. For `INSN_READ`, the comedi core will
copy `insn->n` samples back to user-space. (That triggered KASAN
kernel-infoleak errors when `insn->n` was greater than 1, but that is
being fixed more generally elsewhere in the comedi core.)
Make `insn_rw_emulate_bits()` either handle `insn->n` samples, or return
an error, to conform to the general expectation for `INSN_READ` and
`INSN_WRITE` handlers.
Fixes: ed9eccbe8970 ("Staging: add comedi core")
Cc: stable <stable@kernel.org> # 5.13+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250725141034.87297-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
--- a/drivers/comedi/drivers.c
+++ b/drivers/comedi/drivers.c
@@ -620,11 +620,9 @@ static int insn_rw_emulate_bits(struct c
unsigned int chan = CR_CHAN(insn->chanspec);
unsigned int base_chan = (chan < 32) ? 0 : chan;
unsigned int _data[2];
+ unsigned int i;
int ret;
- if (insn->n == 0)
- return 0;
-
memset(_data, 0, sizeof(_data));
memset(&_insn, 0, sizeof(_insn));
_insn.insn = INSN_BITS;
@@ -635,18 +633,21 @@ static int insn_rw_emulate_bits(struct c
if (insn->insn == INSN_WRITE) {
if (!(s->subdev_flags & SDF_WRITABLE))
return -EINVAL;
- _data[0] = 1U << (chan - base_chan); /* mask */
- _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */
+ _data[0] = 1U << (chan - base_chan); /* mask */
}
+ for (i = 0; i < insn->n; i++) {
+ if (insn->insn == INSN_WRITE)
+ _data[1] = data[i] ? _data[0] : 0; /* bits */
+
+ ret = s->insn_bits(dev, s, &_insn, _data);
+ if (ret < 0)
+ return ret;
- ret = s->insn_bits(dev, s, &_insn, _data);
- if (ret < 0)
- return ret;
-
- if (insn->insn == INSN_READ)
- data[0] = (_data[1] >> (chan - base_chan)) & 1;
+ if (insn->insn == INSN_READ)
+ data[i] = (_data[1] >> (chan - base_chan)) & 1;
+ }
- return 1;
+ return insn->n;
}
static int __comedi_device_postconfig_async(struct comedi_device *dev,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 583/644] comedi: pcl726: Prevent invalid irq number
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (581 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 582/644] comedi: Make insn_rw_emulate_bits() do insn->n samples Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 584/644] comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() Greg Kroah-Hartman
` (66 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5cd373521edd68bebcb3,
Edward Adam Davis, Ian Abbott, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit 96cb948408b3adb69df7e451ba7da9d21f814d00 upstream.
The reproducer passed in an irq number(0x80008000) that was too large,
which triggered the oob.
Added an interrupt number check to prevent users from passing in an irq
number that was too large.
If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid
because it shifts a 1-bit into the sign bit (which is UB in C).
Possible solutions include reducing the upper bound on the
`it->options[1]` value to 30 or lower, or using `1U << it->options[1]`.
The old code would just not attempt to request the IRQ if the
`options[1]` value were invalid. And it would still configure the
device without interrupts even if the call to `request_irq` returned an
error. So it would be better to combine this test with the test below.
Fixes: fff46207245c ("staging: comedi: pcl726: enable the interrupt support code")
Cc: stable <stable@kernel.org> # 5.13+
Reported-by: syzbot+5cd373521edd68bebcb3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5cd373521edd68bebcb3
Tested-by: syzbot+5cd373521edd68bebcb3@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/tencent_3C66983CC1369E962436264A50759176BF09@qq.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/pcl726.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/comedi/drivers/pcl726.c
+++ b/drivers/comedi/drivers/pcl726.c
@@ -329,7 +329,8 @@ static int pcl726_attach(struct comedi_d
* Hook up the external trigger source interrupt only if the
* user config option is valid and the board supports interrupts.
*/
- if (it->options[1] && (board->irq_mask & (1 << it->options[1]))) {
+ if (it->options[1] > 0 && it->options[1] < 16 &&
+ (board->irq_mask & (1U << it->options[1]))) {
ret = request_irq(it->options[1], pcl726_interrupt, 0,
dev->board_name, dev);
if (ret == 0) {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 584/644] comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (582 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 583/644] comedi: pcl726: Prevent invalid irq number Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 585/644] usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test Greg Kroah-Hartman
` (65 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a5e45f768aab5892da5d,
syzbot+fb4362a104d45ab09cf9, Arnaud Lecomte, Ian Abbott, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 3cd212e895ca2d58963fdc6422502b10dd3966bb upstream.
syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel
buffer is allocated to hold `insn->n` samples (each of which is an
`unsigned int`). For some instruction types, `insn->n` samples are
copied back to user-space, unless an error code is being returned. The
problem is that not all the instruction handlers that need to return
data to userspace fill in the whole `insn->n` samples, so that there is
an information leak. There is a similar syzbot report for
`do_insnlist_ioctl()`, although it does not have a reproducer for it at
the time of writing.
One culprit is `insn_rw_emulate_bits()` which is used as the handler for
`INSN_READ` or `INSN_WRITE` instructions for subdevices that do not have
a specific handler for that instruction, but do have an `INSN_BITS`
handler. For `INSN_READ` it only fills in at most 1 sample, so if
`insn->n` is greater than 1, the remaining `insn->n - 1` samples copied
to userspace will be uninitialized kernel data.
Another culprit is `vm80xx_ai_insn_read()` in the "vm80xx" driver. It
never returns an error, even if it fails to fill the buffer.
Fix it in `do_insn_ioctl()` and `do_insnlist_ioctl()` by making sure
that uninitialized parts of the allocated buffer are zeroed before
handling each instruction.
Thanks to Arnaud Lecomte for their fix to `do_insn_ioctl()`. That fix
replaced the call to `kmalloc_array()` with `kcalloc()`, but it is not
always necessary to clear the whole buffer.
Fixes: ed9eccbe8970 ("Staging: add comedi core")
Reported-by: syzbot+a5e45f768aab5892da5d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a5e45f768aab5892da5d
Reported-by: syzbot+fb4362a104d45ab09cf9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fb4362a104d45ab09cf9
Cc: stable <stable@kernel.org> # 5.13+
Cc: Arnaud Lecomte <contact@arnaud-lcm.com>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250725125324.80276-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/comedi_fops.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1582,6 +1582,9 @@ static int do_insnlist_ioctl(struct come
memset(&data[n], 0, (MIN_SAMPLES - n) *
sizeof(unsigned int));
}
+ } else {
+ memset(data, 0, max_t(unsigned int, n, MIN_SAMPLES) *
+ sizeof(unsigned int));
}
ret = parse_insn(dev, insns + i, data, file);
if (ret < 0)
@@ -1665,6 +1668,8 @@ static int do_insn_ioctl(struct comedi_d
memset(&data[insn->n], 0,
(MIN_SAMPLES - insn->n) * sizeof(unsigned int));
}
+ } else {
+ memset(data, 0, n_data * sizeof(unsigned int));
}
ret = parse_insn(dev, insn, data, file);
if (ret < 0)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 585/644] usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (583 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 584/644] comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 586/644] usb: renesas-xhci: Fix External ROM access timeouts Greg Kroah-Hartman
` (64 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jun Li, Xu Yang, Alan Stern
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 8fe06185e11ae753414aa6117f0e798aa77567ff upstream.
The USB core will unmap urb->transfer_dma after SETUP stage completes.
Then the USB controller will access unmapped memory when it received
device descriptor. If iommu is equipped, the entire test can't be
completed due to the memory accessing is blocked.
Fix it by calling map_urb_for_dma() again for IN stage. To reduce
redundant map for urb->transfer_buffer, this will also set
URB_NO_TRANSFER_DMA_MAP flag before first map_urb_for_dma() to skip
dma map for urb->transfer_buffer and clear URB_NO_TRANSFER_DMA_MAP
flag before second map_urb_for_dma().
Fixes: 216e0e563d81 ("usb: core: hcd: use map_urb_for_dma for single step set feature urb")
Cc: stable <stable@kernel.org>
Reviewed-by: Jun Li <jun.li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250806083955.3325299-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/hcd.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -2183,7 +2183,7 @@ static struct urb *request_single_step_s
urb->complete = usb_ehset_completion;
urb->status = -EINPROGRESS;
urb->actual_length = 0;
- urb->transfer_flags = URB_DIR_IN;
+ urb->transfer_flags = URB_DIR_IN | URB_NO_TRANSFER_DMA_MAP;
usb_get_urb(urb);
atomic_inc(&urb->use_count);
atomic_inc(&urb->dev->urbnum);
@@ -2247,9 +2247,15 @@ int ehset_single_step_set_feature(struct
/* Complete remaining DATA and STATUS stages using the same URB */
urb->status = -EINPROGRESS;
+ urb->transfer_flags &= ~URB_NO_TRANSFER_DMA_MAP;
usb_get_urb(urb);
atomic_inc(&urb->use_count);
atomic_inc(&urb->dev->urbnum);
+ if (map_urb_for_dma(hcd, urb, GFP_KERNEL)) {
+ usb_put_urb(urb);
+ goto out1;
+ }
+
retval = hcd->driver->submit_single_step_set_feature(hcd, urb, 0);
if (!retval && !wait_for_completion_timeout(&done,
msecs_to_jiffies(2000))) {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 586/644] usb: renesas-xhci: Fix External ROM access timeouts
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (584 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 585/644] usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 587/644] USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera Greg Kroah-Hartman
` (63 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Marek Vasut
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
commit f9420f4757752f056144896024d5ea89e5a611f1 upstream.
Increase the External ROM access timeouts to prevent failures during
programming of External SPI EEPROM chips. The current timeouts are
too short for some SPI EEPROMs used with uPD720201 controllers.
The current timeout for Chip Erase in renesas_rom_erase() is 100 ms ,
the current timeout for Sector Erase issued by the controller before
Page Program in renesas_fw_download_image() is also 100 ms. Neither
timeout is sufficient for e.g. the Macronix MX25L5121E or MX25V5126F.
MX25L5121E reference manual [1] page 35 section "ERASE AND PROGRAMMING
PERFORMANCE" and page 23 section "Table 8. AC CHARACTERISTICS (Temperature
= 0°C to 70°C for Commercial grade, VCC = 2.7V ~ 3.6V)" row "tCE" indicate
that the maximum time required for Chip Erase opcode to complete is 2 s,
and for Sector Erase it is 300 ms .
MX25V5126F reference manual [2] page 47 section "13. ERASE AND PROGRAMMING
PERFORMANCE (2.3V - 3.6V)" and page 42 section "Table 8. AC CHARACTERISTICS
(Temperature = -40°C to 85°C for Industrial grade, VCC = 2.3V - 3.6V)" row
"tCE" indicate that the maximum time required for Chip Erase opcode to
complete is 3.2 s, and for Sector Erase it is 400 ms .
Update the timeouts such, that Chip Erase timeout is set to 5 seconds,
and Sector Erase timeout is set to 500 ms. Such lengthy timeouts ought
to be sufficient for majority of SPI EEPROM chips.
[1] https://www.macronix.com/Lists/Datasheet/Attachments/8634/MX25L5121E,%203V,%20512Kb,%20v1.3.pdf
[2] https://www.macronix.com/Lists/Datasheet/Attachments/8750/MX25V5126F,%202.5V,%20512Kb,%20v1.1.pdf
Fixes: 2478be82de44 ("usb: renesas-xhci: Add ROM loader for uPD720201")
Cc: stable <stable@kernel.org>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Link: https://lore.kernel.org/r/20250802225526.25431-1-marek.vasut+renesas@mailbox.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-pci-renesas.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/usb/host/xhci-pci-renesas.c
+++ b/drivers/usb/host/xhci-pci-renesas.c
@@ -47,8 +47,9 @@
#define RENESAS_ROM_ERASE_MAGIC 0x5A65726F
#define RENESAS_ROM_WRITE_MAGIC 0x53524F4D
-#define RENESAS_RETRY 10000
-#define RENESAS_DELAY 10
+#define RENESAS_RETRY 50000 /* 50000 * RENESAS_DELAY ~= 500ms */
+#define RENESAS_CHIP_ERASE_RETRY 500000 /* 500000 * RENESAS_DELAY ~= 5s */
+#define RENESAS_DELAY 10
static int renesas_fw_download_image(struct pci_dev *dev,
const u32 *fw, size_t step, bool rom)
@@ -409,7 +410,7 @@ static void renesas_rom_erase(struct pci
/* sleep a bit while ROM is erased */
msleep(20);
- for (i = 0; i < RENESAS_RETRY; i++) {
+ for (i = 0; i < RENESAS_CHIP_ERASE_RETRY; i++) {
retval = pci_read_config_byte(pdev, RENESAS_ROM_STATUS,
&status);
status &= RENESAS_ROM_STATUS_ERASE;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 587/644] USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (585 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 586/644] usb: renesas-xhci: Fix External ROM access timeouts Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 588/644] usb: storage: realtek_cr: Use correct byte order for bcs->Residue Greg Kroah-Hartman
` (62 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mael GUERIN, stable, Alan Stern
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mael GUERIN <mael.guerin@murena.io>
commit 6ca8af3c8fb584f3424a827f554ff74f898c27cd upstream.
Add the US_FL_BULK_IGNORE_TAG quirk for Novatek NTK96550-based camera
to fix USB resets after sending SCSI vendor commands due to CBW and
CSW tags difference, leading to undesired slowness while communicating
with the device.
Please find below the copy of /sys/kernel/debug/usb/devices with my
device plugged in (listed as TechSys USB mass storage here, the
underlying chipset being the Novatek NTK96550-based camera):
T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=0603 ProdID=8611 Rev= 0.01
S: Manufacturer=TechSys
S: Product=USB Mass Storage
S: SerialNumber=966110000000100
C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Signed-off-by: Mael GUERIN <mael.guerin@murena.io>
Cc: stable <stable@kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250806164406.43450-1-mael.guerin@murena.io
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_devs.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -934,6 +934,13 @@ UNUSUAL_DEV( 0x05e3, 0x0723, 0x9451, 0x
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_SANE_SENSE ),
+/* Added by Maël GUERIN <mael.guerin@murena.io> */
+UNUSUAL_DEV( 0x0603, 0x8611, 0x0000, 0xffff,
+ "Novatek",
+ "NTK96550-based camera",
+ USB_SC_SCSI, USB_PR_BULK, NULL,
+ US_FL_BULK_IGNORE_TAG ),
+
/*
* Reported by Hanno Boeck <hanno@gmx.de>
* Taken from the Lycoris Kernel
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 588/644] usb: storage: realtek_cr: Use correct byte order for bcs->Residue
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (586 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 587/644] USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 589/644] USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles Greg Kroah-Hartman
` (61 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alan Stern, Thorsten Blum
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 98da66a70ad2396e5a508c4245367797ebc052ce upstream.
Since 'bcs->Residue' has the data type '__le32', convert it to the
correct byte order of the CPU using this driver when assigning it to
the local variable 'residue'.
Cc: stable <stable@kernel.org>
Fixes: 50a6cb932d5c ("USB: usb_storage: add ums-realtek driver")
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://lore.kernel.org/r/20250813145247.184717-3-thorsten.blum@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/realtek_cr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/storage/realtek_cr.c
+++ b/drivers/usb/storage/realtek_cr.c
@@ -252,7 +252,7 @@ static int rts51x_bulk_transport(struct
return USB_STOR_TRANSPORT_ERROR;
}
- residue = bcs->Residue;
+ residue = le32_to_cpu(bcs->Residue);
if (bcs->Tag != us->tag)
return USB_STOR_TRANSPORT_ERROR;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 589/644] USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (587 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 588/644] usb: storage: realtek_cr: Use correct byte order for bcs->Residue Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 590/644] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout Greg Kroah-Hartman
` (60 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Zenm Chen, Alan Stern
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zenm Chen <zenmchen@gmail.com>
commit a3dc32c635bae0ae569f489e00de0e8f015bfc25 upstream.
Many Realtek USB Wi-Fi dongles released in recent years have two modes:
one is driver CD mode which has Windows driver onboard, another one is
Wi-Fi mode. Add the US_FL_IGNORE_DEVICE quirk for these multi-mode devices.
Otherwise, usb_modeswitch may fail to switch them to Wi-Fi mode.
Currently there are only two USB IDs known to be used by these multi-mode
Wi-Fi dongles: 0bda:1a2b and 0bda:a192.
Information about Mercury MW310UH in /sys/kernel/debug/usb/devices.
T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 12 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=0bda ProdID=a192 Rev= 2.00
S: Manufacturer=Realtek
S: Product=DISK
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Information about D-Link AX9U rev. A1 in /sys/kernel/debug/usb/devices.
T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 55 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=0bda ProdID=1a2b Rev= 0.00
S: Manufacturer=Realtek
S: Product=DISK
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable <stable@kernel.org>
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250813162415.2630-1-zenmchen@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_devs.h | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1490,6 +1490,28 @@ UNUSUAL_DEV( 0x0bc2, 0x3332, 0x0000, 0x9
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_NO_WP_DETECT ),
+/*
+ * Reported by Zenm Chen <zenmchen@gmail.com>
+ * Ignore driver CD mode, otherwise usb_modeswitch may fail to switch
+ * the device into Wi-Fi mode.
+ */
+UNUSUAL_DEV( 0x0bda, 0x1a2b, 0x0000, 0xffff,
+ "Realtek",
+ "DISK",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_IGNORE_DEVICE ),
+
+/*
+ * Reported by Zenm Chen <zenmchen@gmail.com>
+ * Ignore driver CD mode, otherwise usb_modeswitch may fail to switch
+ * the device into Wi-Fi mode.
+ */
+UNUSUAL_DEV( 0x0bda, 0xa192, 0x0000, 0xffff,
+ "Realtek",
+ "DISK",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_IGNORE_DEVICE ),
+
UNUSUAL_DEV( 0x0d49, 0x7310, 0x0000, 0x9999,
"Maxtor",
"USB to SATA",
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 590/644] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (588 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 589/644] USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 591/644] usb: dwc3: Remove WARN_ON for device endpoint command timeouts Greg Kroah-Hartman
` (59 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Kuen-Han Tsai, Thinh Nguyen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuen-Han Tsai <khtsai@google.com>
commit 58577118cc7cec9eb7c1836bf88f865ff2c5e3a3 upstream.
During a device-initiated disconnect, the End Transfer command resets
the event filter, allowing a new xferNotReady event to be generated
before the controller is fully halted. Processing this late event
incorrectly triggers a Start Transfer, which prevents the controller
from halting and results in a DSTS.DEVCTLHLT bit polling timeout.
Ignore the late xferNotReady event if the controller is already in a
disconnected state.
Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20250807090700.2397190-1-khtsai@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -3534,6 +3534,15 @@ static void dwc3_gadget_endpoint_transfe
static void dwc3_gadget_endpoint_transfer_not_ready(struct dwc3_ep *dep,
const struct dwc3_event_depevt *event)
{
+ /*
+ * During a device-initiated disconnect, a late xferNotReady event can
+ * be generated after the End Transfer command resets the event filter,
+ * but before the controller is halted. Ignore it to prevent a new
+ * transfer from starting.
+ */
+ if (!dep->dwc->connected)
+ return;
+
dwc3_gadget_endpoint_frame_from_event(dep, event);
/*
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 591/644] usb: dwc3: Remove WARN_ON for device endpoint command timeouts
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (589 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 590/644] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 592/644] drm/amd/display: Dont overclock DCE 6 by 15% Greg Kroah-Hartman
` (58 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Akash M, Selvarasu Ganesan,
Thinh Nguyen, Sebastian Andrzej Siewior
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Selvarasu Ganesan <selvarasu.g@samsung.com>
commit 45eae113dccaf8e502090ecf5b3d9e9b805add6f upstream.
This commit addresses a rarely observed endpoint command timeout
which causes kernel panic due to warn when 'panic_on_warn' is enabled
and unnecessary call trace prints when 'panic_on_warn' is disabled.
It is seen during fast software-controlled connect/disconnect testcases.
The following is one such endpoint command timeout that we observed:
1. Connect
=======
->dwc3_thread_interrupt
->dwc3_ep0_interrupt
->configfs_composite_setup
->composite_setup
->usb_ep_queue
->dwc3_gadget_ep0_queue
->__dwc3_gadget_ep0_queue
->__dwc3_ep0_do_control_data
->dwc3_send_gadget_ep_cmd
2. Disconnect
==========
->dwc3_thread_interrupt
->dwc3_gadget_disconnect_interrupt
->dwc3_ep0_reset_state
->dwc3_ep0_end_control_data
->dwc3_send_gadget_ep_cmd
In the issue scenario, in Exynos platforms, we observed that control
transfers for the previous connect have not yet been completed and end
transfer command sent as a part of the disconnect sequence and
processing of USB_ENDPOINT_HALT feature request from the host timeout.
This maybe an expected scenario since the controller is processing EP
commands sent as a part of the previous connect. It maybe better to
remove WARN_ON in all places where device endpoint commands are sent to
avoid unnecessary kernel panic due to warn.
Cc: stable <stable@kernel.org>
Co-developed-by: Akash M <akash.m5@samsung.com>
Signed-off-by: Akash M <akash.m5@samsung.com>
Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://lore.kernel.org/r/20250808125315.1607-1-selvarasu.g@samsung.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/ep0.c | 20 ++++++++++++++++----
drivers/usb/dwc3/gadget.c | 10 ++++++++--
2 files changed, 24 insertions(+), 6 deletions(-)
--- a/drivers/usb/dwc3/ep0.c
+++ b/drivers/usb/dwc3/ep0.c
@@ -282,7 +282,9 @@ void dwc3_ep0_out_start(struct dwc3 *dwc
dwc3_ep0_prepare_one_trb(dep, dwc->ep0_trb_addr, 8,
DWC3_TRBCTL_CONTROL_SETUP, false);
ret = dwc3_ep0_start_trans(dep);
- WARN_ON(ret < 0);
+ if (ret < 0)
+ dev_err(dwc->dev, "ep0 out start transfer failed: %d\n", ret);
+
for (i = 2; i < DWC3_ENDPOINTS_NUM; i++) {
struct dwc3_ep *dwc3_ep;
@@ -1050,7 +1052,9 @@ static void __dwc3_ep0_do_control_data(s
ret = dwc3_ep0_start_trans(dep);
}
- WARN_ON(ret < 0);
+ if (ret < 0)
+ dev_err(dwc->dev,
+ "ep0 data phase start transfer failed: %d\n", ret);
}
static int dwc3_ep0_start_control_status(struct dwc3_ep *dep)
@@ -1067,7 +1071,12 @@ static int dwc3_ep0_start_control_status
static void __dwc3_ep0_do_control_status(struct dwc3 *dwc, struct dwc3_ep *dep)
{
- WARN_ON(dwc3_ep0_start_control_status(dep));
+ int ret;
+
+ ret = dwc3_ep0_start_control_status(dep);
+ if (ret)
+ dev_err(dwc->dev,
+ "ep0 status phase start transfer failed: %d\n", ret);
}
static void dwc3_ep0_do_control_status(struct dwc3 *dwc,
@@ -1109,7 +1118,10 @@ void dwc3_ep0_end_control_data(struct dw
cmd |= DWC3_DEPCMD_PARAM(dep->resource_index);
memset(¶ms, 0, sizeof(params));
ret = dwc3_send_gadget_ep_cmd(dep, cmd, ¶ms);
- WARN_ON_ONCE(ret);
+ if (ret)
+ dev_err_ratelimited(dwc->dev,
+ "ep0 data phase end transfer failed: %d\n", ret);
+
dep->resource_index = 0;
}
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1693,7 +1693,11 @@ static int __dwc3_stop_active_transfer(s
dep->flags |= DWC3_EP_DELAY_STOP;
return 0;
}
- WARN_ON_ONCE(ret);
+
+ if (ret)
+ dev_err_ratelimited(dep->dwc->dev,
+ "end transfer failed: %d\n", ret);
+
dep->resource_index = 0;
if (!interrupt) {
@@ -3835,7 +3839,9 @@ static void dwc3_clear_stall_all_ep(stru
dep->flags &= ~DWC3_EP_STALL;
ret = dwc3_send_clear_stall_ep_cmd(dep);
- WARN_ON_ONCE(ret);
+ if (ret)
+ dev_err_ratelimited(dwc->dev,
+ "failed to clear STALL on %s\n", dep->name);
}
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 592/644] drm/amd/display: Dont overclock DCE 6 by 15%
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (590 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 591/644] usb: dwc3: Remove WARN_ON for device endpoint command timeouts Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 593/644] mptcp: disable add_addr retransmission when timeout is 0 Greg Kroah-Hartman
` (57 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher,
Rodrigo Siqueira, Alex Hung, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Kristóf <timur.kristof@gmail.com>
[ Upstream commit cb7b7ae53b557d168b4af5cd8549f3eff920bfb5 ]
The extra 15% clock was added as a workaround for a Polaris issue
which uses DCE 11, and should not have been used on DCE 6 which
is already hardcoded to the highest possible display clock.
Unfortunately, the extra 15% was mistakenly copied and kept
even on code paths which don't affect Polaris.
This commit fixes that and also adds a check to make sure
not to exceed the maximum DCE 6 display clock.
Fixes: 8cd61c313d8b ("drm/amd/display: Raise dispclk value for Polaris")
Fixes: dc88b4a684d2 ("drm/amd/display: make clk mgr soc specific")
Fixes: 3ecb3b794e2c ("drm/amd/display: dc/clk_mgr: add support for SI parts (v2)")
Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 427980c1cbd22bb256b9385f5ce73c0937562408)
Cc: stable@vger.kernel.org
[ `MIN` => `min` ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
@@ -112,11 +112,9 @@ static void dce60_update_clocks(struct c
{
struct clk_mgr_internal *clk_mgr_dce = TO_CLK_MGR_INTERNAL(clk_mgr_base);
struct dm_pp_power_level_change_request level_change_req;
- int patched_disp_clk = context->bw_ctx.bw.dce.dispclk_khz;
-
- /*TODO: W/A for dal3 linux, investigate why this works */
- if (!clk_mgr_dce->dfs_bypass_active)
- patched_disp_clk = patched_disp_clk * 115 / 100;
+ const int max_disp_clk =
+ clk_mgr_dce->max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz;
+ int patched_disp_clk = min(max_disp_clk, context->bw_ctx.bw.dce.dispclk_khz);
level_change_req.power_level = dce_get_required_clocks_state(clk_mgr_base, context);
/* get max clock state from PPLIB */
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 593/644] mptcp: disable add_addr retransmission when timeout is 0
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (591 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 592/644] drm/amd/display: Dont overclock DCE 6 by 15% Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 594/644] drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Greg Kroah-Hartman
` (56 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts, Geliang Tang,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geliang Tang <tanggeliang@kylinos.cn>
[ Upstream commit f5ce0714623cffd00bf2a83e890d09c609b7f50a ]
When add_addr_timeout was set to 0, this caused the ADD_ADDR to be
retransmitted immediately, which looks like a buggy behaviour. Instead,
interpret 0 as "no retransmissions needed".
The documentation is updated to explicitly state that setting the timeout
to 0 disables retransmission.
Fixes: 93f323b9cccc ("mptcp: add a new sysctl add_addr_timeout")
Cc: stable@vger.kernel.org
Suggested-by: Matthieu Baerts <matttbe@kernel.org>
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-5-521fe9957892@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ pm.c => pm_netlink.c , drop mptcp_pm_alloc_anno_list hunk ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/networking/mptcp-sysctl.rst | 2 ++
net/mptcp/pm_netlink.c | 13 ++++++++++---
2 files changed, 12 insertions(+), 3 deletions(-)
--- a/Documentation/networking/mptcp-sysctl.rst
+++ b/Documentation/networking/mptcp-sysctl.rst
@@ -20,6 +20,8 @@ add_addr_timeout - INTEGER (seconds)
resent to an MPTCP peer that has not acknowledged a previous
ADD_ADDR message.
+ Do not retransmit if set to 0.
+
The default value matches TCP_RTO_MAX. This is a per-namespace
sysctl.
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -316,6 +316,7 @@ static void mptcp_pm_add_timer(struct ti
struct mptcp_pm_add_entry *entry = from_timer(entry, timer, add_timer);
struct mptcp_sock *msk = entry->sock;
struct sock *sk = (struct sock *)msk;
+ unsigned int timeout;
pr_debug("msk=%p\n", msk);
@@ -333,6 +334,10 @@ static void mptcp_pm_add_timer(struct ti
goto out;
}
+ timeout = mptcp_get_add_addr_timeout(sock_net(sk));
+ if (!timeout)
+ goto out;
+
spin_lock_bh(&msk->pm.lock);
if (!mptcp_pm_should_add_signal_addr(msk)) {
@@ -344,7 +349,7 @@ static void mptcp_pm_add_timer(struct ti
if (entry->retrans_times < ADD_ADDR_RETRANS_MAX)
sk_reset_timer(sk, timer,
- jiffies + mptcp_get_add_addr_timeout(sock_net(sk)));
+ jiffies + timeout);
spin_unlock_bh(&msk->pm.lock);
@@ -386,6 +391,7 @@ static bool mptcp_pm_alloc_anno_list(str
struct mptcp_pm_add_entry *add_entry = NULL;
struct sock *sk = (struct sock *)msk;
struct net *net = sock_net(sk);
+ unsigned int timeout;
lockdep_assert_held(&msk->pm.lock);
@@ -403,8 +409,9 @@ static bool mptcp_pm_alloc_anno_list(str
add_entry->retrans_times = 0;
timer_setup(&add_entry->add_timer, mptcp_pm_add_timer, 0);
- sk_reset_timer(sk, &add_entry->add_timer,
- jiffies + mptcp_get_add_addr_timeout(net));
+ timeout = mptcp_get_add_addr_timeout(net);
+ if (timeout)
+ sk_reset_timer(sk, &add_entry->add_timer, jiffies + timeout);
return true;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 594/644] drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (592 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 593/644] mptcp: disable add_addr retransmission when timeout is 0 Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 595/644] f2fs: fix to avoid out-of-boundary access in dnode page Greg Kroah-Hartman
` (55 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä, Jani Nikula,
Jani Nikula, Imre Deak, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Imre Deak <imre.deak@intel.com>
[ Upstream commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f ]
Reading DPCD registers has side-effects in general. In particular
accessing registers outside of the link training register range
(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
forbidden by the DP v2.1 Standard, see
3.6.5.1 DPTX AUX Transaction Handling Mandates
3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
Based on my tests, accessing the DPCD_REV register during the link
training of an UHBR TBT DP tunnel sink leads to link training failures.
Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
DPCD register access quirk.
Cc: <stable@vger.kernel.org>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Acked-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
[ call to drm_dp_dpcd_access() instead of drm_dp_dpcd_probe() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_dp_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_dp_helper.c
+++ b/drivers/gpu/drm/drm_dp_helper.c
@@ -336,7 +336,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
* monitor doesn't power down exactly after the throw away read.
*/
if (!aux->is_remote) {
- ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_DPCD_REV,
+ ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_LANE0_1_STATUS,
buffer, 1);
if (ret != 1)
goto out;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 595/644] f2fs: fix to avoid out-of-boundary access in dnode page
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (593 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 594/644] drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 596/644] media: camss: Convert to platform remove callback returning void Greg Kroah-Hartman
` (54 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jiaming Zhang, Chao Yu,
Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 ]
As Jiaming Zhang reported:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x17e/0x800 mm/kasan/report.c:480
kasan_report+0x147/0x180 mm/kasan/report.c:593
data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
prepare_write_begin fs/f2fs/data.c:3395 [inline]
f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x546/0xa90 fs/read_write.c:686
ksys_write+0x149/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The root cause is in the corrupted image, there is a dnode has the same
node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to
access block address in dnode at offset 934, however it parses the dnode
as inode node, so that get_dnode_addr() returns 360, then it tries to
access page address from 360 + 934 * 4 = 4096 w/ 4 bytes.
To fix this issue, let's add sanity check for node id of all direct nodes
during f2fs_get_dnode_of_data().
Cc: stable@kernel.org
Reported-by: Jiaming Zhang <r772577952@gmail.com>
Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ replaced f2fs_err_ratelimited() with f2fs_err() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/node.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -798,6 +798,16 @@ int f2fs_get_dnode_of_data(struct dnode_
for (i = 1; i <= level; i++) {
bool done = false;
+ if (nids[i] && nids[i] == dn->inode->i_ino) {
+ err = -EFSCORRUPTED;
+ f2fs_err(sbi,
+ "inode mapping table is corrupted, run fsck to fix it, "
+ "ino:%lu, nid:%u, level:%d, offset:%d",
+ dn->inode->i_ino, nids[i], level, offset[level]);
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ goto release_pages;
+ }
+
if (!nids[i] && mode == ALLOC_NODE) {
/* alloc new node */
if (!f2fs_alloc_nid(sbi, &(nids[i]))) {
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 596/644] media: camss: Convert to platform remove callback returning void
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (594 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 595/644] f2fs: fix to avoid out-of-boundary access in dnode page Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 597/644] media: qcom: camss: cleanup media device allocated resource on error path Greg Kroah-Hartman
` (53 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Hans Verkuil,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 428bbf4be4018aefa26e4d6531779fa8925ecaaf ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Stable-dep-of: 69080ec3d0da ("media: qcom: camss: cleanup media device allocated resource on error path")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/camss/camss.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/media/platform/qcom/camss/camss.c
+++ b/drivers/media/platform/qcom/camss/camss.c
@@ -1477,7 +1477,7 @@ void camss_delete(struct camss *camss)
*
* Always returns 0.
*/
-static int camss_remove(struct platform_device *pdev)
+static void camss_remove(struct platform_device *pdev)
{
struct camss *camss = platform_get_drvdata(pdev);
@@ -1487,8 +1487,6 @@ static int camss_remove(struct platform_
if (atomic_read(&camss->ref_count) == 0)
camss_delete(camss);
-
- return 0;
}
static const struct of_device_id camss_dt_match[] = {
@@ -1519,7 +1517,7 @@ static const struct dev_pm_ops camss_pm_
static struct platform_driver qcom_camss_driver = {
.probe = camss_probe,
- .remove = camss_remove,
+ .remove_new = camss_remove,
.driver = {
.name = "qcom-camss",
.of_match_table = camss_dt_match,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 597/644] media: qcom: camss: cleanup media device allocated resource on error path
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (595 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 596/644] media: camss: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 598/644] media: venus: Add support for SSR trigger using fault injection Greg Kroah-Hartman
` (52 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Bryan ODonoghue,
Bryan ODonoghue, Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sasha Levin <sashal@kernel.org>
[ Upstream commit 69080ec3d0daba8a894025476c98ab16b5a505a4 ]
A call to media_device_init() requires media_device_cleanup() counterpart
to complete cleanup and release any allocated resources.
This has been done in the driver .remove() right from the beginning, but
error paths on .probe() shall also be fixed.
Fixes: a1d7c116fcf7 ("media: camms: Add core files")
Cc: stable@vger.kernel.org
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
[ adapted error label from err_genpd_cleanup to err_cleanup ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/camss/camss.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/qcom/camss/camss.c
+++ b/drivers/media/platform/qcom/camss/camss.c
@@ -1396,7 +1396,7 @@ static int camss_probe(struct platform_d
ret = v4l2_device_register(camss->dev, &camss->v4l2_dev);
if (ret < 0) {
dev_err(dev, "Failed to register V4L2 device: %d\n", ret);
- goto err_cleanup;
+ goto err_media_cleanup;
}
ret = camss_register_entities(camss);
@@ -1438,6 +1438,8 @@ err_register_subdevs:
camss_unregister_entities(camss);
err_register_entities:
v4l2_device_unregister(&camss->v4l2_dev);
+err_media_cleanup:
+ media_device_cleanup(&camss->media_dev);
err_cleanup:
v4l2_async_notifier_cleanup(&camss->notifier);
err_free:
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 598/644] media: venus: Add support for SSR trigger using fault injection
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (596 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 597/644] media: qcom: camss: cleanup media device allocated resource on error path Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 599/644] media: venus: protect against spurious interrupts during probe Greg Kroah-Hartman
` (51 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov, Dikshita Agarwal,
Stephen Boyd, Mauro Carvalho Chehab, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dikshita Agarwal <quic_dikshita@quicinc.com>
[ Upstream commit 748b080f21678f2988b0da2d2b396a6f928d9b2c ]
Here we introduce a new fault injection for SSR trigger.
To trigger the SSR:
echo 100 > /sys/kernel/debug/venus/fail_ssr/probability
echo 1 > /sys/kernel/debug/venus/fail_ssr/times
Co-developed-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Stable-dep-of: 3200144a2fa4 ("media: venus: protect against spurious interrupts during probe")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/core.c | 15 ++++++++++++++-
drivers/media/platform/qcom/venus/dbgfs.c | 9 +++++++++
drivers/media/platform/qcom/venus/dbgfs.h | 13 +++++++++++++
3 files changed, 36 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/qcom/venus/core.c
+++ b/drivers/media/platform/qcom/venus/core.c
@@ -263,6 +263,19 @@ static void venus_assign_register_offset
}
}
+static irqreturn_t venus_isr_thread(int irq, void *dev_id)
+{
+ struct venus_core *core = dev_id;
+ irqreturn_t ret;
+
+ ret = hfi_isr_thread(irq, dev_id);
+
+ if (ret == IRQ_HANDLED && venus_fault_inject_ssr())
+ hfi_core_trigger_ssr(core, HFI_TEST_SSR_SW_ERR_FATAL);
+
+ return ret;
+}
+
static int venus_probe(struct platform_device *pdev)
{
struct device *dev = &pdev->dev;
@@ -319,7 +332,7 @@ static int venus_probe(struct platform_d
mutex_init(&core->lock);
INIT_DELAYED_WORK(&core->work, venus_sys_error_handler);
- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, hfi_isr_thread,
+ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
"venus", core);
if (ret)
--- a/drivers/media/platform/qcom/venus/dbgfs.c
+++ b/drivers/media/platform/qcom/venus/dbgfs.c
@@ -4,13 +4,22 @@
*/
#include <linux/debugfs.h>
+#include <linux/fault-inject.h>
#include "core.h"
+#ifdef CONFIG_FAULT_INJECTION
+DECLARE_FAULT_ATTR(venus_ssr_attr);
+#endif
+
void venus_dbgfs_init(struct venus_core *core)
{
core->root = debugfs_create_dir("venus", NULL);
debugfs_create_x32("fw_level", 0644, core->root, &venus_fw_debug);
+
+#ifdef CONFIG_FAULT_INJECTION
+ fault_create_debugfs_attr("fail_ssr", core->root, &venus_ssr_attr);
+#endif
}
void venus_dbgfs_deinit(struct venus_core *core)
--- a/drivers/media/platform/qcom/venus/dbgfs.h
+++ b/drivers/media/platform/qcom/venus/dbgfs.h
@@ -4,8 +4,21 @@
#ifndef __VENUS_DBGFS_H__
#define __VENUS_DBGFS_H__
+#include <linux/fault-inject.h>
+
struct venus_core;
+#ifdef CONFIG_FAULT_INJECTION
+extern struct fault_attr venus_ssr_attr;
+static inline bool venus_fault_inject_ssr(void)
+{
+ return should_fail(&venus_ssr_attr, 1);
+}
+#else
+static inline bool venus_fault_inject_ssr(void) { return false; }
+#endif
+
+
void venus_dbgfs_init(struct venus_core *core);
void venus_dbgfs_deinit(struct venus_core *core);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 599/644] media: venus: protect against spurious interrupts during probe
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (597 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 598/644] media: venus: Add support for SSR trigger using fault injection Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 600/644] locking/barriers, kcsan: Support generic instrumentation Greg Kroah-Hartman
` (50 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jorge Ramirez-Ortiz, Bryan ODonoghue,
Vikash Garodia, Dikshita Agarwal, Bryan ODonoghue, Hans Verkuil,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
[ Upstream commit 3200144a2fa4209dc084a19941b9b203b43580f0 ]
Make sure the interrupt handler is initialized before the interrupt is
registered.
If the IRQ is registered before hfi_create(), it's possible that an
interrupt fires before the handler setup is complete, leading to a NULL
dereference.
This error condition has been observed during system boot on Rb3Gen2.
Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
Cc: stable@vger.kernel.org
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/core.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/media/platform/qcom/venus/core.c
+++ b/drivers/media/platform/qcom/venus/core.c
@@ -332,13 +332,13 @@ static int venus_probe(struct platform_d
mutex_init(&core->lock);
INIT_DELAYED_WORK(&core->work, venus_sys_error_handler);
- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
- "venus", core);
+ ret = hfi_create(core, &venus_core_ops);
if (ret)
goto err_core_put;
- ret = hfi_create(core, &venus_core_ops);
+ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
+ IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+ "venus", core);
if (ret)
goto err_core_put;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 600/644] locking/barriers, kcsan: Support generic instrumentation
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (598 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 599/644] media: venus: protect against spurious interrupts during probe Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 601/644] asm-generic: Add memory barrier dma_mb() Greg Kroah-Hartman
` (49 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marco Elver, Paul E. McKenney,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marco Elver <elver@google.com>
[ Upstream commit 2505a51ac6f249956735e0a369e2404f96eebef0 ]
Thus far only smp_*() barriers had been defined by asm-generic/barrier.h
based on __smp_*() barriers, because the !SMP case is usually generic.
With the introduction of instrumentation, it also makes sense to have
asm-generic/barrier.h assist in the definition of instrumented versions
of mb(), rmb(), wmb(), dma_rmb(), and dma_wmb().
Because there is no requirement to distinguish the !SMP case, the
definition can be simpler: we can avoid also providing fallbacks for the
__ prefixed cases, and only check if `defined(__<barrier>)`, to finally
define the KCSAN-instrumented versions.
This also allows for the compiler to complain if an architecture
accidentally defines both the normal and __ prefixed variant.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Stable-dep-of: aa6956150f82 ("wifi: ath11k: fix dest ring-buffer corruption when ring is full")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/asm-generic/barrier.h | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
--- a/include/asm-generic/barrier.h
+++ b/include/asm-generic/barrier.h
@@ -21,6 +21,31 @@
#endif
/*
+ * Architectures that want generic instrumentation can define __ prefixed
+ * variants of all barriers.
+ */
+
+#ifdef __mb
+#define mb() do { kcsan_mb(); __mb(); } while (0)
+#endif
+
+#ifdef __rmb
+#define rmb() do { kcsan_rmb(); __rmb(); } while (0)
+#endif
+
+#ifdef __wmb
+#define wmb() do { kcsan_wmb(); __wmb(); } while (0)
+#endif
+
+#ifdef __dma_rmb
+#define dma_rmb() do { kcsan_rmb(); __dma_rmb(); } while (0)
+#endif
+
+#ifdef __dma_wmb
+#define dma_wmb() do { kcsan_wmb(); __dma_wmb(); } while (0)
+#endif
+
+/*
* Force strict CPU ordering. And yes, this is required on UP too when we're
* talking to devices.
*
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 601/644] asm-generic: Add memory barrier dma_mb()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (599 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 600/644] locking/barriers, kcsan: Support generic instrumentation Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 602/644] wifi: ath11k: fix dest ring-buffer corruption when ring is full Greg Kroah-Hartman
` (48 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kefeng Wang, Marco Elver,
Will Deacon, Sasha Levin, Arnd Bergmann
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kefeng Wang <wangkefeng.wang@huawei.com>
[ Upstream commit ed59dfd9509d172e4920994ed9cbebf93b0050cc ]
The memory barrier dma_mb() is introduced by commit a76a37777f2c
("iommu/arm-smmu-v3: Ensure queue is read after updating prod pointer"),
which is used to ensure that prior (both reads and writes) accesses
to memory by a CPU are ordered w.r.t. a subsequent MMIO write.
Reviewed-by: Arnd Bergmann <arnd@arndb.de> # for asm-generic
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reviewed-by: Marco Elver <elver@google.com>
Link: https://lore.kernel.org/r/20220523113126.171714-2-wangkefeng.wang@huawei.com
Signed-off-by: Will Deacon <will@kernel.org>
Stable-dep-of: aa6956150f82 ("wifi: ath11k: fix dest ring-buffer corruption when ring is full")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/memory-barriers.txt | 11 ++++++-----
include/asm-generic/barrier.h | 8 ++++++++
2 files changed, 14 insertions(+), 5 deletions(-)
--- a/Documentation/memory-barriers.txt
+++ b/Documentation/memory-barriers.txt
@@ -1894,6 +1894,7 @@ There are some more advanced barrier fun
(*) dma_wmb();
(*) dma_rmb();
+ (*) dma_mb();
These are for use with consistent memory to guarantee the ordering
of writes or reads of shared memory accessible to both the CPU and a
@@ -1925,11 +1926,11 @@ There are some more advanced barrier fun
The dma_rmb() allows us guarantee the device has released ownership
before we read the data from the descriptor, and the dma_wmb() allows
us to guarantee the data is written to the descriptor before the device
- can see it now has ownership. Note that, when using writel(), a prior
- wmb() is not needed to guarantee that the cache coherent memory writes
- have completed before writing to the MMIO region. The cheaper
- writel_relaxed() does not provide this guarantee and must not be used
- here.
+ can see it now has ownership. The dma_mb() implies both a dma_rmb() and
+ a dma_wmb(). Note that, when using writel(), a prior wmb() is not needed
+ to guarantee that the cache coherent memory writes have completed before
+ writing to the MMIO region. The cheaper writel_relaxed() does not provide
+ this guarantee and must not be used here.
See the subsection "Kernel I/O barrier effects" for more information on
relaxed I/O accessors and the Documentation/core-api/dma-api.rst file for
--- a/include/asm-generic/barrier.h
+++ b/include/asm-generic/barrier.h
@@ -37,6 +37,10 @@
#define wmb() do { kcsan_wmb(); __wmb(); } while (0)
#endif
+#ifdef __dma_mb
+#define dma_mb() do { kcsan_mb(); __dma_mb(); } while (0)
+#endif
+
#ifdef __dma_rmb
#define dma_rmb() do { kcsan_rmb(); __dma_rmb(); } while (0)
#endif
@@ -64,6 +68,10 @@
#define wmb() mb()
#endif
+#ifndef dma_mb
+#define dma_mb() mb()
+#endif
+
#ifndef dma_rmb
#define dma_rmb() rmb()
#endif
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 602/644] wifi: ath11k: fix dest ring-buffer corruption when ring is full
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (600 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 601/644] asm-generic: Add memory barrier dma_mb() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 603/644] soc: qcom: mdt_loader: Ensure we dont read past the ELF header Greg Kroah-Hartman
` (47 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Baochen Qiang,
Jeff Johnson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
[ Upstream commit aa6956150f820e6a6deba44be325ddfcb5b10f88 ]
Add the missing memory barriers to make sure that destination ring
descriptors are read before updating the tail pointer (and passing
ownership to the device) to avoid memory corruption on weakly ordered
architectures like aarch64 when the ring is full.
Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Cc: stable@vger.kernel.org # 5.6
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
Link: https://patch.msgid.link/20250604143457.26032-6-johan+linaro@kernel.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/hal.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -789,7 +789,6 @@ void ath11k_hal_srng_access_end(struct a
{
lockdep_assert_held(&srng->lock);
- /* TODO: See if we need a write memory barrier here */
if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) {
/* For LMAC rings, ring pointer updates are done through FW and
* hence written to a shared memory location that is read by FW
@@ -804,7 +803,11 @@ void ath11k_hal_srng_access_end(struct a
WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp);
} else {
srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
- *srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;
+ /* Make sure descriptor is read before updating the
+ * tail pointer.
+ */
+ dma_mb();
+ WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp);
}
} else {
if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
@@ -820,6 +823,10 @@ void ath11k_hal_srng_access_end(struct a
srng->u.src_ring.hp);
} else {
srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
+ /* Make sure descriptor is read before updating the
+ * tail pointer.
+ */
+ mb();
ath11k_hif_write32(ab,
(unsigned long)srng->u.dst_ring.tp_addr -
(unsigned long)ab->mem,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 603/644] soc: qcom: mdt_loader: Ensure we dont read past the ELF header
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (601 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 602/644] wifi: ath11k: fix dest ring-buffer corruption when ring is full Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 604/644] iio: adc: ad_sigma_delta: change to buffer predisable Greg Kroah-Hartman
` (46 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Anderson, Bjorn Andersson,
Dmitry Baryshkov, Bjorn Andersson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
[ Upstream commit 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef ]
When the MDT loader is used in remoteproc, the ELF header is sanitized
beforehand, but that's not necessary the case for other clients.
Validate the size of the firmware buffer to ensure that we don't read
past the end as we iterate over the header. e_phentsize and e_shentsize
are validated as well, to ensure that the assumptions about step size in
the traversal are valid.
Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom")
Cc: stable@vger.kernel.org
Reported-by: Doug Anderson <dianders@chromium.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/mdt_loader.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
--- a/drivers/soc/qcom/mdt_loader.c
+++ b/drivers/soc/qcom/mdt_loader.c
@@ -12,11 +12,43 @@
#include <linux/firmware.h>
#include <linux/kernel.h>
#include <linux/module.h>
+#include <linux/overflow.h>
#include <linux/qcom_scm.h>
#include <linux/sizes.h>
#include <linux/slab.h>
#include <linux/soc/qcom/mdt_loader.h>
+static bool mdt_header_valid(const struct firmware *fw)
+{
+ const struct elf32_hdr *ehdr;
+ size_t phend;
+ size_t shend;
+
+ if (fw->size < sizeof(*ehdr))
+ return false;
+
+ ehdr = (struct elf32_hdr *)fw->data;
+
+ if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG))
+ return false;
+
+ if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
+ return false;
+
+ phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
+ if (phend > fw->size)
+ return false;
+
+ if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
+ return false;
+
+ shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
+ if (shend > fw->size)
+ return false;
+
+ return true;
+}
+
static bool mdt_phdr_valid(const struct elf32_phdr *phdr)
{
if (phdr->p_type != PT_LOAD)
@@ -46,6 +78,9 @@ ssize_t qcom_mdt_get_size(const struct f
phys_addr_t max_addr = 0;
int i;
+ if (!mdt_header_valid(fw))
+ return -EINVAL;
+
ehdr = (struct elf32_hdr *)fw->data;
phdrs = (struct elf32_phdr *)(ehdr + 1);
@@ -92,6 +127,9 @@ void *qcom_mdt_read_metadata(const struc
size_t ehdr_size;
void *data;
+ if (!mdt_header_valid(fw))
+ return ERR_PTR(-EINVAL);
+
ehdr = (struct elf32_hdr *)fw->data;
phdrs = (struct elf32_phdr *)(ehdr + 1);
@@ -151,6 +189,9 @@ static int __qcom_mdt_load(struct device
if (!fw || !mem_region || !mem_phys || !mem_size)
return -EINVAL;
+ if (!mdt_header_valid(fw))
+ return -EINVAL;
+
ehdr = (struct elf32_hdr *)fw->data;
phdrs = (struct elf32_phdr *)(ehdr + 1);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 604/644] iio: adc: ad_sigma_delta: change to buffer predisable
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (602 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 603/644] soc: qcom: mdt_loader: Ensure we dont read past the ELF header Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 605/644] scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE Greg Kroah-Hartman
` (45 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Lechner, Nuno Sá,
Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner <dlechner@baylibre.com>
[ Upstream commit 66d4374d97f85516b5a22418c5e798aed2606dec ]
Change the buffer disable callback from postdisable to predisable.
This balances the existing posteanble callback. Using postdisable
with posteanble can be problematic, for example, if update_scan_mode
fails, it would call postdisable without ever having called posteanble,
so the drivers using this would be in an unexpected state when
postdisable was called.
Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices")
Signed-off-by: David Lechner <dlechner@baylibre.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20250703-iio-adc-ad_sigma_delta-buffer-predisable-v1-1-f2ab85138f1f@baylibre.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad_sigma_delta.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -371,7 +371,7 @@ err_unlock:
return ret;
}
-static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev)
+static int ad_sd_buffer_predisable(struct iio_dev *indio_dev)
{
struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev);
@@ -432,7 +432,7 @@ static irqreturn_t ad_sd_trigger_handler
static const struct iio_buffer_setup_ops ad_sd_buffer_setup_ops = {
.postenable = &ad_sd_buffer_postenable,
- .postdisable = &ad_sd_buffer_postdisable,
+ .predisable = &ad_sd_buffer_predisable,
.validate_scan_mask = &iio_validate_scan_mask_onehot,
};
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 605/644] scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (603 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 604/644] iio: adc: ad_sigma_delta: change to buffer predisable Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 606/644] scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers Greg Kroah-Hartman
` (44 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, André Draszik, Bart Van Assche,
Peter Griffin, Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: André Draszik <andre.draszik@linaro.org>
[ Upstream commit 01aad16c2257ab8ff33b152b972c9f2e1af47912 ]
On Google gs101, the number of UTP transfer request slots (nutrs) is 32,
and in this case the driver ends up programming the UTRL_NEXUS_TYPE
incorrectly as 0.
This is because the left hand side of the shift is 1, which is of type
int, i.e. 31 bits wide. Shifting by more than that width results in
undefined behaviour.
Fix this by switching to the BIT() macro, which applies correct type
casting as required. This ensures the correct value is written to
UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift
warning:
UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
shift exponent 32 is too large for 32-bit type 'int'
For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE
write.
Fixes: 55f4b1f73631 ("scsi: ufs: ufs-exynos: Add UFS host support for Exynos SoCs")
Cc: stable@vger.kernel.org
Signed-off-by: André Draszik <andre.draszik@linaro.org>
Link: https://lore.kernel.org/r/20250707-ufs-exynos-shift-v1-1-1418e161ae40@linaro.org
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ Adjusted path from drivers/ufs/host to drivers/scsi/ufs ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/ufs/ufs-exynos.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/scsi/ufs/ufs-exynos.c
+++ b/drivers/scsi/ufs/ufs-exynos.c
@@ -837,8 +837,8 @@ static int exynos_ufs_post_link(struct u
hci_writel(ufs, 0xa, HCI_DATA_REORDER);
hci_writel(ufs, PRDT_SET_SIZE(12), HCI_TXPRDT_ENTRY_SIZE);
hci_writel(ufs, PRDT_SET_SIZE(12), HCI_RXPRDT_ENTRY_SIZE);
- hci_writel(ufs, (1 << hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
- hci_writel(ufs, (1 << hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
+ hci_writel(ufs, BIT(hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
+ hci_writel(ufs, BIT(hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
hci_writel(ufs, 0xf, HCI_AXIDMA_RWDATA_BURST_LEN);
if (ufs->opts & EXYNOS_UFS_OPT_SKIP_CONNECTION_ESTAB)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 606/644] scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (604 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 605/644] scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 607/644] scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems Greg Kroah-Hartman
` (43 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit 6853885b21cb1d7157cc14c9d30cc17141565bae ]
The volatile qualifier is redundant for __iomem pointers.
Cleaned up usage in mpi3mr_writeq() and sysif_regs pointer as per
Upstream compliance.
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250627194539.48851-3-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Stable-dep-of: c91e140c82eb ("scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpi3mr/mpi3mr.h | 2 +-
drivers/scsi/mpi3mr/mpi3mr_fw.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/scsi/mpi3mr/mpi3mr.h
+++ b/drivers/scsi/mpi3mr/mpi3mr.h
@@ -714,7 +714,7 @@ struct mpi3mr_ioc {
char name[MPI3MR_NAME_LENGTH];
char driver_name[MPI3MR_NAME_LENGTH];
- volatile struct mpi3_sysif_registers __iomem *sysif_regs;
+ struct mpi3_sysif_registers __iomem *sysif_regs;
resource_size_t sysif_regs_phys;
int bars;
u64 dma_mask;
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -11,12 +11,12 @@
#include <linux/io-64-nonatomic-lo-hi.h>
#if defined(writeq) && defined(CONFIG_64BIT)
-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr)
+static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
{
writeq(b, addr);
}
#else
-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr)
+static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
{
__u64 data_out = b;
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 607/644] scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (605 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 606/644] scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 608/644] pwm: mediatek: Implement .apply() callback Greg Kroah-Hartman
` (42 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ranjan Kumar, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ranjan Kumar <ranjan.kumar@broadcom.com>
[ Upstream commit c91e140c82eb58724c435f623702e51cc7896646 ]
On 32-bit systems, 64-bit BAR writes to admin queue registers are
performed as two 32-bit writes. Without locking, this can cause partial
writes when accessed concurrently.
Updated per-queue spinlocks is used to serialize these writes and prevent
race conditions.
Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
Cc: stable@vger.kernel.org
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/r/20250627194539.48851-4-ranjan.kumar@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ Adapt context in struct mpi3mr_ioc ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpi3mr/mpi3mr.h | 4 ++++
drivers/scsi/mpi3mr/mpi3mr_fw.c | 15 +++++++++++----
drivers/scsi/mpi3mr/mpi3mr_os.c | 2 ++
3 files changed, 17 insertions(+), 4 deletions(-)
--- a/drivers/scsi/mpi3mr/mpi3mr.h
+++ b/drivers/scsi/mpi3mr/mpi3mr.h
@@ -701,6 +701,8 @@ struct scmd_priv {
* @driver_info: Driver, Kernel, OS information to firmware
* @change_count: Topology change count
* @op_reply_q_offset: Operational reply queue offset with MSIx
+ * @adm_req_q_bar_writeq_lock: Admin request queue lock
+ * @adm_reply_q_bar_writeq_lock: Admin reply queue lock
*/
struct mpi3mr_ioc {
struct list_head list;
@@ -828,6 +830,8 @@ struct mpi3mr_ioc {
struct mpi3_driver_info_layout driver_info;
u16 change_count;
u16 op_reply_q_offset;
+ spinlock_t adm_req_q_bar_writeq_lock;
+ spinlock_t adm_reply_q_bar_writeq_lock;
};
/**
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -11,17 +11,22 @@
#include <linux/io-64-nonatomic-lo-hi.h>
#if defined(writeq) && defined(CONFIG_64BIT)
-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
+static inline void mpi3mr_writeq(__u64 b, void __iomem *addr,
+ spinlock_t *write_queue_lock)
{
writeq(b, addr);
}
#else
-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
+static inline void mpi3mr_writeq(__u64 b, void __iomem *addr,
+ spinlock_t *write_queue_lock)
{
__u64 data_out = b;
+ unsigned long flags;
+ spin_lock_irqsave(write_queue_lock, flags);
writel((u32)(data_out), addr);
writel((u32)(data_out >> 32), (addr + 4));
+ spin_unlock_irqrestore(write_queue_lock, flags);
}
#endif
@@ -2183,9 +2188,11 @@ static int mpi3mr_setup_admin_qpair(stru
(mrioc->num_admin_req);
writel(num_admin_entries, &mrioc->sysif_regs->admin_queue_num_entries);
mpi3mr_writeq(mrioc->admin_req_dma,
- &mrioc->sysif_regs->admin_request_queue_address);
+ &mrioc->sysif_regs->admin_request_queue_address,
+ &mrioc->adm_req_q_bar_writeq_lock);
mpi3mr_writeq(mrioc->admin_reply_dma,
- &mrioc->sysif_regs->admin_reply_queue_address);
+ &mrioc->sysif_regs->admin_reply_queue_address,
+ &mrioc->adm_reply_q_bar_writeq_lock);
writel(mrioc->admin_req_pi, &mrioc->sysif_regs->admin_request_queue_pi);
writel(mrioc->admin_reply_ci, &mrioc->sysif_regs->admin_reply_queue_ci);
return retval;
--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
@@ -3796,6 +3796,8 @@ mpi3mr_probe(struct pci_dev *pdev, const
spin_lock_init(&mrioc->tgtdev_lock);
spin_lock_init(&mrioc->watchdog_lock);
spin_lock_init(&mrioc->chain_buf_lock);
+ spin_lock_init(&mrioc->adm_req_q_bar_writeq_lock);
+ spin_lock_init(&mrioc->adm_reply_q_bar_writeq_lock);
INIT_LIST_HEAD(&mrioc->fwevt_list);
INIT_LIST_HEAD(&mrioc->tgtdev_list);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 608/644] pwm: mediatek: Implement .apply() callback
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (606 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 607/644] scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 609/644] pwm: mediatek: Handle hardware enable and clock enable separately Greg Kroah-Hartman
` (41 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
AngeloGioacchino Del Regno, Thierry Reding, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 758de66f4bd2cac2b1d71db917c65c3d611d4e74 ]
To eventually get rid of all legacy drivers convert this driver to the
modern world implementing .apply().
This just pushed a variant of pwm_apply_legacy() into the driver that was
slightly simplified because the driver doesn't provide a .set_polarity()
callback.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-mediatek.c | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
--- a/drivers/pwm/pwm-mediatek.c
+++ b/drivers/pwm/pwm-mediatek.c
@@ -205,10 +205,33 @@ static void pwm_mediatek_disable(struct
pwm_mediatek_clk_disable(chip, pwm);
}
+static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ const struct pwm_state *state)
+{
+ int err;
+
+ if (state->polarity != PWM_POLARITY_NORMAL)
+ return -EINVAL;
+
+ if (!state->enabled) {
+ if (pwm->state.enabled)
+ pwm_mediatek_disable(chip, pwm);
+
+ return 0;
+ }
+
+ err = pwm_mediatek_config(pwm->chip, pwm, state->duty_cycle, state->period);
+ if (err)
+ return err;
+
+ if (!pwm->state.enabled)
+ err = pwm_mediatek_enable(chip, pwm);
+
+ return err;
+}
+
static const struct pwm_ops pwm_mediatek_ops = {
- .config = pwm_mediatek_config,
- .enable = pwm_mediatek_enable,
- .disable = pwm_mediatek_disable,
+ .apply = pwm_mediatek_apply,
.owner = THIS_MODULE,
};
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 609/644] pwm: mediatek: Handle hardware enable and clock enable separately
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (607 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 608/644] pwm: mediatek: Implement .apply() callback Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 610/644] pwm: mediatek: Fix duty and period setting Greg Kroah-Hartman
` (40 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
AngeloGioacchino Del Regno, Uwe Kleine-König, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit 704d918341c378c5f9505dfdf32d315e256d3846 ]
Stop handling the clocks in pwm_mediatek_enable() and
pwm_mediatek_disable(). This is a preparing change for the next commit
that requires that clocks and the enable bit are handled separately.
Also move these two functions a bit further up in the source file to
make them usable in pwm_mediatek_config(), which is needed in the next
commit, too.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/55c94fe2917ece152ee1e998f4675642a7716f13.1753717973.git.u.kleine-koenig@baylibre.com
Cc: stable@vger.kernel.org
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-mediatek.c | 60 +++++++++++++++++++++------------------------
1 file changed, 28 insertions(+), 32 deletions(-)
--- a/drivers/pwm/pwm-mediatek.c
+++ b/drivers/pwm/pwm-mediatek.c
@@ -114,6 +114,26 @@ static inline void pwm_mediatek_writel(s
writel(value, chip->regs + pwm_mediatek_reg_offset[num] + offset);
}
+static void pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)
+{
+ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
+ u32 value;
+
+ value = readl(pc->regs);
+ value |= BIT(pwm->hwpwm);
+ writel(value, pc->regs);
+}
+
+static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm)
+{
+ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
+ u32 value;
+
+ value = readl(pc->regs);
+ value &= ~BIT(pwm->hwpwm);
+ writel(value, pc->regs);
+}
+
static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm,
int duty_ns, int period_ns)
{
@@ -176,35 +196,6 @@ out:
return ret;
}
-static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)
-{
- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
- u32 value;
- int ret;
-
- ret = pwm_mediatek_clk_enable(chip, pwm);
- if (ret < 0)
- return ret;
-
- value = readl(pc->regs);
- value |= BIT(pwm->hwpwm);
- writel(value, pc->regs);
-
- return 0;
-}
-
-static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm)
-{
- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
- u32 value;
-
- value = readl(pc->regs);
- value &= ~BIT(pwm->hwpwm);
- writel(value, pc->regs);
-
- pwm_mediatek_clk_disable(chip, pwm);
-}
-
static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm,
const struct pwm_state *state)
{
@@ -214,8 +205,10 @@ static int pwm_mediatek_apply(struct pwm
return -EINVAL;
if (!state->enabled) {
- if (pwm->state.enabled)
+ if (pwm->state.enabled) {
pwm_mediatek_disable(chip, pwm);
+ pwm_mediatek_clk_disable(chip, pwm);
+ }
return 0;
}
@@ -224,8 +217,11 @@ static int pwm_mediatek_apply(struct pwm
if (err)
return err;
- if (!pwm->state.enabled)
- err = pwm_mediatek_enable(chip, pwm);
+ if (!pwm->state.enabled) {
+ err = pwm_mediatek_clk_enable(chip, pwm);
+ if (!err)
+ pwm_mediatek_enable(chip, pwm);
+ }
return err;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 610/644] pwm: mediatek: Fix duty and period setting
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (608 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 609/644] pwm: mediatek: Handle hardware enable and clock enable separately Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 611/644] selftests: mptcp: pm: check flush doesnt reset limits Greg Kroah-Hartman
` (39 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
AngeloGioacchino Del Regno, Uwe Kleine-König, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit f21d136caf8171f94159d975ea4620c164431bd9 ]
The period generated by the hardware is
(PWMDWIDTH + 1) << CLKDIV) / freq
according to my tests with a signal analyser and also the documentation.
The current algorithm doesn't consider the `+ 1` part and so configures
slightly too high periods. The same issue exists for the duty cycle
setting. So subtract 1 from both the register values for period and
duty cycle. If period is 0, bail out, if duty_cycle is 0, just disable
the PWM which results in a constant low output.
Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/6d1fa87a76f8020bfe3171529b8e19baffceab10.1753717973.git.u.kleine-koenig@baylibre.com
Cc: stable@vger.kernel.org
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pwm/pwm-mediatek.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
--- a/drivers/pwm/pwm-mediatek.c
+++ b/drivers/pwm/pwm-mediatek.c
@@ -163,7 +163,10 @@ static int pwm_mediatek_config(struct pw
do_div(resolution, clk_rate);
cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution);
- while (cnt_period > 8191) {
+ if (!cnt_period)
+ return -EINVAL;
+
+ while (cnt_period > 8192) {
resolution *= 2;
clkdiv++;
cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000,
@@ -186,9 +189,16 @@ static int pwm_mediatek_config(struct pw
}
cnt_duty = DIV_ROUND_CLOSEST_ULL((u64)duty_ns * 1000, resolution);
+
pwm_mediatek_writel(pc, pwm->hwpwm, PWMCON, BIT(15) | clkdiv);
- pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period);
- pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty);
+ pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period - 1);
+
+ if (cnt_duty) {
+ pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty - 1);
+ pwm_mediatek_enable(chip, pwm);
+ } else {
+ pwm_mediatek_disable(chip, pwm);
+ }
out:
pwm_mediatek_clk_disable(chip, pwm);
@@ -217,11 +227,8 @@ static int pwm_mediatek_apply(struct pwm
if (err)
return err;
- if (!pwm->state.enabled) {
+ if (!pwm->state.enabled)
err = pwm_mediatek_clk_enable(chip, pwm);
- if (!err)
- pwm_mediatek_enable(chip, pwm);
- }
return err;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 611/644] selftests: mptcp: pm: check flush doesnt reset limits
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (609 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 610/644] pwm: mediatek: Fix duty and period setting Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 612/644] compiler: remove __ADDRESSABLE_ASM{_STR,}() again Greg Kroah-Hartman
` (38 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 452690be7de2f91cc0de68cb9e95252875b33503 upstream.
This modification is linked to the parent commit where the received
ADD_ADDR limit was accidentally reset when the endpoints were flushed.
To validate that, the test is now flushing endpoints after having set
new limits, and before checking them.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-3-521fe9957892@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Conflicts in pm_netlink.sh, because some refactoring have been done
later on: commit 3188309c8ceb ("selftests: mptcp: netlink:
add 'limits' helpers") and commit c99d57d0007a ("selftests: mptcp: use
pm_nl endpoint ops") are not in this version. The same operation can
still be done at the same place, without using the new helper. ]
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/pm_netlink.sh | 1 +
1 file changed, 1 insertion(+)
--- a/tools/testing/selftests/net/mptcp/pm_netlink.sh
+++ b/tools/testing/selftests/net/mptcp/pm_netlink.sh
@@ -131,6 +131,7 @@ ip netns exec $ns1 ./pm_nl_ctl limits 1
check "ip netns exec $ns1 ./pm_nl_ctl limits" "$default_limits" "subflows above hard limit"
ip netns exec $ns1 ./pm_nl_ctl limits 8 8
+ip netns exec $ns1 ./pm_nl_ctl flush
check "ip netns exec $ns1 ./pm_nl_ctl limits" "accept 8
subflows 8" "set limits"
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 612/644] compiler: remove __ADDRESSABLE_ASM{_STR,}() again
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (610 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 611/644] selftests: mptcp: pm: check flush doesnt reset limits Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 613/644] usb: xhci: Fix slot_id resource race conflict Greg Kroah-Hartman
` (37 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Beulich, Josh Poimboeuf,
Juergen Gross, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Beulich <jbeulich@suse.com>
[ Upstream commit 8ea815399c3fcce1889bd951fec25b5b9a3979c1 ]
__ADDRESSABLE_ASM_STR() is where the necessary stringification happens.
As long as "sym" doesn't contain any odd characters, no quoting is
required for its use with .quad / .long. In fact the quotation gets in
the way with gas 2.25; it's only from 2.26 onwards that quoted symbols
are half-way properly supported.
However, assembly being different from C anyway, drop
__ADDRESSABLE_ASM_STR() and its helper macro altogether. A simple
.global directive will suffice to get the symbol "declared", i.e. into
the symbol table. While there also stop open-coding STATIC_CALL_TRAMP()
and STATIC_CALL_KEY().
Fixes: 0ef8047b737d ("x86/static-call: provide a way to do very early static-call updates")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <609d2c74-de13-4fae-ab1a-1ec44afb948d@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/xen/hypercall.h | 6 ++++--
include/linux/compiler.h | 8 --------
2 files changed, 4 insertions(+), 10 deletions(-)
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -37,6 +37,7 @@
#include <linux/spinlock.h>
#include <linux/errno.h>
#include <linux/string.h>
+#include <linux/stringify.h>
#include <linux/types.h>
#include <linux/pgtable.h>
#include <linux/instrumentation.h>
@@ -94,12 +95,13 @@ DECLARE_STATIC_CALL(xen_hypercall, xen_h
#ifdef MODULE
#define __ADDRESSABLE_xen_hypercall
#else
-#define __ADDRESSABLE_xen_hypercall __ADDRESSABLE_ASM_STR(__SCK__xen_hypercall)
+#define __ADDRESSABLE_xen_hypercall \
+ __stringify(.global STATIC_CALL_KEY(xen_hypercall);)
#endif
#define __HYPERCALL \
__ADDRESSABLE_xen_hypercall \
- "call __SCT__xen_hypercall"
+ __stringify(call STATIC_CALL_TRAMP(xen_hypercall))
#define __HYPERCALL_ENTRY(x) "a" (x)
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -249,14 +249,6 @@ static inline void *offset_to_ptr(const
static void * __section(".discard.addressable") __used \
__UNIQUE_ID(__PASTE(__addressable_,sym)) = (void *)&sym;
-#define __ADDRESSABLE_ASM(sym) \
- .pushsection .discard.addressable,"aw"; \
- .align ARCH_SEL(8,4); \
- ARCH_SEL(.quad, .long) __stringify(sym); \
- .popsection;
-
-#define __ADDRESSABLE_ASM_STR(sym) __stringify(__ADDRESSABLE_ASM(sym))
-
/* &a[0] degrades to a pointer: a different type from an array */
#define __must_be_array(a) BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 613/644] usb: xhci: Fix slot_id resource race conflict
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (611 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 612/644] compiler: remove __ADDRESSABLE_ASM{_STR,}() again Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 614/644] iio: imu: inv_icm42600: change invalid data error to -EBUSY Greg Kroah-Hartman
` (36 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Weitao Wang, Mathias Nyman,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
[ Upstream commit 2eb03376151bb8585caa23ed2673583107bb5193 ]
xHC controller may immediately reuse a slot_id after it's disabled,
giving it to a new enumerating device before the xhci driver freed
all resources related to the disabled device.
In such a scenario, device-A with slot_id equal to 1 is disconnecting
while device-B is enumerating, device-B will fail to enumerate in the
follow sequence.
1.[device-A] send disable slot command
2.[device-B] send enable slot command
3.[device-A] disable slot command completed and wakeup waiting thread
4.[device-B] enable slot command completed with slot_id equal to 1 and
wakeup waiting thread
5.[device-B] driver checks that slot_id is still in use (by device-A) in
xhci_alloc_virt_device, and fail to enumerate due to this
conflict
6.[device-A] xhci->devs[slot_id] set to NULL in xhci_free_virt_device
To fix driver's slot_id resources conflict, clear xhci->devs[slot_id] and
xhci->dcbba->dev_context_ptrs[slot_id] pointers in the interrupt context
when disable slot command completes successfully. Simultaneously, adjust
function xhci_free_virt_device to accurately handle device release.
[minor smatch warning and commit message fix -Mathias]
Cc: stable@vger.kernel.org
Fixes: 7faac1953ed1 ("xhci: avoid race between disable slot command and host runtime suspend")
Signed-off-by: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250819125844.2042452-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-hub.c | 3 +--
drivers/usb/host/xhci-mem.c | 22 +++++++++++-----------
drivers/usb/host/xhci-ring.c | 9 +++++++--
drivers/usb/host/xhci.c | 18 +++++++++++++-----
drivers/usb/host/xhci.h | 3 ++-
5 files changed, 34 insertions(+), 21 deletions(-)
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -716,8 +716,7 @@ static int xhci_enter_test_mode(struct x
if (!xhci->devs[i])
continue;
- retval = xhci_disable_slot(xhci, i);
- xhci_free_virt_device(xhci, i);
+ retval = xhci_disable_and_free_slot(xhci, i);
if (retval)
xhci_err(xhci, "Failed to disable slot %d, %d. Enter test mode anyway\n",
i, retval);
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -871,21 +871,20 @@ free_tts:
* will be manipulated by the configure endpoint, allocate device, or update
* hub functions while this function is removing the TT entries from the list.
*/
-void xhci_free_virt_device(struct xhci_hcd *xhci, int slot_id)
+void xhci_free_virt_device(struct xhci_hcd *xhci, struct xhci_virt_device *dev,
+ int slot_id)
{
- struct xhci_virt_device *dev;
int i;
int old_active_eps = 0;
/* Slot ID 0 is reserved */
- if (slot_id == 0 || !xhci->devs[slot_id])
+ if (slot_id == 0 || !dev)
return;
- dev = xhci->devs[slot_id];
-
- xhci->dcbaa->dev_context_ptrs[slot_id] = 0;
- if (!dev)
- return;
+ /* If device ctx array still points to _this_ device, clear it */
+ if (dev->out_ctx &&
+ xhci->dcbaa->dev_context_ptrs[slot_id] == cpu_to_le64(dev->out_ctx->dma))
+ xhci->dcbaa->dev_context_ptrs[slot_id] = 0;
trace_xhci_free_virt_device(dev);
@@ -924,8 +923,9 @@ void xhci_free_virt_device(struct xhci_h
if (dev->udev && dev->udev->slot_id)
dev->udev->slot_id = 0;
- kfree(xhci->devs[slot_id]);
- xhci->devs[slot_id] = NULL;
+ if (xhci->devs[slot_id] == dev)
+ xhci->devs[slot_id] = NULL;
+ kfree(dev);
}
/*
@@ -967,7 +967,7 @@ static void xhci_free_virt_devices_depth
out:
/* we are now at a leaf device */
xhci_debugfs_remove_slot(xhci, slot_id);
- xhci_free_virt_device(xhci, slot_id);
+ xhci_free_virt_device(xhci, vdev, slot_id);
}
int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1612,7 +1612,8 @@ static void xhci_handle_cmd_enable_slot(
command->slot_id = 0;
}
-static void xhci_handle_cmd_disable_slot(struct xhci_hcd *xhci, int slot_id)
+static void xhci_handle_cmd_disable_slot(struct xhci_hcd *xhci, int slot_id,
+ u32 cmd_comp_code)
{
struct xhci_virt_device *virt_dev;
struct xhci_slot_ctx *slot_ctx;
@@ -1627,6 +1628,10 @@ static void xhci_handle_cmd_disable_slot
if (xhci->quirks & XHCI_EP_LIMIT_QUIRK)
/* Delete default control endpoint resources */
xhci_free_device_endpoint_resources(xhci, virt_dev, true);
+ if (cmd_comp_code == COMP_SUCCESS) {
+ xhci->dcbaa->dev_context_ptrs[slot_id] = 0;
+ xhci->devs[slot_id] = NULL;
+ }
}
static void xhci_handle_cmd_config_ep(struct xhci_hcd *xhci, int slot_id,
@@ -1876,7 +1881,7 @@ static void handle_cmd_completion(struct
xhci_handle_cmd_enable_slot(xhci, slot_id, cmd, cmd_comp_code);
break;
case TRB_DISABLE_SLOT:
- xhci_handle_cmd_disable_slot(xhci, slot_id);
+ xhci_handle_cmd_disable_slot(xhci, slot_id, cmd_comp_code);
break;
case TRB_CONFIG_EP:
if (!cmd->completion)
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4032,7 +4032,7 @@ static void xhci_free_dev(struct usb_hcd
xhci_disable_slot(xhci, udev->slot_id);
spin_lock_irqsave(&xhci->lock, flags);
- xhci_free_virt_device(xhci, udev->slot_id);
+ xhci_free_virt_device(xhci, virt_dev, udev->slot_id);
spin_unlock_irqrestore(&xhci->lock, flags);
}
@@ -4081,6 +4081,16 @@ int xhci_disable_slot(struct xhci_hcd *x
return ret;
}
+int xhci_disable_and_free_slot(struct xhci_hcd *xhci, u32 slot_id)
+{
+ struct xhci_virt_device *vdev = xhci->devs[slot_id];
+ int ret;
+
+ ret = xhci_disable_slot(xhci, slot_id);
+ xhci_free_virt_device(xhci, vdev, slot_id);
+ return ret;
+}
+
/*
* Checks if we have enough host controller resources for the default control
* endpoint.
@@ -4186,8 +4196,7 @@ int xhci_alloc_dev(struct usb_hcd *hcd,
return 1;
disable_slot:
- xhci_disable_slot(xhci, udev->slot_id);
- xhci_free_virt_device(xhci, udev->slot_id);
+ xhci_disable_and_free_slot(xhci, udev->slot_id);
return 0;
}
@@ -4323,8 +4332,7 @@ static int xhci_setup_device(struct usb_
dev_warn(&udev->dev, "Device not responding to setup %s.\n", act);
mutex_unlock(&xhci->mutex);
- ret = xhci_disable_slot(xhci, udev->slot_id);
- xhci_free_virt_device(xhci, udev->slot_id);
+ ret = xhci_disable_and_free_slot(xhci, udev->slot_id);
if (!ret) {
if (xhci_alloc_dev(hcd, udev) == 1)
xhci_setup_addressable_virt_dev(xhci, udev);
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1782,7 +1782,7 @@ void xhci_dbg_trace(struct xhci_hcd *xhc
/* xHCI memory management */
void xhci_mem_cleanup(struct xhci_hcd *xhci);
int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags);
-void xhci_free_virt_device(struct xhci_hcd *xhci, int slot_id);
+void xhci_free_virt_device(struct xhci_hcd *xhci, struct xhci_virt_device *dev, int slot_id);
int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id, struct usb_device *udev, gfp_t flags);
int xhci_setup_addressable_virt_dev(struct xhci_hcd *xhci, struct usb_device *udev);
void xhci_copy_ep0_dequeue_into_input_ctx(struct xhci_hcd *xhci,
@@ -1874,6 +1874,7 @@ void xhci_reset_bandwidth(struct usb_hcd
int xhci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev,
struct usb_tt *tt, gfp_t mem_flags);
int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id);
+int xhci_disable_and_free_slot(struct xhci_hcd *xhci, u32 slot_id);
int xhci_ext_cap_init(struct xhci_hcd *xhci);
int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 614/644] iio: imu: inv_icm42600: change invalid data error to -EBUSY
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (612 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 613/644] usb: xhci: Fix slot_id resource race conflict Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 615/644] tracing: Remove unneeded goto out logic Greg Kroah-Hartman
` (35 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jean-Baptiste Maneyrol,
Andy Shevchenko, Sean Nyekjaer, Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
[ Upstream commit dfdc31e7ccf3ac1d5ec01d5120c71e14745e3dd8 ]
Temperature sensor returns the temperature of the mechanical parts
of the chip. If both accel and gyro are off, the temperature sensor is
also automatically turned off and returns invalid data.
In this case, returning -EBUSY error code is better then -EINVAL and
indicates userspace that it needs to retry reading temperature in
another context.
Fixes: bc3eb0207fb5 ("iio: imu: inv_icm42600: add temperature sensor support")
Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
Cc: stable@vger.kernel.org
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Reviewed-by: Sean Nyekjaer <sean@geanix.com>
Link: https://patch.msgid.link/20250808-inv-icm42600-change-temperature-error-code-v1-1-986fbf63b77d@tdk.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c
+++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c
@@ -32,8 +32,12 @@ static int inv_icm42600_temp_read(struct
goto exit;
*temp = (int16_t)be16_to_cpup(raw);
+ /*
+ * Temperature data is invalid if both accel and gyro are off.
+ * Return -EBUSY in this case.
+ */
if (*temp == INV_ICM42600_DATA_INVALID)
- ret = -EINVAL;
+ ret = -EBUSY;
exit:
mutex_unlock(&st->lock);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 615/644] tracing: Remove unneeded goto out logic
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (613 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 614/644] iio: imu: inv_icm42600: change invalid data error to -EBUSY Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 616/644] tracing: Limit access to parser->buffer when trace_get_user failed Greg Kroah-Hartman
` (34 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mark Rutland,
Mathieu Desnoyers, Andrew Morton, Steven Rostedt (Google),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
[ Upstream commit c89504a703fb779052213add0e8ed642f4a4f1c8 ]
Several places in the trace.c file there's a goto out where the out is
simply a return. There's no reason to jump to the out label if it's not
doing any more logic but simply returning from the function.
Replace the goto outs with a return and remove the out labels.
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Link: https://lore.kernel.org/20250801203857.538726745@kernel.org
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 37 ++++++++++++++-----------------------
1 file changed, 14 insertions(+), 23 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1605,7 +1605,7 @@ int trace_get_user(struct trace_parser *
ret = get_user(ch, ubuf++);
if (ret)
- goto out;
+ return ret;
read++;
cnt--;
@@ -1619,7 +1619,7 @@ int trace_get_user(struct trace_parser *
while (cnt && isspace(ch)) {
ret = get_user(ch, ubuf++);
if (ret)
- goto out;
+ return ret;
read++;
cnt--;
}
@@ -1629,8 +1629,7 @@ int trace_get_user(struct trace_parser *
/* only spaces were written */
if (isspace(ch) || !ch) {
*ppos += read;
- ret = read;
- goto out;
+ return read;
}
}
@@ -1638,13 +1637,12 @@ int trace_get_user(struct trace_parser *
while (cnt && !isspace(ch) && ch) {
if (parser->idx < parser->size - 1)
parser->buffer[parser->idx++] = ch;
- else {
- ret = -EINVAL;
- goto out;
- }
+ else
+ return -EINVAL;
+
ret = get_user(ch, ubuf++);
if (ret)
- goto out;
+ return ret;
read++;
cnt--;
}
@@ -1659,15 +1657,11 @@ int trace_get_user(struct trace_parser *
/* Make sure the parsed string always terminates with '\0'. */
parser->buffer[parser->idx] = 0;
} else {
- ret = -EINVAL;
- goto out;
+ return -EINVAL;
}
*ppos += read;
- ret = read;
-
-out:
- return ret;
+ return read;
}
/* TODO add a seq_buf_to_buffer() */
@@ -2136,10 +2130,10 @@ int __init register_tracer(struct tracer
mutex_unlock(&trace_types_lock);
if (ret || !default_bootup_tracer)
- goto out_unlock;
+ return ret;
if (strncmp(default_bootup_tracer, type->name, MAX_TRACER_SIZE))
- goto out_unlock;
+ return 0;
printk(KERN_INFO "Starting tracer '%s'\n", type->name);
/* Do we want this tracer to start on bootup? */
@@ -2151,8 +2145,7 @@ int __init register_tracer(struct tracer
/* disable other selftests, since this will break it. */
disable_tracing_selftest("running a tracer");
- out_unlock:
- return ret;
+ return 0;
}
static void tracing_reset_cpu(struct array_buffer *buf, int cpu)
@@ -8711,11 +8704,10 @@ ftrace_trace_snapshot_callback(struct tr
out_reg:
ret = tracing_alloc_snapshot_instance(tr);
if (ret < 0)
- goto out;
+ return ret;
ret = register_ftrace_function_probe(glob, tr, ops, count);
- out:
return ret < 0 ? ret : 0;
}
@@ -10231,7 +10223,7 @@ __init static int tracer_alloc_buffers(v
BUILD_BUG_ON(TRACE_ITER_LAST_BIT > TRACE_FLAGS_MAX_SIZE);
if (!alloc_cpumask_var(&tracing_buffer_mask, GFP_KERNEL))
- goto out;
+ return -ENOMEM;
if (!alloc_cpumask_var(&global_trace.tracing_cpumask, GFP_KERNEL))
goto out_free_buffer_mask;
@@ -10344,7 +10336,6 @@ out_free_cpumask:
free_cpumask_var(global_trace.tracing_cpumask);
out_free_buffer_mask:
free_cpumask_var(tracing_buffer_mask);
-out:
return ret;
}
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 616/644] tracing: Limit access to parser->buffer when trace_get_user failed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (614 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 615/644] tracing: Remove unneeded goto out logic Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 617/644] iio: light: as73211: Ensure buffer holes are zeroed Greg Kroah-Hartman
` (33 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pu Lehui, Steven Rostedt (Google),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pu Lehui <pulehui@huawei.com>
[ Upstream commit 6a909ea83f226803ea0e718f6e88613df9234d58 ]
When the length of the string written to set_ftrace_filter exceeds
FTRACE_BUFF_MAX, the following KASAN alarm will be triggered:
BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0
Read of size 1 at addr ffff0000d00bd5ba by task ash/165
CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirty
Hardware name: linux,dummy-virt (DT)
Call trace:
show_stack+0x34/0x50 (C)
dump_stack_lvl+0xa0/0x158
print_address_description.constprop.0+0x88/0x398
print_report+0xb0/0x280
kasan_report+0xa4/0xf0
__asan_report_load1_noabort+0x20/0x30
strsep+0x18c/0x1b0
ftrace_process_regex.isra.0+0x100/0x2d8
ftrace_regex_release+0x484/0x618
__fput+0x364/0xa58
____fput+0x28/0x40
task_work_run+0x154/0x278
do_notify_resume+0x1f0/0x220
el0_svc+0xec/0xf0
el0t_64_sync_handler+0xa0/0xe8
el0t_64_sync+0x1ac/0x1b0
The reason is that trace_get_user will fail when processing a string
longer than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0.
Then an OOB access will be triggered in ftrace_regex_release->
ftrace_process_regex->strsep->strpbrk. We can solve this problem by
limiting access to parser->buffer when trace_get_user failed.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/20250813040232.1344527-1-pulehui@huaweicloud.com
Fixes: 8c9af478c06b ("ftrace: Handle commands when closing set_ftrace_filter file")
Signed-off-by: Pu Lehui <pulehui@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 18 ++++++++++++------
kernel/trace/trace.h | 8 +++++++-
2 files changed, 19 insertions(+), 7 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1605,7 +1605,7 @@ int trace_get_user(struct trace_parser *
ret = get_user(ch, ubuf++);
if (ret)
- return ret;
+ goto fail;
read++;
cnt--;
@@ -1619,7 +1619,7 @@ int trace_get_user(struct trace_parser *
while (cnt && isspace(ch)) {
ret = get_user(ch, ubuf++);
if (ret)
- return ret;
+ goto fail;
read++;
cnt--;
}
@@ -1637,12 +1637,14 @@ int trace_get_user(struct trace_parser *
while (cnt && !isspace(ch) && ch) {
if (parser->idx < parser->size - 1)
parser->buffer[parser->idx++] = ch;
- else
- return -EINVAL;
+ else {
+ ret = -EINVAL;
+ goto fail;
+ }
ret = get_user(ch, ubuf++);
if (ret)
- return ret;
+ goto fail;
read++;
cnt--;
}
@@ -1657,11 +1659,15 @@ int trace_get_user(struct trace_parser *
/* Make sure the parsed string always terminates with '\0'. */
parser->buffer[parser->idx] = 0;
} else {
- return -EINVAL;
+ ret = -EINVAL;
+ goto fail;
}
*ppos += read;
return read;
+fail:
+ trace_parser_fail(parser);
+ return ret;
}
/* TODO add a seq_buf_to_buffer() */
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -1132,6 +1132,7 @@ bool ftrace_event_is_function(struct tra
*/
struct trace_parser {
bool cont;
+ bool fail;
char *buffer;
unsigned idx;
unsigned size;
@@ -1139,7 +1140,7 @@ struct trace_parser {
static inline bool trace_parser_loaded(struct trace_parser *parser)
{
- return (parser->idx != 0);
+ return !parser->fail && parser->idx != 0;
}
static inline bool trace_parser_cont(struct trace_parser *parser)
@@ -1153,6 +1154,11 @@ static inline void trace_parser_clear(st
parser->idx = 0;
}
+static inline void trace_parser_fail(struct trace_parser *parser)
+{
+ parser->fail = true;
+}
+
extern int trace_parser_get_init(struct trace_parser *parser, int size);
extern void trace_parser_put(struct trace_parser *parser);
extern int trace_get_user(struct trace_parser *parser, const char __user *ubuf,
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 617/644] iio: light: as73211: Ensure buffer holes are zeroed
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (615 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 616/644] tracing: Limit access to parser->buffer when trace_get_user failed Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 618/644] mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn Greg Kroah-Hartman
` (32 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matti Vaittinen, Andy Shevchenko,
Stable, Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Upstream commit 433b99e922943efdfd62b9a8e3ad1604838181f2 ]
Given that the buffer is copied to a kfifo that ultimately user space
can read, ensure we zero it.
Fixes: 403e5586b52e ("iio: light: as73211: New driver")
Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Link: https://patch.msgid.link/20250802164436.515988-2-jic23@kernel.org
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/as73211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/light/as73211.c
+++ b/drivers/iio/light/as73211.c
@@ -573,7 +573,7 @@ static irqreturn_t as73211_trigger_handl
struct {
__le16 chan[4];
s64 ts __aligned(8);
- } scan;
+ } scan = { };
int data_result, ret;
mutex_lock(&data->mutex);
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 618/644] mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (616 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 617/644] iio: light: as73211: Ensure buffer holes are zeroed Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 619/644] x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Greg Kroah-Hartman
` (31 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinjiang Tu, David Hildenbrand,
Miaohe Lin, Jane Chu, Kefeng Wang, Naoya Horiguchi,
Oscar Salvador, Shuai Xue, Zi Yan, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjiang Tu <tujinjiang@huawei.com>
[ Upstream commit 2e6053fea379806269c4f7f5e36b523c9c0fb35c ]
When memory_failure() is called for a already hwpoisoned pfn,
kill_accessing_process() will be called to kill current task. However, if
the vma of the accessing vaddr is VM_PFNMAP, walk_page_range() will skip
the vma in walk_page_test() and return 0.
Before commit aaf99ac2ceb7 ("mm/hwpoison: do not send SIGBUS to processes
with recovered clean pages"), kill_accessing_process() will return EFAULT.
For x86, the current task will be killed in kill_me_maybe().
However, after this commit, kill_accessing_process() simplies return 0,
that means UCE is handled properly, but it doesn't actually. In such
case, the user task will trigger UCE infinitely.
To fix it, add .test_walk callback for hwpoison_walk_ops to scan all vmas.
Link: https://lkml.kernel.org/r/20250815073209.1984582-1-tujinjiang@huawei.com
Fixes: aaf99ac2ceb7 ("mm/hwpoison: do not send SIGBUS to processes with recovered clean pages")
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: Jane Chu <jane.chu@oracle.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Shuai Xue <xueshuai@linux.alibaba.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory-failure.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -674,9 +674,17 @@ static int hwpoison_hugetlb_range(pte_t
#define hwpoison_hugetlb_range NULL
#endif
+static int hwpoison_test_walk(unsigned long start, unsigned long end,
+ struct mm_walk *walk)
+{
+ /* We also want to consider pages mapped into VM_PFNMAP. */
+ return 0;
+}
+
static struct mm_walk_ops hwp_walk_ops = {
.pmd_entry = hwpoison_pte_range,
.hugetlb_entry = hwpoison_hugetlb_range,
+ .test_walk = hwpoison_test_walk,
};
/*
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 619/644] x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (617 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 618/644] mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 620/644] mm/page_alloc: detect allocation forbidden by cpuset and bail out early Greg Kroah-Hartman
` (30 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tianxiang Peng,
Borislav Petkov (AMD), Hui Li, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianxiang Peng <txpeng@tencent.com>
commit d8df126349dad855cdfedd6bbf315bad2e901c2f upstream.
Since
923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot")
resctrl_cpu_detect() has been moved from common CPU initialization code to
the vendor-specific BSP init helper, while Hygon didn't put that call in their
code.
This triggers a division by zero fault during early booting stage on our
machines with X86_FEATURE_CQM* supported, where get_rdt_mon_resources() tries
to calculate mon_l3_config with uninitialized boot_cpu_data.x86_cache_occ_scale.
Add the missing resctrl_cpu_detect() in the Hygon BSP init helper.
[ bp: Massage commit message. ]
Fixes: 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot")
Signed-off-by: Tianxiang Peng <txpeng@tencent.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Hui Li <caelli@tencent.com>
Cc: <stable@kernel.org>
Link: https://lore.kernel.org/20250623093153.3016937-1-txpeng@tencent.com
Signed-off-by: Tianxiang Peng <txpeng@tencent.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/hygon.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/x86/kernel/cpu/hygon.c
+++ b/arch/x86/kernel/cpu/hygon.c
@@ -14,6 +14,7 @@
#include <asm/cacheinfo.h>
#include <asm/spec-ctrl.h>
#include <asm/delay.h>
+#include <asm/resctrl.h>
#include "cpu.h"
@@ -239,6 +240,8 @@ static void bsp_init_hygon(struct cpuinf
x86_amd_ls_cfg_ssbd_mask = 1ULL << 10;
}
}
+
+ resctrl_cpu_detect(c);
}
static void early_init_hygon(struct cpuinfo_x86 *c)
^ permalink raw reply [flat|nested] 651+ messages in thread
* [PATCH 5.15 620/644] mm/page_alloc: detect allocation forbidden by cpuset and bail out early
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (618 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 619/644] x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 621/644] cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key Greg Kroah-Hartman
` (29 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Feng Tang, Michal Hocko,
David Rientjes, Tejun Heo, Zefan Li, Johannes Weiner, Mel Gorman,
Vlastimil Babka, Andrew Morton, Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Feng Tang <feng.tang@intel.com>
[ Upstream commit 8ca1b5a49885f0c0c486544da46a9e0ac790831d ]
There was a report that starting an Ubuntu in docker while using cpuset
to bind it to movable nodes (a node only has movable zone, like a node
for hotplug or a Persistent Memory node in normal usage) will fail due
to memory allocation failure, and then OOM is involved and many other
innocent processes got killed.
It can be reproduced with command:
$ docker run -it --rm --cpuset-mems 4 ubuntu:latest bash -c "grep Mems_allowed /proc/self/status"
(where node 4 is a movable node)
runc:[2:INIT] invoked oom-killer: gfp_mask=0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), order=0, oom_score_adj=0
CPU: 8 PID: 8291 Comm: runc:[2:INIT] Tainted: G W I E 5.8.2-0.g71b519a-default #1 openSUSE Tumbleweed (unreleased)
Hardware name: Dell Inc. PowerEdge R640/0PHYDR, BIOS 2.6.4 04/09/2020
Call Trace:
dump_stack+0x6b/0x88
dump_header+0x4a/0x1e2
oom_kill_process.cold+0xb/0x10
out_of_memory.part.0+0xaf/0x230
out_of_memory+0x3d/0x80
__alloc_pages_slowpath.constprop.0+0x954/0xa20
__alloc_pages_nodemask+0x2d3/0x300
pipe_write+0x322/0x590
new_sync_write+0x196/0x1b0
vfs_write+0x1c3/0x1f0
ksys_write+0xa7/0xe0
do_syscall_64+0x52/0xd0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Mem-Info:
active_anon:392832 inactive_anon:182 isolated_anon:0
active_file:68130 inactive_file:151527 isolated_file:0
unevictable:2701 dirty:0 writeback:7
slab_reclaimable:51418 slab_unreclaimable:116300
mapped:45825 shmem:735 pagetables:2540 bounce:0
free:159849484 free_pcp:73 free_cma:0
Node 4 active_anon:1448kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:0kB dirty:0kB writeback:0kB shmem:0kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 0kB writeback_tmp:0kB all_unreclaimable? no
Node 4 Movable free:130021408kB min:9140kB low:139160kB high:269180kB reserved_highatomic:0KB active_anon:1448kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:130023424kB managed:130023424kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:292kB local_pcp:84kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0 0
Node 4 Movable: 1*4kB (M) 0*8kB 0*16kB 1*32kB (M) 0*64kB 0*128kB 1*256kB (M) 1*512kB (M) 1*1024kB (M) 0*2048kB 31743*4096kB (M) = 130021156kB
oom-kill:constraint=CONSTRAINT_CPUSET,nodemask=(null),cpuset=docker-9976a269caec812c134fa317f27487ee36e1129beba7278a463dd53e5fb9997b.scope,mems_allowed=4,global_oom,task_memcg=/system.slice/containerd.service,task=containerd,pid=4100,uid=0
Out of memory: Killed process 4100 (containerd) total-vm:4077036kB, anon-rss:51184kB, file-rss:26016kB, shmem-rss:0kB, UID:0 pgtables:676kB oom_score_adj:0
oom_reaper: reaped process 8248 (docker), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
oom_reaper: reaped process 2054 (node_exporter), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
oom_reaper: reaped process 1452 (systemd-journal), now anon-rss:0kB, file-rss:8564kB, shmem-rss:4kB
oom_reaper: reaped process 2146 (munin-node), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
oom_reaper: reaped process 8291 (runc:[2:INIT]), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
The reason is that in this case, the target cpuset nodes only have
movable zone, while the creation of an OS in docker sometimes needs to
allocate memory in non-movable zones (dma/dma32/normal) like
GFP_HIGHUSER, and the cpuset limit forbids the allocation, then
out-of-memory killing is involved even when normal nodes and movable
nodes both have many free memory.
The OOM killer cannot help to resolve the situation as there is no
usable memory for the request in the cpuset scope. The only reasonable
measure to take is to fail the allocation right away and have the caller
to deal with it.
So add a check for cases like this in the slowpath of allocation, and
bail out early returning NULL for the allocation.
As page allocation is one of the hottest path in kernel, this check will
hurt all users with sane cpuset configuration, add a static branch check
and detect the abnormal config in cpuset memory binding setup so that
the extra check cost in page allocation is not paid by everyone.
[thanks to Micho Hocko and David Rientjes for suggesting not handling
it inside OOM code, adding cpuset check, refining comments]
Link: https://lkml.kernel.org/r/1632481657-68112-1-git-send-email-feng.tang@intel.com
Signed-off-by: Feng Tang <feng.tang@intel.com>
Suggested-by: Michal Hocko <mhocko@suse.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Zefan Li <lizefan.x@bytedance.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Stable-dep-of: 65f97cc81b0a ("cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/cpuset.h | 17 +++++++++++++++++
include/linux/mmzone.h | 22 ++++++++++++++++++++++
kernel/cgroup/cpuset.c | 23 +++++++++++++++++++++++
mm/page_alloc.c | 13 +++++++++++++
4 files changed, 75 insertions(+)
diff --git a/include/linux/cpuset.h b/include/linux/cpuset.h
index 82fb7e24d1cb..0348dba5680e 100644
--- a/include/linux/cpuset.h
+++ b/include/linux/cpuset.h
@@ -34,6 +34,8 @@
*/
extern struct static_key_false cpusets_pre_enable_key;
extern struct static_key_false cpusets_enabled_key;
+extern struct static_key_false cpusets_insane_config_key;
+
static inline bool cpusets_enabled(void)
{
return static_branch_unlikely(&cpusets_enabled_key);
@@ -51,6 +53,19 @@ static inline void cpuset_dec(void)
static_branch_dec_cpuslocked(&cpusets_pre_enable_key);
}
+/*
+ * This will get enabled whenever a cpuset configuration is considered
+ * unsupportable in general. E.g. movable only node which cannot satisfy
+ * any non movable allocations (see update_nodemask). Page allocator
+ * needs to make additional checks for those configurations and this
+ * check is meant to guard those checks without any overhead for sane
+ * configurations.
+ */
+static inline bool cpusets_insane_config(void)
+{
+ return static_branch_unlikely(&cpusets_insane_config_key);
+}
+
extern int cpuset_init(void);
extern void cpuset_init_smp(void);
extern void cpuset_force_rebuild(void);
@@ -169,6 +184,8 @@ static inline void set_mems_allowed(nodemask_t nodemask)
static inline bool cpusets_enabled(void) { return false; }
+static inline bool cpusets_insane_config(void) { return false; }
+
static inline int cpuset_init(void) { return 0; }
static inline void cpuset_init_smp(void) {}
diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
index 998f10249f13..34d02383023a 100644
--- a/include/linux/mmzone.h
+++ b/include/linux/mmzone.h
@@ -1229,6 +1229,28 @@ static inline struct zoneref *first_zones_zonelist(struct zonelist *zonelist,
#define for_each_zone_zonelist(zone, z, zlist, highidx) \
for_each_zone_zonelist_nodemask(zone, z, zlist, highidx, NULL)
+/* Whether the 'nodes' are all movable nodes */
+static inline bool movable_only_nodes(nodemask_t *nodes)
+{
+ struct zonelist *zonelist;
+ struct zoneref *z;
+ int nid;
+
+ if (nodes_empty(*nodes))
+ return false;
+
+ /*
+ * We can chose arbitrary node from the nodemask to get a
+ * zonelist as they are interlinked. We just need to find
+ * at least one zone that can satisfy kernel allocations.
+ */
+ nid = first_node(*nodes);
+ zonelist = &NODE_DATA(nid)->node_zonelists[ZONELIST_FALLBACK];
+ z = first_zones_zonelist(zonelist, ZONE_NORMAL, nodes);
+ return (!z->zone) ? true : false;
+}
+
+
#ifdef CONFIG_SPARSEMEM
#include <asm/sparsemem.h>
#endif
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index d6e70aa7e151..b40f86a3f605 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -71,6 +71,13 @@
DEFINE_STATIC_KEY_FALSE(cpusets_pre_enable_key);
DEFINE_STATIC_KEY_FALSE(cpusets_enabled_key);
+/*
+ * There could be abnormal cpuset configurations for cpu or memory
+ * node binding, add this key to provide a quick low-cost judgement
+ * of the situation.
+ */
+DEFINE_STATIC_KEY_FALSE(cpusets_insane_config_key);
+
/* See "Frequency meter" comments, below. */
struct fmeter {
@@ -397,6 +404,17 @@ static DECLARE_WORK(cpuset_hotplug_work, cpuset_hotplug_workfn);
static DECLARE_WAIT_QUEUE_HEAD(cpuset_attach_wq);
+static inline void check_insane_mems_config(nodemask_t *nodes)
+{
+ if (!cpusets_insane_config() &&
+ movable_only_nodes(nodes)) {
+ static_branch_enable(&cpusets_insane_config_key);
+ pr_info("Unsupported (movable nodes only) cpuset configuration detected (nmask=%*pbl)!\n"
+ "Cpuset allocations might fail even with a lot of memory available.\n",
+ nodemask_pr_args(nodes));
+ }
+}
+
/*
* Cgroup v2 behavior is used on the "cpus" and "mems" control files when
* on default hierarchy or when the cpuset_v2_mode flag is set by mounting
@@ -1915,6 +1933,8 @@ static int update_nodemask(struct cpuset *cs, struct cpuset *trialcs,
if (retval < 0)
goto done;
+ check_insane_mems_config(&trialcs->mems_allowed);
+
spin_lock_irq(&callback_lock);
cs->mems_allowed = trialcs->mems_allowed;
spin_unlock_irq(&callback_lock);
@@ -3262,6 +3282,9 @@ static void cpuset_hotplug_update_tasks(struct cpuset *cs, struct tmpmasks *tmp)
cpus_updated = !cpumask_equal(&new_cpus, cs->effective_cpus);
mems_updated = !nodes_equal(new_mems, cs->effective_mems);
+ if (mems_updated)
+ check_insane_mems_config(&new_mems);
+
if (is_in_v2_mode())
hotplug_update_tasks(cs, &new_cpus, &new_mems,
cpus_updated, mems_updated);
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 8a1d1c1ca445..4279ece7eade 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -4990,6 +4990,19 @@ __alloc_pages_slowpath(gfp_t gfp_mask, unsigned int order,
if (!ac->preferred_zoneref->zone)
goto nopage;
+ /*
+ * Check for insane configurations where the cpuset doesn't contain
+ * any suitable zone to satisfy the request - e.g. non-movable
+ * GFP_HIGHUSER allocations from MOVABLE nodes only.
+ */
+ if (cpusets_insane_config() && (gfp_mask & __GFP_HARDWALL)) {
+ struct zoneref *z = first_zones_zonelist(ac->zonelist,
+ ac->highest_zoneidx,
+ &cpuset_current_mems_allowed);
+ if (!z->zone)
+ goto nopage;
+ }
+
if (alloc_flags & ALLOC_KSWAPD)
wake_all_kswapds(order, gfp_mask, ac);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 621/644] cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (619 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 620/644] mm/page_alloc: detect allocation forbidden by cpuset and bail out early Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 622/644] RDMA/bnxt_re: Fix to initialize the PBL array Greg Kroah-Hartman
` (28 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Waiman Long, Juri Lelli, Tejun Heo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Waiman Long <longman@redhat.com>
[ Upstream commit 65f97cc81b0adc5f49cf6cff5d874be0058e3f41 ]
The following lockdep splat was observed.
[ 812.359086] ============================================
[ 812.359089] WARNING: possible recursive locking detected
[ 812.359097] --------------------------------------------
[ 812.359100] runtest.sh/30042 is trying to acquire lock:
[ 812.359105] ffffffffa7f27420 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_enable+0xe/0x20
[ 812.359131]
[ 812.359131] but task is already holding lock:
[ 812.359134] ffffffffa7f27420 (cpu_hotplug_lock){++++}-{0:0}, at: cpuset_write_resmask+0x98/0xa70
:
[ 812.359267] Call Trace:
[ 812.359272] <TASK>
[ 812.359367] cpus_read_lock+0x3c/0xe0
[ 812.359382] static_key_enable+0xe/0x20
[ 812.359389] check_insane_mems_config.part.0+0x11/0x30
[ 812.359398] cpuset_write_resmask+0x9f2/0xa70
[ 812.359411] cgroup_file_write+0x1c7/0x660
[ 812.359467] kernfs_fop_write_iter+0x358/0x530
[ 812.359479] vfs_write+0xabe/0x1250
[ 812.359529] ksys_write+0xf9/0x1d0
[ 812.359558] do_syscall_64+0x5f/0xe0
Since commit d74b27d63a8b ("cgroup/cpuset: Change cpuset_rwsem
and hotplug lock order"), the ordering of cpu hotplug lock
and cpuset_mutex had been reversed. That patch correctly
used the cpuslocked version of the static branch API to enable
cpusets_pre_enable_key and cpusets_enabled_key, but it didn't do the
same for cpusets_insane_config_key.
The cpusets_insane_config_key can be enabled in the
check_insane_mems_config() which is called from update_nodemask()
or cpuset_hotplug_update_tasks() with both cpu hotplug lock and
cpuset_mutex held. Deadlock can happen with a pending hotplug event that
tries to acquire the cpu hotplug write lock which will block further
cpus_read_lock() attempt from check_insane_mems_config(). Fix that by
switching to use static_branch_enable_cpuslocked().
Fixes: d74b27d63a8b ("cgroup/cpuset: Change cpuset_rwsem and hotplug lock order")
Signed-off-by: Waiman Long <longman@redhat.com>
Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cpuset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index b40f86a3f605..78c499021768 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -408,7 +408,7 @@ static inline void check_insane_mems_config(nodemask_t *nodes)
{
if (!cpusets_insane_config() &&
movable_only_nodes(nodes)) {
- static_branch_enable(&cpusets_insane_config_key);
+ static_branch_enable_cpuslocked(&cpusets_insane_config_key);
pr_info("Unsupported (movable nodes only) cpuset configuration detected (nmask=%*pbl)!\n"
"Cpuset allocations might fail even with a lot of memory available.\n",
nodemask_pr_args(nodes));
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 622/644] RDMA/bnxt_re: Fix to initialize the PBL array
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (620 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 621/644] cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 623/644] net: bridge: fix soft lockup in br_multicast_query_expired() Greg Kroah-Hartman
` (27 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anantha Prabhu, Saravanan Vajravel,
Selvin Xavier, Kalesh AP, Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anantha Prabhu <anantha.prabhu@broadcom.com>
[ Upstream commit 806b9f494f62791ee6d68f515a8056c615a0e7b2 ]
memset the PBL page pointer and page map arrays before
populating the SGL addresses of the HWQ.
Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
Signed-off-by: Anantha Prabhu <anantha.prabhu@broadcom.com>
Reviewed-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Link: https://patch.msgid.link/20250805101000.233310-5-kalesh-anakkur.purayil@broadcom.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
index 401cb3e22f31..7585d5a55db2 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -121,6 +121,7 @@ static int __alloc_pbl(struct bnxt_qplib_res *res,
pbl->pg_arr = vmalloc(pages * sizeof(void *));
if (!pbl->pg_arr)
return -ENOMEM;
+ memset(pbl->pg_arr, 0, pages * sizeof(void *));
pbl->pg_map_arr = vmalloc(pages * sizeof(dma_addr_t));
if (!pbl->pg_map_arr) {
@@ -128,6 +129,7 @@ static int __alloc_pbl(struct bnxt_qplib_res *res,
pbl->pg_arr = NULL;
return -ENOMEM;
}
+ memset(pbl->pg_map_arr, 0, pages * sizeof(dma_addr_t));
pbl->pg_count = 0;
pbl->pg_size = sginfo->pgsize;
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 623/644] net: bridge: fix soft lockup in br_multicast_query_expired()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (621 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 622/644] RDMA/bnxt_re: Fix to initialize the PBL array Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 624/644] scsi: qla4xxx: Prevent a potential error pointer dereference Greg Kroah-Hartman
` (26 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nikolay Aleksandrov, Wang Liang,
Ido Schimmel, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Liang <wangliang74@huawei.com>
[ Upstream commit d1547bf460baec718b3398365f8de33d25c5f36f ]
When set multicast_query_interval to a large value, the local variable
'time' in br_multicast_send_query() may overflow. If the time is smaller
than jiffies, the timer will expire immediately, and then call mod_timer()
again, which creates a loop and may trigger the following soft lockup
issue.
watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]
CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)
Call Trace:
<IRQ>
__netdev_alloc_skb+0x2e/0x3a0
br_ip6_multicast_alloc_query+0x212/0x1b70
__br_multicast_send_query+0x376/0xac0
br_multicast_send_query+0x299/0x510
br_multicast_query_expired.constprop.0+0x16d/0x1b0
call_timer_fn+0x3b/0x2a0
__run_timers+0x619/0x950
run_timer_softirq+0x11c/0x220
handle_softirqs+0x18e/0x560
__irq_exit_rcu+0x158/0x1a0
sysvec_apic_timer_interrupt+0x76/0x90
</IRQ>
This issue can be reproduced with:
ip link add br0 type bridge
echo 1 > /sys/class/net/br0/bridge/multicast_querier
echo 0xffffffffffffffff >
/sys/class/net/br0/bridge/multicast_query_interval
ip link set dev br0 up
The multicast_startup_query_interval can also cause this issue. Similar to
the commit 99b40610956a ("net: bridge: mcast: add and enforce query
interval minimum"), add check for the query interval maximum to fix this
issue.
Link: https://lore.kernel.org/netdev/20250806094941.1285944-1-wangliang74@huawei.com/
Link: https://lore.kernel.org/netdev/20250812091818.542238-1-wangliang74@huawei.com/
Fixes: d902eee43f19 ("bridge: Add multicast count/interval sysfs entries")
Suggested-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20250813021054.1643649-1-wangliang74@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_multicast.c | 16 ++++++++++++++++
net/bridge/br_private.h | 2 ++
2 files changed, 18 insertions(+)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 085c9e706bc4..b8fb1e23b107 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -4608,6 +4608,14 @@ void br_multicast_set_query_intvl(struct net_bridge_mcast *brmctx,
intvl_jiffies = BR_MULTICAST_QUERY_INTVL_MIN;
}
+ if (intvl_jiffies > BR_MULTICAST_QUERY_INTVL_MAX) {
+ br_info(brmctx->br,
+ "trying to set multicast query interval above maximum, setting to %lu (%ums)\n",
+ jiffies_to_clock_t(BR_MULTICAST_QUERY_INTVL_MAX),
+ jiffies_to_msecs(BR_MULTICAST_QUERY_INTVL_MAX));
+ intvl_jiffies = BR_MULTICAST_QUERY_INTVL_MAX;
+ }
+
brmctx->multicast_query_interval = intvl_jiffies;
}
@@ -4624,6 +4632,14 @@ void br_multicast_set_startup_query_intvl(struct net_bridge_mcast *brmctx,
intvl_jiffies = BR_MULTICAST_STARTUP_QUERY_INTVL_MIN;
}
+ if (intvl_jiffies > BR_MULTICAST_STARTUP_QUERY_INTVL_MAX) {
+ br_info(brmctx->br,
+ "trying to set multicast startup query interval above maximum, setting to %lu (%ums)\n",
+ jiffies_to_clock_t(BR_MULTICAST_STARTUP_QUERY_INTVL_MAX),
+ jiffies_to_msecs(BR_MULTICAST_STARTUP_QUERY_INTVL_MAX));
+ intvl_jiffies = BR_MULTICAST_STARTUP_QUERY_INTVL_MAX;
+ }
+
brmctx->multicast_startup_query_interval = intvl_jiffies;
}
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 1718168bd927..8acb427ae6de 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -30,6 +30,8 @@
#define BR_MULTICAST_DEFAULT_HASH_MAX 4096
#define BR_MULTICAST_QUERY_INTVL_MIN msecs_to_jiffies(1000)
#define BR_MULTICAST_STARTUP_QUERY_INTVL_MIN BR_MULTICAST_QUERY_INTVL_MIN
+#define BR_MULTICAST_QUERY_INTVL_MAX msecs_to_jiffies(86400000) /* 24 hours */
+#define BR_MULTICAST_STARTUP_QUERY_INTVL_MAX BR_MULTICAST_QUERY_INTVL_MAX
#define BR_HWDOM_MAX BITS_PER_LONG
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 624/644] scsi: qla4xxx: Prevent a potential error pointer dereference
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (622 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 623/644] net: bridge: fix soft lockup in br_multicast_query_expired() Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 625/644] iommu/amd: Avoid stack buffer overflow from kernel cmdline Greg Kroah-Hartman
` (25 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Chris Leech,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 9dcf111dd3e7ed5fce82bb108e3a3fc001c07225 ]
The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error,
but qla4xxx_ep_connect() returns error pointers. Propagating the error
pointers will lead to an Oops in the caller, so change the error pointers
to NULL.
Fixes: 13483730a13b ("[SCSI] qla4xxx: fix flash/ddb support")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/aJwnVKS9tHsw1tEu@stanley.mountain
Reviewed-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla4xxx/ql4_os.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
index ab89f3171a09..da2ed81673c4 100644
--- a/drivers/scsi/qla4xxx/ql4_os.c
+++ b/drivers/scsi/qla4xxx/ql4_os.c
@@ -6607,6 +6607,8 @@ static struct iscsi_endpoint *qla4xxx_get_ep_fwdb(struct scsi_qla_host *ha,
ep = qla4xxx_ep_connect(ha->host, (struct sockaddr *)dst_addr, 0);
vfree(dst_addr);
+ if (IS_ERR(ep))
+ return NULL;
return ep;
}
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 625/644] iommu/amd: Avoid stack buffer overflow from kernel cmdline
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (623 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 624/644] scsi: qla4xxx: Prevent a potential error pointer dereference Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 626/644] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP Greg Kroah-Hartman
` (24 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simcha Kosman, Kees Cook, Ankit Soni,
Joerg Roedel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 8503d0fcb1086a7cfe26df67ca4bd9bd9e99bdec ]
While the kernel command line is considered trusted in most environments,
avoid writing 1 byte past the end of "acpiid" if the "str" argument is
maximum length.
Reported-by: Simcha Kosman <simcha.kosman@cyberark.com>
Closes: https://lore.kernel.org/all/AS8P193MB2271C4B24BCEDA31830F37AE84A52@AS8P193MB2271.EURP193.PROD.OUTLOOK.COM
Fixes: b6b26d86c61c ("iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter")
Signed-off-by: Kees Cook <kees@kernel.org>
Reviewed-by: Ankit Soni <Ankit.Soni@amd.com>
Link: https://lore.kernel.org/r/20250804154023.work.970-kees@kernel.org
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/amd/init.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
index b6ee83b81d32..065d626d5905 100644
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -3286,7 +3286,7 @@ static int __init parse_ivrs_acpihid(char *str)
{
u32 seg = 0, bus, dev, fn;
char *hid, *uid, *p, *addr;
- char acpiid[ACPIID_LEN] = {0};
+ char acpiid[ACPIID_LEN + 1] = { }; /* size with NULL terminator */
int i;
addr = strchr(str, '@');
@@ -3312,7 +3312,7 @@ static int __init parse_ivrs_acpihid(char *str)
/* We have the '@', make it the terminator to get just the acpiid */
*addr++ = 0;
- if (strlen(str) > ACPIID_LEN + 1)
+ if (strlen(str) > ACPIID_LEN)
goto not_found;
if (sscanf(str, "=%s", acpiid) != 1)
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 626/644] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (624 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 625/644] iommu/amd: Avoid stack buffer overflow from kernel cmdline Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 627/644] drm/hisilicon/hibmc: fix the hibmc loaded failed bug Greg Kroah-Hartman
` (23 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zoey Mertes, Ido Schimmel,
Petr Machata, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit f604d3aaf64ff0d90cc875295474d3abf4155629 ]
By default, the device does not forward IPv4 packets with a link-local
source IP (i.e., 169.254.0.0/16). This behavior does not align with the
kernel which does forward them.
Fix by instructing the device to forward such packets instead of
dropping them.
Fixes: ca360db4b825 ("mlxsw: spectrum: Disable DIP_LINK_LOCAL check in hardware pipeline")
Reported-by: Zoey Mertes <zoey@cloudflare.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/6721e6b2c96feb80269e72ce8d0b426e2f32d99c.1755174341.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 2 ++
drivers/net/ethernet/mellanox/mlxsw/trap.h | 1 +
2 files changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
index 35908a8c640a..85353042a790 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c
@@ -2269,6 +2269,8 @@ static const struct mlxsw_listener mlxsw_sp_listener[] = {
ROUTER_EXP, false),
MLXSW_SP_RXL_NO_MARK(DISCARD_ING_ROUTER_DIP_LINK_LOCAL, FORWARD,
ROUTER_EXP, false),
+ MLXSW_SP_RXL_NO_MARK(DISCARD_ING_ROUTER_SIP_LINK_LOCAL, FORWARD,
+ ROUTER_EXP, false),
/* Multicast Router Traps */
MLXSW_SP_RXL_MARK(ACL1, TRAP_TO_CPU, MULTICAST, false),
MLXSW_SP_RXL_L3_MARK(ACL2, TRAP_TO_CPU, MULTICAST, false),
diff --git a/drivers/net/ethernet/mellanox/mlxsw/trap.h b/drivers/net/ethernet/mellanox/mlxsw/trap.h
index 9e070ab3ed76..eabaca6c240a 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/trap.h
+++ b/drivers/net/ethernet/mellanox/mlxsw/trap.h
@@ -93,6 +93,7 @@ enum {
MLXSW_TRAP_ID_DISCARD_ING_ROUTER_IPV4_SIP_BC = 0x16A,
MLXSW_TRAP_ID_DISCARD_ING_ROUTER_IPV4_DIP_LOCAL_NET = 0x16B,
MLXSW_TRAP_ID_DISCARD_ING_ROUTER_DIP_LINK_LOCAL = 0x16C,
+ MLXSW_TRAP_ID_DISCARD_ING_ROUTER_SIP_LINK_LOCAL = 0x16D,
MLXSW_TRAP_ID_DISCARD_ROUTER_IRIF_EN = 0x178,
MLXSW_TRAP_ID_DISCARD_ROUTER_ERIF_EN = 0x179,
MLXSW_TRAP_ID_DISCARD_ROUTER_LPM4 = 0x17B,
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 627/644] drm/hisilicon/hibmc: fix the hibmc loaded failed bug
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (625 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 626/644] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 628/644] ALSA: usb-audio: Fix size validation in convert_chmap_v3() Greg Kroah-Hartman
` (22 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baihan Li, Yongbang Shi,
Dmitry Baryshkov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baihan Li <libaihan@huawei.com>
[ Upstream commit 93a08f856fcc5aaeeecad01f71bef3088588216a ]
When hibmc loaded failed, the driver use hibmc_unload to free the
resource, but the mutexes in mode.config are not init, which will
access an NULL pointer. Just change goto statement to return, because
hibnc_hw_init() doesn't need to free anything.
Fixes: b3df5e65cc03 ("drm/hibmc: Drop drm_vblank_cleanup")
Signed-off-by: Baihan Li <libaihan@huawei.com>
Signed-off-by: Yongbang Shi <shiyongbang@huawei.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250813094238.3722345-5-shiyongbang@huawei.com
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
index 610fc8e135f9..7d0edecfc495 100644
--- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
+++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
@@ -268,12 +268,12 @@ static int hibmc_load(struct drm_device *dev)
ret = hibmc_hw_init(priv);
if (ret)
- goto err;
+ return ret;
ret = drmm_vram_helper_init(dev, pci_resource_start(pdev, 0), priv->fb_size);
if (ret) {
drm_err(dev, "Error initializing VRAM MM; %d\n", ret);
- goto err;
+ return ret;
}
ret = hibmc_kms_init(priv);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 628/644] ALSA: usb-audio: Fix size validation in convert_chmap_v3()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (626 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 627/644] drm/hisilicon/hibmc: fix the hibmc loaded failed bug Greg Kroah-Hartman
@ 2025-08-26 11:11 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 629/644] drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() Greg Kroah-Hartman
` (21 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:11 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 89f0addeee3cb2dc49837599330ed9c4612f05b0 ]
The "p" pointer is void so sizeof(*p) is 1. The intent was to check
sizeof(*cs_desc), which is 3, instead.
Fixes: ecfd41166b72 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aKL5kftC1qGt6lpv@stanley.mountain
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/stream.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index f5a6e990d07a..12a5e053ec54 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -349,7 +349,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
u16 cs_len;
u8 cs_type;
- if (len < sizeof(*p))
+ if (len < sizeof(*cs_desc))
break;
cs_len = le16_to_cpu(cs_desc->wLength);
if (len < cs_len)
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 629/644] drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (627 preceding siblings ...)
2025-08-26 11:11 ` [PATCH 5.15 628/644] ALSA: usb-audio: Fix size validation in convert_chmap_v3() Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 630/644] ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add Greg Kroah-Hartman
` (20 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chenyuan Yang, Alex Hung,
Dan Wheeler, Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit 7a2ca2ea64b1b63c8baa94a8f5deb70b2248d119 ]
The function mod_hdcp_hdcp1_create_session() calls the function
get_first_active_display(), but does not check its return value.
The return value is a null pointer if the display list is empty.
This will lead to a null pointer dereference.
Add a null pointer check for get_first_active_display() and return
MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.
This is similar to the commit c3e9826a2202
("drm/amd/display: Add null pointer check for get_first_active_display()").
Fixes: 2deade5ede56 ("drm/amd/display: Remove hdcp display state with mst fix")
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5e43eb3cd731649c4f8b9134f857be62a416c893)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c
index b840da3f052a..b5a15b7aae66 100644
--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c
+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c
@@ -256,6 +256,9 @@ enum mod_hdcp_status mod_hdcp_hdcp1_create_session(struct mod_hdcp *hdcp)
return MOD_HDCP_STATUS_FAILURE;
}
+ if (!display)
+ return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND;
+
hdcp_cmd = (struct ta_hdcp_shared_memory *)psp->hdcp_context.context.mem_context.shared_buf;
mutex_lock(&psp->hdcp_context.mutex);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 630/644] ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (628 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 629/644] drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 631/644] ppp: fix race conditions in ppp_fill_forward_path Greg Kroah-Hartman
` (19 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Minhong He, Kuniyuki Iwashima,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minhong He <heminhong@kylinos.cn>
[ Upstream commit 84967deee9d9870b15bc4c3acb50f1d401807902 ]
The seg6_genl_sethmac() directly uses the algorithm ID provided by the
userspace without verifying whether it is an HMAC algorithm supported
by the system.
If an unsupported HMAC algorithm ID is configured, packets using SRv6 HMAC
will be dropped during encapsulation or decapsulation.
Fixes: 4f4853dc1c9c ("ipv6: sr: implement API to control SR HMAC structure")
Signed-off-by: Minhong He <heminhong@kylinos.cn>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250815063845.85426-1-heminhong@kylinos.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/seg6_hmac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c
index 58203c41d652..7e3a85769932 100644
--- a/net/ipv6/seg6_hmac.c
+++ b/net/ipv6/seg6_hmac.c
@@ -294,6 +294,9 @@ int seg6_hmac_info_add(struct net *net, u32 key, struct seg6_hmac_info *hinfo)
struct seg6_pernet_data *sdata = seg6_pernet(net);
int err;
+ if (!__hmac_get_algo(hinfo->alg_id))
+ return -EINVAL;
+
err = rhashtable_lookup_insert_fast(&sdata->hmac_infos, &hinfo->node,
rht_params);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 631/644] ppp: fix race conditions in ppp_fill_forward_path
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (629 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 630/644] ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 632/644] net: phy: Use netif_rx() Greg Kroah-Hartman
` (18 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingfang Deng <dqfext@gmail.com>
[ Upstream commit 0417adf367a0af11adf7ace849af4638cfb573f7 ]
ppp_fill_forward_path() has two race conditions:
1. The ppp->channels list can change between list_empty() and
list_first_entry(), as ppp_lock() is not held. If the only channel
is deleted in ppp_disconnect_channel(), list_first_entry() may
access an empty head or a freed entry, and trigger a panic.
2. pch->chan can be NULL. When ppp_unregister_channel() is called,
pch->chan is set to NULL before pch is removed from ppp->channels.
Fix these by using a lockless RCU approach:
- Use list_first_or_null_rcu() to safely test and access the first list
entry.
- Convert list modifications on ppp->channels to their RCU variants and
add synchronize_net() after removal.
- Check for a NULL pch->chan before dereferencing it.
Fixes: f6efc675c9dd ("net: ppp: resolve forwarding path for bridge pppoe devices")
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Link: https://patch.msgid.link/20250814012559.3705-2-dqfext@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_generic.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 3e804800c509..5cb06e04293e 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -33,6 +33,7 @@
#include <linux/ppp_channel.h>
#include <linux/ppp-comp.h>
#include <linux/skbuff.h>
+#include <linux/rculist.h>
#include <linux/rtnetlink.h>
#include <linux/if_arp.h>
#include <linux/ip.h>
@@ -1612,11 +1613,14 @@ static int ppp_fill_forward_path(struct net_device_path_ctx *ctx,
if (ppp->flags & SC_MULTILINK)
return -EOPNOTSUPP;
- if (list_empty(&ppp->channels))
+ pch = list_first_or_null_rcu(&ppp->channels, struct channel, clist);
+ if (!pch)
+ return -ENODEV;
+
+ chan = READ_ONCE(pch->chan);
+ if (!chan)
return -ENODEV;
- pch = list_first_entry(&ppp->channels, struct channel, clist);
- chan = pch->chan;
if (!chan->ops->fill_forward_path)
return -EOPNOTSUPP;
@@ -2999,7 +3003,7 @@ ppp_unregister_channel(struct ppp_channel *chan)
*/
down_write(&pch->chan_sem);
spin_lock_bh(&pch->downl);
- pch->chan = NULL;
+ WRITE_ONCE(pch->chan, NULL);
spin_unlock_bh(&pch->downl);
up_write(&pch->chan_sem);
ppp_disconnect_channel(pch);
@@ -3505,7 +3509,7 @@ ppp_connect_channel(struct channel *pch, int unit)
hdrlen = pch->file.hdrlen + 2; /* for protocol bytes */
if (hdrlen > ppp->dev->hard_header_len)
ppp->dev->hard_header_len = hdrlen;
- list_add_tail(&pch->clist, &ppp->channels);
+ list_add_tail_rcu(&pch->clist, &ppp->channels);
++ppp->n_channels;
pch->ppp = ppp;
refcount_inc(&ppp->file.refcnt);
@@ -3535,10 +3539,11 @@ ppp_disconnect_channel(struct channel *pch)
if (ppp) {
/* remove it from the ppp unit's list */
ppp_lock(ppp);
- list_del(&pch->clist);
+ list_del_rcu(&pch->clist);
if (--ppp->n_channels == 0)
wake_up_interruptible(&ppp->file.rwait);
ppp_unlock(ppp);
+ synchronize_net();
if (refcount_dec_and_test(&ppp->file.refcnt))
ppp_destroy_interface(ppp);
err = 0;
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 632/644] net: phy: Use netif_rx().
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (630 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 631/644] ppp: fix race conditions in ppp_fill_forward_path Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 633/644] phy: mscc: Fix timestamping for vsc8584 Greg Kroah-Hartman
` (17 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Heiner Kallweit,
Radu Pirea, Richard Cochran, Russell King,
Sebastian Andrzej Siewior, David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit a3d73e15909bdcf25f341e6623cc165ba7eb5968 ]
Since commit
baebdf48c3600 ("net: dev: Makes sure netif_rx() can be invoked in any context.")
the function netif_rx() can be used in preemptible/thread context as
well as in interrupt context.
Use netif_rx().
Cc: Andrew Lunn <andrew@lunn.ch>
Cc: Heiner Kallweit <hkallweit1@gmail.com>
Cc: Radu Pirea <radu-nicolae.pirea@oss.nxp.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Russell King <linux@armlinux.org.uk>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: bc1a59cff9f7 ("phy: mscc: Fix timestamping for vsc8584")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/dp83640.c | 6 +++---
drivers/net/phy/mscc/mscc_ptp.c | 2 +-
drivers/net/phy/nxp-c45-tja11xx.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
index 705c16675b80..88d23890f3be 100644
--- a/drivers/net/phy/dp83640.c
+++ b/drivers/net/phy/dp83640.c
@@ -886,7 +886,7 @@ static void decode_rxts(struct dp83640_private *dp83640,
spin_unlock_irqrestore(&dp83640->rx_lock, flags);
if (shhwtstamps)
- netif_rx_ni(skb);
+ netif_rx(skb);
}
static void decode_txts(struct dp83640_private *dp83640,
@@ -1332,7 +1332,7 @@ static void rx_timestamp_work(struct work_struct *work)
break;
}
- netif_rx_ni(skb);
+ netif_rx(skb);
}
if (!skb_queue_empty(&dp83640->rx_queue))
@@ -1383,7 +1383,7 @@ static bool dp83640_rxtstamp(struct mii_timestamper *mii_ts,
skb_queue_tail(&dp83640->rx_queue, skb);
schedule_delayed_work(&dp83640->ts_work, SKB_TIMESTAMP_TIMEOUT);
} else {
- netif_rx_ni(skb);
+ netif_rx(skb);
}
return true;
diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
index 92f59c964409..cf61990ccd37 100644
--- a/drivers/net/phy/mscc/mscc_ptp.c
+++ b/drivers/net/phy/mscc/mscc_ptp.c
@@ -1218,7 +1218,7 @@ static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts,
ts.tv_sec--;
shhwtstamps->hwtstamp = ktime_set(ts.tv_sec, ns);
- netif_rx_ni(skb);
+ netif_rx(skb);
return true;
}
diff --git a/drivers/net/phy/nxp-c45-tja11xx.c b/drivers/net/phy/nxp-c45-tja11xx.c
index 13269c4e87dd..e6ac851b217a 100644
--- a/drivers/net/phy/nxp-c45-tja11xx.c
+++ b/drivers/net/phy/nxp-c45-tja11xx.c
@@ -436,7 +436,7 @@ static long nxp_c45_do_aux_work(struct ptp_clock_info *ptp)
shhwtstamps_rx = skb_hwtstamps(skb);
shhwtstamps_rx->hwtstamp = ns_to_ktime(timespec64_to_ns(&ts));
NXP_C45_SKB_CB(skb)->header->reserved2 = 0;
- netif_rx_ni(skb);
+ netif_rx(skb);
}
return reschedule ? 1 : -1;
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 633/644] phy: mscc: Fix timestamping for vsc8584
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (631 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 632/644] net: phy: Use netif_rx() Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 634/644] net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Greg Kroah-Hartman
` (16 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Horatiu Vultur, Vadim Fedorenko,
Vladimir Oltean, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit bc1a59cff9f797bfbf8f3104507584d89e9ecf2e ]
There was a problem when we received frames and the frames were
timestamped. The driver is configured to store the nanosecond part of
the timestmap in the ptp reserved bits and it would take the second part
by reading the LTC. The problem is that when reading the LTC we are in
atomic context and to read the second part will go over mdio bus which
might sleep, so we get an error.
The fix consists in actually put all the frames in a queue and start the
aux work and in that work to read the LTC and then calculate the full
received time.
Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250818081029.1300780-1-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc.h | 12 ++++++++
drivers/net/phy/mscc/mscc_main.c | 12 ++++++++
drivers/net/phy/mscc/mscc_ptp.c | 49 ++++++++++++++++++++++++--------
3 files changed, 61 insertions(+), 12 deletions(-)
diff --git a/drivers/net/phy/mscc/mscc.h b/drivers/net/phy/mscc/mscc.h
index 055e4ca5b3b5..878298304430 100644
--- a/drivers/net/phy/mscc/mscc.h
+++ b/drivers/net/phy/mscc/mscc.h
@@ -360,6 +360,13 @@ struct vsc85xx_hw_stat {
u16 mask;
};
+struct vsc8531_skb_cb {
+ u32 ns;
+};
+
+#define VSC8531_SKB_CB(skb) \
+ ((struct vsc8531_skb_cb *)((skb)->cb))
+
struct vsc8531_private {
int rate_magic;
u16 supp_led_modes;
@@ -408,6 +415,11 @@ struct vsc8531_private {
*/
struct mutex ts_lock;
struct mutex phc_lock;
+
+ /* list of skbs that were received and need timestamp information but it
+ * didn't received it yet
+ */
+ struct sk_buff_head rx_skbs_list;
};
/* Shared structure between the PHYs of the same package.
diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
index b349c359089e..03aa85ec60df 100644
--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -2324,6 +2324,13 @@ static int vsc85xx_probe(struct phy_device *phydev)
return vsc85xx_dt_led_modes_get(phydev, default_mode);
}
+static void vsc85xx_remove(struct phy_device *phydev)
+{
+ struct vsc8531_private *priv = phydev->priv;
+
+ skb_queue_purge(&priv->rx_skbs_list);
+}
+
/* Microsemi VSC85xx PHYs */
static struct phy_driver vsc85xx_driver[] = {
{
@@ -2554,6 +2561,7 @@ static struct phy_driver vsc85xx_driver[] = {
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
+ .remove = &vsc85xx_remove,
.probe = &vsc8574_probe,
.set_wol = &vsc85xx_wol_set,
.get_wol = &vsc85xx_wol_get,
@@ -2579,6 +2587,7 @@ static struct phy_driver vsc85xx_driver[] = {
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
+ .remove = &vsc85xx_remove,
.probe = &vsc8574_probe,
.set_wol = &vsc85xx_wol_set,
.get_wol = &vsc85xx_wol_get,
@@ -2604,6 +2613,7 @@ static struct phy_driver vsc85xx_driver[] = {
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
+ .remove = &vsc85xx_remove,
.probe = &vsc8584_probe,
.get_tunable = &vsc85xx_get_tunable,
.set_tunable = &vsc85xx_set_tunable,
@@ -2627,6 +2637,7 @@ static struct phy_driver vsc85xx_driver[] = {
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
+ .remove = &vsc85xx_remove,
.probe = &vsc8584_probe,
.get_tunable = &vsc85xx_get_tunable,
.set_tunable = &vsc85xx_set_tunable,
@@ -2650,6 +2661,7 @@ static struct phy_driver vsc85xx_driver[] = {
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
+ .remove = &vsc85xx_remove,
.probe = &vsc8584_probe,
.get_tunable = &vsc85xx_get_tunable,
.set_tunable = &vsc85xx_set_tunable,
diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
index cf61990ccd37..f77bfbee5f20 100644
--- a/drivers/net/phy/mscc/mscc_ptp.c
+++ b/drivers/net/phy/mscc/mscc_ptp.c
@@ -1190,9 +1190,7 @@ static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts,
{
struct vsc8531_private *vsc8531 =
container_of(mii_ts, struct vsc8531_private, mii_ts);
- struct skb_shared_hwtstamps *shhwtstamps = NULL;
struct vsc85xx_ptphdr *ptphdr;
- struct timespec64 ts;
unsigned long ns;
if (!vsc8531->ptp->configured)
@@ -1202,27 +1200,52 @@ static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts,
type == PTP_CLASS_NONE)
return false;
- vsc85xx_gettime(&vsc8531->ptp->caps, &ts);
-
ptphdr = get_ptp_header_rx(skb, vsc8531->ptp->rx_filter);
if (!ptphdr)
return false;
- shhwtstamps = skb_hwtstamps(skb);
- memset(shhwtstamps, 0, sizeof(struct skb_shared_hwtstamps));
-
ns = ntohl(ptphdr->rsrvd2);
- /* nsec is in reserved field */
- if (ts.tv_nsec < ns)
- ts.tv_sec--;
+ VSC8531_SKB_CB(skb)->ns = ns;
+ skb_queue_tail(&vsc8531->rx_skbs_list, skb);
- shhwtstamps->hwtstamp = ktime_set(ts.tv_sec, ns);
- netif_rx(skb);
+ ptp_schedule_worker(vsc8531->ptp->ptp_clock, 0);
return true;
}
+static long vsc85xx_do_aux_work(struct ptp_clock_info *info)
+{
+ struct vsc85xx_ptp *ptp = container_of(info, struct vsc85xx_ptp, caps);
+ struct skb_shared_hwtstamps *shhwtstamps = NULL;
+ struct phy_device *phydev = ptp->phydev;
+ struct vsc8531_private *priv = phydev->priv;
+ struct sk_buff_head received;
+ struct sk_buff *rx_skb;
+ struct timespec64 ts;
+ unsigned long flags;
+
+ __skb_queue_head_init(&received);
+ spin_lock_irqsave(&priv->rx_skbs_list.lock, flags);
+ skb_queue_splice_tail_init(&priv->rx_skbs_list, &received);
+ spin_unlock_irqrestore(&priv->rx_skbs_list.lock, flags);
+
+ vsc85xx_gettime(info, &ts);
+ while ((rx_skb = __skb_dequeue(&received)) != NULL) {
+ shhwtstamps = skb_hwtstamps(rx_skb);
+ memset(shhwtstamps, 0, sizeof(struct skb_shared_hwtstamps));
+
+ if (ts.tv_nsec < VSC8531_SKB_CB(rx_skb)->ns)
+ ts.tv_sec--;
+
+ shhwtstamps->hwtstamp = ktime_set(ts.tv_sec,
+ VSC8531_SKB_CB(rx_skb)->ns);
+ netif_rx(rx_skb);
+ }
+
+ return -1;
+}
+
static const struct ptp_clock_info vsc85xx_clk_caps = {
.owner = THIS_MODULE,
.name = "VSC85xx timer",
@@ -1236,6 +1259,7 @@ static const struct ptp_clock_info vsc85xx_clk_caps = {
.adjfine = &vsc85xx_adjfine,
.gettime64 = &vsc85xx_gettime,
.settime64 = &vsc85xx_settime,
+ .do_aux_work = &vsc85xx_do_aux_work,
};
static struct vsc8531_private *vsc8584_base_priv(struct phy_device *phydev)
@@ -1563,6 +1587,7 @@ int vsc8584_ptp_probe(struct phy_device *phydev)
mutex_init(&vsc8531->phc_lock);
mutex_init(&vsc8531->ts_lock);
+ skb_queue_head_init(&vsc8531->rx_skbs_list);
/* Retrieve the shared load/save GPIO. Request it as non exclusive as
* the same GPIO can be requested by all the PHYs of the same package.
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 634/644] net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (632 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 633/644] phy: mscc: Fix timestamping for vsc8584 Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 635/644] ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc Greg Kroah-Hartman
` (15 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+20537064367a0f98d597,
Yuichiro Tsuji, Andrew Lunn, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuichiro Tsuji <yuichtsu@amazon.com>
[ Upstream commit 24ef2f53c07f273bad99173e27ee88d44d135b1c ]
Syzbot reported shift-out-of-bounds exception on MDIO bus initialization.
The PHY address should be masked to 5 bits (0-31). Without this
mask, invalid PHY addresses could be used, potentially causing issues
with MDIO bus operations.
Fix this by masking the PHY address with 0x1f (31 decimal) to ensure
it stays within the valid range.
Fixes: 4faff70959d5 ("net: usb: asix_devices: add phy_mask for ax88772 mdio bus")
Reported-by: syzbot+20537064367a0f98d597@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=20537064367a0f98d597
Tested-by: syzbot+20537064367a0f98d597@syzkaller.appspotmail.com
Signed-off-by: Yuichiro Tsuji <yuichtsu@amazon.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250818084541.1958-1-yuichtsu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/asix_devices.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
index 928516222959..97d2037e7fee 100644
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -669,7 +669,7 @@ static int ax88772_init_mdio(struct usbnet *dev)
priv->mdio->read = &asix_mdio_bus_read;
priv->mdio->write = &asix_mdio_bus_write;
priv->mdio->name = "Asix MDIO Bus";
- priv->mdio->phy_mask = ~(BIT(priv->phy_addr) | BIT(AX_EMBD_PHY_ADDR));
+ priv->mdio->phy_mask = ~(BIT(priv->phy_addr & 0x1f) | BIT(AX_EMBD_PHY_ADDR));
/* mii bus name is usb-<usb bus number>-<usb device number> */
snprintf(priv->mdio->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
dev->udev->bus->busnum, dev->udev->devnum);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 635/644] ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (633 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 634/644] net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 636/644] igc: fix disabling L1.2 PCI-E link substate on I226 on init Greg Kroah-Hartman
` (14 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Xing, Larysa Zaremba,
Paul Menzel, Aleksandr Loktionov, Priya Singh, Tony Nguyen,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Xing <kernelxing@tencent.com>
[ Upstream commit 4d4d9ef9dfee877d494e5418f68a1016ef08cad6 ]
Resolve the budget negative overflow which leads to returning true in
ixgbe_xmit_zc even when the budget of descs are thoroughly consumed.
Before this patch, when the budget is decreased to zero and finishes
sending the last allowed desc in ixgbe_xmit_zc, it will always turn back
and enter into the while() statement to see if it should keep processing
packets, but in the meantime it unexpectedly decreases the value again to
'unsigned int (0--)', namely, UINT_MAX. Finally, the ixgbe_xmit_zc returns
true, showing 'we complete cleaning the budget'. That also means
'clean_complete = true' in ixgbe_poll.
The true theory behind this is if that budget number of descs are consumed,
it implies that we might have more descs to be done. So we should return
false in ixgbe_xmit_zc to tell napi poll to find another chance to start
polling to handle the rest of descs. On the contrary, returning true here
means job done and we know we finish all the possible descs this time and
we don't intend to start a new napi poll.
It is apparently against our expectations. Please also see how
ixgbe_clean_tx_irq() handles the problem: it uses do..while() statement
to make sure the budget can be decreased to zero at most and the negative
overflow never happens.
The patch adds 'likely' because we rarely would not hit the loop condition
since the standard budget is 256.
Fixes: 8221c5eba8c1 ("ixgbe: add AF_XDP zero-copy Tx support")
Signed-off-by: Jason Xing <kernelxing@tencent.com>
Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Priya Singh <priyax.singh@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20250819222000.3504873-4-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
index b399b9c14717..9a789a419166 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
@@ -392,7 +392,7 @@ static bool ixgbe_xmit_zc(struct ixgbe_ring *xdp_ring, unsigned int budget)
dma_addr_t dma;
u32 cmd_type;
- while (budget-- > 0) {
+ while (likely(budget)) {
if (unlikely(!ixgbe_desc_unused(xdp_ring))) {
work_done = false;
break;
@@ -427,6 +427,8 @@ static bool ixgbe_xmit_zc(struct ixgbe_ring *xdp_ring, unsigned int budget)
xdp_ring->next_to_use++;
if (xdp_ring->next_to_use == xdp_ring->count)
xdp_ring->next_to_use = 0;
+
+ budget--;
}
if (tx_desc) {
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 636/644] igc: fix disabling L1.2 PCI-E link substate on I226 on init
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (634 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 635/644] ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 637/644] net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit Greg Kroah-Hartman
` (13 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ValdikSS, Vitaly Lifshits,
Paul Menzel, Tony Nguyen, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: ValdikSS <iam@valdikss.org.ru>
[ Upstream commit 1468c1f97cf32418e34dbb40b784ed9333b9e123 ]
Device ID comparison in igc_is_device_id_i226 is performed before
the ID is set, resulting in always failing check on init.
Before the patch:
* L1.2 is not disabled on init
* L1.2 is properly disabled after suspend-resume cycle
With the patch:
* L1.2 is properly disabled both on init and after suspend-resume
How to test:
Connect to the 1G link with 300+ mbit/s Internet speed, and run
the download speed test, such as:
curl -o /dev/null http://speedtest.selectel.ru/1GB
Without L1.2 disabled, the speed would be no more than ~200 mbit/s.
With L1.2 disabled, the speed would reach 1 gbit/s.
Note: it's required that the latency between your host and the remote
be around 3-5 ms, the test inside LAN (<1 ms latency) won't trigger the
issue.
Link: https://lore.kernel.org/intel-wired-lan/15248b4f-3271-42dd-8e35-02bfc92b25e1@intel.com
Fixes: 0325143b59c6 ("igc: disable L1.2 PCI-E link substate to avoid performance issue")
Signed-off-by: ValdikSS <iam@valdikss.org.ru>
Reviewed-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20250819222000.3504873-6-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_main.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index f52c1674d19b..6a9ad4231b0c 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -6549,6 +6549,13 @@ static int igc_probe(struct pci_dev *pdev,
adapter->port_num = hw->bus.func;
adapter->msg_enable = netif_msg_init(debug, DEFAULT_MSG_ENABLE);
+ /* PCI config space info */
+ hw->vendor_id = pdev->vendor;
+ hw->device_id = pdev->device;
+ hw->revision_id = pdev->revision;
+ hw->subsystem_vendor_id = pdev->subsystem_vendor;
+ hw->subsystem_device_id = pdev->subsystem_device;
+
/* Disable ASPM L1.2 on I226 devices to avoid packet loss */
if (igc_is_device_id_i226(hw))
pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
@@ -6573,13 +6580,6 @@ static int igc_probe(struct pci_dev *pdev,
netdev->mem_start = pci_resource_start(pdev, 0);
netdev->mem_end = pci_resource_end(pdev, 0);
- /* PCI config space info */
- hw->vendor_id = pdev->vendor;
- hw->device_id = pdev->device;
- hw->revision_id = pdev->revision;
- hw->subsystem_vendor_id = pdev->subsystem_vendor;
- hw->subsystem_device_id = pdev->subsystem_device;
-
/* Copy the default MAC and PHY function pointers */
memcpy(&hw->mac.ops, ei->mac_ops, sizeof(hw->mac.ops));
memcpy(&hw->phy.ops, ei->phy_ops, sizeof(hw->phy.ops));
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 637/644] net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (635 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 636/644] igc: fix disabling L1.2 PCI-E link substate on I226 on init Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 638/644] net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate Greg Kroah-Hartman
` (12 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William Liu, Savino Dicanosa,
Toke Høiland-Jørgensen, Jamal Hadi Salim,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: William Liu <will@willsroot.io>
[ Upstream commit 15de71d06a400f7fdc15bf377a2552b0ec437cf5 ]
The following setup can trigger a WARNING in htb_activate due to
the condition: !cl->leaf.q->q.qlen
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 \
htb rate 64bit
tc qdisc add dev lo parent 1:1 handle f: \
cake memlimit 1b
ping -I lo -f -c1 -s64 -W0.001 127.0.0.1
This is because the low memlimit leads to a low buffer_limit, which
causes packet dropping. However, cake_enqueue still returns
NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an
empty child qdisc. We should return NET_XMIT_CN when packets are
dropped from the same tin and flow.
I do not believe return value of NET_XMIT_CN is necessary for packet
drops in the case of ack filtering, as that is meant to optimize
performance, not to signal congestion.
Fixes: 046f6fd5daef ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
Signed-off-by: William Liu <will@willsroot.io>
Reviewed-by: Savino Dicanosa <savy@syst3mfailure.io>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20250819033601.579821-1-will@willsroot.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 8429d7f8aba4..73b840762afb 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1761,7 +1761,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
ktime_t now = ktime_get();
struct cake_tin_data *b;
struct cake_flow *flow;
- u32 idx;
+ u32 idx, tin;
/* choose flow to insert into */
idx = cake_classify(sch, &b, skb, q->flow_mode, &ret);
@@ -1771,6 +1771,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
__qdisc_drop(skb, to_free);
return ret;
}
+ tin = (u32)(b - q->tins);
idx--;
flow = &b->flows[idx];
@@ -1938,13 +1939,22 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
q->buffer_max_used = q->buffer_used;
if (q->buffer_used > q->buffer_limit) {
+ bool same_flow = false;
u32 dropped = 0;
+ u32 drop_id;
while (q->buffer_used > q->buffer_limit) {
dropped++;
- cake_drop(sch, to_free);
+ drop_id = cake_drop(sch, to_free);
+
+ if ((drop_id >> 16) == tin &&
+ (drop_id & 0xFFFF) == idx)
+ same_flow = true;
}
b->drop_overlimit += dropped;
+
+ if (same_flow)
+ return NET_XMIT_CN;
}
return NET_XMIT_SUCCESS;
}
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 638/644] net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (636 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 637/644] net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 639/644] bonding: update LACP activity flag after setting lacp_active Greg Kroah-Hartman
` (11 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William Liu, Savino Dicanosa,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: William Liu <will@willsroot.io>
[ Upstream commit 2c2192e5f9c7c2892fe2363244d1387f62710d83 ]
The WARN_ON trigger based on !cl->leaf.q->q.qlen is unnecessary in
htb_activate. htb_dequeue_tree already accounts for that scenario.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: William Liu <will@willsroot.io>
Reviewed-by: Savino Dicanosa <savy@syst3mfailure.io>
Link: https://patch.msgid.link/20250819033632.579854-1-will@willsroot.io
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_htb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index e9f349cb6446..6c4de685a8e4 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -589,7 +589,7 @@ htb_change_class_mode(struct htb_sched *q, struct htb_class *cl, s64 *diff)
*/
static inline void htb_activate(struct htb_sched *q, struct htb_class *cl)
{
- WARN_ON(cl->level || !cl->leaf.q || !cl->leaf.q->q.qlen);
+ WARN_ON(cl->level || !cl->leaf.q);
if (!cl->prio_activity) {
cl->prio_activity = 1 << cl->prio;
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 639/644] bonding: update LACP activity flag after setting lacp_active
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (637 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 638/644] net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 640/644] ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation Greg Kroah-Hartman
` (10 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit b64d035f77b1f02ab449393342264b44950a75ae ]
The port's actor_oper_port_state activity flag should be updated immediately
after changing the lacp_active option to reflect the current mode correctly.
Fixes: 3a755cd8b7c6 ("bonding: add new option lacp_active")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20250815062000.22220-2-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_3ad.c | 25 +++++++++++++++++++++++++
drivers/net/bonding/bond_options.c | 1 +
include/net/bond_3ad.h | 1 +
3 files changed, 27 insertions(+)
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index ff6d4e74a186..fcbd70ad45b9 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -2730,6 +2730,31 @@ void bond_3ad_update_lacp_rate(struct bonding *bond)
spin_unlock_bh(&bond->mode_lock);
}
+/**
+ * bond_3ad_update_lacp_active - change the lacp active
+ * @bond: bonding struct
+ *
+ * Update actor_oper_port_state when lacp_active is modified.
+ */
+void bond_3ad_update_lacp_active(struct bonding *bond)
+{
+ struct port *port = NULL;
+ struct list_head *iter;
+ struct slave *slave;
+ int lacp_active;
+
+ lacp_active = bond->params.lacp_active;
+ spin_lock_bh(&bond->mode_lock);
+ bond_for_each_slave(bond, slave, iter) {
+ port = &(SLAVE_AD_INFO(slave)->port);
+ if (lacp_active)
+ port->actor_oper_port_state |= LACP_STATE_LACP_ACTIVITY;
+ else
+ port->actor_oper_port_state &= ~LACP_STATE_LACP_ACTIVITY;
+ }
+ spin_unlock_bh(&bond->mode_lock);
+}
+
size_t bond_3ad_stats_size(void)
{
return nla_total_size_64bit(sizeof(u64)) + /* BOND_3AD_STAT_LACPDU_RX */
diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
index 5da4599377e1..24072e164b77 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -1390,6 +1390,7 @@ static int bond_option_lacp_active_set(struct bonding *bond,
netdev_dbg(bond->dev, "Setting LACP active to %s (%llu)\n",
newval->string, newval->value);
bond->params.lacp_active = newval->value;
+ bond_3ad_update_lacp_active(bond);
return 0;
}
diff --git a/include/net/bond_3ad.h b/include/net/bond_3ad.h
index f2273bd5a4c5..2dd382a81dd5 100644
--- a/include/net/bond_3ad.h
+++ b/include/net/bond_3ad.h
@@ -303,6 +303,7 @@ int bond_3ad_lacpdu_recv(const struct sk_buff *skb, struct bonding *bond,
int bond_3ad_set_carrier(struct bonding *bond);
void bond_3ad_update_lacp_active(struct bonding *bond);
void bond_3ad_update_lacp_rate(struct bonding *bond);
+void bond_3ad_update_lacp_active(struct bonding *bond);
void bond_3ad_update_ad_actor_settings(struct bonding *bond);
int bond_3ad_stats_fill(struct sk_buff *skb, struct bond_3ad_stats *stats);
size_t bond_3ad_stats_size(void);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 640/644] ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (638 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 639/644] bonding: update LACP activity flag after setting lacp_active Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 641/644] s390/hypfs: Avoid unnecessary ioctl registration in debugfs Greg Kroah-Hartman
` (9 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 8410fe81093ff231e964891e215b624dabb734b0 ]
The entry of the validators table for UAC3 feature unit is defined
with a wrong sub-type UAC_FEATURE (= 0x06) while it should have been
UAC3_FEATURE (= 0x07). This patch corrects the entry value.
Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units")
Link: https://patch.msgid.link/20250821150835.8894-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/validate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/validate.c b/sound/usb/validate.c
index 4f4e8e87a14c..a0d55b77c994 100644
--- a/sound/usb/validate.c
+++ b/sound/usb/validate.c
@@ -285,7 +285,7 @@ static const struct usb_desc_validator audio_validators[] = {
/* UAC_VERSION_3, UAC3_EXTENDED_TERMINAL: not implemented yet */
FUNC(UAC_VERSION_3, UAC3_MIXER_UNIT, validate_mixer_unit),
FUNC(UAC_VERSION_3, UAC3_SELECTOR_UNIT, validate_selector_unit),
- FUNC(UAC_VERSION_3, UAC_FEATURE_UNIT, validate_uac3_feature_unit),
+ FUNC(UAC_VERSION_3, UAC3_FEATURE_UNIT, validate_uac3_feature_unit),
/* UAC_VERSION_3, UAC3_EFFECT_UNIT: not implemented yet */
FUNC(UAC_VERSION_3, UAC3_PROCESSING_UNIT, validate_processing_unit),
FUNC(UAC_VERSION_3, UAC3_EXTENSION_UNIT, validate_processing_unit),
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 641/644] s390/hypfs: Avoid unnecessary ioctl registration in debugfs
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (639 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 640/644] ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 642/644] s390/hypfs: Enable limited access during lockdown Greg Kroah-Hartman
` (8 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mete Durlu, Vasily Gorbik,
Peter Oberparleiter, Alexander Gordeev, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Oberparleiter <oberpar@linux.ibm.com>
[ Upstream commit fec7bdfe7f8694a0c39e6c3ec026ff61ca1058b9 ]
Currently, hypfs registers ioctl callbacks for all debugfs files,
despite only one file requiring them. This leads to unintended exposure
of unused interfaces to user space and can trigger side effects such as
restricted access when kernel lockdown is enabled.
Restrict ioctl registration to only those files that implement ioctl
functionality to avoid interface clutter and unnecessary access
restrictions.
Tested-by: Mete Durlu <meted@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down")
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/hypfs/hypfs_dbfs.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/arch/s390/hypfs/hypfs_dbfs.c b/arch/s390/hypfs/hypfs_dbfs.c
index f4c7dbfaf8ee..c5f53dc3dbbc 100644
--- a/arch/s390/hypfs/hypfs_dbfs.c
+++ b/arch/s390/hypfs/hypfs_dbfs.c
@@ -64,24 +64,28 @@ static long dbfs_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
long rc;
mutex_lock(&df->lock);
- if (df->unlocked_ioctl)
- rc = df->unlocked_ioctl(file, cmd, arg);
- else
- rc = -ENOTTY;
+ rc = df->unlocked_ioctl(file, cmd, arg);
mutex_unlock(&df->lock);
return rc;
}
-static const struct file_operations dbfs_ops = {
+static const struct file_operations dbfs_ops_ioctl = {
.read = dbfs_read,
.llseek = no_llseek,
.unlocked_ioctl = dbfs_ioctl,
};
+static const struct file_operations dbfs_ops = {
+ .read = dbfs_read,
+};
+
void hypfs_dbfs_create_file(struct hypfs_dbfs_file *df)
{
- df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df,
- &dbfs_ops);
+ const struct file_operations *fops = &dbfs_ops;
+
+ if (df->unlocked_ioctl)
+ fops = &dbfs_ops_ioctl;
+ df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df, fops);
mutex_init(&df->lock);
}
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 642/644] s390/hypfs: Enable limited access during lockdown
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (640 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 641/644] s390/hypfs: Avoid unnecessary ioctl registration in debugfs Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 643/644] netfilter: nf_reject: dont leak dst refcount for loopback packets Greg Kroah-Hartman
` (7 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mete Durlu, Vasily Gorbik,
Peter Oberparleiter, Alexander Gordeev, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Oberparleiter <oberpar@linux.ibm.com>
[ Upstream commit 3868f910440c47cd5d158776be4ba4e2186beda7 ]
When kernel lockdown is active, debugfs_locked_down() blocks access to
hypfs files that register ioctl callbacks, even if the ioctl interface
is not required for a function. This unnecessarily breaks userspace
tools that only rely on read operations.
Resolve this by registering a minimal set of file operations during
lockdown, avoiding ioctl registration and preserving access for affected
tooling.
Note that this change restores hypfs functionality when lockdown is
active from early boot (e.g. via lockdown=integrity kernel parameter),
but does not apply to scenarios where lockdown is enabled dynamically
while Linux is running.
Tested-by: Mete Durlu <meted@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down")
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/hypfs/hypfs_dbfs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/s390/hypfs/hypfs_dbfs.c b/arch/s390/hypfs/hypfs_dbfs.c
index c5f53dc3dbbc..5848f2e374a6 100644
--- a/arch/s390/hypfs/hypfs_dbfs.c
+++ b/arch/s390/hypfs/hypfs_dbfs.c
@@ -6,6 +6,7 @@
* Author(s): Michael Holzheu <holzheu@linux.vnet.ibm.com>
*/
+#include <linux/security.h>
#include <linux/slab.h>
#include "hypfs.h"
@@ -83,7 +84,7 @@ void hypfs_dbfs_create_file(struct hypfs_dbfs_file *df)
{
const struct file_operations *fops = &dbfs_ops;
- if (df->unlocked_ioctl)
+ if (df->unlocked_ioctl && !security_locked_down(LOCKDOWN_DEBUGFS))
fops = &dbfs_ops_ioctl;
df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df, fops);
mutex_init(&df->lock);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 643/644] netfilter: nf_reject: dont leak dst refcount for loopback packets
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (641 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 642/644] s390/hypfs: Enable limited access during lockdown Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 644/644] wifi: mac80211: check basic rates validity in sta_link_apply_parameters Greg Kroah-Hartman
` (6 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 91a79b792204313153e1bdbbe5acbfc28903b3a5 ]
recent patches to add a WARN() when replacing skb dst entry found an
old bug:
WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline]
WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline]
WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234
[..]
Call Trace:
nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325
nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27
expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]
..
This is because blamed commit forgot about loopback packets.
Such packets already have a dst_entry attached, even at PRE_ROUTING stage.
Instead of checking hook just check if the skb already has a route
attached to it.
Fixes: f53b9b0bdc59 ("netfilter: introduce support for reject at prerouting stage")
Signed-off-by: Florian Westphal <fw@strlen.de>
Link: https://patch.msgid.link/20250820123707.10671-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/nf_reject_ipv4.c | 6 ++----
net/ipv6/netfilter/nf_reject_ipv6.c | 5 ++---
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index 350aaca12618..c1f5ca847c8a 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -247,8 +247,7 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
if (!oth)
return;
- if ((hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) &&
- nf_reject_fill_skb_dst(oldskb) < 0)
+ if (!skb_dst(oldskb) && nf_reject_fill_skb_dst(oldskb) < 0)
return;
if (skb_rtable(oldskb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
@@ -317,8 +316,7 @@ void nf_send_unreach(struct sk_buff *skb_in, int code, int hook)
if (iph->frag_off & htons(IP_OFFSET))
return;
- if ((hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) &&
- nf_reject_fill_skb_dst(skb_in) < 0)
+ if (!skb_dst(skb_in) && nf_reject_fill_skb_dst(skb_in) < 0)
return;
if (skb_csum_unnecessary(skb_in) || !nf_reject_verify_csum(proto)) {
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index 8208490e05a3..ca39b83c2a5d 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -295,7 +295,7 @@ void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
fl6.fl6_sport = otcph->dest;
fl6.fl6_dport = otcph->source;
- if (hook == NF_INET_PRE_ROUTING || hook == NF_INET_INGRESS) {
+ if (!skb_dst(oldskb)) {
nf_ip6_route(net, &dst, flowi6_to_flowi(&fl6), false);
if (!dst)
return;
@@ -394,8 +394,7 @@ void nf_send_unreach6(struct net *net, struct sk_buff *skb_in,
if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL)
skb_in->dev = net->loopback_dev;
- if ((hooknum == NF_INET_PRE_ROUTING || hooknum == NF_INET_INGRESS) &&
- nf_reject6_fill_skb_dst(skb_in) < 0)
+ if (!skb_dst(skb_in) && nf_reject6_fill_skb_dst(skb_in) < 0)
return;
icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0);
--
2.50.1
^ permalink raw reply related [flat|nested] 651+ messages in thread
* [PATCH 5.15 644/644] wifi: mac80211: check basic rates validity in sta_link_apply_parameters
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (642 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 643/644] netfilter: nf_reject: dont leak dst refcount for loopback packets Greg Kroah-Hartman
@ 2025-08-26 11:12 ` Greg Kroah-Hartman
2025-08-26 17:20 ` [PATCH 5.15 000/644] 5.15.190-rc1 review Florian Fainelli
` (5 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Greg Kroah-Hartman @ 2025-08-26 11:12 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikhail Lobanov, Johannes Berg,
Hanne-Lotta Mäenpää
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Lobanov <m.lobanov@rosa.ru>
commit 16ee3ea8faef8ff042acc15867a6c458c573de61 upstream.
When userspace sets supported rates for a new station via
NL80211_CMD_NEW_STATION, it might send a list that's empty
or contains only invalid values. Currently, we process these
values in sta_link_apply_parameters() without checking the result of
ieee80211_parse_bitrates(), which can lead to an empty rates bitmap.
A similar issue was addressed for NL80211_CMD_SET_BSS in commit
ce04abc3fcc6 ("wifi: mac80211: check basic rates validity").
This patch applies the same approach in sta_link_apply_parameters()
for NL80211_CMD_NEW_STATION, ensuring there is at least one valid
rate by inspecting the result of ieee80211_parse_bitrates().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params")
Signed-off-by: Mikhail Lobanov <m.lobanov@rosa.ru>
Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ Summary of conflict resolutions:
- Function ieee80211_parse_bitrates() takes channel width as its
first parameter in mainline kernel version. In v5.15 the function
takes the whole chandef struct as its first parameter.
- The same function takes link station parameters as its last
parameter, and in v5.15 they are in a struct called sta,
instead of a struct called link_sta. ]
Signed-off-by: Hanne-Lotta Mäenpää <hannelotta@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/cfg.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1658,12 +1658,13 @@ static int sta_apply_parameters(struct i
return ret;
}
- if (params->supported_rates && params->supported_rates_len) {
- ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef,
- sband, params->supported_rates,
- params->supported_rates_len,
- &sta->sta.supp_rates[sband->band]);
- }
+ if (params->supported_rates &&
+ params->supported_rates_len &&
+ !ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef,
+ sband, params->supported_rates,
+ params->supported_rates_len,
+ &sta->sta.supp_rates[sband->band]))
+ return -EINVAL;
if (params->ht_capa)
ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
^ permalink raw reply [flat|nested] 651+ messages in thread
* Re: [PATCH 5.15 000/644] 5.15.190-rc1 review
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (643 preceding siblings ...)
2025-08-26 11:12 ` [PATCH 5.15 644/644] wifi: mac80211: check basic rates validity in sta_link_apply_parameters Greg Kroah-Hartman
@ 2025-08-26 17:20 ` Florian Fainelli
2025-08-26 17:43 ` Jon Hunter
` (4 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Florian Fainelli @ 2025-08-26 17:20 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, hargar, broonie, achill
On 8/26/25 04:01, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.190 release.
> There are 644 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Aug 2025 11:08:21 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.190-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 651+ messages in thread
* Re: [PATCH 5.15 000/644] 5.15.190-rc1 review
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (644 preceding siblings ...)
2025-08-26 17:20 ` [PATCH 5.15 000/644] 5.15.190-rc1 review Florian Fainelli
@ 2025-08-26 17:43 ` Jon Hunter
2025-08-26 17:47 ` Brett A C Sheffield
` (3 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Jon Hunter @ 2025-08-26 17:43 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, achill,
linux-tegra, stable
On Tue, 26 Aug 2025 13:01:31 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.190 release.
> There are 644 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Aug 2025 11:08:21 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.190-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v5.15:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
105 tests: 105 pass, 0 fail
Linux version: 5.15.190-rc1-ge09f9302f92d
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 651+ messages in thread
* Re: 5.15.190-rc1 review
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (645 preceding siblings ...)
2025-08-26 17:43 ` Jon Hunter
@ 2025-08-26 17:47 ` Brett A C Sheffield
2025-08-27 9:22 ` [PATCH 5.15 000/644] " Anders Roxell
` (2 subsequent siblings)
649 siblings, 0 replies; 651+ messages in thread
From: Brett A C Sheffield @ 2025-08-26 17:47 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, achill,
Brett A C Sheffield
Upstream commit:
9e30ecf23b1b ("net: ipv4: fix incorrect MTU in broadcast routes")
introduces a regression which breaks IPv4 broadcast, which stops WOL working
(breaking my CI system), among other things:
https://lore.kernel.org/regressions/20250822165231.4353-4-bacs@librecast.net
Mainline fix pending.
# Librecast Test Results
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 5.15.190-rc1-00645-ge09f9302f92d #48 SMP Tue Aug 26 11:48:25 -00 2025 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 651+ messages in thread
* Re: [PATCH 5.15 000/644] 5.15.190-rc1 review
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (646 preceding siblings ...)
2025-08-26 17:47 ` Brett A C Sheffield
@ 2025-08-27 9:22 ` Anders Roxell
2025-08-27 9:29 ` Ron Economos
2025-08-28 8:26 ` Vijayendra Suman
649 siblings, 0 replies; 651+ messages in thread
From: Anders Roxell @ 2025-08-27 9:22 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, hargar, broonie, achill
On Tue, 26 Aug 2025 at 13:13, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.15.190 release.
> There are 644 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Aug 2025 11:08:21 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.190-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro's test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 5.15.190-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: e09f9302f92d6e366e40ce66054adc57d2bada85
* git describe: v5.15.189-645-ge09f9302f92d
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.15.y/build/v5.15.189-645-ge09f9302f92d
## Test Regressions (compared to v5.15.187-81-gd21affcc10e6)
## Metric Regressions (compared to v5.15.187-81-gd21affcc10e6)
## Test Fixes (compared to v5.15.187-81-gd21affcc10e6)
## Metric Fixes (compared to v5.15.187-81-gd21affcc10e6)
## Test result summary
total: 52799, pass: 43384, fail: 2145, skip: 6975, xfail: 295
## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 101 total, 101 passed, 0 failed
* arm64: 28 total, 28 passed, 0 failed
* i386: 18 total, 18 passed, 0 failed
* mips: 22 total, 22 passed, 0 failed
* parisc: 3 total, 3 passed, 0 failed
* powerpc: 22 total, 22 passed, 0 failed
* riscv: 8 total, 8 passed, 0 failed
* s390: 9 total, 9 passed, 0 failed
* sh: 10 total, 10 passed, 0 failed
* sparc: 6 total, 6 passed, 0 failed
* x86_64: 24 total, 24 passed, 0 failed
## Test suites summary
* boot
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-exec
* kselftest-fpu
* kselftest-futex
* kselftest-intel_pstate
* kselftest-kcmp
* kselftest-livepatch
* kselftest-membarrier
* kselftest-mincore
* kselftest-mm
* kselftest-mqueue
* kselftest-net
* kselftest-net-mptcp
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-tc-testing
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kunit
* kvm-unit-tests
* lava
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-build-clang
* log-parser-build-gcc
* log-parser-test
* ltp-capability
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* perf
* rcutorture
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 651+ messages in thread
* Re: [PATCH 5.15 000/644] 5.15.190-rc1 review
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (647 preceding siblings ...)
2025-08-27 9:22 ` [PATCH 5.15 000/644] " Anders Roxell
@ 2025-08-27 9:29 ` Ron Economos
2025-08-28 8:26 ` Vijayendra Suman
649 siblings, 0 replies; 651+ messages in thread
From: Ron Economos @ 2025-08-27 9:29 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie, achill
On 8/26/25 04:01, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.190 release.
> There are 644 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Aug 2025 11:08:21 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.190-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 651+ messages in thread
* Re: [PATCH 5.15 000/644] 5.15.190-rc1 review
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
` (648 preceding siblings ...)
2025-08-27 9:29 ` Ron Economos
@ 2025-08-28 8:26 ` Vijayendra Suman
649 siblings, 0 replies; 651+ messages in thread
From: Vijayendra Suman @ 2025-08-28 8:26 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, hargar, broonie, achill
On 26/08/25 4:31 pm, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.190 release.
> There are 644 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 28 Aug 2025 11:08:21 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/
> patch-5.15.190-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
No issues were seen on x86_64 and aarch64 platforms with our testing.
Tested-by: Vijayendra Suman <vijayendra.suman@oracle.com>>
> thanks,
>
> greg k-h
^ permalink raw reply [flat|nested] 651+ messages in thread
end of thread, other threads:[~2025-08-28 8:26 UTC | newest]
Thread overview: 651+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-26 11:01 [PATCH 5.15 000/644] 5.15.190-rc1 review Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 001/644] phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 002/644] USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 003/644] USB: serial: option: add Foxconn T99W640 Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 004/644] USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 005/644] usb: gadget: configfs: Fix OOB read on empty string write Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 006/644] i2c: stm32: fix the device used for the DMA map Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 007/644] thunderbolt: Fix bit masking in tb_dp_port_set_hops() Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 008/644] Input: xpad - set correct controller type for Acer NGR200 Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 009/644] pch_uart: Fix dma_sync_sg_for_device() nents value Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 010/644] HID: core: ensure the allocated report buffer can contain the reserved report ID Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 011/644] HID: core: ensure __hid_request reserves the report ID as the first byte Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 012/644] HID: core: do not bypass hid_hw_raw_request Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 013/644] tracing: Add down_write(trace_event_sem) when adding trace event Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 014/644] phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 015/644] af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 016/644] af_packet: fix soft lockup issue caused by tpacket_snd() Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 017/644] dmaengine: nbpfaxi: Fix memory corruption in probe() Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 018/644] isofs: Verify inode mode when loading from disk Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 019/644] memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 020/644] mmc: bcm2835: Fix dma_unmap_sg() nents value Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 021/644] mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 022/644] mmc: sdhci_am654: Workaround for Errata i2312 Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 023/644] pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 024/644] soc: aspeed: lpc-snoop: Cleanup resources in stack-order Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 025/644] soc: aspeed: lpc-snoop: Dont disable channels that arent enabled Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 026/644] iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[] Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 027/644] iio: adc: max1363: Reorder mode_list[] entries Greg Kroah-Hartman
2025-08-26 11:01 ` [PATCH 5.15 028/644] iio: adc: stm32-adc: Fix race in installing chained IRQ handler Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 029/644] comedi: pcl812: Fix bit shift out of bounds Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 030/644] comedi: aio_iiro_16: " Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 031/644] comedi: das16m1: " Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 032/644] comedi: das6402: " Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 033/644] comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 034/644] comedi: Fix some signed shift left operations Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 035/644] comedi: Fix use of uninitialized data in insn_rw_emulate_bits() Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 036/644] comedi: Fix initialization of data for instructions that write to subdevice Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 037/644] bpf: Reject %p% format string in bprintf-like helpers Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 038/644] net: emaclite: Fix missing pointer increment in aligned_read() Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 039/644] net/sched: sch_qfq: Fix race condition on qfq_aggregate Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 040/644] rpl: Fix use-after-free in rpl_do_srh_inline() Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 041/644] pinctrl: mediatek: moore: check if pin_desc is valid before use Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 042/644] smb: client: fix use-after-free in cifs_oplock_break Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 043/644] nvme: fix misaccounting of nvme-mpath inflight I/O Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 044/644] selftests: udpgro: report error when receive failed Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 045/644] selftests: net: increase inter-packet timeout in udpgro.sh Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 046/644] hwmon: (corsair-cpro) Validate the size of the received input buffer Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 047/644] usb: net: sierra: check for no status endpoint Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 048/644] Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 049/644] Bluetooth: SMP: If an unallowed command is received consider it a failure Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 050/644] Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 051/644] lib: bitmap: Introduce node-aware alloc API Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 052/644] net/mlx5e: Add support to klm_umr_wqe Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 053/644] net/mlx5: Correctly set gso_size when LRO is used Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 054/644] ipv6: mcast: Delay put pmc->idev in mld_del_delrec() Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 055/644] Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 056/644] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 057/644] net: bridge: Do not offload IGMP/MLD messages Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 058/644] net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 059/644] sched: Change nr_uninterruptible type to unsigned long Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 060/644] clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 061/644] usb: hub: fix detection of high tier USB3 devices behind suspended hubs Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 062/644] usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 063/644] usb: hub: Fix flushing of delayed work used for post resume purposes Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 064/644] usb: musb: Add and use inline functions musb_{get,set}_state Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 065/644] usb: musb: fix gadget state on disconnect Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 066/644] usb: dwc3: qcom: Dont leave BCR asserted Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 067/644] ASoC: fsl_sai: Force a software reset when starting in consumer mode Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 068/644] mm/vmalloc: leave lazy MMU mode on PTE mapping error Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 069/644] powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 070/644] platform/x86: think-lmi: Fix kobject cleanup Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 071/644] bpf, sockmap: Fix panic when calling skb_linearize Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 072/644] x86: Fix get_wchan() to support the ORC unwinder Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 073/644] sched: Add wrapper for get_wchan() to keep task blocked Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 074/644] x86: Fix __get_wchan() for !STACKTRACE Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 075/644] x86: Pin task-stack in __get_wchan() Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 076/644] Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 077/644] regulator: core: fix NULL dereference on unbind due to stale coupling data Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 078/644] RDMA/core: Rate limit GID cache warning messages Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 079/644] interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 080/644] regmap: fix potential memory leak of regmap_bus Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 081/644] i40e: Add rx_missed_errors for buffer exhaustion Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 082/644] i40e: report VF tx_dropped with tx_errors instead of tx_discards Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 083/644] net: appletalk: Fix use-after-free in AARP proxy probe Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 084/644] net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 085/644] net: hns3: fix concurrent setting vlan filter issue Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 086/644] net: hns3: disable interrupt when ptp init failed Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 087/644] net: hns3: fixed vf get max channels bug Greg Kroah-Hartman
2025-08-26 11:02 ` [PATCH 5.15 088/644] platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 089/644] i2c: qup: jump out of the loop in case of timeout Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 090/644] i2c: virtio: Avoid hang by using interruptible completion wait Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 091/644] bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 092/644] ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 093/644] dpaa2-eth: Fix device reference count leak in MAC endpoint handling Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 094/644] dpaa2-switch: " Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 095/644] e1000e: disregard NVM checksum on tgp when valid checksum bit is not set Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 096/644] e1000e: ignore uninitialized checksum word on tgp Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 097/644] gve: Fix stuck TX queue for DQ queue format Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 098/644] nilfs2: reject invalid file types when reading inodes Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 099/644] mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 100/644] usb: typec: tcpm: allow to use sink in accessory mode Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 101/644] usb: typec: tcpm: allow switching to mode accessory to mux properly Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 102/644] usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 103/644] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode() Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 104/644] jfs: reject on-disk inodes of an unsupported type Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 105/644] comedi: comedi_test: Fix possible deletion of uninitialized timers Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 106/644] ALSA: hda: Add missing NVIDIA HDA codec IDs Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 107/644] usb: chipidea: add USB PHY event Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 108/644] usb: phy: mxs: disconnect line when USB charger is attached Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 109/644] ethernet: intel: fix building with large NR_CPUS Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 110/644] ASoC: Intel: fix SND_SOC_SOF dependencies Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 111/644] fs_context: fix parameter name in infofc() macro Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 112/644] hfsplus: remove mutex_lock check in hfsplus_free_extents Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 113/644] Revert "fs/ntfs3: Replace inode_trylock with inode_lock" Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 114/644] ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 115/644] ASoC: ops: dynamically allocate struct snd_ctl_elem_value Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 116/644] selftests: Fix errno checking in syscall_user_dispatch test Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 117/644] ARM: dts: vfxxx: Correctly use two tuples for timer address Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 118/644] usb: misc: apple-mfi-fastcharge: Make power supply names unique Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 119/644] staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 120/644] vmci: Prevent the dispatching of uninitialized payloads Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 121/644] pps: fix poll support Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 122/644] Revert "vmci: Prevent the dispatching of uninitialized payloads" Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 123/644] usb: early: xhci-dbc: Fix early_ioremap leak Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 124/644] arm: dts: ti: omap: Fixup pinheader typo Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 125/644] ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 126/644] arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 127/644] arm64: dts: imx8mn-beacon: " Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 128/644] PM / devfreq: Check governor before using governor->name Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 129/644] cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 130/644] cpufreq: Initialize cpufreq-based frequency-invariance later Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 131/644] cpufreq: Init policy->rwsem before it may be possibly used Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 132/644] samples: mei: Fix building on musl libc Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 133/644] staging: nvec: Fix incorrect null termination of battery manufacturer Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 134/644] selftests/tracing: Fix false failure of subsystem event test Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 135/644] drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 136/644] bpf, sockmap: Fix psock incorrectly pointing to sk Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 137/644] bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 138/644] bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 139/644] caif: reduce stack size, again Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 140/644] wifi: rtl818x: Kill URBs before clearing tx status queue Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 141/644] wifi: iwlwifi: Fix memory leak in iwl_mvm_init() Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 142/644] iwlwifi: Add missing check for alloc_ordered_workqueue Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 143/644] wifi: ath11k: clear initialized flag for deinit-ed srng lists Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 144/644] tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 145/644] net/mlx5: Check device memory pointer before usage Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 146/644] m68k: Dont unregister boot console needlessly Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 147/644] drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value Greg Kroah-Hartman
2025-08-26 11:03 ` [PATCH 5.15 148/644] netfilter: nf_tables: adjust lockdep assertions handling Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 149/644] arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 150/644] um: rtc: Avoid shadowing err in uml_rtc_start() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 151/644] net/sched: Restrict conditions for adding duplicating netems to qdisc tree Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 152/644] net_sched: act_ctinfo: use atomic64_t for three counters Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 153/644] xen/gntdev: remove struct gntdev_copy_batch from stack Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 154/644] wifi: rtl8xxxu: Fix RX skb size for aggregation disabled Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 155/644] mwl8k: Add missing check after DMA map Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 156/644] wifi: mac80211: Dont call fq_flow_idx() for management frames Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 157/644] wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 158/644] Reapply "wifi: mac80211: Update skbs control block key in ieee80211_tx_dequeue()" Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 159/644] wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 160/644] can: kvaser_pciefd: Store device channel index Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 161/644] can: kvaser_usb: Assign netdev.dev_port based on " Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 162/644] netfilter: xt_nfacct: dont assume acct name is null-terminated Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 163/644] selftests: rtnetlink.sh: remove esp4_offload after test Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 164/644] vrf: Drop existing dst reference in vrf_ip6_input_dst Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 165/644] PCI: rockchip-host: Fix "Unexpected Completion" log message Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 166/644] crypto: marvell/cesa - Fix engine load inaccuracy Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 167/644] mtd: fix possible integer overflow in erase_xfer() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 168/644] clk: davinci: Add NULL check in davinci_lpsc_clk_register() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 169/644] media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 170/644] clk: xilinx: vcu: unregister pll_post only if registered correctly Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 171/644] power: supply: cpcap-charger: Fix null check for power_supply_get_by_name Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 172/644] power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 173/644] PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 174/644] pinctrl: sunxi: Fix memory leak on krealloc failure Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 175/644] clk: clk-axi-clkgen: fix fpfd_max frequency for zynq Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 176/644] perf sched: Fix memory leaks for evsel->priv in timehist Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 177/644] crypto: inside-secure - Fix `dma_unmap_sg()` nents value Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 178/644] crypto: ccp - Fix crash when rebind ccp device for ccp.ko Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 179/644] RDMA/hns: Fix -Wframe-larger-than issue Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 180/644] kernel: trace: preemptirq_delay_test: use offstack cpu mask Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 181/644] perf tests bp_account: Fix leaked file descriptor Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 182/644] clk: sunxi-ng: v3s: Fix de clock definition Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 183/644] scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 184/644] scsi: mvsas: " Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 185/644] scsi: isci: " Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 186/644] watchdog: ziirave_wdt: check record length in ziirave_firm_verify() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 187/644] hwrng: mtk - handle devm_pm_runtime_enable errors Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 188/644] crypto: keembay - Fix dma_unmap_sg() nents value Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 189/644] crypto: img-hash " Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 190/644] soundwire: stream: restore params when prepare ports fail Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 191/644] PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 192/644] fs/orangefs: Allow 2 more characters in do_c_string() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 193/644] dmaengine: mv_xor: Fix missing check after DMA map and missing unmap Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 194/644] dmaengine: nbpfaxi: Add missing check after DMA map Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 195/644] sh: Do not use hyphen in exported variable name Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 196/644] crypto: qat - fix seq_file position update in adf_ring_next() Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 197/644] fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 198/644] jfs: fix metapage reference count leak in dbAllocCtl Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 199/644] mtd: rawnand: atmel: Fix dma_mapping_error() address Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 200/644] mtd: rawnand: rockchip: Add missing check after DMA map Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 201/644] mtd: rawnand: atmel: set pmecc data setup time Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 202/644] vhost-scsi: Fix log flooding with target does not exist errors Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 203/644] bpf: Check flow_dissector ctx accesses are aligned Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 204/644] apparmor: ensure WB_HISTORY_SIZE value is a power of 2 Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 205/644] module: Restore the moduleparam prefix length check Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 206/644] ucount: fix atomic_long_inc_below() argument type Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 207/644] rtc: ds1307: fix incorrect maximum clock rate handling Greg Kroah-Hartman
2025-08-26 11:04 ` [PATCH 5.15 208/644] rtc: hym8563: " Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 209/644] rtc: pcf85063: " Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 210/644] rtc: pcf8563: " Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 211/644] rtc: rv3028: " Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 212/644] f2fs: fix KMSAN uninit-value in extent_info usage Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 213/644] f2fs: doc: fix wrong quota mount option description Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 214/644] f2fs: fix to avoid UAF in f2fs_sync_inode_meta() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 215/644] f2fs: fix to avoid panic in f2fs_evict_inode Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 216/644] f2fs: fix to avoid out-of-boundary access in devs.path Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 217/644] scsi: mpt3sas: Fix a fw_event memory leak Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 218/644] scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 219/644] kconfig: qconf: fix ConfigList::updateListAllforAll() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 220/644] PCI: pnv_php: Clean up allocated IRQs on unplug Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 221/644] PCI: pnv_php: Work around switches with broken presence detection Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 222/644] powerpc/eeh: Export eeh_unfreeze_pe() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 223/644] powerpc/eeh: Rely on dev->link_active_reporting Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 224/644] powerpc/eeh: Make EEH driver device hotplug safe Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 225/644] PCI: pnv_php: Fix surprise plug detection and recovery Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 226/644] pNFS/flexfiles: dont attempt pnfs on fatal DS errors Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 227/644] NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 228/644] NFSv4.2: another fix for listxattr Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 229/644] XArray: Add calls to might_alloc() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 230/644] NFS: Fixup allocation flags for nfsiods __GFP_NORETRY Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 231/644] netpoll: prevent hanging NAPI when netcons gets enabled Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 232/644] phy: mscc: Fix parsing of unicast frames Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 233/644] pptp: ensure minimal skb length in pptp_xmit() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 234/644] net/mlx5: Correctly set gso_segs when LRO is used Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 235/644] ipv6: reject malicious packets in ipv6_gso_segment() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 236/644] net: drop UFO packets in udp_rcv_segment() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 237/644] benet: fix BUG when creating VFs Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 238/644] ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 239/644] smb: server: remove separate empty_recvmsg_queue Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 240/644] smb: server: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 241/644] smb: server: let recv_done() consistently call put_recvmsg/smb_direct_disconnect_rdma_connection Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 242/644] smb: server: let recv_done() avoid touching data_transfer after cleanup/move Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 243/644] smb: client: let recv_done() cleanup before notifying the callers Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 244/644] pptp: fix pptp_xmit() error path Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 245/644] perf/core: Dont leak AUX buffer refcount on allocation failure Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 246/644] perf/core: Exit early on perf_mmap() fail Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 247/644] perf/core: Prevent VMA split of buffer mappings Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 248/644] selftests/perf_events: Add a mmap() correctness test Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 249/644] net/packet: fix a race in packet_set_ring() and packet_notifier() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 250/644] vsock: Do not allow binding to VMADDR_PORT_ANY Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 251/644] USB: serial: option: add Foxconn T99W709 Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 252/644] net: usbnet: Avoid potential RCU stall on LINK_CHANGE event Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 253/644] net: usbnet: Fix the wrong netif_carrier_on() call Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 254/644] ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 255/644] MIPS: mm: tlb-r4k: Uniquify TLB entries on init Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 256/644] mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 257/644] usb: gadget : fix use-after-free in composite_dev_cleanup() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 258/644] io_uring: dont use int for ABI Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 259/644] ALSA: usb-audio: Validate UAC3 power domain descriptors, too Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 260/644] ALSA: usb-audio: Validate UAC3 cluster segment descriptors Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 261/644] gpio: virtio: Fix config space reading Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 262/644] netlink: avoid infinite retry looping in netlink_unicast() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 263/644] net: gianfar: fix device leak when querying time stamp info Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 264/644] net: dpaa: " Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 265/644] net: usb: asix_devices: add phy_mask for ax88772 mdio bus Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 266/644] nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 267/644] NFSD: detect mismatch of file handle and delegation stateid in OPEN op Greg Kroah-Hartman
2025-08-26 11:05 ` [PATCH 5.15 268/644] sunvdc: Balance device refcount in vdc_port_mpgroup_check Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 269/644] fs: Prevent file descriptor table allocations exceeding INT_MAX Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 270/644] eventpoll: Fix semi-unbounded recursion Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 271/644] Documentation: ACPI: Fix parent device references Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 272/644] ACPI: processor: perflib: Fix initial _PPC limit application Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 273/644] ACPI: processor: perflib: Move problematic pr->performance check Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 274/644] udp: also consider secpath when evaluating ipsec use for checksumming Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 275/644] netfilter: ctnetlink: fix refcount leak on table dump Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 276/644] sctp: linearize cloned gso packets in sctp_rcv Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 277/644] intel_idle: Allow loading ACPI tables for any family Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 278/644] cpuidle: governors: menu: Avoid using invalid recent intervals data Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 279/644] ptp: prevent possible ABBA deadlock in ptp_clock_freerun() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 280/644] hfs: fix slab-out-of-bounds in hfs_bnode_read() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 281/644] hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 282/644] hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 283/644] hfsplus: dont use BUG_ON() in hfsplus_create_attributes_file() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 284/644] arm64: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 285/644] smb/server: avoid deadlock when linking with ReplaceIfExists Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 286/644] udf: Verify partition map count Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 287/644] drbd: add missing kref_get in handle_write_conflicts Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 288/644] hfs: fix not erasing deleted b-tree node issue Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 289/644] better lockdep annotations for simple_recursive_removal() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 290/644] ata: libata-sata: Disallow changing LPM state if not supported Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 291/644] fs/ntfs3: Add sanity check for file name Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 292/644] fs/ntfs3: correctly create symlink for relative path Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 293/644] ext2: Handle fiemap on empty files to prevent EINVAL Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 294/644] securityfs: dont pin dentries twice, once is enough Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 295/644] usb: xhci: print xhci->xhc_state when queue_command failed Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 296/644] cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 297/644] selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 298/644] usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 299/644] usb: xhci: Avoid showing warnings for dying controller Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 300/644] usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 301/644] usb: xhci: Avoid showing errors during surprise removal Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 302/644] gpio: wcd934x: check the return value of regmap_update_bits() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 303/644] cpufreq: Exit governor when failed to start old governor Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 304/644] ARM: rockchip: fix kernel hang during smp initialization Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 305/644] PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 306/644] EDAC/synopsys: Clear the ECC counters on init Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 307/644] ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 308/644] thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 309/644] tools/nolibc: define time_t in terms of __kernel_old_time_t Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 310/644] gpio: tps65912: check the return value of regmap_update_bits() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 311/644] ARM: tegra: Use I/O memcpy to write to IRAM Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 312/644] selftests: tracing: Use mutex_unlock for testing glob filter Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 313/644] ACPI: PRM: Reduce unnecessary printing to avoid user confusion Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 314/644] PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 315/644] thermal: sysfs: Return ENODATA instead of EAGAIN for reads Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 316/644] PM: sleep: console: Fix the black screen issue Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 317/644] ACPI: processor: fix acpi_object initialization Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 318/644] mmc: sdhci-msm: Ensure SD card power isnt ON when card removed Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 319/644] ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 320/644] pps: clients: gpio: fix interrupt handling order in remove path Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 321/644] reset: brcmstb: Enable reset drivers for ARCH_BCM2835 Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 322/644] mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 323/644] x86/bugs: Avoid warning when overriding return thunk Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 324/644] ASoC: hdac_hdmi: Rate limit logging on connection and disconnection Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 325/644] ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 326/644] ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 327/644] usb: typec: intel_pmc_mux: Defer probe if SCU IPC isnt present Greg Kroah-Hartman
2025-08-26 11:06 ` [PATCH 5.15 328/644] usb: core: usb_submit_urb: downgrade type check Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 329/644] pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 330/644] platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 331/644] platform/chrome: cros_ec_typec: Defer probe on missing EC parent Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 332/644] ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 333/644] ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 334/644] ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 335/644] iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 336/644] ASoC: codecs: rt5640: Retry DEVICE_ID verification Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 337/644] xen/netfront: Fix TX response spurious interrupts Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 338/644] ktest.pl: Prevent recursion of default variable options Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 339/644] wifi: cfg80211: reject HTC bit for management frames Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 340/644] s390/time: Use monotonic clock in get_cycles() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 341/644] be2net: Use correct byte order and format string for TCP seq and ack_seq Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 342/644] et131x: Add missing check after DMA map Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 343/644] net: ag71xx: " Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 344/644] net/mlx5e: Properly access RCU protected qdisc_sleeping variable Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 345/644] arm64: Mark kernel as tainted on SAE and SError panic Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 346/644] rcu: Protect ->defer_qs_iw_pending from data race Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 347/644] net: mctp: Prevent duplicate binds Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 348/644] wifi: cfg80211: Fix interface type validation Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 349/644] net: ipv4: fix incorrect MTU in broadcast routes Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 350/644] net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 351/644] sched/deadline: Fix accounting after global limits change Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 352/644] wifi: iwlwifi: mvm: fix scan request validation Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 353/644] s390/stp: Remove udelay from stp_sync_clock() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 354/644] wifi: mac80211: dont complete management TX on SAE commit Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 355/644] (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 356/644] ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 357/644] drm/msm: use trylock for debugfs Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 358/644] net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 359/644] net: atlantic: add set_power to fw_ops for atl2 to fix wol Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 360/644] net: fec: allow disable coalescing Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 361/644] drm/amd/display: Separate set_gsl from set_gsl_source_select Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 362/644] wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 363/644] wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 364/644] drm/amd/display: Fix failed to blank crtc! Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 365/644] wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()` Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 366/644] netmem: fix skb_frag_address_safe with unreadable skbs Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 367/644] wifi: iwlegacy: Check rate_idx range after addition Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 368/644] dpaa_eth: dont use fixed_phy_change_carrier Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 369/644] drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 370/644] net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 371/644] gve: Return error for unknown admin queue command Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 372/644] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 373/644] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 374/644] net: dsa: b53: prevent DIS_LEARNING " Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 375/644] net: dsa: b53: prevent SWITCH_CTRL " Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 376/644] wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 377/644] net: ncsi: Fix buffer overflow in fetching version id Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 378/644] drm/ttm: Should to return the evict error Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 379/644] uapi: in6: restore visibility of most IPv6 socket options Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 380/644] drm/ttm: Respect the shrinker core free target Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 381/644] net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325 Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 382/644] vhost: fail early when __vhost_add_used() fails Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 383/644] watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 384/644] cifs: Fix calling CIFSFindFirst() for root path without msearch Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 385/644] crypto: hisilicon/hpre - fix dma unmap sequence Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 386/644] ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 387/644] scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated Greg Kroah-Hartman
2025-08-26 11:07 ` [PATCH 5.15 388/644] fs/orangefs: use snprintf() instead of sprintf() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 389/644] watchdog: dw_wdt: Fix default timeout Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 390/644] MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 391/644] watchdog: iTCO_wdt: Report error if timeout configuration fails Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 392/644] scsi: bfa: Double-free fix Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 393/644] jfs: truncate good inode pages when hard link is 0 Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 394/644] jfs: Regular file corruption check Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 395/644] jfs: upper bound check of tree index in dbAllocAG Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 396/644] MIPS: Dont crash in stack_top() for tasks without ABI or vDSO Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 397/644] media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 398/644] leds: leds-lp50xx: Handle reg to get correct multi_index Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 399/644] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 400/644] RDMA/core: reduce stack using in nldev_stat_get_doit() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 401/644] scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 402/644] scsi: mpt3sas: Correctly handle ATA device errors Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 403/644] pinctrl: stm32: Manage irq affinity settings Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 404/644] media: tc358743: Check I2C succeeded during probe Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 405/644] media: tc358743: Return an appropriate colorspace from tc358743_set_fmt Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 406/644] media: tc358743: Increase FIFO trigger level to 374 Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 407/644] media: usb: hdpvr: disable zero-length read messages Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 408/644] media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 409/644] media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 410/644] media: uvcvideo: Fix bandwidth issue for Alcor camera Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 411/644] crypto: octeontx2 - add timeout for load_fvc completion poll Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 412/644] md: dm-zoned-target: Initialize return variable r to avoid uninitialized use Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 413/644] i3c: add missing include to internal header Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 414/644] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 415/644] i3c: dont fail if GETHDRCAP is unsupported Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 416/644] dm-mpath: dont print the "loaded" message if registering fails Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 417/644] i2c: Force DLL0945 touchpad i2c freq to 100khz Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 418/644] kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 419/644] kconfig: nconf: Ensure null termination where strncpy is used Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 420/644] scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 421/644] scsi: target: core: Generate correct identifiers for PR OUT transport IDs Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 422/644] scsi: aacraid: Stop using PCI_IRQ_AFFINITY Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 423/644] ipmi: Use dev_warn_ratelimited() for incorrect message warnings Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 424/644] kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 425/644] kconfig: gconf: fix potential memory leak in renderer_edited() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 426/644] kconfig: lxdialog: fix space to (de)select options Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 427/644] ipmi: Fix strcpy source and destination the same Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 428/644] net: phy: smsc: add proper reset flags for LAN8710A Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 429/644] block: avoid possible overflow for chunk_sectors check in blk_stack_limits() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 430/644] pNFS: Fix stripe mapping in block/scsi layout Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 431/644] pNFS: Fix disk addr range check " Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 432/644] pNFS: Handle RPC size limit for layoutcommits Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 433/644] pNFS: Fix uninited ptr deref in block/scsi layout Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 434/644] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 435/644] scsi: lpfc: Remove redundant assignment to avoid memory leak Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 436/644] ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 437/644] ASoC: soc-dai.h: merge DAI call back functions into ops Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 438/644] ASoC: fsl_sai: replace regmap_write with regmap_update_bits Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 439/644] drm/amdgpu: fix incorrect vm flags to map bo Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 440/644] ext4: fix largest free orders lists corruption on mb_optimize_scan switch Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 441/644] usb: core: config: Prevent OOB read in SS endpoint companion parsing Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 442/644] misc: rtsx: usb: Ensure mmc child device is active when card is present Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 443/644] usb: typec: ucsi: Update power_supply on power role change Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 444/644] comedi: fix race between polling and detaching Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 445/644] thunderbolt: Fix copy+paste error in match_service_id() Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 446/644] cdc-acm: fix race between initial clearing halt and open Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 447/644] btrfs: fix log tree replay failure due to file with 0 links and extents Greg Kroah-Hartman
2025-08-26 11:08 ` [PATCH 5.15 448/644] btrfs: do not allow relocation of partially dropped subvolumes Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 449/644] fbdev: Fix vmalloc out-of-bounds write in fast_imageblit Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 450/644] parisc: Makefile: fix a typo in palo.conf Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 451/644] mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 452/644] mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 453/644] media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 454/644] media: uvcvideo: Do not mark valid metadata as invalid Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 455/644] HID: magicmouse: avoid setting up battery timer when not needed Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 456/644] serial: 8250: fix panic due to PSLVERR Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 457/644] cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 458/644] m68k: Fix lost column on framebuffer debug console Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 459/644] usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 460/644] usb: gadget: udc: renesas_usb3: fix device leak at unbind Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 461/644] usb: dwc3: meson-g12a: fix device leaks " Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 462/644] bus: mhi: host: Fix endianness of BHI vector table Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 463/644] vt: keyboard: Dont process Unicode characters in K_OFF mode Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 464/644] vt: defkeymap: Map keycodes above 127 to K_HOLE Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 465/644] lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 466/644] Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 467/644] ext4: check fast symlink for ea_inode correctly Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 468/644] ext4: fix fsmap end of range reporting with bigalloc Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 469/644] ext4: fix reserved gdt blocks handling in fsmap Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 470/644] ext4: dont try to clear the orphan_present feature block device is r/o Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 471/644] ext4: use kmalloc_array() for array space allocation Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 472/644] ext4: fix hole length calculation overflow in non-extent inodes Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 473/644] scsi: mpi3mr: Fix race between config read submit and interrupt completion Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 474/644] ata: libata-scsi: Fix ata_to_sense_error() status handling Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 475/644] zynq_fpga: use sgtable-based scatterlist wrappers Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 476/644] wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 477/644] wifi: ath11k: fix source ring-buffer corruption Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 478/644] pwm: imx-tpm: Reset counter if CMOD is 0 Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 479/644] hwmon: (gsc-hwmon) fix fan pwm setpoint show functions Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 480/644] mtd: spinand: propagate spinand_wait() errors from spinand_write_page() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 481/644] mtd: rawnand: fsmc: Add missing check after DMA map Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 482/644] PCI: endpoint: Fix configfs group list head handling Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 483/644] PCI: endpoint: Fix configfs group removal on driver teardown Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 484/644] jbd2: prevent softlockup in jbd2_log_do_checkpoint() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 485/644] soc/tegra: pmc: Ensure power-domains are in a known state Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 486/644] media: gspca: Add bounds checking to firmware parser Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 487/644] media: hi556: correct the test pattern configuration Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 488/644] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 489/644] media: v4l2-ctrls: Dont reset handlers error in v4l2_ctrl_handler_free() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 490/644] media: usbtv: Lock resolution while streaming Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 491/644] media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 492/644] media: ov2659: Fix memory leaks in ov2659_probe() Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 493/644] media: venus: Add a check for packet size after reading from shared memory Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 494/644] media: venus: hfi: explicitly release IRQ during teardown Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 495/644] media: venus: vdec: Clamp param smaller than 1fps and bigger than 240 Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 496/644] media: venus: venc: " Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 497/644] drm/amd: Restore cached power limit during resume Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 498/644] drm/amd/display: Dont overwrite dce60_clk_mgr Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 499/644] net, hsr: reject HSR frame if skb cant hold tag Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 500/644] ipv6: sr: Fix MAC comparison to be constant-time Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 501/644] mptcp: drop skb if MPTCP skb extension allocation fails Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 502/644] mptcp: pm: kernel: flush: do not reset ADD_ADDR limit Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 503/644] sch_htb: make htb_qlen_notify() idempotent Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 504/644] sch_hfsc: make hfsc_qlen_notify() idempotent Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 505/644] sch_qfq: make qfq_qlen_notify() idempotent Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 506/644] mm: drop the assumption that VM_SHARED always implies writable Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 507/644] mm: update memfd seal write check to include F_SEAL_WRITE Greg Kroah-Hartman
2025-08-26 11:09 ` [PATCH 5.15 508/644] mm: reinstate ability to map write-sealed memfd mappings read-only Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 509/644] selftests/memfd: add test for mapping write-sealed memfd read-only Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 510/644] ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 511/644] drm/sched: Remove optimization that causes hang when killing dependent jobs Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 512/644] arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 513/644] ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 514/644] f2fs: fix to do sanity check on ino and xnid Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 515/644] iio: hid-sensor-prox: Restore lost scale assignments Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 516/644] iio: hid-sensor-prox: Fix incorrect OFFSET calculation Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 517/644] x86/mce/amd: Add default names for MCA banks and blocks Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 518/644] usb: hub: avoid warm port reset during USB3 disconnect Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 519/644] usb: hub: Dont try to recover devices lost during warm reset Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 520/644] smb: client: fix use-after-free in crypt_message when using async crypto Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 521/644] x86/fpu: Delay instruction pointer fixup until after warning Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 522/644] ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 523/644] smb: server: Fix extension string in ksmbd_extract_shortname() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 524/644] hv_netvsc: Fix panic during namespace deletion with VF Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 525/644] usb: typec: fusb302: cache PD RX state Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 526/644] PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 527/644] block: Make REQ_OP_ZONE_FINISH a write operation Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 528/644] net: enetc: fix device and OF node leak at probe Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 529/644] NFS: Create an nfs4_server_set_init_caps() function Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 530/644] NFS: Fix the setting of capabilities when automounting a new filesystem Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 531/644] mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 532/644] usb: musb: omap2430: Convert to platform remove callback returning void Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 533/644] usb: musb: omap2430: fix device leak at unbind Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 534/644] ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 535/644] bus: mhi: host: Detect events pointing to unexpected TREs Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 536/644] usb: dwc3: imx8mp: fix device leak at unbind Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 537/644] platform/chrome: cros_ec: Make cros_ec_unregister() return void Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 538/644] platform/chrome: cros_ec: Use per-device lockdep key Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 539/644] platform/chrome: cros_ec: remove unneeded label and if-condition Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 540/644] platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 541/644] net/sched: sch_ets: properly init all active DRR list handles Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 542/644] net_sched: sch_ets: implement lockless ets_dump() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 543/644] net/sched: ets: use old nbands while purging unused classes Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 544/644] KVM: VMX: Flush shadow VMCS on emergency reboot Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 545/644] btrfs: populate otime when logging an inode item Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 546/644] sch_drr: make drr_qlen_notify() idempotent Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 547/644] codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 548/644] sch_htb: make htb_deactivate() idempotent Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 549/644] PCI: vmd: Assign VMD IRQ domain before enumeration Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 550/644] ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 551/644] kbuild: userprogs: use correct linker when mixing clang and GNU ld Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 552/644] selftests: mptcp: make sendfile selftest work Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 553/644] selftests: mptcp: connect: also cover alt modes Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 554/644] selftests: mptcp: connect: also cover checksum Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 555/644] selftests: mptcp: add missing join check Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 556/644] mptcp: fix error mibs accounting Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 557/644] mptcp: introduce MAPPING_BAD_CSUM Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 558/644] selftests: mptcp: Initialize variables to quiet gcc 12 warnings Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 559/644] mptcp: drop unused sk in mptcp_push_release Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 560/644] mptcp: do not queue data on closed subflows Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 561/644] scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 562/644] scsi: ufs: ufs-pci: Fix default runtime and system PM levels Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 563/644] KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 564/644] memstick: Fix deadlock by moving removing flag earlier Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 565/644] mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 566/644] squashfs: fix memory leak in squashfs_fill_super Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 567/644] mm/debug_vm_pgtable: clear page table entries at destroy_args() Greg Kroah-Hartman
2025-08-26 11:10 ` [PATCH 5.15 568/644] ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 569/644] drm/amd/display: Avoid a NULL pointer dereference Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 570/644] drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 571/644] drm/amd/display: Fix DP audio DTO1 clock source on DCE 6 Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 572/644] drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 573/644] drm/amd/display: Fill display clock and vblank " Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 574/644] fs/buffer: fix use-after-free when call bh_read() helper Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 575/644] use uniform permission checks for all mount propagation changes Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 576/644] fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 577/644] ftrace: Also allocate and copy hash for reading of filter files Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 578/644] iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 579/644] iio: proximity: isl29501: fix buffered read on big-endian systems Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 580/644] most: core: Drop device reference after usage in get_channel() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 581/644] usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 582/644] comedi: Make insn_rw_emulate_bits() do insn->n samples Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 583/644] comedi: pcl726: Prevent invalid irq number Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 584/644] comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 585/644] usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 586/644] usb: renesas-xhci: Fix External ROM access timeouts Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 587/644] USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 588/644] usb: storage: realtek_cr: Use correct byte order for bcs->Residue Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 589/644] USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 590/644] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 591/644] usb: dwc3: Remove WARN_ON for device endpoint command timeouts Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 592/644] drm/amd/display: Dont overclock DCE 6 by 15% Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 593/644] mptcp: disable add_addr retransmission when timeout is 0 Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 594/644] drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 595/644] f2fs: fix to avoid out-of-boundary access in dnode page Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 596/644] media: camss: Convert to platform remove callback returning void Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 597/644] media: qcom: camss: cleanup media device allocated resource on error path Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 598/644] media: venus: Add support for SSR trigger using fault injection Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 599/644] media: venus: protect against spurious interrupts during probe Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 600/644] locking/barriers, kcsan: Support generic instrumentation Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 601/644] asm-generic: Add memory barrier dma_mb() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 602/644] wifi: ath11k: fix dest ring-buffer corruption when ring is full Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 603/644] soc: qcom: mdt_loader: Ensure we dont read past the ELF header Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 604/644] iio: adc: ad_sigma_delta: change to buffer predisable Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 605/644] scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 606/644] scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 607/644] scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 608/644] pwm: mediatek: Implement .apply() callback Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 609/644] pwm: mediatek: Handle hardware enable and clock enable separately Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 610/644] pwm: mediatek: Fix duty and period setting Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 611/644] selftests: mptcp: pm: check flush doesnt reset limits Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 612/644] compiler: remove __ADDRESSABLE_ASM{_STR,}() again Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 613/644] usb: xhci: Fix slot_id resource race conflict Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 614/644] iio: imu: inv_icm42600: change invalid data error to -EBUSY Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 615/644] tracing: Remove unneeded goto out logic Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 616/644] tracing: Limit access to parser->buffer when trace_get_user failed Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 617/644] iio: light: as73211: Ensure buffer holes are zeroed Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 618/644] mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 619/644] x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 620/644] mm/page_alloc: detect allocation forbidden by cpuset and bail out early Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 621/644] cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 622/644] RDMA/bnxt_re: Fix to initialize the PBL array Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 623/644] net: bridge: fix soft lockup in br_multicast_query_expired() Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 624/644] scsi: qla4xxx: Prevent a potential error pointer dereference Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 625/644] iommu/amd: Avoid stack buffer overflow from kernel cmdline Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 626/644] mlxsw: spectrum: Forward packets with an IPv4 link-local source IP Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 627/644] drm/hisilicon/hibmc: fix the hibmc loaded failed bug Greg Kroah-Hartman
2025-08-26 11:11 ` [PATCH 5.15 628/644] ALSA: usb-audio: Fix size validation in convert_chmap_v3() Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 629/644] drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 630/644] ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 631/644] ppp: fix race conditions in ppp_fill_forward_path Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 632/644] net: phy: Use netif_rx() Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 633/644] phy: mscc: Fix timestamping for vsc8584 Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 634/644] net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 635/644] ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 636/644] igc: fix disabling L1.2 PCI-E link substate on I226 on init Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 637/644] net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 638/644] net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 639/644] bonding: update LACP activity flag after setting lacp_active Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 640/644] ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 641/644] s390/hypfs: Avoid unnecessary ioctl registration in debugfs Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 642/644] s390/hypfs: Enable limited access during lockdown Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 643/644] netfilter: nf_reject: dont leak dst refcount for loopback packets Greg Kroah-Hartman
2025-08-26 11:12 ` [PATCH 5.15 644/644] wifi: mac80211: check basic rates validity in sta_link_apply_parameters Greg Kroah-Hartman
2025-08-26 17:20 ` [PATCH 5.15 000/644] 5.15.190-rc1 review Florian Fainelli
2025-08-26 17:43 ` Jon Hunter
2025-08-26 17:47 ` Brett A C Sheffield
2025-08-27 9:22 ` [PATCH 5.15 000/644] " Anders Roxell
2025-08-27 9:29 ` Ron Economos
2025-08-28 8:26 ` Vijayendra Suman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).